self.lockout2ntlm_ldb,
initial_logoncount_relation="equal")
- def __test_login_lockout(self, creds):
- username = creds.get_username()
- userpass = creds.get_password()
- userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
-
- use_kerberos = creds.get_kerberos_state()
- # This unlocks by waiting for account_lockout_duration
- if use_kerberos == MUST_USE_KERBEROS:
- logoncount_relation = 'greater'
- lastlogon_relation = 'greater'
- print "Performs a lockout attempt against LDAP using Kerberos"
- else:
- logoncount_relation = 'equal'
- lastlogon_relation = 'equal'
- print "Performs a lockout attempt against LDAP using NTLM"
-
- # Change password on a connection as another user
- res = self._check_account(userdn,
- badPwdCount=0,
- badPasswordTime=("greater", 0),
- logonCount=(logoncount_relation, 0),
- lastLogon=("greater", 0),
- lastLogonTimestamp=("greater", 0),
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0)
- badPasswordTime = int(res[0]["badPasswordTime"][0])
- logonCount = int(res[0]["logonCount"][0])
- lastLogon = int(res[0]["lastLogon"][0])
- firstLogon = lastLogon
- lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0])
- print firstLogon
- print lastLogonTimestamp
-
-
- self.assertGreater(lastLogon, badPasswordTime)
- self.assertGreaterEqual(lastLogon, lastLogonTimestamp)
-
- # Open a second LDB connection with the user credentials. Use the
- # command line credentials for informations like the domain, the realm
- # and the workstation.
- creds_lockout = self.insta_creds(creds)
-
- # The wrong password
- creds_lockout.set_password("thatsAcomplPASS1x")
-
- self.assertLoginFailure(host_url, creds_lockout, lp)
-
- res = self._check_account(userdn,
- badPwdCount=1,
- badPasswordTime=("greater", badPasswordTime),
- logonCount=logonCount,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0,
- msg='lastlogontimestamp with wrong password')
- badPasswordTime = int(res[0]["badPasswordTime"][0])
-
- # Correct old password
- creds_lockout.set_password(userpass)
-
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
-
- # lastLogonTimestamp should not change
- # lastLogon increases if badPwdCount is non-zero (!)
- res = self._check_account(userdn,
- badPwdCount=0,
- badPasswordTime=badPasswordTime,
- logonCount=(logoncount_relation, logonCount),
- lastLogon=('greater', lastLogon),
- lastLogonTimestamp=lastLogonTimestamp,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0,
- msg='LLTimestamp is updated to lastlogon')
-
- logonCount = int(res[0]["logonCount"][0])
- lastLogon = int(res[0]["lastLogon"][0])
- self.assertGreater(lastLogon, badPasswordTime)
- self.assertGreaterEqual(lastLogon, lastLogonTimestamp)
-
- # The wrong password
- creds_lockout.set_password("thatsAcomplPASS1x")
-
- self.assertLoginFailure(host_url, creds_lockout, lp)
-
- res = self._check_account(userdn,
- badPwdCount=1,
- badPasswordTime=("greater", badPasswordTime),
- logonCount=logonCount,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0)
- badPasswordTime = int(res[0]["badPasswordTime"][0])
-
- # The wrong password
- creds_lockout.set_password("thatsAcomplPASS1x")
-
- try:
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
- self.fail()
-
- except LdbError, (num, msg):
- self.assertEquals(num, ERR_INVALID_CREDENTIALS)
-
- res = self._check_account(userdn,
- badPwdCount=2,
- badPasswordTime=("greater", badPasswordTime),
- logonCount=logonCount,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0)
- badPasswordTime = int(res[0]["badPasswordTime"][0])
-
- print "two failed password change"
-
- # The wrong password
- creds_lockout.set_password("thatsAcomplPASS1x")
-
- try:
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
- self.fail()
-
- except LdbError, (num, msg):
- self.assertEquals(num, ERR_INVALID_CREDENTIALS)
-
- res = self._check_account(userdn,
- badPwdCount=3,
- badPasswordTime=("greater", badPasswordTime),
- logonCount=logonCount,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- lockoutTime=("greater", badPasswordTime),
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
- badPasswordTime = int(res[0]["badPasswordTime"][0])
- lockoutTime = int(res[0]["lockoutTime"][0])
-
- # The wrong password
- creds_lockout.set_password("thatsAcomplPASS1x")
- try:
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
- self.fail()
- except LdbError, (num, msg):
- self.assertEquals(num, ERR_INVALID_CREDENTIALS)
-
- res = self._check_account(userdn,
- badPwdCount=3,
- badPasswordTime=badPasswordTime,
- logonCount=logonCount,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- lockoutTime=lockoutTime,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
-
- # The wrong password
- creds_lockout.set_password("thatsAcomplPASS1x")
- try:
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
- self.fail()
- except LdbError, (num, msg):
- self.assertEquals(num, ERR_INVALID_CREDENTIALS)
-
- res = self._check_account(userdn,
- badPwdCount=3,
- badPasswordTime=badPasswordTime,
- logonCount=logonCount,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- lockoutTime=lockoutTime,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
-
- # The correct password, but we are locked out
- creds_lockout.set_password(userpass)
- try:
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
- self.fail()
- except LdbError, (num, msg):
- self.assertEquals(num, ERR_INVALID_CREDENTIALS)
-
- res = self._check_account(userdn,
- badPwdCount=3,
- badPasswordTime=badPasswordTime,
- logonCount=logonCount,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- lockoutTime=lockoutTime,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=dsdb.UF_LOCKOUT)
-
- # wait for the lockout to end
- time.sleep(self.account_lockout_duration + 1)
- print self.account_lockout_duration + 1
-
- res = self._check_account(userdn,
- badPwdCount=3, effective_bad_password_count=0,
- badPasswordTime=badPasswordTime,
- logonCount=logonCount,
- lockoutTime=lockoutTime,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0)
-
- # The correct password after letting the timeout expire
-
- creds_lockout.set_password(userpass)
-
- creds_lockout2 = self.insta_creds(creds_lockout)
-
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout2, lp=lp)
- time.sleep(3)
-
- res = self._check_account(userdn,
- badPwdCount=0,
- badPasswordTime=badPasswordTime,
- logonCount=(logoncount_relation, logonCount),
- lastLogon=(lastlogon_relation, lastLogon),
- lastLogonTimestamp=lastLogonTimestamp,
- lockoutTime=0,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0,
- msg="lastLogon is way off")
-
- logonCount = int(res[0]["logonCount"][0])
- lastLogon = int(res[0]["lastLogon"][0])
-
- # The wrong password
- creds_lockout.set_password("thatsAcomplPASS1x")
- try:
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
- self.fail()
- except LdbError, (num, msg):
- self.assertEquals(num, ERR_INVALID_CREDENTIALS)
-
- res = self._check_account(userdn,
- badPwdCount=1,
- badPasswordTime=("greater", badPasswordTime),
- logonCount=logonCount,
- lockoutTime=0,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0)
- badPasswordTime = int(res[0]["badPasswordTime"][0])
-
- # The wrong password
- creds_lockout.set_password("thatsAcomplPASS1x")
- try:
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
- self.fail()
- except LdbError, (num, msg):
- self.assertEquals(num, ERR_INVALID_CREDENTIALS)
-
- res = self._check_account(userdn,
- badPwdCount=2,
- badPasswordTime=("greater", badPasswordTime),
- logonCount=logonCount,
- lockoutTime=0,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0)
- badPasswordTime = int(res[0]["badPasswordTime"][0])
-
- time.sleep(self.lockout_observation_window + 1)
-
- res = self._check_account(userdn,
- badPwdCount=2, effective_bad_password_count=0,
- badPasswordTime=badPasswordTime,
- logonCount=logonCount,
- lockoutTime=0,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0)
-
- # The wrong password
- creds_lockout.set_password("thatsAcomplPASS1x")
- try:
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
- self.fail()
- except LdbError, (num, msg):
- self.assertEquals(num, ERR_INVALID_CREDENTIALS)
-
- res = self._check_account(userdn,
- badPwdCount=1,
- badPasswordTime=("greater", badPasswordTime),
- logonCount=logonCount,
- lockoutTime=0,
- lastLogon=lastLogon,
- lastLogonTimestamp=lastLogonTimestamp,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0)
- badPasswordTime = int(res[0]["badPasswordTime"][0])
-
- # The correct password without letting the timeout expire
- creds_lockout.set_password(userpass)
- ldb_lockout = SamDB(url=host_url, credentials=creds_lockout, lp=lp)
-
- res = self._check_account(userdn,
- badPwdCount=0,
- badPasswordTime=badPasswordTime,
- logonCount=(logoncount_relation, logonCount),
- lockoutTime=0,
- lastLogon=("greater", lastLogon),
- lastLogonTimestamp=lastLogonTimestamp,
- userAccountControl=
- dsdb.UF_NORMAL_ACCOUNT,
- msDSUserAccountControlComputed=0)
-
-
def test_login_lockout_krb5(self):
self._test_login_lockout(self.lockout1krb5_creds)