2 # -*- coding: utf-8 -*-
3 # This is unit with PPD tests
12 sys.path.append("bin/python")
13 sys.path.append("../lib/subunit/python")
15 import samba.getopt as options
17 # Some error messages that are being tested
18 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
19 from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM
20 from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
22 # For running the test unit
23 from samba.ndr import ndr_pack, ndr_unpack
24 from samba.dcerpc import security
26 from samba.auth import system_session
28 from subunit import SubunitTestRunner
31 parser = optparse.OptionParser("ldap [options] <host>")
32 sambaopts = options.SambaOptions(parser)
33 parser.add_option_group(sambaopts)
34 parser.add_option_group(options.VersionOptions(parser))
36 # use command line creds if available
37 credopts = options.CredentialsOptions(parser)
38 parser.add_option_group(credopts)
39 opts, args = parser.parse_args()
47 lp = sambaopts.get_loadparm()
48 creds = credopts.get_credentials(lp)
54 class AclTests(unittest.TestCase):
56 def delete_force(self, ldb, dn):
59 except LdbError, (num, _):
60 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
62 def find_basedn(self, ldb):
63 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
64 attrs=["defaultNamingContext"])
65 self.assertEquals(len(res), 1)
66 return res[0]["defaultNamingContext"][0]
68 def find_domain_sid(self, ldb):
69 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
70 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
74 self.base_dn = self.find_basedn(self.ldb_admin)
75 self.domain_sid = self.find_domain_sid(self.ldb_admin)
76 print "baseDN: %s" % self.base_dn
77 self.SAMBA = False; self.WIN = False
78 res = self.ldb_admin.search(base="",expression="", scope=SCOPE_BASE,
80 if res and "vendorName" in res[0].keys() and res[0]["vendorName"][0].find("Samba Team") != -1:
85 # Modify acluser1 & acluser2 to be excluded from 'Doamin Admin' group
88 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
91 member: """ + self.get_user_dn("acluser1")
92 self.ldb_admin.modify_ldif(ldif)
94 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
97 member: """ + self.get_user_dn("acluser2")
98 self.ldb_admin.modify_ldif(ldif)
99 except LdbError, (num, _):
100 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) # LDAP_ENTRY_ALREADY_EXISTS
104 self.delete_force(self.ldb_admin, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
105 self.delete_force(self.ldb_admin, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
106 self.delete_force(self.ldb_admin, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
107 self.delete_force(self.ldb_admin, "OU=test_add_ou1," + self.base_dn)
109 self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
110 self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
111 self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
113 self.delete_force(self.ldb_admin, "CN=test_search_user1,OU=test_search_ou1," + self.base_dn)
114 self.delete_force(self.ldb_admin, "OU=test_search_ou1," + self.base_dn)
116 self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user1"))
118 self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
119 self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
120 self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
121 self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
123 self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou2," + self.base_dn)
124 self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou2," + self.base_dn)
125 self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou2," + self.base_dn)
126 self.delete_force(self.ldb_admin, "OU=test_rename_ou2," + self.base_dn)
128 self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn)
129 self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou1," + self.base_dn)
130 self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn)
131 self.delete_force(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn)
133 def get_user_dn(self, name):
134 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
136 def modify_desc(self, object_dn, desc):
137 """ Modify security descriptor using either SDDL string
138 or security.descriptor object
140 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
142 dn: """ + object_dn + """
144 replace: nTSecurityDescriptor
146 if isinstance(desc, str):
147 mod += "nTSecurityDescriptor: %s" % desc
148 elif isinstance(desc, security.descriptor):
149 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
150 self.ldb_admin.modify_ldif(mod)
152 # Everything below is used in case of emergency or
153 # double modify verification of some sort
154 assert(isinstance(desc, security.descriptor))
156 f = open(fn, "w"); f.write(mod); f.close()
157 cmd = "ldapmodify -x -h %s -D %s -w %s -f %s" \
158 % (host[7:], self.get_user_dn(creds.get_username()), creds.get_password(), fn)
159 return os.system( cmd ) == 0
161 def add_group_member(self, _ldb, group_dn, member_dn):
162 """ Modify user to ge member of a group
163 e.g. User to be 'Doamin Admin' group member
166 dn: """ + group_dn + """
169 member: """ + member_dn
170 _ldb.modify_ldif(ldif)
172 def create_ou(self, _ldb, ou_dn, desc=None):
175 "ou" : ou_dn.split(",")[0][3:],
176 "objectClass" : "organizationalUnit",
177 "url" : "www.bbc.co.uk",
180 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
181 if isinstance(desc, str):
182 ldif += "nTSecurityDescriptor: %s" % desc
183 elif isinstance(desc, security.descriptor):
184 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
187 def create_user(self, _ldb, user_dn, desc=None):
190 "sAMAccountName" : user_dn.split(",")[0][3:],
191 "objectClass" : "user",
192 "userPassword" : "samba123@",
193 "url" : "www.bbc.co.uk",
196 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
197 if isinstance(desc, str):
198 ldif += "nTSecurityDescriptor: %s" % desc
199 elif isinstance(desc, security.descriptor):
200 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
203 def create_group(self, _ldb, group_dn, desc=None):
206 "objectClass" : "group",
207 "sAMAccountName" : group_dn.split(",")[0][3:],
209 "url" : "www.bbc.co.uk",
212 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
213 if isinstance(desc, str):
214 ldif += "nTSecurityDescriptor: %s" % desc
215 elif isinstance(desc, security.descriptor):
216 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
219 def read_desc(self, object_dn):
220 res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, ["nTSecurityDescriptor"])
221 desc = res[0]["nTSecurityDescriptor"][0]
222 return ndr_unpack( security.descriptor, desc )
224 def enable_account(self, user_dn):
225 """Enable an account.
226 :param user_dn: Dn of the account to enable.
228 res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
230 userAccountControl = res[0]["userAccountControl"][0]
231 userAccountControl = int(userAccountControl)
232 if (userAccountControl & 0x2):
233 userAccountControl = userAccountControl & ~0x2 # remove disabled bit
234 if (userAccountControl & 0x20):
235 userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
237 dn: """ + user_dn + """
239 replace: userAccountControl
240 userAccountControl: %s""" % userAccountControl
242 mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
243 self.ldb_admin.modify_ldif(mod)
245 def get_ldb_connection(self, target_username, target_password):
246 username_save = creds.get_username(); password_save = creds.get_password()
247 creds.set_username(target_username)
248 creds.set_password(target_password)
249 ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
250 creds.set_username(username_save); creds.set_password(password_save)
253 def get_object_sid(self, object_dn):
254 res = self.ldb_admin.search(object_dn)
255 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
257 def dacl_add_ace(self, object_dn, ace):
258 desc = self.read_desc( object_dn )
259 desc_sddl = desc.as_sddl( self.domain_sid )
262 if desc_sddl.find("(") >= 0:
263 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
265 desc_sddl = desc_sddl + ace
266 self.modify_desc(object_dn, desc_sddl)
268 def get_desc_sddl(self, object_dn):
269 """ Return object nTSecutiryDescriptor in SDDL format
271 desc = self.read_desc(object_dn)
272 return desc.as_sddl(self.domain_sid)
276 def test_add_domainadmin_notowner(self):
277 """ 1 Testing OU with the rights of Doman Admin not creator of the OU """
278 # Creating simple user
280 # Create domain admin that will be creator of OU parent-child structure
281 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
282 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
283 self.enable_account(self.get_user_dn("acluser1"))
284 # Create second domain admin that will not be creator of OU parent-child structure
285 self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
286 self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
287 self.enable_account(self.get_user_dn("acluser2"))
288 # Test if we have any additional groups for users than default ones
290 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
291 % self.get_user_dn("acluser1") )
293 self.assertEqual( res[0]["memberOf"][0], "" )
298 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
299 % self.get_user_dn("acluser2") )
301 self.assertEqual( res[0]["memberOf"][0], "" )
306 # Modify acluser1 & acluser2 to be 'Doamin Admin' group member
307 self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
308 self.get_user_dn("acluser1"))
309 self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
310 self.get_user_dn("acluser2"))
311 # Create LDAP connection with OUs crator domain admin credentials
312 ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
313 # Create LDAP connection with second domain admin credentials that is not creator of the OUs
314 ldb_notowner = self.get_ldb_connection("acluser2", "samba123@")
315 # Make sure top OU is deleted (and so everything under it)
316 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
317 % ("OU=test_add_ou1", self.base_dn) )
318 self.assertEqual( res, [] )
319 # Change descriptor for top level OU
320 self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
321 self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
322 user_sid = self.get_object_sid(self.get_user_dn("acluser2"))
323 mod = "(D;CI;WPCC;;;%s)" % str(user_sid)
324 self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
325 # Test user and group creation with another domain admin's credentials
326 self.create_user(ldb_notowner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
327 self.create_group(ldb_notowner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
328 # Make sure we HAVE created the two objects -- user and group
329 # !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE
330 # !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere
331 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
332 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
333 self.assertTrue( len(res) > 0 )
334 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
335 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
336 self.assertTrue( len(res) > 0 )
338 def test_add_regular_user(self):
339 """ 2 Testing OU with the regular user that has no rights granted over the OU """
340 # Creating simple user
342 # Create domain admin that will be creator of OU parent-child structure
343 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
344 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
345 self.enable_account(self.get_user_dn("acluser1"))
346 # Create regular user that will not be creator of OU parent-child structure
347 self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
348 self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
349 self.enable_account(self.get_user_dn("acluser2"))
350 # Test if we have any additional groups for users than default ones
352 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
353 % self.get_user_dn("acluser1") )
355 self.assertEqual( res[0]["memberOf"][0], "" )
360 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
361 % self.get_user_dn("acluser2") )
363 self.assertEqual( res[0]["memberOf"][0], "" )
368 # Modify acluser1 to be 'Doamin Admin' group member
369 self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
370 self.get_user_dn("acluser1"))
371 # Create LDAP connection with OUs crator domain admin credentials
372 ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
373 # Create LDAP connection with a regular user that has the right 'Crate child User objects'
374 ldb_user = self.get_ldb_connection("acluser2", "samba123@")
375 # Make sure top OU is deleted (and so everything under it)
376 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
377 % ("OU=test_add_ou1", self.base_dn) )
378 self.assertEqual( res, [] )
379 # Create a parent-child OU structure with domain admin credentials
380 self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
381 self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
382 # Test user and group creation with regular user credentials
384 self.create_user(ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
385 self.create_group(ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
386 except LdbError, (num, _):
387 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
390 # Make sure we HAVEN'T created any of two objects -- user or group
391 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
392 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
393 self.assertEqual( res, [])
394 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
395 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
396 self.assertEqual( res, [])
398 def test_add_granted_user(self):
399 """ 3 Testing OU with the rights of regular user granted the right 'Create User child objects' """
400 # Creating simple user
402 # Create domain admin that will be creator of OU parent-child structure
403 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
404 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
405 self.enable_account(self.get_user_dn("acluser1"))
406 # Create second domain admin that will not be creator of OU parent-child structure
407 self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
408 self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
409 self.enable_account(self.get_user_dn("acluser2"))
410 # Test if we have any additional groups for users than default ones
412 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
413 % self.get_user_dn("acluser1") )
415 self.assertEqual( res[0]["memberOf"][0], "" )
420 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
421 % self.get_user_dn("acluser2") )
423 self.assertEqual( res[0]["memberOf"][0], "" )
428 # Modify acluser1 to be 'Doamin Admin' group member
429 self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
430 self.get_user_dn("acluser1"))
431 # Create LDAP connection with OUs crator domain admin credentials
432 ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
433 # Create LDAP connection with a regular user that has the right 'Crate child User objects'
434 ldb_guser = self.get_ldb_connection("acluser2", "samba123@")
435 # Make sure top OU is deleted (and so everything under it)
436 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
437 % ("OU=test_add_ou1", self.base_dn) )
438 self.assertEqual( res, [] )
439 # Change descriptor for top level OU
440 self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
441 user_sid = self.get_object_sid(self.get_user_dn("acluser2"))
442 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
443 self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
444 self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
445 # Test user and group creation with granted user only to one of the objects
446 self.create_user(ldb_guser, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
448 self.create_group(ldb_guser, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
449 except LdbError, (num, _):
450 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
453 # Make sure we HAVE created the one of two objects -- user
454 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
455 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
456 self.assertNotEqual( len(res), 0 )
457 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
458 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
459 self.assertEqual( res, [])
461 def test_add_domainadmin_owner(self):
462 """ 4 Testing OU with the rights of Doman Admin creator of the OU"""
465 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
466 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
467 self.enable_account(self.get_user_dn("acluser1"))
468 # Test if we have any additional groups for user than default
470 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
471 % self.get_user_dn("acluser1") )
473 self.assertEqual( res[0]["memberOf"][0], "" )
478 # Modify acluser1 to be 'Doamin Admin' group member
479 self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
480 self.get_user_dn("acluser1"))
481 # Create LDAP connection with OUs crator domain admin credentials
482 ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
483 # Make sure top OU is deleted (and so everything under it)
484 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
485 % ("OU=test_add_ou1", self.base_dn) )
486 self.assertEqual( res, [] )
487 self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
488 self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
489 self.create_user(ldb_owner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
490 self.create_group(ldb_owner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
491 # Make sure we have successfully created the two objects -- user and group
492 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
493 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
494 self.assertTrue( len(res) > 0 )
495 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
496 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
497 self.assertTrue( len(res) > 0 )
499 def test_modify_u1(self):
500 """5 Modify one attribute if you have DS_WRITE_PROPERTY for it"""
503 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
504 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
505 self.enable_account(self.get_user_dn("acluser1"))
507 # Test if we have any additional groups for user than default
509 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
510 % self.get_user_dn("acluser1") )
512 self.assertEqual( res[0]["memberOf"][0], "" )
517 # Create user connectiona that we will test with
518 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
519 # First test object -- User
520 print "Testing modify on User object"
521 self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
522 self.create_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
523 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
524 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
525 self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
527 dn: """ + self.get_user_dn("test_modify_user1") + """
530 displayName: test_changed"""
531 ldb_user.modify_ldif(ldif)
532 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
533 % self.get_user_dn("test_modify_user1") )
534 self.assertEqual(res[0]["displayName"][0], "test_changed")
535 # Second test object -- Group
536 print "Testing modify on Group object"
537 self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
538 self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
539 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
540 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
541 self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
543 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
546 displayName: test_changed"""
547 ldb_user.modify_ldif(ldif)
548 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
549 % str("CN=test_modify_group1,CN=Users," + self.base_dn) )
550 self.assertEqual(res[0]["displayName"][0], "test_changed")
551 # Second test object -- Organizational Unit
552 print "Testing modify on OU object"
553 self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
554 self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
555 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
556 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
557 self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
559 dn: OU=test_modify_ou1,""" + self.base_dn + """
562 displayName: test_changed"""
563 ldb_user.modify_ldif(ldif)
564 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
565 % str("OU=test_modify_ou1," + self.base_dn) )
566 self.assertEqual(res[0]["displayName"][0], "test_changed")
568 def test_modify_u2(self):
569 """6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them"""
572 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
573 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
574 self.enable_account(self.get_user_dn("acluser1"))
575 # Test if we have any additional groups for user than default
577 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
578 % self.get_user_dn("acluser1") )
580 self.assertEqual( res[0]["memberOf"][0], "" )
585 # Create user connectiona that we will test with
586 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
587 # First test object -- User
588 print "Testing modify on User object"
589 self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
590 self.create_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
591 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
592 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
593 self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
594 # Modify on attribute you have rights for
596 dn: """ + self.get_user_dn("test_modify_user1") + """
599 displayName: test_changed"""
600 ldb_user.modify_ldif(ldif)
601 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
602 % self.get_user_dn("test_modify_user1") )
603 self.assertEqual(res[0]["displayName"][0], "test_changed")
604 # Modify on attribute you do not have rights for granted
606 dn: """ + self.get_user_dn("test_modify_user1") + """
609 url: www.samba.org"""
611 ldb_user.modify_ldif(ldif)
612 except LdbError, (num, _):
613 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
615 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
617 # Second test object -- Group
618 print "Testing modify on Group object"
619 self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
620 self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
621 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
622 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
623 self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
625 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
628 displayName: test_changed"""
629 ldb_user.modify_ldif(ldif)
630 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
631 % str("CN=test_modify_group1,CN=Users," + self.base_dn) )
632 self.assertEqual(res[0]["displayName"][0], "test_changed")
633 # Modify on attribute you do not have rights for granted
635 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
638 url: www.samba.org"""
640 ldb_user.modify_ldif(ldif)
641 except LdbError, (num, _):
642 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
644 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
646 # Second test object -- Organizational Unit
647 print "Testing modify on OU object"
648 self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
649 self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
650 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
651 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
652 self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
654 dn: OU=test_modify_ou1,""" + self.base_dn + """
657 displayName: test_changed"""
658 ldb_user.modify_ldif(ldif)
659 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
660 % str("OU=test_modify_ou1," + self.base_dn) )
661 self.assertEqual(res[0]["displayName"][0], "test_changed")
662 # Modify on attribute you do not have rights for granted
664 dn: OU=test_modify_ou1,""" + self.base_dn + """
667 url: www.samba.org"""
669 ldb_user.modify_ldif(ldif)
670 except LdbError, (num, _):
671 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
673 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
676 def test_modify_u3(self):
677 """7 Modify one attribute as you have no what so ever rights granted"""
680 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
681 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
682 self.enable_account(self.get_user_dn("acluser1"))
684 # Test if we have any additional groups for user than default
686 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
687 % self.get_user_dn("acluser1") )
689 self.assertEqual( res[0]["memberOf"][0], "" )
694 # Create user connectiona that we will test with
695 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
697 # First test object -- User
698 print "Testing modify on User object"
699 self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
700 self.create_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
701 # Modify on attribute you do not have rights for granted
703 dn: """ + self.get_user_dn("test_modify_user1") + """
706 url: www.samba.org"""
708 ldb_user.modify_ldif(ldif)
709 except LdbError, (num, _):
710 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
712 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
715 # Second test object -- Group
716 print "Testing modify on Group object"
717 self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
718 self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
719 # Modify on attribute you do not have rights for granted
721 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
724 url: www.samba.org"""
726 ldb_user.modify_ldif(ldif)
727 except LdbError, (num, _):
728 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
730 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
733 # Second test object -- Organizational Unit
734 print "Testing modify on OU object"
735 self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
736 self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
737 # Modify on attribute you do not have rights for granted
739 dn: OU=test_modify_ou1,""" + self.base_dn + """
742 url: www.samba.org"""
744 ldb_user.modify_ldif(ldif)
745 except LdbError, (num, _):
746 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
748 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
752 def test_modify_u4(self):
753 """11 Grant WP to PRINCIPAL_SELF and test modify"""
756 self.delete_force(self.ldb_admin, self.get_user_dn("acluser3"))
757 self.create_user(self.ldb_admin, self.get_user_dn("acluser3"))
758 self.enable_account(self.get_user_dn("acluser3"))
759 # Test if we have any additional groups for user than default
761 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
762 % self.get_user_dn("acluser3") )
764 self.assertEqual( res[0]["memberOf"][0], "" )
769 # Create user connection that we will test with
770 ldb_user = self.get_ldb_connection("acluser3", "samba123@")
772 dn: """ + self.get_user_dn("acluser3") + """
774 add: adminDescription
775 adminDescription: blah blah blah"""
777 ldb_user.modify_ldif(ldif)
778 except LdbError, (num, _):
779 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
781 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
784 mod = "(OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS)"
785 self.dacl_add_ace(self.get_user_dn("acluser3"), mod)
786 # Modify on attribute you have rights for
787 ldb_user.modify_ldif(ldif)
788 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
789 % self.get_user_dn("acluser3"), attrs=["adminDescription"] )
790 self.assertEqual(res[0]["adminDescription"][0], "blah blah blah")
792 #enable these when we have search implemented
793 def _test_search_u1(self):
794 """See if can prohibit user to read another User object"""
795 # Creating simple user to search with
797 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
798 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
799 self.enable_account(self.get_user_dn("acluser1"))
800 ou_dn = "OU=test_search_ou1," + self.base_dn
801 user_dn = "CN=test_search_user1," + ou_dn
803 self.delete_force(self.ldb_admin, ou_dn)
804 self.create_ou(self.ldb_admin, ou_dn)
805 desc = self.read_desc( ou_dn )
806 desc_sddl = desc.as_sddl( self.domain_sid )
807 # Parse descriptor's SDDL and remove all inherited ACEs reffering
808 # to 'Registered Users' or 'Authenticated Users'
809 desc_aces = re.findall("\(.*?\)", desc_sddl)
810 for ace in desc_aces:
811 if ("I" in ace) and (("RU" in ace) or ("AU" in ace)):
812 desc_sddl = desc_sddl.replace(ace, "")
813 # Add 'P' in the DACL so it breaks further inheritance
814 desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(")
815 # Create a security descriptor object and OU with that descriptor
816 desc = security.descriptor.from_sddl( desc_sddl, self.domain_sid )
817 self.delete_force(self.ldb_admin, ou_dn)
818 self.create_ou(self.ldb_admin, ou_dn, desc)
820 self.delete_force(self.ldb_admin, user_dn)
821 self.create_user(self.ldb_admin, user_dn)
822 desc = self.read_desc( user_dn )
823 desc_sddl = desc.as_sddl( self.domain_sid )
824 # Parse security descriptor SDDL and remove all 'Read' ACEs
826 desc_aces = re.findall("\(.*?\)", desc_sddl)
827 for ace in desc_aces:
828 if ("AU" in ace) and ("R" in ace):
829 desc_sddl = desc_sddl.replace(ace, "")
830 # Create user with the edited descriptor
831 desc = security.descriptor.from_sddl( desc_sddl, self.domain_sid )
832 self.delete_force(self.ldb_admin, user_dn)
833 self.create_user(self.ldb_admin, user_dn, desc)
834 # Create user connectiona that we will test with
835 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
836 res = ldb_user.search( self.base_dn, expression="(distinguishedName=%s)" \
838 self.assertEqual( res, [] )
840 def _test_search_u2(self):
841 """User's group ACEs cleared and after that granted RIGHT_DS_READ_PROPERTY to another User object"""
842 # Creating simple user to search with
844 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
845 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
846 self.enable_account(self.get_user_dn("acluser1"))
847 ou_dn = "OU=test_search_ou1," + self.base_dn
848 user_dn = "CN=test_search_user1," + ou_dn
850 self.delete_force(self.ldb_admin, ou_dn)
851 self.create_ou(self.ldb_admin, ou_dn)
852 desc = self.read_desc( ou_dn )
853 desc_sddl = desc.as_sddl( self.domain_sid )
854 # Parse descriptor's SDDL and remove all inherited ACEs reffering
855 # to 'Registered Users' or 'Authenticated Users'
856 desc_aces = re.findall("\(.*?\)", desc_sddl)
857 for ace in desc_aces:
858 if ("I" in ace) and (("RU" in ace) or ("AU" in ace)):
859 desc_sddl = desc_sddl.replace(ace, "")
860 # Add 'P' in the DACL so it breaks further inheritance
861 desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(")
862 # Create a security descriptor object and OU with that descriptor
863 desc = security.descriptor.from_sddl( desc_sddl, self.domain_sid )
864 self.delete_force(self.ldb_admin, ou_dn)
865 self.create_ou(self.ldb_admin, ou_dn, desc)
867 self.delete_force(self.ldb_admin, user_dn)
868 self.create_user(self.ldb_admin, user_dn)
869 # Parse security descriptor SDDL and remove all 'Read' ACEs
871 desc_aces = re.findall("\(.*?\)", desc_sddl)
872 for ace in desc_aces:
873 if ("AU" in ace) and ("R" in ace):
874 desc_sddl = desc_sddl.replace(ace, "")
875 #mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)"
877 self.dacl_add_ace(user_dn, mod)
878 # Create user connectiona that we will test with
879 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
880 res = ldb_user.search( self.base_dn, expression="(distinguishedName=%s)" \
882 self.assertNotEqual( res, [] )
884 def test_delete_u1(self):
885 """User is prohibited by default to delete another User object"""
886 # Creating simple user to search with
888 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
889 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
890 self.enable_account(self.get_user_dn("acluser1"))
891 # Create user connectiona that we will test with
892 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
893 # Create user that we try to delete
894 self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user"))
895 self.create_user(self.ldb_admin, self.get_user_dn("test_delete_user"))
896 # Here delete User object should ALWAYS through exception
898 ldb_user.delete(self.get_user_dn("test_delete_user"))
899 except LdbError, (num, _):
900 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
904 def test_delete_u2(self):
905 """User's group has RIGHT_DELETE to another User object"""
906 user_dn = self.get_user_dn("test_delete_user1")
907 # Creating simple user to search with
909 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
910 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
911 self.enable_account(self.get_user_dn("acluser1"))
912 # Create user connectiona that we will test with
913 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
914 # Create user that we try to delete
915 self.delete_force(self.ldb_admin, user_dn)
916 self.create_user(self.ldb_admin, user_dn)
918 self.dacl_add_ace(user_dn, mod)
919 # Try to delete User object
920 ldb_user.delete( user_dn )
921 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
923 self.assertEqual( res, [] )
925 def test_delete_u3(self):
926 """User indentified by SID has RIGHT_DELETE to another User object"""
927 user_dn = self.get_user_dn("test_delete_user1")
928 # Creating simple user to search with
930 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
931 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
932 self.enable_account(self.get_user_dn("acluser1"))
933 # Create user connectiona that we will test with
934 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
935 # Create user that we try to delete
936 self.delete_force(self.ldb_admin, user_dn)
937 self.create_user(self.ldb_admin, user_dn)
938 mod = "(A;;SD;;;%s)" % str( self.get_object_sid(self.get_user_dn("acluser1")) )
939 self.dacl_add_ace(user_dn, mod)
940 # Try to delete User object
941 ldb_user.delete( user_dn )
942 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
944 self.assertEqual( res, [] )
946 def test_rename_u1(self):
947 """ 6 Regular user fails to rename 'User object' within single OU"""
948 # Creating simple user to search with
950 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
951 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
952 self.enable_account(self.get_user_dn("acluser1"))
953 # Create OU structure
954 self.create_ou(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn)
955 self.create_user(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn)
956 # Create user connectiona that we will test with
957 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
959 ldb_user.rename("CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn, \
960 "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn)
961 except LdbError, (num, _):
962 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
966 def test_rename_u2(self):
967 """ 7 Grant WRITE_PROPERTY to AU so regular user can rename 'User object' within single OU"""
968 ou_dn = "OU=test_rename_ou1," + self.base_dn
969 user_dn = "CN=test_rename_user1," + ou_dn
970 rename_user_dn = "CN=test_rename_user5," + ou_dn
971 # Creating simple user to search with
973 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
974 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
975 self.enable_account(self.get_user_dn("acluser1"))
976 print "Test rename with rights granted to AU"
977 # Create OU structure
978 self.create_ou(self.ldb_admin, ou_dn)
979 self.create_user(self.ldb_admin, user_dn)
981 self.dacl_add_ace(user_dn, mod)
982 # Create user connectiona that we will test with
983 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
984 # Rename 'User object' having WP to AU
985 ldb_user.rename(user_dn, rename_user_dn)
986 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
988 self.assertEqual( res, [] )
989 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
991 self.assertNotEqual( res, [] )
992 print "Test rename with rights granted to 'User object' SID"
993 # Create OU structure
994 self.delete_force(self.ldb_admin, user_dn)
995 self.delete_force(self.ldb_admin, rename_user_dn)
996 self.delete_force(self.ldb_admin, ou_dn)
997 self.create_ou(self.ldb_admin, ou_dn)
998 self.create_user(self.ldb_admin, user_dn)
999 sid = self.get_object_sid(self.get_user_dn("acluser1"))
1000 mod = "(A;;WP;;;%s)" % str(sid)
1001 self.dacl_add_ace(user_dn, mod)
1002 # Create user connectiona that we will test with
1003 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1004 # Rename 'User object' having WP to AU
1005 ldb_user.rename(user_dn, rename_user_dn)
1006 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1008 self.assertEqual( res, [] )
1009 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1011 self.assertNotEqual( res, [] )
1013 def test_rename_u3(self):
1014 """ 8 Rename 'User object' cross OU with WP, SD and CC right granted on reg. user to AU"""
1015 ou1_dn = "OU=test_rename_ou1," + self.base_dn
1016 ou2_dn = "OU=test_rename_ou2," + self.base_dn
1017 user_dn = "CN=test_rename_user2," + ou1_dn
1018 rename_user_dn = "CN=test_rename_user5," + ou2_dn
1019 # Creating simple user to search with
1021 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
1022 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
1023 self.enable_account(self.get_user_dn("acluser1"))
1024 print "Test rename with rights granted to AU"
1025 # Create OU structure
1026 self.create_ou(self.ldb_admin, ou1_dn)
1027 self.create_ou(self.ldb_admin, ou2_dn)
1028 self.create_user(self.ldb_admin, user_dn)
1029 mod = "(A;;WPSD;;;AU)"
1030 self.dacl_add_ace(user_dn, mod)
1031 mod = "(A;;CC;;;AU)"
1032 self.dacl_add_ace(ou2_dn, mod)
1033 # Create user connectiona that we will test with
1034 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1035 # Rename 'User object' having SD and CC to AU
1036 ldb_user.rename(user_dn, rename_user_dn)
1037 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1039 self.assertEqual( res, [] )
1040 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1042 self.assertNotEqual( res, [] )
1043 print "Test rename with rights granted to 'User object' SID"
1044 # Create OU structure
1045 self.delete_force(self.ldb_admin, user_dn)
1046 self.delete_force(self.ldb_admin, rename_user_dn)
1047 self.delete_force(self.ldb_admin, ou1_dn)
1048 self.delete_force(self.ldb_admin, ou2_dn)
1049 self.create_ou(self.ldb_admin, ou1_dn)
1050 self.create_ou(self.ldb_admin, ou2_dn)
1051 self.create_user(self.ldb_admin, user_dn)
1052 sid = self.get_object_sid(self.get_user_dn("acluser1"))
1053 mod = "(A;;WPSD;;;%s)" % str(sid)
1054 self.dacl_add_ace(user_dn, mod)
1055 mod = "(A;;CC;;;%s)" % str(sid)
1056 self.dacl_add_ace(ou2_dn, mod)
1057 # Create user connectiona that we will test with
1058 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1059 # Rename 'User object' having SD and CC to AU
1060 ldb_user.rename(user_dn, rename_user_dn)
1061 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1063 self.assertEqual( res, [] )
1064 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1066 self.assertNotEqual( res, [] )
1068 def test_rename_u4(self):
1069 """9 Rename 'User object' cross OU with WP, DC and CC right granted on OU & user to AU"""
1070 ou1_dn = "OU=test_rename_ou1," + self.base_dn
1071 ou2_dn = "OU=test_rename_ou2," + self.base_dn
1072 user_dn = "CN=test_rename_user2," + ou1_dn
1073 rename_user_dn = "CN=test_rename_user2," + ou2_dn
1074 # Creating simple user to search with
1076 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
1077 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
1078 self.enable_account(self.get_user_dn("acluser1"))
1079 # Create OU structure
1080 self.create_ou(self.ldb_admin, ou1_dn)
1081 self.create_ou(self.ldb_admin, ou2_dn)
1082 #mod = "(A;CI;DCWP;;;AU)"
1083 mod = "(A;;DC;;;AU)"
1084 self.dacl_add_ace(ou1_dn, mod)
1085 mod = "(A;;CC;;;AU)"
1086 self.dacl_add_ace(ou2_dn, mod)
1087 self.create_user(self.ldb_admin, user_dn)
1088 mod = "(A;;WP;;;AU)"
1089 self.dacl_add_ace(user_dn, mod)
1090 # Create user connectiona that we will test with
1091 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1092 # Rename 'User object' having SD and CC to AU
1093 ldb_user.rename(user_dn, rename_user_dn)
1094 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1096 self.assertEqual( res, [] )
1097 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1099 self.assertNotEqual( res, [] )
1101 def test_rename_u5(self):
1102 """10 Rename 'User object' cross OU (second level) with WP, DC and CC right granted on OU to AU"""
1103 ou1_dn = "OU=test_rename_ou1," + self.base_dn
1104 ou2_dn = "OU=test_rename_ou2," + self.base_dn
1105 ou3_dn = "OU=test_rename_ou3," + ou2_dn
1106 user_dn = "CN=test_rename_user2," + ou1_dn
1107 rename_user_dn = "CN=test_rename_user5," + ou3_dn
1108 # Creating simple user to search with
1110 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
1111 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
1112 self.enable_account(self.get_user_dn("acluser1"))
1113 # Create OU structure
1114 self.create_ou(self.ldb_admin, ou1_dn)
1115 self.create_ou(self.ldb_admin, ou2_dn)
1116 self.create_ou(self.ldb_admin, ou3_dn)
1117 mod = "(A;CI;WPDC;;;AU)"
1118 self.dacl_add_ace(ou1_dn, mod)
1119 mod = "(A;;CC;;;AU)"
1120 self.dacl_add_ace(ou3_dn, mod)
1121 self.create_user(self.ldb_admin, user_dn)
1122 # Create user connectiona that we will test with
1123 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1124 # Rename 'User object' having SD and CC to AU
1125 ldb_user.rename(user_dn, rename_user_dn)
1126 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1128 self.assertEqual( res, [] )
1129 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1131 self.assertNotEqual( res, [] )
1133 # Important unit running information
1135 if not "://" in host:
1136 host = "ldap://%s" % host
1137 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
1139 runner = SubunitTestRunner()
1141 if not runner.run(unittest.makeSuite(AclTests)).wasSuccessful():