REVIEW/RUN selftest: Add test for password lockout
authorAndrew Bartlett <abartlet@samba.org>
Sun, 24 Nov 2013 21:03:05 +0000 (10:03 +1300)
committerStefan Metzmacher <metze@samba.org>
Fri, 21 Mar 2014 14:43:38 +0000 (15:43 +0100)
Change-Id: Ia690b83f82b5ad7b02b203ffdecd2e05066b6711
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/tests/python/password_lockout.py [new file with mode: 0755]
source4/selftest/tests.py

diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py
new file mode 100755 (executable)
index 0000000..e42f97f
--- /dev/null
@@ -0,0 +1,1055 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# This tests the password changes over LDAP for AD implementations
+#
+# Copyright Matthias Dieter Wallnoefer 2010
+# Copyright Andrew Bartlett 2013
+#
+# Notice: This tests will also work against Windows Server if the connection is
+# secured enough (SASL with a minimum of 128 Bit encryption) - consider
+# MS-ADTS 3.1.1.3.1.5
+
+import optparse
+import sys
+import base64
+import time
+import os
+
+sys.path.insert(0, "bin/python")
+import samba
+samba.ensure_external_module("testtools", "testtools")
+samba.ensure_external_module("subunit", "subunit/python")
+
+import samba.getopt as options
+
+from samba.auth import system_session
+from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS
+from ldb import SCOPE_BASE, LdbError
+from ldb import ERR_ATTRIBUTE_OR_VALUE_EXISTS
+from ldb import ERR_UNWILLING_TO_PERFORM, ERR_INSUFFICIENT_ACCESS_RIGHTS
+from ldb import ERR_NO_SUCH_ATTRIBUTE
+from ldb import ERR_CONSTRAINT_VIOLATION
+from ldb import ERR_INVALID_CREDENTIALS
+from ldb import Message, MessageElement, Dn
+from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
+from samba import gensec, dsdb
+from samba.samdb import SamDB
+import samba.tests
+from samba.tests import delete_force
+from subunit.run import SubunitTestRunner
+import unittest
+from samba.dcerpc import security, samr
+from samba.ndr import ndr_unpack
+
+parser = optparse.OptionParser("passwords.py [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+opts, args = parser.parse_args()
+
+if len(args) < 1:
+    parser.print_usage()
+    sys.exit(1)
+
+host = args[0]
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+# Force an encrypted connection
+creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
+
+#
+# Tests start here
+#
+
+class PasswordTests(samba.tests.TestCase):
+
+    def setUp(self):
+        super(PasswordTests, self).setUp()
+        self.ldb = ldb
+        self.base_dn = ldb.domain_dn()
+
+        # (Re)adds the test user "testuser" with no password atm
+        delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
+        self.ldb.add({
+             "dn": "cn=testuser,cn=users," + self.base_dn,
+             "objectclass": "user",
+             "sAMAccountName": "testuser"})
+
+        # Tests a password change when we don't have any password yet with a
+        # wrong old password
+        try:
+            self.ldb.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+userPassword: noPassword
+add: userPassword
+userPassword: thatsAcomplPASS2
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+            # Windows (2008 at least) seems to have some small bug here: it
+            # returns "0000056A" on longer (always wrong) previous passwords.
+            self.assertTrue('00000056' in msg)
+
+        # Sets the initial user password with a "special" password change
+        # I think that this internally is a password set operation and it can
+        # only be performed by someone which has password set privileges on the
+        # account (at least in s4 we do handle it like that).
+        self.ldb.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+add: userPassword
+userPassword: thatsAcomplPASS1
+""")
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "1")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        # Enables the user account
+        self.ldb.enable_account("(sAMAccountName=testuser)")
+
+        # Open a second LDB connection with the user credentials. Use the
+        # command line credentials for informations like the domain, the realm
+        # and the workstation.
+        creds2 = Credentials()
+        creds2.set_username("testuser")
+        creds2.set_password("thatsAcomplPASS1")
+        creds2.set_domain(creds.get_domain())
+        creds2.set_realm(creds.get_realm())
+        creds2.set_workstation(creds.get_workstation())
+        creds2.set_gensec_features(creds2.get_gensec_features()
+                                                          | gensec.FEATURE_SEAL)
+
+        self.ldb2 = SamDB(url=host_url, credentials=creds2, lp=lp)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "0")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+     # (Re)adds the test user "testuser3" with no password atm
+        delete_force(self.ldb, "cn=testuser3,cn=users," + self.base_dn)
+        self.ldb.add({
+             "dn": "cn=testuser3,cn=users," + self.base_dn,
+             "objectclass": "user",
+             "sAMAccountName": "testuser3"})
+
+        # Tests a password change when we don't have any password yet with a
+        # wrong old password
+        try:
+            self.ldb.modify_ldif("""
+dn: cn=testuser3,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+userPassword: noPassword
+add: userPassword
+userPassword: thatsAcomplPASS2
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+            # Windows (2008 at least) seems to have some small bug here: it
+            # returns "0000056A" on longer (always wrong) previous passwords.
+            self.assertTrue('00000056' in msg)
+
+        # Sets the initial user password with a "special" password change
+        # I think that this internally is a password set operation and it can
+        # only be performed by someone which has password set privileges on the
+        # account (at least in s4 we do handle it like that).
+        self.ldb.modify_ldif("""
+dn: cn=testuser3,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+add: userPassword
+userPassword: thatsAcomplPASS1
+""")
+
+        # Enables the user account
+        self.ldb.enable_account("(sAMAccountName=testuser3)")
+
+        # Open a second LDB connection with the user credentials. Use the
+        # command line credentials for informations like the domain, the realm
+        # and the workstation.
+        creds3 = Credentials()
+        creds3.set_username("testuser3")
+        creds3.set_password("thatsAcomplPASS1")
+        creds3.set_domain(creds.get_domain())
+        creds3.set_realm(creds.get_realm())
+        creds3.set_workstation(creds.get_workstation())
+        creds3.set_gensec_features(creds3.get_gensec_features()
+                                                          | gensec.FEATURE_SEAL)
+        self.ldb3 = SamDB(url=host_url, credentials=creds3, lp=lp)
+
+
+        self.samr = samr.samr("ncacn_ip_tcp:%s[sign]" % host, lp, creds)
+        self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
+        self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, security.dom_sid(self.ldb.get_domain_sid()))
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["objectSid"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("objectSid" in res[0])
+        (domain_sid, self.rid) = ndr_unpack( security.dom_sid,res[0]["objectSid"][0]).split()
+        self.assertEquals(security.dom_sid(self.ldb.get_domain_sid()), domain_sid)
+
+        self.samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid)
+
+    def test_userPassword_lockout_with_clear_change(self):
+        print "Performs a password cleartext change operation on 'userPassword'"
+        # Notice: This works only against Windows if "dSHeuristics" has been set
+        # properly
+
+        # Change password on a connection as another user
+
+        # Wrong old password
+        try:
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+userPassword: thatsAcomplPASS1x
+add: userPassword
+userPassword: thatsAcomplPASS2
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertTrue('00000056' in msg)
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "1")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+
+        # Correct old password
+        self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+userPassword: thatsAcomplPASS1
+add: userPassword
+userPassword: thatsAcomplPASS2
+""")
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "1")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        # Wrong old password
+        try:
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+userPassword: thatsAcomplPASS1x
+add: userPassword
+userPassword: thatsAcomplPASS2
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertTrue('00000056' in msg)
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "2")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        print "two failed password change"
+
+        # Wrong old password
+        try:
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+userPassword: thatsAcomplPASS1x
+add: userPassword
+userPassword: thatsAcomplPASS2
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertTrue('00000056' in msg)
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("lockoutTime" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        # Wrong old password
+        try:
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+userPassword: thatsAcomplPASS1x
+add: userPassword
+userPassword: thatsAcomplPASS2
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+            self.assertTrue('00000775' in msg)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        # Wrong old password
+        try:
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+userPassword: thatsAcomplPASS1x
+add: userPassword
+userPassword: thatsAcomplPASS2
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+            self.assertTrue('00000775' in msg)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        try:
+            # Correct old password
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+userPassword: thatsAcomplPASS2
+add: userPassword
+userPassword: thatsAcomplPASS2x
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+            self.assertTrue('0000775' in msg)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+
+        # Now reset the password, which does NOT change the lockout!
+        self.ldb.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+replace: userPassword
+userPassword: thatsAcomplPASS2
+""")
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("lockoutTime" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        try:
+            # Correct old password
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: userPassword
+userPassword: thatsAcomplPASS2
+add: userPassword
+userPassword: thatsAcomplPASS2x
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+            self.assertTrue('0000775' in msg)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("lockoutTime" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        lockoutTime = res[0]["lockoutTime"][0]
+
+        m = Message()
+        m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
+        m["userAccountControl"] = MessageElement(
+          str(dsdb.UF_LOCKOUT),
+          FLAG_MOD_REPLACE, "userAccountControl")
+
+        self.ldb.modify(m)
+
+        # This shows that setting the UF_LOCKOUT flag makes no difference
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime", "userAccountControl"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertTrue("lockoutTime"in res[0])
+        self.assertEquals(res[0]["lockoutTime"][0], str(lockoutTime))
+        self.assertTrue("userAccountControl" in res[0])
+        self.assertTrue(int(res[0]["userAccountControl"][0]) & dsdb.UF_NORMAL_ACCOUNT == dsdb.UF_NORMAL_ACCOUNT)
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        # This shows that setting the UF_LOCKOUT flag makes no difference
+        try:
+            # Correct old password
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le')) + """
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+            self.assertTrue('0000775' in msg)
+
+
+    def test_unicodePwd_lockout_with_clear_change(self):
+        print "Performs a password cleartext change operation on 'unicodePwd'"
+        # Notice: This works only against Windows if "dSHeuristics" has been set
+        # properly
+
+        # Change password on a connection as another user
+
+        # Wrong old password
+        try:
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertTrue('00000056' in msg)
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "1")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        # Correct old password
+        self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+""")
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "1")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        # Wrong old password
+        try:
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertTrue('00000056' in msg)
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+        self.assertEquals(res[0]["badPwdCount"][0], "2")
+
+        print "two failed password change"
+
+        # Wrong old password
+        try:
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertTrue('00000056' in msg)
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertTrue("lockoutTime" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        # Wrong old password
+        try:
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+            self.assertTrue('00000775' in msg)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertTrue("lockoutTime" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+
+        # Wrong old password
+        try:
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1x\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+            self.assertTrue('00000775' in msg)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        try:
+            # Correct old password
+            self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le')) + """
+""")
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+            self.assertTrue('0000775' in msg)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("lockoutTime" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid)
+
+        acb_info = self.samr.QueryUserInfo(samr_user, 16)
+        self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL| samr.ACB_AUTOLOCK)
+
+        acb_info.acct_flags = samr.ACB_NORMAL
+
+        # Now reset the lockout, by removing ACB_AUTOLOCK (which removes the lock, despite being a generated attribute)
+        self.samr.SetUserInfo(samr_user, 16, acb_info)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed", "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("lockoutTime" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "0")
+        self.assertEquals(res[0]["lockoutTime"][0], "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        # Correct old password
+        self.ldb3.modify_ldif("""
+dn: cn=testuser,cn=users,""" + self.base_dn + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2x\"".encode('utf-16-le')) + """
+""")
+
+    def _test_login_lockout(self, use_kerberos):
+        print "Performs a lockout attempt against LDAP using NTLM"
+
+        # Change password on a connection as another user
+
+        # Open a second LDB connection with the user credentials. Use the
+        # command line credentials for informations like the domain, the realm
+        # and the workstation.
+        creds_lockout = Credentials()
+        creds_lockout.set_username("testuser")
+        creds_lockout.set_domain(creds.get_domain())
+        creds_lockout.set_realm(creds.get_realm())
+        creds_lockout.set_workstation(creds.get_workstation())
+        creds_lockout.set_gensec_features(creds_lockout.get_gensec_features()
+                                          | gensec.FEATURE_SEAL)
+        creds_lockout.set_kerberos_state(use_kerberos)
+
+        # The wrong password
+        creds_lockout.set_password("thatsAcomplPASS1x")
+
+        try:
+            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "1")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        # Correct old password
+        creds_lockout.set_password("thatsAcomplPASS1")
+
+        ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "0")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        # The wrong password
+        creds_lockout.set_password("thatsAcomplPASS1x")
+
+        try:
+            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "1")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        # The wrong password
+        creds_lockout.set_password("thatsAcomplPASS1x")
+
+        try:
+            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+            self.fail()
+
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "2")
+        self.assertTrue("lockoutTime" not in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        print "two failed password change"
+
+        # The wrong password
+        creds_lockout.set_password("thatsAcomplPASS1x")
+
+        try:
+            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+            self.fail()
+
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("lockoutTime" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        # The wrong password
+        creds_lockout.set_password("thatsAcomplPASS1x")
+        try:
+            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("lockoutTime" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        # The wrong password
+        creds_lockout.set_password("thatsAcomplPASS1x")
+        try:
+            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertTrue("lockoutTime" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        # The correct password
+        creds_lockout.set_password("thatsAcomplPASS1")
+        try:
+            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "3")
+        self.assertNotEquals(res[0]["lockoutTime"][0], "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), dsdb.UF_LOCKOUT)
+
+        samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid)
+
+        acb_info = self.samr.QueryUserInfo(samr_user, 16)
+        self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL| samr.ACB_AUTOLOCK)
+
+        time.sleep(account_lockout_duration + 1)
+
+        # The correct password after letting the timeout expire
+        creds_lockout.set_password("thatsAcomplPASS1")
+        ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "0")
+        self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid)
+
+        acb_info = self.samr.QueryUserInfo(samr_user, 16)
+        self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL)
+
+        # The wrong password
+        creds_lockout.set_password("thatsAcomplPASS1x")
+        try:
+            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "1")
+        self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        # The wrong password
+        creds_lockout.set_password("thatsAcomplPASS1x")
+        try:
+            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "2")
+        self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        time.sleep(lockout_observation_window + 1)
+
+        # The wrong password
+        creds_lockout.set_password("thatsAcomplPASS1x")
+        try:
+            ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+            self.fail()
+        except LdbError, (num, msg):
+            self.assertEquals(num, ERR_INVALID_CREDENTIALS)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "1")
+        self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        # The correct password without letting the timeout expire
+        creds_lockout.set_password("thatsAcomplPASS1")
+        ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
+
+        res = ldb.search("cn=testuser,cn=users," + self.base_dn,
+                         scope=SCOPE_BASE, attrs=["badPwdCount", "msDS-User-Account-Control-Computed",
+                                                  "lockoutTime"])
+        self.assertTrue(len(res) == 1)
+        self.assertTrue("badPwdCount" in res[0])
+        self.assertTrue("msDS-User-Account-Control-Computed" in res[0])
+        self.assertEquals(res[0]["badPwdCount"][0], "0")
+        self.assertTrue("lockoutTime" not in res[0] or res[0]["lockoutTime"][0] == "0")
+        self.assertEquals(int(res[0]["msDS-User-Account-Control-Computed"][0]), 0)
+
+        samr_user = self.samr.OpenUser(self.samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, self.rid)
+
+        acb_info = self.samr.QueryUserInfo(samr_user, 16)
+        self.assertEquals(acb_info.acct_flags, samr.ACB_NORMAL)
+
+
+    def test_login_lockout_ntlm(self):
+        self._test_login_lockout(DONT_USE_KERBEROS)
+
+
+    def test_login_lockout_kerberos(self):
+        self._test_login_lockout(MUST_USE_KERBEROS)
+
+
+    def tearDown(self):
+        super(PasswordTests, self).tearDown()
+        delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
+        delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn)
+        delete_force(self.ldb, "cn=testuser3,cn=users," + self.base_dn)
+        # Close the second LDB connection (with the user credentials)
+        self.ldb2 = None
+
+host_url = "ldap://%s" % host
+
+ldb = SamDB(url=host_url, session_info=system_session(lp), credentials=creds, lp=lp)
+
+# Gets back the basedn
+base_dn = ldb.domain_dn()
+
+# Gets back the configuration basedn
+configuration_dn = ldb.get_config_basedn().get_linearized()
+
+# Get the old "dSHeuristics" if it was set
+dsheuristics = ldb.get_dsheuristics()
+
+res = ldb.search(base_dn,
+                 scope=SCOPE_BASE, attrs=["lockoutDuration", "lockOutObservationWindow", "lockoutThreshold"])
+
+if "lockoutDuration" in res[0]:
+    lockoutDuration = res[0]["lockoutDuration"][0]
+else:
+    lockoutDuration = 0
+
+if "lockoutObservationWindow" in res[0]:
+    lockoutObservationWindow = res[0]["lockoutObservationWindow"][0]
+else:
+    lockoutObservationWindow = 0
+
+if "lockoutThreshold" in res[0]:
+    lockoutThreshold = res[0]["lockoutThreshold"][0]
+else:
+    lockoutTreshold = 0
+
+m = Message()
+m.dn = Dn(ldb, base_dn)
+
+account_lockout_duration = 10
+account_lockout_duration_ticks = -int(account_lockout_duration * (1e7))
+
+m["lockoutDuration"] = MessageElement(str(account_lockout_duration_ticks),
+                                      FLAG_MOD_REPLACE, "lockoutDuration")
+
+account_lockout_threshold = 3
+m["lockoutThreshold"] = MessageElement(str(account_lockout_threshold),
+                                       FLAG_MOD_REPLACE, "lockoutThreshold")
+
+lockout_observation_window = 5
+lockout_observation_window_ticks = -int(lockout_observation_window * (1e7))
+
+m["lockOutObservationWindow"] = MessageElement(str(lockout_observation_window_ticks),
+                                               FLAG_MOD_REPLACE, "lockOutObservationWindow")
+
+ldb.modify(m)
+
+# Set the "dSHeuristics" to activate the correct "userPassword" behaviour
+ldb.set_dsheuristics("000000001")
+
+# Get the old "minPwdAge"
+minPwdAge = ldb.get_minPwdAge()
+
+# Set it temporarely to "0"
+ldb.set_minPwdAge("0")
+
+runner = SubunitTestRunner()
+rc = 0
+if not runner.run(unittest.makeSuite(PasswordTests)).wasSuccessful():
+    rc = 1
+
+# Reset the "dSHeuristics" as they were before
+ldb.set_dsheuristics(dsheuristics)
+
+# Reset the "minPwdAge" as it was before
+ldb.set_minPwdAge(minPwdAge)
+
+ldb.modify_ldif("""
+dn: """ + base_dn + """
+changetype: modify
+replace: lockoutDuration
+lockoutDuration: """ + str(lockoutDuration) + """
+replace: lockoutObservationWindow
+lockoutObservationWindow: """ + str(lockoutObservationWindow) + """
+replace: lockoutThreshold
+lockoutThreshold: """ + str(lockoutThreshold) + """
+""")
+
+sys.exit(rc)
index b3a7d214e5dbea90627e46167e7535fda8b4b6ac..364292fb33d00f26b852a1457325041acb98a94a 100755 (executable)
@@ -441,6 +441,7 @@ for env in ["dc", "fl2000dc", "fl2003dc", "fl2008r2dc"]:
         # isn't available on DCs with Windows 2000 domain function level -
         # therefore skip it in that configuration
         plantestsuite("samba4.ldap.passwords.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/tests/python/passwords.py"), "$SERVER", '-U"$USERNAME%$PASSWORD"', "-W$DOMAIN"])
+        plantestsuite("samba4.ldap.password_lockout.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/tests/python/password_lockout.py"), "$SERVER", '-U"$USERNAME%$PASSWORD"', "-W$DOMAIN", "--realm=$REALM"])
 
 planpythontestsuite("dc:local", "samba.tests.upgradeprovisionneeddc")
 planpythontestsuite("plugin_s4_dc:local", "samba.tests.posixacl")