auth/credentials/tests/bind.py

   1 #!/usr/bin/env python
   2 # -*- coding: utf-8 -*-
   3 # This is unit with tests for LDAP access checks
   4
   5 from __future__ import print_function
   6 import optparse
   7 import sys
   8 import base64
   9 import copy
  10
  11 sys.path.insert(0, "bin/python")
  12 import samba
  13 from samba.tests.subunitrun import SubunitOptions, TestProgram
  14
  15 import samba.getopt as options
  16
  17 from ldb import SCOPE_BASE, SCOPE_SUBTREE
  18
  19 from samba import gensec
  20 import samba.tests
  21 from samba.tests import delete_force
  22 from samba.credentials import Credentials
  23
  24 def create_credential(lp, other):
  25     c = Credentials()
  26     c.guess(lp)
  27     c.set_gensec_features(other.get_gensec_features())
  28     return c
  29
  30 parser = optparse.OptionParser("ldap [options] <host>")
  31 sambaopts = options.SambaOptions(parser)
  32 parser.add_option_group(sambaopts)
  33
  34 # use command line creds if available
  35 credopts = options.CredentialsOptions(parser)
  36 parser.add_option_group(credopts)
  37 subunitopts = SubunitOptions(parser)
  38 parser.add_option_group(subunitopts)
  39 opts, args = parser.parse_args()
  40
  41 if len(args) < 1:
  42     parser.print_usage()
  43     sys.exit(1)
  44
  45 host = args[0]
  46 lp = sambaopts.get_loadparm()
  47 creds = credopts.get_credentials(lp)
  48 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
  49
  50 creds_machine = create_credential(lp, creds)
  51 creds_user1 = create_credential(lp, creds)
  52 creds_user2 = create_credential(lp, creds)
  53 creds_user3 = create_credential(lp, creds)
  54 creds_user4 = create_credential(lp, creds)
  55
  56 class BindTests(samba.tests.TestCase):
  57
  58     info_dc = None
  59
  60     def setUp(self):
  61         super(BindTests, self).setUp()
  62         # fetch rootDSEs
  63
  64         self.ldb = samba.tests.connect_samdb(host, credentials=creds, lp=lp, ldap_only=True)
  65
  66         if self.info_dc is None:
  67             res = self.ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
  68             self.assertEquals(len(res), 1)
  69             BindTests.info_dc = res[0]
  70         # cache some of RootDSE props
  71         self.schema_dn = self.info_dc["schemaNamingContext"][0]
  72         self.domain_dn = self.info_dc["defaultNamingContext"][0]
  73         self.config_dn = self.info_dc["configurationNamingContext"][0]
  74         self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn
  75         self.password = "P@ssw0rd"
  76         self.username = "BindTestUser"
  77
  78     def tearDown(self):
  79         super(BindTests, self).tearDown()
  80
  81     def test_computer_account_bind(self):
  82         # create a computer acocount for the test
  83         delete_force(self.ldb, self.computer_dn)
  84         self.ldb.add_ldif("""
  85 dn: """ + self.computer_dn + """
  86 cn: CENTOS53
  87 displayName: CENTOS53$
  88 name: CENTOS53
  89 sAMAccountName: CENTOS53$
  90 countryCode: 0
  91 objectClass: computer
  92 objectClass: organizationalPerson
  93 objectClass: person
  94 objectClass: top
  95 objectClass: user
  96 codePage: 0
  97 userAccountControl: 4096
  98 dNSHostName: centos53.alabala.test
  99 operatingSystemVersion: 5.2 (3790)
 100 operatingSystem: Windows Server 2003
 101 """)
 102         self.ldb.modify_ldif("""
 103 dn: """ + self.computer_dn + """
 104 changetype: modify
 105 replace: unicodePwd
 106 unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode('utf8') + """
 107 """)
 108
 109         # do a simple bind and search with the machine account
 110         creds_machine.set_bind_dn(self.computer_dn)
 111         creds_machine.set_password(self.password)
 112         print("BindTest with: " + creds_machine.get_bind_dn())
 113         ldb_machine = samba.tests.connect_samdb(host, credentials=creds_machine,
 114                                                 lp=lp, ldap_only=True)
 115         res = ldb_machine.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 116
 117     def test_user_account_bind(self):
 118         # create user
 119         self.ldb.newuser(username=self.username, password=self.password)
 120         ldb_res = self.ldb.search(base=self.domain_dn,
 121                                   scope=SCOPE_SUBTREE,
 122                                   expression="(samAccountName=%s)" % self.username)
 123         self.assertEquals(len(ldb_res), 1)
 124         user_dn = ldb_res[0]["dn"]
 125         self.addCleanup(delete_force, self.ldb, user_dn)
 126
 127         # do a simple bind and search with the user account in format user@realm
 128         creds_user1.set_bind_dn(self.username + "@" + creds.get_realm())
 129         creds_user1.set_password(self.password)
 130         print("BindTest with: " + creds_user1.get_bind_dn())
 131         ldb_user1 = samba.tests.connect_samdb(host, credentials=creds_user1,
 132                                               lp=lp, ldap_only=True)
 133         res = ldb_user1.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 134
 135         # do a simple bind and search with the user account in format domain\user
 136         creds_user2.set_bind_dn(creds.get_domain() + "\\" + self.username)
 137         creds_user2.set_password(self.password)
 138         print("BindTest with: " + creds_user2.get_bind_dn())
 139         ldb_user2 = samba.tests.connect_samdb(host, credentials=creds_user2,
 140                                               lp=lp, ldap_only=True)
 141         res = ldb_user2.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 142
 143         # do a simple bind and search with the user account DN
 144         creds_user3.set_bind_dn(str(user_dn))
 145         creds_user3.set_password(self.password)
 146         print("BindTest with: " + creds_user3.get_bind_dn())
 147         ldb_user3 = samba.tests.connect_samdb(host, credentials=creds_user3,
 148                                               lp=lp, ldap_only=True)
 149         res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 150
 151     def test_user_account_bind_no_domain(self):
 152         # create user
 153         self.ldb.newuser(username=self.username, password=self.password)
 154         ldb_res = self.ldb.search(base=self.domain_dn,
 155                                   scope=SCOPE_SUBTREE,
 156                                   expression="(samAccountName=%s)" % self.username)
 157         self.assertEquals(len(ldb_res), 1)
 158         user_dn = ldb_res[0]["dn"]
 159         self.addCleanup(delete_force, self.ldb, user_dn)
 160
 161         creds_user4.set_username(self.username)
 162         creds_user4.set_password(self.password)
 163         creds_user4.set_domain('')
 164         creds_user4.set_workstation('')
 165         print("BindTest (no domain) with: " + self.username)
 166         try:
 167             ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4,
 168                                                   lp=lp, ldap_only=True)
 169         except:
 170             self.fail("Failed to connect without the domain set")
 171
 172         res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 173
 174
 175 TestProgram(module=__name__, opts=subunitopts)