2 # -*- coding: utf-8 -*-
3 # This is a port of the original in testprogs/ejs/ldap.js
11 sys.path.append("bin/python")
13 samba.ensure_external_module("subunit", "subunit/python")
14 samba.ensure_external_module("testtools", "testtools")
16 import samba.getopt as options
18 from samba.auth import system_session
19 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
20 from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
21 from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM
22 from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX
23 from ldb import ERR_NO_SUCH_ATTRIBUTE
24 from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN
25 from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION
26 from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE, ERR_INSUFFICIENT_ACCESS_RIGHTS
27 from ldb import Message, MessageElement, Dn
28 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
30 from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_INTERDOMAIN_TRUST_ACCOUNT,
31 UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
32 UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
33 UF_PASSWD_NOTREQD, UF_ACCOUNTDISABLE, ATYPE_NORMAL_ACCOUNT,
34 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
35 GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP,
36 GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP, GTYPE_DISTRIBUTION_GLOBAL_GROUP,
37 GTYPE_DISTRIBUTION_UNIVERSAL_GROUP,
38 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_UNIVERSAL_GROUP,
39 ATYPE_SECURITY_LOCAL_GROUP, ATYPE_DISTRIBUTION_GLOBAL_GROUP,
40 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP, ATYPE_DISTRIBUTION_LOCAL_GROUP,
41 ATYPE_WORKSTATION_TRUST, SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE,
42 SYSTEM_FLAG_CONFIG_ALLOW_RENAME, SYSTEM_FLAG_CONFIG_ALLOW_MOVE,
43 SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE)
44 from samba.dcerpc.security import (DOMAIN_RID_USERS, DOMAIN_RID_DOMAIN_MEMBERS,
45 DOMAIN_RID_DCS, DOMAIN_RID_READONLY_DCS)
47 from subunit.run import SubunitTestRunner
50 from samba.ndr import ndr_pack, ndr_unpack
51 from samba.dcerpc import security
53 parser = optparse.OptionParser("sam.py [options] <host>")
54 sambaopts = options.SambaOptions(parser)
55 parser.add_option_group(sambaopts)
56 parser.add_option_group(options.VersionOptions(parser))
57 # use command line creds if available
58 credopts = options.CredentialsOptions(parser)
59 parser.add_option_group(credopts)
60 opts, args = parser.parse_args()
68 lp = sambaopts.get_loadparm()
69 creds = credopts.get_credentials(lp)
71 class SamTests(unittest.TestCase):
73 def delete_force(self, ldb, dn):
76 except LdbError, (num, _):
77 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
79 def find_basedn(self, ldb):
80 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
81 attrs=["defaultNamingContext"])
82 self.assertEquals(len(res), 1)
83 return res[0]["defaultNamingContext"][0]
85 def find_domain_sid(self):
86 res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
87 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
90 super(SamTests, self).setUp()
93 self.base_dn = self.find_basedn(ldb)
94 self.domain_sid = self.find_domain_sid()
96 print "baseDN: %s\n" % self.base_dn
98 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
99 self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
100 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
101 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
102 self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
104 def test_users_groups(self):
105 """This tests the SAM users and groups behaviour"""
106 print "Testing users and groups behaviour\n"
109 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
110 "objectclass": "group"})
113 "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn,
114 "objectclass": "group"})
116 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
117 scope=SCOPE_BASE, attrs=["objectSID"])
118 self.assertTrue(len(res1) == 1)
119 group_rid_1 = security.dom_sid(ldb.schema_format_value("objectSID",
120 res1[0]["objectSID"][0])).split()[1]
122 res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn,
123 scope=SCOPE_BASE, attrs=["objectSID"])
124 self.assertTrue(len(res1) == 1)
125 group_rid_2 = security.dom_sid(ldb.schema_format_value("objectSID",
126 res1[0]["objectSID"][0])).split()[1]
128 # Try to create a user with an invalid account name
131 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
132 "objectclass": ["user", "person"],
133 "sAMAccountName": "administrator"})
135 except LdbError, (num, _):
136 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
137 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
139 # Try to create a user with an invalid primary group
142 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
143 "objectclass": ["user", "person"],
144 "primaryGroupID": "0"})
146 except LdbError, (num, _):
147 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
148 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
150 # Try to Create a user with a valid primary group
153 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
154 "objectclass": ["user", "person"],
155 "primaryGroupID": str(group_rid_1)})
157 except LdbError, (num, _):
158 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
159 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
161 # Test to see how we should behave when the user account doesn't
164 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
165 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
170 except LdbError, (num, _):
171 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
173 # Test to see how we should behave when the account isn't a user
175 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
176 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
181 except LdbError, (num, _):
182 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
184 # Test default primary groups on add operations
187 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
188 "objectclass": ["user", "person"]})
190 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
191 scope=SCOPE_BASE, attrs=["primaryGroupID"])
192 self.assertTrue(len(res1) == 1)
193 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
195 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
198 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
199 "objectclass": ["user", "person"],
200 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD) })
202 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
203 scope=SCOPE_BASE, attrs=["primaryGroupID"])
204 self.assertTrue(len(res1) == 1)
205 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
207 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
209 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
210 # since such accounts aren't directly creatable (ACCESS_DENIED)
213 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
214 "objectclass": ["computer"],
215 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
217 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
218 scope=SCOPE_BASE, attrs=["primaryGroupID"])
219 self.assertTrue(len(res1) == 1)
220 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
222 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
225 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
226 "objectclass": ["computer"],
227 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
229 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
230 scope=SCOPE_BASE, attrs=["primaryGroupID"])
231 self.assertTrue(len(res1) == 1)
232 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
234 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
236 # Read-only DC accounts are only creatable by
237 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
238 # we have a fallback in the assertion)
240 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
241 "objectclass": ["computer"],
242 "userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
244 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
245 scope=SCOPE_BASE, attrs=["primaryGroupID"])
246 self.assertTrue(len(res1) == 1)
247 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
248 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
250 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
252 # Test default primary groups on modify operations
255 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
256 "objectclass": ["user", "person"]})
259 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
260 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
261 "userAccountControl")
264 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
265 scope=SCOPE_BASE, attrs=["primaryGroupID"])
266 self.assertTrue(len(res1) == 1)
267 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
269 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
270 # since such accounts aren't directly creatable (ACCESS_DENIED)
272 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
275 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
276 "objectclass": ["computer"]})
278 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
279 scope=SCOPE_BASE, attrs=["primaryGroupID"])
280 self.assertTrue(len(res1) == 1)
281 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
284 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
285 m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
286 "userAccountControl")
289 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
290 scope=SCOPE_BASE, attrs=["primaryGroupID"])
291 self.assertTrue(len(res1) == 1)
292 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
295 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
296 m["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
297 "userAccountControl")
300 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
301 scope=SCOPE_BASE, attrs=["primaryGroupID"])
302 self.assertTrue(len(res1) == 1)
303 self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
305 # Read-only DC accounts are only creatable by
306 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
307 # we have a fallback in the assertion)
309 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
310 m["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
311 "userAccountControl")
314 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
315 scope=SCOPE_BASE, attrs=["primaryGroupID"])
316 self.assertTrue(len(res1) == 1)
317 self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
318 res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
320 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
322 # Recreate account for further tests
325 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
326 "objectclass": ["user", "person"]})
328 # Try to set an invalid account name
330 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
331 m["sAMAccountName"] = MessageElement("administrator", FLAG_MOD_REPLACE,
336 except LdbError, (num, _):
337 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
339 # But to reset the actual "sAMAccountName" should still be possible
340 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
341 scope=SCOPE_BASE, attrs=["sAMAccountName"])
342 self.assertTrue(len(res1) == 1)
344 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
345 m["sAMAccountName"] = MessageElement(res1[0]["sAMAccountName"][0], FLAG_MOD_REPLACE,
349 # And another (free) name should be possible as well
351 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
352 m["sAMAccountName"] = MessageElement("xxx_ldaptestuser_xxx", FLAG_MOD_REPLACE,
356 # We should be able to reset our actual primary group
358 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
359 m["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS), FLAG_MOD_REPLACE,
363 # Try to add invalid primary group
365 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
366 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
371 except LdbError, (num, _):
372 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
374 # Try to make group 1 primary - should be denied since it is not yet
377 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
378 m["primaryGroupID"] = MessageElement(str(group_rid_1),
379 FLAG_MOD_REPLACE, "primaryGroupID")
383 except LdbError, (num, _):
384 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
386 # Make group 1 secondary
388 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
389 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
390 FLAG_MOD_REPLACE, "member")
393 # Make group 1 primary
395 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
396 m["primaryGroupID"] = MessageElement(str(group_rid_1),
397 FLAG_MOD_REPLACE, "primaryGroupID")
400 # Try to delete group 1 - should be denied
402 ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn)
404 except LdbError, (num, _):
405 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
407 # Try to add group 1 also as secondary - should be denied
409 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
410 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
411 FLAG_MOD_ADD, "member")
415 except LdbError, (num, _):
416 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
418 # Try to add invalid member to group 1 - should be denied
420 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
421 m["member"] = MessageElement(
422 "cn=ldaptestuser3,cn=users," + self.base_dn,
423 FLAG_MOD_ADD, "member")
427 except LdbError, (num, _):
428 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
430 # Make group 2 secondary
432 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
433 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
434 FLAG_MOD_ADD, "member")
439 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
440 m["primaryGroupID"] = MessageElement(str(group_rid_2),
441 FLAG_MOD_REPLACE, "primaryGroupID")
444 # Swap the groups (does not really make sense but does the same)
446 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
447 m["primaryGroupID"] = MessageElement(str(group_rid_1),
448 FLAG_MOD_REPLACE, "primaryGroupID")
449 m["primaryGroupID"] = MessageElement(str(group_rid_2),
450 FLAG_MOD_REPLACE, "primaryGroupID")
453 # Old primary group should contain a "member" attribute for the user,
454 # the new shouldn't contain anymore one
455 res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
456 scope=SCOPE_BASE, attrs=["member"])
457 self.assertTrue(len(res1) == 1)
458 self.assertTrue(len(res1[0]["member"]) == 1)
459 self.assertEquals(res1[0]["member"][0].lower(),
460 ("cn=ldaptestuser,cn=users," + self.base_dn).lower())
462 res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn,
463 scope=SCOPE_BASE, attrs=["member"])
464 self.assertTrue(len(res1) == 1)
465 self.assertFalse("member" in res1[0])
467 # Primary group member
469 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
470 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
471 FLAG_MOD_DELETE, "member")
475 except LdbError, (num, _):
476 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
478 # Delete invalid group member
480 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
481 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
482 FLAG_MOD_DELETE, "member")
486 except LdbError, (num, _):
487 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
489 # Also this should be denied
492 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
493 "objectclass": ["user", "person"],
494 "primaryGroupID": "0"})
496 except LdbError, (num, _):
497 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
499 # Recreate user accounts
501 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
504 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
505 "objectclass": ["user", "person"]})
508 "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
509 "objectclass": ["user", "person"]})
512 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
513 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
514 FLAG_MOD_ADD, "member")
519 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
520 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
521 FLAG_MOD_ADD, "member")
525 except LdbError, (num, _):
526 self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
530 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
531 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
532 FLAG_MOD_REPLACE, "member")
536 except LdbError, (num, _):
537 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
541 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
542 m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
543 "cn=ldaptestuser1,cn=users," + self.base_dn],
544 FLAG_MOD_REPLACE, "member")
548 except LdbError, (num, _):
549 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
553 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
554 m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
555 FLAG_MOD_REPLACE, "member")
556 m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
557 FLAG_MOD_ADD, "member")
561 except LdbError, (num, _):
562 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
565 m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
566 m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
567 "cn=ldaptestuser2,cn=users," + self.base_dn],
568 FLAG_MOD_REPLACE, "member")
571 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
572 self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
573 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
574 self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
576 def test_sam_attributes(self):
577 """Test the behaviour of special attributes of SAM objects"""
578 print "Testing the behaviour of special attributes of SAM objects\n"""
581 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
582 "objectclass": ["user", "person"]})
584 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
585 "objectclass": "group"})
588 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
589 m["groupType"] = MessageElement("0", FLAG_MOD_ADD,
594 except LdbError, (num, _):
595 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
598 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
599 m["groupType"] = MessageElement([], FLAG_MOD_DELETE,
604 except LdbError, (num, _):
605 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
608 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
609 m["primaryGroupID"] = MessageElement("0", FLAG_MOD_ADD,
614 except LdbError, (num, _):
615 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
618 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
619 m["primaryGroupID"] = MessageElement([], FLAG_MOD_DELETE,
624 except LdbError, (num, _):
625 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
628 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
629 m["userAccountControl"] = MessageElement("0", FLAG_MOD_ADD,
630 "userAccountControl")
634 except LdbError, (num, _):
635 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
638 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
639 m["userAccountControl"] = MessageElement([], FLAG_MOD_DELETE,
640 "userAccountControl")
644 except LdbError, (num, _):
645 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
648 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
649 m["objectSid"] = MessageElement("xxxxxxxxxxxxxxxx", FLAG_MOD_ADD,
654 except LdbError, (num, _):
655 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
658 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
659 m["objectSid"] = MessageElement([], FLAG_MOD_REPLACE, "objectSid")
663 except LdbError, (num, _):
664 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
667 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
668 m["objectSid"] = MessageElement([], FLAG_MOD_DELETE, "objectSid")
672 except LdbError, (num, _):
673 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
676 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
677 m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD,
682 except LdbError, (num, _):
683 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
686 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
687 m["sAMAccountType"] = MessageElement([], FLAG_MOD_REPLACE,
692 except LdbError, (num, _):
693 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
696 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
697 m["sAMAccountType"] = MessageElement([], FLAG_MOD_DELETE,
702 except LdbError, (num, _):
703 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
706 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
707 m["sAMAccountName"] = MessageElement("test", FLAG_MOD_ADD,
712 except LdbError, (num, _):
713 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
716 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
717 m["sAMAccountName"] = MessageElement([], FLAG_MOD_DELETE,
722 except LdbError, (num, _):
723 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
725 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
726 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
728 def test_primary_group_token_constructed(self):
729 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
730 print "Testing primary group token behaviour and other constructed attributes\n"
734 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
735 "objectclass": "group",
736 "primaryGroupToken": "100"})
738 except LdbError, (num, _):
739 self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
740 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
743 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
744 "objectclass": ["user", "person"]})
747 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
748 "objectclass": "group"})
750 # Testing for one invalid, and one valid operational attribute, but also the things they are built from
751 res1 = ldb.search(self.base_dn,
752 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName", "objectClass", "objectSid"])
753 self.assertTrue(len(res1) == 1)
754 self.assertFalse("primaryGroupToken" in res1[0])
755 self.assertTrue("canonicalName" in res1[0])
756 self.assertTrue("objectClass" in res1[0])
757 self.assertTrue("objectSid" in res1[0])
759 res1 = ldb.search(self.base_dn,
760 scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName"])
761 self.assertTrue(len(res1) == 1)
762 self.assertFalse("primaryGroupToken" in res1[0])
763 self.assertFalse("objectSid" in res1[0])
764 self.assertFalse("objectClass" in res1[0])
765 self.assertTrue("canonicalName" in res1[0])
767 res1 = ldb.search("cn=users," + self.base_dn,
768 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
769 self.assertTrue(len(res1) == 1)
770 self.assertFalse("primaryGroupToken" in res1[0])
772 res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn,
773 scope=SCOPE_BASE, attrs=["primaryGroupToken"])
774 self.assertTrue(len(res1) == 1)
775 self.assertFalse("primaryGroupToken" in res1[0])
777 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
779 self.assertTrue(len(res1) == 1)
780 self.assertFalse("primaryGroupToken" in res1[0])
782 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
783 scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"])
784 self.assertTrue(len(res1) == 1)
785 primary_group_token = int(res1[0]["primaryGroupToken"][0])
787 rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1]
788 self.assertEquals(primary_group_token, rid)
791 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
792 m["primaryGroupToken"] = "100"
796 except LdbError, (num, _):
797 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
799 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
800 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
802 def test_tokenGroups(self):
803 """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
804 print "Testing tokenGroups behaviour\n"
806 # The domain object shouldn't contain any "tokenGroups" entry
807 res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups"])
808 self.assertTrue(len(res) == 1)
809 self.assertFalse("tokenGroups" in res[0])
811 # The domain administrator should contain "tokenGroups" entries
812 # (the exact number depends on the domain/forest function level and the
813 # DC software versions)
814 res = ldb.search("cn=Administrator,cn=Users," + self.base_dn,
815 scope=SCOPE_BASE, attrs=["tokenGroups"])
816 self.assertTrue(len(res) == 1)
817 self.assertTrue("tokenGroups" in res[0])
820 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
821 "objectclass": ["user", "person"]})
823 # This testuser should contain at least two "tokenGroups" entries
824 # (exactly two on an unmodified "Domain Users" and "Users" group)
825 res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
826 scope=SCOPE_BASE, attrs=["tokenGroups"])
827 self.assertTrue(len(res) == 1)
828 self.assertTrue(len(res[0]["tokenGroups"]) >= 2)
830 # one entry which we need to find should point to domains "Domain Users"
831 # group and another entry should point to the builtin "Users"group
832 domain_users_group_found = False
833 users_group_found = False
834 for sid in res[0]["tokenGroups"]:
835 rid = security.dom_sid(ldb.schema_format_value("objectSID", sid)).split()[1]
837 domain_users_group_found = True
839 users_group_found = True
841 self.assertTrue(domain_users_group_found)
842 self.assertTrue(users_group_found)
844 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
846 def test_groupType(self):
847 """Test the groupType behaviour"""
848 print "Testing groupType behaviour\n"
850 # You can never create or change to a
851 # "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP"
858 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
859 "objectclass": "group",
862 except LdbError, (num, _):
863 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
864 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
868 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
869 "objectclass": "group",
870 "groupType": str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP)})
872 except LdbError, (num, _):
873 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
874 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
877 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
878 "objectclass": "group",
879 "groupType": str(GTYPE_SECURITY_GLOBAL_GROUP)})
881 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
882 scope=SCOPE_BASE, attrs=["sAMAccountType"])
883 self.assertTrue(len(res1) == 1)
884 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
885 ATYPE_SECURITY_GLOBAL_GROUP)
886 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
889 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
890 "objectclass": "group",
891 "groupType": str(GTYPE_SECURITY_UNIVERSAL_GROUP)})
893 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
894 scope=SCOPE_BASE, attrs=["sAMAccountType"])
895 self.assertTrue(len(res1) == 1)
896 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
897 ATYPE_SECURITY_UNIVERSAL_GROUP)
898 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
901 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
902 "objectclass": "group",
903 "groupType": str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)})
905 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
906 scope=SCOPE_BASE, attrs=["sAMAccountType"])
907 self.assertTrue(len(res1) == 1)
908 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
909 ATYPE_SECURITY_LOCAL_GROUP)
910 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
913 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
914 "objectclass": "group",
915 "groupType": str(GTYPE_DISTRIBUTION_GLOBAL_GROUP)})
917 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
918 scope=SCOPE_BASE, attrs=["sAMAccountType"])
919 self.assertTrue(len(res1) == 1)
920 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
921 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
922 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
925 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
926 "objectclass": "group",
927 "groupType": str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP)})
929 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
930 scope=SCOPE_BASE, attrs=["sAMAccountType"])
931 self.assertTrue(len(res1) == 1)
932 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
933 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
934 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
937 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
938 "objectclass": "group",
939 "groupType": str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)})
941 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
942 scope=SCOPE_BASE, attrs=["sAMAccountType"])
943 self.assertTrue(len(res1) == 1)
944 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
945 ATYPE_DISTRIBUTION_LOCAL_GROUP)
946 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
951 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
952 "objectclass": "group"})
954 # We can change in this direction: global <-> universal <-> local
955 # On each step also the group type itself (security/distribution) is
958 # After creation we should have a "security global group"
959 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
960 scope=SCOPE_BASE, attrs=["sAMAccountType"])
961 self.assertTrue(len(res1) == 1)
962 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
963 ATYPE_SECURITY_GLOBAL_GROUP)
968 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
969 m["groupType"] = MessageElement("0",
970 FLAG_MOD_REPLACE, "groupType")
973 except LdbError, (num, _):
974 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
978 # Default is "global group"
981 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
982 m["groupType"] = MessageElement(
983 str(GTYPE_SECURITY_GLOBAL_GROUP),
984 FLAG_MOD_REPLACE, "groupType")
987 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
988 scope=SCOPE_BASE, attrs=["sAMAccountType"])
989 self.assertTrue(len(res1) == 1)
990 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
991 ATYPE_SECURITY_GLOBAL_GROUP)
993 # Change to "local" (shouldn't work)
997 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
998 m["groupType"] = MessageElement(
999 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1000 FLAG_MOD_REPLACE, "groupType")
1003 except LdbError, (num, _):
1004 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1006 # Change to "universal"
1009 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1010 m["groupType"] = MessageElement(
1011 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1012 FLAG_MOD_REPLACE, "groupType")
1015 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1016 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1017 self.assertTrue(len(res1) == 1)
1018 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1019 ATYPE_SECURITY_UNIVERSAL_GROUP)
1021 # Change back to "global"
1024 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1025 m["groupType"] = MessageElement(
1026 str(GTYPE_SECURITY_GLOBAL_GROUP),
1027 FLAG_MOD_REPLACE, "groupType")
1030 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1031 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1032 self.assertTrue(len(res1) == 1)
1033 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1034 ATYPE_SECURITY_GLOBAL_GROUP)
1036 # Change back to "universal"
1039 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1040 m["groupType"] = MessageElement(
1041 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1042 FLAG_MOD_REPLACE, "groupType")
1045 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1046 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1047 self.assertTrue(len(res1) == 1)
1048 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1049 ATYPE_SECURITY_UNIVERSAL_GROUP)
1054 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1055 m["groupType"] = MessageElement(
1056 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1057 FLAG_MOD_REPLACE, "groupType")
1060 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1061 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1062 self.assertTrue(len(res1) == 1)
1063 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1064 ATYPE_SECURITY_LOCAL_GROUP)
1066 # Change to "global" (shouldn't work)
1070 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1071 m["groupType"] = MessageElement(
1072 str(GTYPE_SECURITY_GLOBAL_GROUP),
1073 FLAG_MOD_REPLACE, "groupType")
1076 except LdbError, (num, _):
1077 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1079 # Change to "builtin local" (shouldn't work)
1083 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1084 m["groupType"] = MessageElement(
1085 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1086 FLAG_MOD_REPLACE, "groupType")
1089 except LdbError, (num, _):
1090 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1093 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1095 # Change back to "universal"
1098 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1099 m["groupType"] = MessageElement(
1100 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1101 FLAG_MOD_REPLACE, "groupType")
1104 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1105 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1106 self.assertTrue(len(res1) == 1)
1107 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1108 ATYPE_SECURITY_UNIVERSAL_GROUP)
1110 # Change to "builtin local" (shouldn't work)
1114 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1115 m["groupType"] = MessageElement(
1116 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1117 FLAG_MOD_REPLACE, "groupType")
1120 except LdbError, (num, _):
1121 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1123 # Change back to "global"
1126 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1127 m["groupType"] = MessageElement(
1128 str(GTYPE_SECURITY_GLOBAL_GROUP),
1129 FLAG_MOD_REPLACE, "groupType")
1132 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1133 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1134 self.assertTrue(len(res1) == 1)
1135 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1136 ATYPE_SECURITY_GLOBAL_GROUP)
1138 # Change to "builtin local" (shouldn't work)
1142 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1143 m["groupType"] = MessageElement(
1144 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1145 FLAG_MOD_REPLACE, "groupType")
1148 except LdbError, (num, _):
1149 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1151 # Distribution groups
1153 # Default is "global group"
1156 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1157 m["groupType"] = MessageElement(
1158 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1159 FLAG_MOD_REPLACE, "groupType")
1162 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1163 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1164 self.assertTrue(len(res1) == 1)
1165 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1166 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1168 # Change to local (shouldn't work)
1172 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1173 m["groupType"] = MessageElement(
1174 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1175 FLAG_MOD_REPLACE, "groupType")
1178 except LdbError, (num, _):
1179 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1181 # Change to "universal"
1184 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1185 m["groupType"] = MessageElement(
1186 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1187 FLAG_MOD_REPLACE, "groupType")
1190 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1191 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1192 self.assertTrue(len(res1) == 1)
1193 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1194 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1196 # Change back to "global"
1199 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1200 m["groupType"] = MessageElement(
1201 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1202 FLAG_MOD_REPLACE, "groupType")
1205 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1206 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1207 self.assertTrue(len(res1) == 1)
1208 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1209 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1211 # Change back to "universal"
1214 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1215 m["groupType"] = MessageElement(
1216 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1217 FLAG_MOD_REPLACE, "groupType")
1220 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1221 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1222 self.assertTrue(len(res1) == 1)
1223 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1224 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1229 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1230 m["groupType"] = MessageElement(
1231 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1232 FLAG_MOD_REPLACE, "groupType")
1235 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1236 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1237 self.assertTrue(len(res1) == 1)
1238 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1239 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1241 # Change to "global" (shouldn't work)
1245 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1246 m["groupType"] = MessageElement(
1247 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1248 FLAG_MOD_REPLACE, "groupType")
1251 except LdbError, (num, _):
1252 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1254 # Change back to "universal"
1256 # Try to add invalid member to group 1 - should be denied
1258 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1259 m["member"] = MessageElement(
1260 "cn=ldaptestuser3,cn=users," + self.base_dn,
1261 FLAG_MOD_ADD, "member")
1265 except LdbError, (num, _):
1266 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1268 # Make group 2 secondary
1270 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1271 m["groupType"] = MessageElement(
1272 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1273 FLAG_MOD_REPLACE, "groupType")
1276 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1277 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1278 self.assertTrue(len(res1) == 1)
1279 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1280 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1282 # Change back to "global"
1285 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1286 m["groupType"] = MessageElement(
1287 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1288 FLAG_MOD_REPLACE, "groupType")
1291 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1292 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1293 self.assertTrue(len(res1) == 1)
1294 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1295 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1297 # Both group types: this performs only random checks - all possibilities
1298 # would require too much code.
1300 # Default is "global group"
1303 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1304 m["groupType"] = MessageElement(
1305 str(GTYPE_SECURITY_GLOBAL_GROUP),
1306 FLAG_MOD_REPLACE, "groupType")
1309 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1310 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1311 self.assertTrue(len(res1) == 1)
1312 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1313 ATYPE_SECURITY_GLOBAL_GROUP)
1315 # Change to "local" (shouldn't work)
1319 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1320 m["groupType"] = MessageElement(
1321 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1322 FLAG_MOD_REPLACE, "groupType")
1325 except LdbError, (num, _):
1326 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1328 # Change to "universal"
1331 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1332 m["groupType"] = MessageElement(
1333 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1334 FLAG_MOD_REPLACE, "groupType")
1337 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1338 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1339 self.assertTrue(len(res1) == 1)
1340 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1341 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1343 # Change back to "global"
1346 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1347 m["groupType"] = MessageElement(
1348 str(GTYPE_SECURITY_GLOBAL_GROUP),
1349 FLAG_MOD_REPLACE, "groupType")
1352 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1353 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1354 self.assertTrue(len(res1) == 1)
1355 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1356 ATYPE_SECURITY_GLOBAL_GROUP)
1358 # Change back to "universal"
1361 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1362 m["groupType"] = MessageElement(
1363 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1364 FLAG_MOD_REPLACE, "groupType")
1367 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1368 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1369 self.assertTrue(len(res1) == 1)
1370 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1371 ATYPE_SECURITY_UNIVERSAL_GROUP)
1376 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1377 m["groupType"] = MessageElement(
1378 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1379 FLAG_MOD_REPLACE, "groupType")
1382 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1383 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1384 self.assertTrue(len(res1) == 1)
1385 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1386 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1388 # Change to "global" (shouldn't work)
1392 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1393 m["groupType"] = MessageElement(
1394 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1395 FLAG_MOD_REPLACE, "groupType")
1398 except LdbError, (num, _):
1399 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1401 # Change back to "universal"
1404 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1405 m["groupType"] = MessageElement(
1406 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1407 FLAG_MOD_REPLACE, "groupType")
1410 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1411 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1412 self.assertTrue(len(res1) == 1)
1413 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1414 ATYPE_SECURITY_UNIVERSAL_GROUP)
1416 # Change back to "global"
1419 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1420 m["groupType"] = MessageElement(
1421 str(GTYPE_SECURITY_GLOBAL_GROUP),
1422 FLAG_MOD_REPLACE, "groupType")
1425 res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1426 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1427 self.assertTrue(len(res1) == 1)
1428 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1429 ATYPE_SECURITY_GLOBAL_GROUP)
1431 self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1433 def test_userAccountControl(self):
1434 """Test the userAccountControl behaviour"""
1435 print "Testing userAccountControl behaviour\n"
1437 # With a user object
1441 # As user you can only set a normal account.
1442 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1444 # With SYSTEM rights you can set a interdomain trust account.
1449 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1450 "objectclass": ["user", "person"],
1451 "userAccountControl": "0"})
1453 except LdbError, (num, _):
1454 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1455 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1457 # This has to wait until s4 supports it (needs a password module change)
1460 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1461 # "objectclass": ["user", "person"],
1462 # "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1464 # except LdbError, (num, _):
1465 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1466 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1469 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1470 "objectclass": ["user", "person"],
1471 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1473 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1474 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1475 self.assertTrue(len(res1) == 1)
1476 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1477 ATYPE_NORMAL_ACCOUNT)
1478 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1482 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1483 "objectclass": ["user", "person"],
1484 "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1486 except LdbError, (num, _):
1487 self.assertEquals(num, ERR_OTHER)
1488 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1490 # This isn't supported yet in s4
1493 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1494 # "objectclass": ["user", "person"],
1495 # "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1497 # except LdbError, (num, _):
1498 # self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1499 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1503 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1504 # "objectclass": ["user", "person"],
1505 # "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1506 # except LdbError, (num, _):
1507 # self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1508 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1510 # This isn't supported yet in s4 - needs ACL module adaption
1513 # "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1514 # "objectclass": ["user", "person"],
1515 # "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1517 # except LdbError, (num, _):
1518 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1519 # self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1524 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1525 "objectclass": ["user", "person"]})
1527 # After creation we should have a normal account
1528 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1529 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1530 self.assertTrue(len(res1) == 1)
1531 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1532 ATYPE_NORMAL_ACCOUNT)
1534 # As user you can only switch from a normal account to a workstation
1535 # trust account and back.
1536 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1538 # With SYSTEM rights you can switch to a interdomain trust account.
1543 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1544 m["userAccountControl"] = MessageElement("0",
1545 FLAG_MOD_REPLACE, "userAccountControl")
1547 except LdbError, (num, _):
1548 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1550 # This has to wait until s4 supports it (needs a password module change)
1553 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1554 # m["userAccountControl"] = MessageElement(
1555 # str(UF_NORMAL_ACCOUNT),
1556 # FLAG_MOD_REPLACE, "userAccountControl")
1558 # except LdbError, (num, _):
1559 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1562 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1563 m["userAccountControl"] = MessageElement(
1564 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1565 FLAG_MOD_REPLACE, "userAccountControl")
1568 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1569 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1570 self.assertTrue(len(res1) == 1)
1571 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1572 ATYPE_NORMAL_ACCOUNT)
1576 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1577 m["userAccountControl"] = MessageElement(
1578 str(UF_TEMP_DUPLICATE_ACCOUNT),
1579 FLAG_MOD_REPLACE, "userAccountControl")
1582 except LdbError, (num, _):
1583 self.assertEquals(num, ERR_OTHER)
1585 # This isn't supported yet in s4
1588 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1589 # m["userAccountControl"] = MessageElement(
1590 # str(UF_SERVER_TRUST_ACCOUNT),
1591 # FLAG_MOD_REPLACE, "userAccountControl")
1594 # except LdbError, (num, _):
1595 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1598 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1599 m["userAccountControl"] = MessageElement(
1600 str(UF_WORKSTATION_TRUST_ACCOUNT),
1601 FLAG_MOD_REPLACE, "userAccountControl")
1604 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1605 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1606 self.assertTrue(len(res1) == 1)
1607 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1608 ATYPE_WORKSTATION_TRUST)
1611 m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1612 m["userAccountControl"] = MessageElement(
1613 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1614 FLAG_MOD_REPLACE, "userAccountControl")
1617 res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1618 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1619 self.assertTrue(len(res1) == 1)
1620 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1621 ATYPE_NORMAL_ACCOUNT)
1623 # This isn't supported yet in s4 - needs ACL module adaption
1626 # m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1627 # m["userAccountControl"] = MessageElement(
1628 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1629 # FLAG_MOD_REPLACE, "userAccountControl")
1632 # except LdbError, (num, _):
1633 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1635 # With a computer object
1639 # As computer you can set a normal account and a server trust account.
1640 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1642 # With SYSTEM rights you can set a interdomain trust account.
1647 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1648 "objectclass": ["computer"],
1649 "userAccountControl": "0"})
1651 except LdbError, (num, _):
1652 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1653 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1655 # This has to wait until s4 supports it (needs a password module change)
1658 # "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1659 # "objectclass": ["computer"],
1660 # "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1662 # except LdbError, (num, _):
1663 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1664 # self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1667 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1668 "objectclass": ["computer"],
1669 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1671 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1672 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1673 self.assertTrue(len(res1) == 1)
1674 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1675 ATYPE_NORMAL_ACCOUNT)
1676 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1680 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1681 "objectclass": ["computer"],
1682 "userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1684 except LdbError, (num, _):
1685 self.assertEquals(num, ERR_OTHER)
1686 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1689 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1690 "objectclass": ["computer"],
1691 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1693 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1694 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1695 self.assertTrue(len(res1) == 1)
1696 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1697 ATYPE_WORKSTATION_TRUST)
1698 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1702 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1703 "objectclass": ["computer"],
1704 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1705 except LdbError, (num, _):
1706 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1707 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1709 # This isn't supported yet in s4 - needs ACL module adaption
1712 # "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1713 # "objectclass": ["computer"],
1714 # "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1716 # except LdbError, (num, _):
1717 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1718 # self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1723 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1724 "objectclass": ["computer"]})
1726 # After creation we should have a normal account
1727 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1728 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1729 self.assertTrue(len(res1) == 1)
1730 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1731 ATYPE_NORMAL_ACCOUNT)
1733 # As computer you can switch from a normal account to a workstation
1734 # or server trust account and back (also swapping between trust
1735 # accounts is allowed).
1736 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1738 # With SYSTEM rights you can switch to a interdomain trust account.
1743 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1744 m["userAccountControl"] = MessageElement("0",
1745 FLAG_MOD_REPLACE, "userAccountControl")
1747 except LdbError, (num, _):
1748 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1750 # This has to wait until s4 supports it (needs a password module change)
1753 # m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1754 # m["userAccountControl"] = MessageElement(
1755 # str(UF_NORMAL_ACCOUNT),
1756 # FLAG_MOD_REPLACE, "userAccountControl")
1758 # except LdbError, (num, _):
1759 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1762 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1763 m["userAccountControl"] = MessageElement(
1764 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1765 FLAG_MOD_REPLACE, "userAccountControl")
1768 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1769 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1770 self.assertTrue(len(res1) == 1)
1771 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1772 ATYPE_NORMAL_ACCOUNT)
1776 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1777 m["userAccountControl"] = MessageElement(
1778 str(UF_TEMP_DUPLICATE_ACCOUNT),
1779 FLAG_MOD_REPLACE, "userAccountControl")
1782 except LdbError, (num, _):
1783 self.assertEquals(num, ERR_OTHER)
1786 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1787 m["userAccountControl"] = MessageElement(
1788 str(UF_SERVER_TRUST_ACCOUNT),
1789 FLAG_MOD_REPLACE, "userAccountControl")
1792 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1793 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1794 self.assertTrue(len(res1) == 1)
1795 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1796 ATYPE_WORKSTATION_TRUST)
1799 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1800 m["userAccountControl"] = MessageElement(
1801 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1802 FLAG_MOD_REPLACE, "userAccountControl")
1805 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1806 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1807 self.assertTrue(len(res1) == 1)
1808 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1809 ATYPE_NORMAL_ACCOUNT)
1812 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1813 m["userAccountControl"] = MessageElement(
1814 str(UF_WORKSTATION_TRUST_ACCOUNT),
1815 FLAG_MOD_REPLACE, "userAccountControl")
1818 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1819 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1820 self.assertTrue(len(res1) == 1)
1821 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1822 ATYPE_WORKSTATION_TRUST)
1825 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1826 m["userAccountControl"] = MessageElement(
1827 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1828 FLAG_MOD_REPLACE, "userAccountControl")
1831 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1832 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1833 self.assertTrue(len(res1) == 1)
1834 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1835 ATYPE_NORMAL_ACCOUNT)
1838 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1839 m["userAccountControl"] = MessageElement(
1840 str(UF_SERVER_TRUST_ACCOUNT),
1841 FLAG_MOD_REPLACE, "userAccountControl")
1844 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1845 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1846 self.assertTrue(len(res1) == 1)
1847 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1848 ATYPE_WORKSTATION_TRUST)
1851 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1852 m["userAccountControl"] = MessageElement(
1853 str(UF_WORKSTATION_TRUST_ACCOUNT),
1854 FLAG_MOD_REPLACE, "userAccountControl")
1857 res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1858 scope=SCOPE_BASE, attrs=["sAMAccountType"])
1859 self.assertTrue(len(res1) == 1)
1860 self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1861 ATYPE_WORKSTATION_TRUST)
1863 # This isn't supported yet in s4 - needs ACL module adaption
1866 # m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1867 # m["userAccountControl"] = MessageElement(
1868 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1869 # FLAG_MOD_REPLACE, "userAccountControl")
1872 # except LdbError, (num, _):
1873 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1875 self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1876 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1878 def test_dNSHostName(self):
1879 """Test the dNSHostName behaviour"""
1880 print "Testing dNSHostName behaviour\n"
1883 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1884 "objectclass": "computer",
1885 "dNSHostName": "testname.testdom"})
1887 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1888 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1889 self.assertTrue(len(res) == 1)
1890 self.assertFalse("servicePrincipalName" in res[0])
1892 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1895 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1896 "objectclass": "computer",
1897 "servicePrincipalName": "HOST/testname.testdom"})
1899 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1900 scope=SCOPE_BASE, attrs=["dNSHostName"])
1901 self.assertTrue(len(res) == 1)
1902 self.assertFalse("dNSHostName" in res[0])
1904 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1907 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1908 "objectclass": "computer",
1909 "dNSHostName": "testname2.testdom",
1910 "servicePrincipalName": "HOST/testname.testdom"})
1912 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1913 scope=SCOPE_BASE, attrs=["dNSHostName"])
1914 self.assertTrue(len(res) == 1)
1915 self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
1917 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1918 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1919 self.assertTrue(len(res) == 1)
1920 self.assertEquals(res[0]["servicePrincipalName"][0],
1921 "HOST/testname.testdom")
1924 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1925 m["dNSHostName"] = MessageElement("testname.testdoM",
1926 FLAG_MOD_REPLACE, "dNSHostName")
1929 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1930 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1931 self.assertTrue(len(res) == 1)
1932 self.assertEquals(res[0]["servicePrincipalName"][0],
1933 "HOST/testname.testdom")
1936 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1937 m["dNSHostName"] = MessageElement("testname2.testdom2",
1938 FLAG_MOD_REPLACE, "dNSHostName")
1941 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1942 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1943 self.assertTrue(len(res) == 1)
1944 self.assertEquals(res[0]["servicePrincipalName"][0],
1945 "HOST/testname2.testdom2")
1948 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1949 m["dNSHostName"] = MessageElement([],
1950 FLAG_MOD_DELETE, "dNSHostName")
1953 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1954 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1955 self.assertTrue(len(res) == 1)
1956 self.assertEquals(res[0]["servicePrincipalName"][0],
1957 "HOST/testname2.testdom2")
1960 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1961 m["dNSHostName"] = MessageElement("testname.testdom3",
1962 FLAG_MOD_REPLACE, "dNSHostName")
1965 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1966 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1967 self.assertTrue(len(res) == 1)
1968 self.assertEquals(res[0]["servicePrincipalName"][0],
1969 "HOST/testname2.testdom2")
1972 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1973 m["dNSHostName"] = MessageElement("testname2.testdom2",
1974 FLAG_MOD_REPLACE, "dNSHostName")
1978 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1979 m["dNSHostName"] = MessageElement("testname3.testdom3",
1980 FLAG_MOD_REPLACE, "dNSHostName")
1981 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
1983 "servicePrincipalName")
1986 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1987 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1988 self.assertTrue(len(res) == 1)
1989 self.assertEquals(res[0]["servicePrincipalName"][0],
1990 "HOST/testname3.testdom3")
1993 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1994 m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
1996 "servicePrincipalName")
1997 m["dNSHostName"] = MessageElement("testname4.testdom4",
1998 FLAG_MOD_REPLACE, "dNSHostName")
2001 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2002 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2003 self.assertTrue(len(res) == 1)
2004 self.assertEquals(res[0]["servicePrincipalName"][0],
2005 "HOST/testname2.testdom2")
2008 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2009 m["servicePrincipalName"] = MessageElement([],
2011 "servicePrincipalName")
2015 m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2016 m["dNSHostName"] = MessageElement("testname2.testdom2",
2017 FLAG_MOD_REPLACE, "dNSHostName")
2020 res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2021 scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2022 self.assertTrue(len(res) == 1)
2023 self.assertFalse("servicePrincipalName" in res[0])
2025 self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2028 if not "://" in host:
2029 if os.path.isfile(host):
2030 host = "tdb://%s" % host
2032 host = "ldap://%s" % host
2034 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
2035 if not "tdb://" in host:
2036 gc_ldb = Ldb("%s:3268" % host, credentials=creds,
2037 session_info=system_session(), lp=lp)
2041 runner = SubunitTestRunner()
2043 if not runner.run(unittest.makeSuite(SamTests)).wasSuccessful():