REVIEW/RUN selftest: Add test for password lockout

[metze/samba/wip.git] / source4 / dsdb / tests / python / password_lockout.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This tests the password changes over LDAP for AD implementations
#
# Copyright Matthias Dieter Wallnoefer 2010
# Copyright Andrew Bartlett 2013
#
# Notice: This tests will also work against Windows Server if the connection is
# secured enough (SASL with a minimum of 128 Bit encryption) - consider
# MS-ADTS 3.1.1.3.1.5

import optparse
import sys
import base64
import time
import os

sys.path.insert(0, "bin/python")
import samba
samba.ensure_external_module("testtools", "testtools")
samba.ensure_external_module("subunit", "subunit/python")

import samba.getopt as options

from samba.auth import system_session
from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
from ldb import SCOPE_BASE, LdbError
from ldb import ERR_ATTRIBUTE_OR_VALUE_EXISTS
from ldb import ERR_UNWILLING_TO_PERFORM, ERR_INSUFFICIENT_ACCESS_RIGHTS
from ldb import ERR_NO_SUCH_ATTRIBUTE
from ldb import ERR_CONSTRAINT_VIOLATION
from ldb import ERR_INVALID_CREDENTIALS
from ldb import Message, MessageElement, Dn
from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
from samba import gensec, dsdb
from samba.samdb import SamDB
import samba.tests
from samba.tests import delete_force
from subunit.run import SubunitTestRunner
import unittest
from samba.dcerpc import security, samr
from samba.ndr import ndr_unpack

parser = optparse.OptionParser("passwords.py [options] <host>")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
# use command line creds if available
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
opts, args = parser.parse_args()

if len(args) < 1:
    parser.print_usage()
    sys.exit(1)

host = args[0]

lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)

# Force an encrypted connection
creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)

#
# Tests start here
#

class PasswordTests(samba.tests.TestCase):

    def setUp(self):
        super(PasswordTests, self).setUp()
        self.ldb = ldb
        self.base_dn = ldb.domain_dn()

        # (Re)adds the test user "testuser" with no password atm
        delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
        self.ldb.add({
             "dn": "cn=testuser,cn=users," + self.base_dn,
             "objectclass": "user",
             "sAMAccountName": "testuser"})

        # Tests a password change when we don't have any password yet with a
        # wrong old password
        try:
            self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: noPassword
add: userPassword
userPassword: thatsAcomplPASS2
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            # Windows (2008 at least) seems to have some small bug here: it
            # returns "0000056A" on longer (always wrong) previous passwords.
            self.assertTrue('00000056' in msg)

        # Sets the initial user password with a "special" password change
        # I think that this internally is a password set operation and it can
        # only be performed by someone which has password set privileges on the
        # account (at least in s4 we do handle it like that).
        self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
""")

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "1")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        # Enables the user account
        self.ldb.enable_account("(sAMAccountName=testuser)")

        # Open a second LDB connection with the user credentials. Use the
        # command line credentials for informations like the domain, the realm
        # and the workstation.
        creds2 = Credentials()
        creds2.set_username("testuser")
        creds2.set_password("thatsAcomplPASS1")
        creds2.set_domain(creds.get_domain())
        creds2.set_realm(creds.get_realm())
        creds2.set_workstation(creds.get_workstation())
        creds2.set_gensec_features(creds2.get_gensec_features()
                                                          | gensec.FEATURE_SEAL)

        self.ldb2 = SamDB(url=host_url, credentials=creds2, lp=lp)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "0")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

     # (Re)adds the test user "testuser3" with no password atm
        delete_force(self.ldb, "cn=testuser3,cn=users," + self.base_dn)
        self.ldb.add({
             "dn": "cn=testuser3,cn=users," + self.base_dn,
             "objectclass": "user",
             "sAMAccountName": "testuser3"})

        # Tests a password change when we don't have any password yet with a
        # wrong old password
        try:
            self.ldb.modify_ldif("""
dn: cn=testuser3,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: noPassword
add: userPassword
userPassword: thatsAcomplPASS2
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            # Windows (2008 at least) seems to have some small bug here: it
            # returns "0000056A" on longer (always wrong) previous passwords.
            self.assertTrue('00000056' in msg)

        # Sets the initial user password with a "special" password change
        # I think that this internally is a password set operation and it can
        # only be performed by someone which has password set privileges on the
        # account (at least in s4 we do handle it like that).
        self.ldb.modify_ldif("""
dn: cn=testuser3,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
""")

        # Enables the user account
        self.ldb.enable_account("(sAMAccountName=testuser3)")

        # Open a second LDB connection with the user credentials. Use the
        # command line credentials for informations like the domain, the realm
        # and the workstation.
        creds3 = Credentials()
        creds3.set_username("testuser3")
        creds3.set_password("thatsAcomplPASS1")
        creds3.set_domain(creds.get_domain())
        creds3.set_realm(creds.get_realm())
        creds3.set_workstation(creds.get_workstation())
        creds3.set_gensec_features(creds3.get_gensec_features()
                                                          | gensec.FEATURE_SEAL)
        self.ldb3 = SamDB(url=host_url, credentials=creds3, lp=lp)


        self.samr = samr.samr("ncacn_ip_tcp:%s[sign]" % host, lp, creds)
        self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
        self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, security.dom_sid(self.ldb.get_domain_sid()))

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["objectSid"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("objectSid" in res[0])
        (domain_sid, self.rid) = ndr_unpack( security.dom_sid,res[0]["objectSid"][0]).split()
        self.assertEquals(security.dom_sid(self.ldb.get_domain_sid()), domain_sid)

        self.samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid)

    def test_userPassword_lockout_with_clear_change(self):
        print "Performs a password cleartext change operation on 'userPassword'"
        # Notice: This works only against Windows if "dSHeuristics" has been set
        # properly

        # Change password on a connection as another user

        # Wrong old password
        try:
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS1x
add: userPassword
userPassword: thatsAcomplPASS2
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertTrue('00000056' in msg)
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "1")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)


        # Correct old password
        self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS1
add: userPassword
userPassword: thatsAcomplPASS2
""")

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "1")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        # Wrong old password
        try:
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS1x
add: userPassword
userPassword: thatsAcomplPASS2
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertTrue('00000056' in msg)
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "2")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        print "two failed password change"

        # Wrong old password
        try:
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS1x
add: userPassword
userPassword: thatsAcomplPASS2
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertTrue('00000056' in msg)
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("lockoutTime" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        # Wrong old password
        try:
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS1x
add: userPassword
userPassword: thatsAcomplPASS2
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            self.assertTrue('00000775' in msg)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        # Wrong old password
        try:
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS1x
add: userPassword
userPassword: thatsAcomplPASS2
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            self.assertTrue('00000775' in msg)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        try:
            # Correct old password
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS2
add: userPassword
userPassword: thatsAcomplPASS2x
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            self.assertTrue('0000775' in msg)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)


        # Now reset the password, which does NOT change the lockout!
        self.ldb.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
replace: userPassword
userPassword: thatsAcomplPASS2
""")

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("lockoutTime" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        try:
            # Correct old password
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS2
add: userPassword
userPassword: thatsAcomplPASS2x
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            self.assertTrue('0000775' in msg)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("lockoutTime" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        lockoutTime = res[0]["lockoutTime"][0]

        m = Message()
        m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
        m["userAccountControl"] = MessageElement(
          str(dsdb.UF_LOCKOUT),
          FLAG_MOD_REPLACE, "userAccountControl")

        self.ldb.modify(m)

        # This shows that setting the UF_LOCKOUT flag makes no difference
        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime", "userAccountControl"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertTrue("lockoutTime"in res[0])
        self.assertEquals(res[0]["lockoutTime"][0], str(lockoutTime))
        self.assertTrue("userAccountControl" in res[0])
        self.assertTrue(int(res[0]["userAccountControl"][0]) & dsdb.UF_NORMAL_ACCOUNT == dsdb.UF_NORMAL_ACCOUNT)
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        # This shows that setting the UF_LOCKOUT flag makes no difference
        try:
            # Correct old password
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
add: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le')) + """
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            self.assertTrue('0000775' in msg)


    def test_unicodePwd_lockout_with_clear_change(self):
        print "Performs a password cleartext change operation on 'unicodePwd'"
        # Notice: This works only against Windows if "dSHeuristics" has been set
        # properly

        # Change password on a connection as another user

        # Wrong old password
        try:
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """
add: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertTrue('00000056' in msg)
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "1")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        # Correct old password
        self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """
add: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
""")

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "1")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        # Wrong old password
        try:
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """
add: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertTrue('00000056' in msg)
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
        self.assertEquals(res[0]["badPwdCount"][0], "2")

        print "two failed password change"

        # Wrong old password
        try:
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """
add: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertTrue('00000056' in msg)
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertTrue("lockoutTime" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        # Wrong old password
        try:
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """
add: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            self.assertTrue('00000775' in msg)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertTrue("lockoutTime" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)


        # Wrong old password
        try:
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """
add: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            self.assertTrue('00000775' in msg)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        try:
            # Correct old password
            self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
add: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le')) + """
""")
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
            self.assertTrue('0000775' in msg)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("lockoutTime" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid)

        acb_info = self.samr.QueryUserInfo(samr_user, 16)
        self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL| samr.ACB_AUTOLOCK)

        acb_info.acct_flags = samr.ACB_NORMAL

        # Now reset the lockout, by removing ACB_AUTOLOCK (which removes the lock, despite being a generated attribute)
        self.samr.SetUserInfo(samr_user, 16, acb_info)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("lockoutTime" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "0")
        self.assertEquals(res[0]["lockoutTime"][0], "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        # Correct old password
        self.ldb3.modify_ldif("""
dn: cn=testuser,cn=users,""" + self.base_dn + """
changetype: modify
delete: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
add: unicodePwd
unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le')) + """
""")

    def _test_login_lockout(self, use_kerberos):
        print "Performs a lockout attempt against LDAP using NTLM"

        # Change password on a connection as another user

        # Open a second LDB connection with the user credentials. Use the
        # command line credentials for informations like the domain, the realm
        # and the workstation.
        creds_lockout = Credentials()
        creds_lockout.set_username("testuser")
        creds_lockout.set_domain(creds.get_domain())
        creds_lockout.set_realm(creds.get_realm())
        creds_lockout.set_workstation(creds.get_workstation())
        creds_lockout.set_gensec_features(creds_lockout.get_gensec_features()
                                          | gensec.FEATURE_SEAL)
        creds_lockout.set_kerberos_state(use_kerberos)

        # The wrong password
        creds_lockout.set_password("thatsAcomplPASS1x")

        try:
            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)

        except LdbError, (num, msg):
            self.assertEquals(num, ERR_INVALID_CREDENTIALS)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "1")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        # Correct old password
        creds_lockout.set_password("thatsAcomplPASS1")

        ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "0")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        # The wrong password
        creds_lockout.set_password("thatsAcomplPASS1x")

        try:
            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)

        except LdbError, (num, msg):
            self.assertEquals(num, ERR_INVALID_CREDENTIALS)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "1")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        # The wrong password
        creds_lockout.set_password("thatsAcomplPASS1x")

        try:
            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
            self.fail()

        except LdbError, (num, msg):
            self.assertEquals(num, ERR_INVALID_CREDENTIALS)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "2")
        self.assertTrue("lockoutTime" not in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        print "two failed password change"

        # The wrong password
        creds_lockout.set_password("thatsAcomplPASS1x")

        try:
            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
            self.fail()

        except LdbError, (num, msg):
            self.assertEquals(num, ERR_INVALID_CREDENTIALS)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("lockoutTime" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        # The wrong password
        creds_lockout.set_password("thatsAcomplPASS1x")
        try:
            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_INVALID_CREDENTIALS)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("lockoutTime" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        # The wrong password
        creds_lockout.set_password("thatsAcomplPASS1x")
        try:
            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_INVALID_CREDENTIALS)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertTrue("lockoutTime" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        # The correct password
        creds_lockout.set_password("thatsAcomplPASS1")
        try:
            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_INVALID_CREDENTIALS)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "3")
        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)

        samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid)

        acb_info = self.samr.QueryUserInfo(samr_user, 16)
        self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL| samr.ACB_AUTOLOCK)

        time.sleep(account_lockout_duration + 1)

        # The correct password after letting the timeout expire
        creds_lockout.set_password("thatsAcomplPASS1")
        ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "0")
        self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid)

        acb_info = self.samr.QueryUserInfo(samr_user, 16)
        self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL)

        # The wrong password
        creds_lockout.set_password("thatsAcomplPASS1x")
        try:
            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_INVALID_CREDENTIALS)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "1")
        self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        # The wrong password
        creds_lockout.set_password("thatsAcomplPASS1x")
        try:
            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_INVALID_CREDENTIALS)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "2")
        self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        time.sleep(lockout_observation_window + 1)

        # The wrong password
        creds_lockout.set_password("thatsAcomplPASS1x")
        try:
            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
            self.fail()
        except LdbError, (num, msg):
            self.assertEquals(num, ERR_INVALID_CREDENTIALS)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "1")
        self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        # The correct password without letting the timeout expire
        creds_lockout.set_password("thatsAcomplPASS1")
        ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)

        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
                                                  "lockoutTime"])
        self.assertTrue(len(res) == 1)
        self.assertTrue("badPwdCount" in res[0])
        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
        self.assertEquals(res[0]["badPwdCount"][0], "0")
        self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0")
        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)

        samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid)

        acb_info = self.samr.QueryUserInfo(samr_user, 16)
        self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL)


    def test_login_lockout_ntlm(self):
        self._test_login_lockout(DONT_USE_KERBEROS)


    def test_login_lockout_kerberos(self):
        self._test_login_lockout(MUST_USE_KERBEROS)


    def tearDown(self):
        super(PasswordTests, self).tearDown()
        delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
        delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn)
        delete_force(self.ldb, "cn=testuser3,cn=users," + self.base_dn)
        # Close the second LDB connection (with the user credentials)
        self.ldb2 = None

host_url = "ldap://%s" % host

ldb = SamDB(url=host_url, session_info=system_session(lp), credentials=creds, lp=lp)

# Gets back the basedn
base_dn = ldb.domain_dn()

# Gets back the configuration basedn
configuration_dn = ldb.get_config_basedn().get_linearized()

# Get the old "dSHeuristics" if it was set
dsheuristics = ldb.get_dsheuristics()

res = ldb.search(base_dn,
                 scope=SCOPE_BASE, attrs=["lockoutDuration", "lockOutObservationWindow", "lockoutThreshold"])

if "lockoutDuration" in res[0]:
    lockoutDuration = res[0]["lockoutDuration"][0]
else:
    lockoutDuration = 0

if "lockoutObservationWindow" in res[0]:
    lockoutObservationWindow = res[0]["lockoutObservationWindow"][0]
else:
    lockoutObservationWindow = 0

if "lockoutThreshold" in res[0]:
    lockoutThreshold = res[0]["lockoutThreshold"][0]
else:
    lockoutTreshold = 0

m = Message()
m.dn = Dn(ldb, base_dn)

account_lockout_duration = 10
account_lockout_duration_ticks = -int(account_lockout_duration * (1e7))

m["lockoutDuration"] = MessageElement(str(account_lockout_duration_ticks),
                                      FLAG_MOD_REPLACE, "lockoutDuration")

account_lockout_threshold = 3
m["lockoutThreshold"] = MessageElement(str(account_lockout_threshold),
                                       FLAG_MOD_REPLACE, "lockoutThreshold")

lockout_observation_window = 5
lockout_observation_window_ticks = -int(lockout_observation_window * (1e7))

m["lockOutObservationWindow"] = MessageElement(str(lockout_observation_window_ticks),
                                               FLAG_MOD_REPLACE, "lockOutObservationWindow")

ldb.modify(m)

# Set the "dSHeuristics" to activate the correct "userPassword" behaviour
ldb.set_dsheuristics("000000001")

# Get the old "minPwdAge"
minPwdAge = ldb.get_minPwdAge()

# Set it temporarely to "0"
ldb.set_minPwdAge("0")

runner = SubunitTestRunner()
rc = 0
if not runner.run(unittest.makeSuite(PasswordTests)).wasSuccessful():
    rc = 1

# Reset the "dSHeuristics" as they were before
ldb.set_dsheuristics(dsheuristics)

# Reset the "minPwdAge" as it was before
ldb.set_minPwdAge(minPwdAge)

ldb.modify_ldif("""
dn: """ + base_dn + """
changetype: modify
replace: lockoutDuration
lockoutDuration: """ + str(lockoutDuration) + """
replace: lockoutObservationWindow
lockoutObservationWindow: """ + str(lockoutObservationWindow) + """
replace: lockoutThreshold
lockoutThreshold: """ + str(lockoutThreshold) + """
""")

sys.exit(rc)