test: Add a test for "deny ous"

Not a comprehensive test for all possible combinations, but it shows
the basic functionality, and it found a bug in the initial
implementation :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
index 9becbb63d328c9fc0b0ca2f74938742f0003e71d..7ae112ada71a937ebf06554309185e5c003df818 100755 (executable)
--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -80,6 +80,20 @@ dn: CN=Domain Admins,CN=Users,$BASE_DN
 changetype: modify
 add: gidNumber
 gidNumber: 2000002
+
+dn: ou=sub,$BASE_DN
+changetype: add
+objectClass: organizationalUnit
+
+dn: cn=forbidden,ou=sub,$BASE_DN
+changetype: add
+objectClass: user
+samaccountName: forbidden
+uidNumber: 2000003
+gidNumber: 2000001
+unixHomeDirectory: /home/forbidden
+loginShell: /bin/tcsh
+gecos: User in forbidden OU
 EOF
 
 #
@@ -143,6 +157,20 @@ test "$out" = "$DOMAIN_SID-512"
 ret=$?
 testit "Test gid lookup of Domain Admins" test $ret -eq 0 || failed=$(expr $failed + 1)
 
+#
+# Test 5: Make sure deny_ou is really denied
+# This depends on the "deny ous" setting in Samba3.pm
+#
+
+sid="$($wbinfo -n $DOMAIN/forbidden | awk '{print $1}')"
+testit "Could create forbidden" test -n "$sid" || failed=$(expr $failed + 1)
+if [ -n "$sid" ]
+then
+    uid="$($wbinfo --sid-to-uid $sid)"
+    testit "Can not resolve forbidden user" test -z "$uid" ||
+       failed=$(($failed + 1))
+fi
+
 #
 # Trusted domain test 1: Test uid of Administrator, should be 2500000
 #
@@ -209,6 +237,12 @@ dn: CN=Domain Admins,CN=Users,$BASE_DN
 changetype: modify
 delete: gidNumber
 gidNumber: 2000002
+
+dn: cn=forbidden,ou=sub,$BASE_DN
+changetype: delete
+
+dn: ou=sub,$BASE_DN
+changetype: delete
 EOF
 
 #

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 15b13f2920f9ed4758bbfc6ab681760ddfd0c406..b4fa99c738885ecadac8d3cd72c9cae170c8dc47 100755 (executable)
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1390,6 +1390,7 @@ sub setup_ad_member_idmap_ad
        idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
        idmap config $dcvars->{DOMAIN} : unix_primary_group = yes
        idmap config $dcvars->{DOMAIN} : unix_nss_info = yes
+       idmap config $dcvars->{DOMAIN} : deny ous = \"ou=sub,DC=samba2008r2,DC=example,DC=com\"
        idmap config $dcvars->{TRUST_DOMAIN} : backend = ad
        idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
        gensec_gssapi:requested_life_time = 5