s4-acl: fixed acl.py test to use correct ldif
[ira/wip.git] / source4 / lib / ldb / tests / python / acl.py
1 #!/usr/bin/python
2 # -*- coding: utf-8 -*-
3 # This is unit with PPD tests
4
5 import getopt
6 import optparse
7 import sys
8 import os
9 import base64
10 import re
11
12 sys.path.append("bin/python")
13 sys.path.append("../lib/subunit/python")
14
15 import samba.getopt as options
16
17 # Some error messages that are being tested
18 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
19 from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM
20 from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
21
22 # For running the test unit
23 from samba.ndr import ndr_pack, ndr_unpack
24 from samba.dcerpc import security
25
26 from samba.auth import system_session
27 from samba import Ldb
28 from subunit import SubunitTestRunner
29 import unittest
30
31 parser = optparse.OptionParser("ldap [options] <host>")
32 sambaopts = options.SambaOptions(parser)
33 parser.add_option_group(sambaopts)
34 parser.add_option_group(options.VersionOptions(parser))
35
36 # use command line creds if available
37 credopts = options.CredentialsOptions(parser)
38 parser.add_option_group(credopts)
39 opts, args = parser.parse_args()
40
41 if len(args) < 1:
42     parser.print_usage()
43     sys.exit(1)
44
45 host = args[0]
46
47 lp = sambaopts.get_loadparm()
48 creds = credopts.get_credentials(lp)
49
50 #
51 # Tests start here
52 #
53
54 class AclTests(unittest.TestCase):
55
56     def delete_force(self, ldb, dn):
57         try:
58             ldb.delete(dn)
59         except LdbError, (num, _):
60             self.assertEquals(num, ERR_NO_SUCH_OBJECT)
61
62     def find_basedn(self, ldb):
63         res = ldb.search(base="", expression="", scope=SCOPE_BASE,
64                          attrs=["defaultNamingContext"])
65         self.assertEquals(len(res), 1)
66         return res[0]["defaultNamingContext"][0]
67
68     def find_domain_sid(self, ldb):
69         res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
70         return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
71
72     def setUp(self):
73         self.ldb_admin = ldb
74         self.base_dn = self.find_basedn(self.ldb_admin)
75         self.domain_sid = self.find_domain_sid(self.ldb_admin)
76         print "baseDN: %s" % self.base_dn
77         self.SAMBA = False; self.WIN = False
78         res = self.ldb_admin.search(base="",expression="", scope=SCOPE_BASE,
79                                     attrs=["vendorName"])
80         if res and "vendorName" in res[0].keys() and res[0]["vendorName"][0].find("Samba Team") != -1:
81             self.SAMBA = True
82         else:
83             self.WIN = True
84         if self.WIN:
85             # Modify acluser1 & acluser2 to be excluded from 'Doamin Admin' group
86             try:
87                 ldif = """
88 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
89 changetype: modify
90 delete: member
91 member: """ + self.get_user_dn("acluser1")
92                 self.ldb_admin.modify_ldif(ldif)
93                 ldif = """
94 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
95 changetype: modify
96 delete: member
97 member: """ + self.get_user_dn("acluser2")
98                 self.ldb_admin.modify_ldif(ldif)
99             except LdbError, (num, _):
100                 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) # LDAP_ENTRY_ALREADY_EXISTS
101
102     def tearDown(self):
103         # Add
104         self.delete_force(self.ldb_admin, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
105         self.delete_force(self.ldb_admin, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
106         self.delete_force(self.ldb_admin, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
107         self.delete_force(self.ldb_admin, "OU=test_add_ou1," + self.base_dn)
108         # Modify
109         self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
110         self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
111         self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
112         # Search
113         self.delete_force(self.ldb_admin, "CN=test_search_user1,OU=test_search_ou1," + self.base_dn)
114         self.delete_force(self.ldb_admin, "OU=test_search_ou1," + self.base_dn)
115         # Delete
116         self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user1"))
117         # Rename OU3
118         self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
119         self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
120         self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
121         self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
122         # Rename OU2
123         self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou2," + self.base_dn)
124         self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou2," + self.base_dn)
125         self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou2," + self.base_dn)
126         self.delete_force(self.ldb_admin, "OU=test_rename_ou2," + self.base_dn)
127         # Rename OU1
128         self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn)
129         self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou1," + self.base_dn)
130         self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn)
131         self.delete_force(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn)
132
133     def get_user_dn(self, name):
134         return "CN=%s,CN=Users,%s" % (name, self.base_dn)
135
136     def modify_desc(self, object_dn, desc):
137         """ Modify security descriptor using either SDDL string
138             or security.descriptor object
139         """     
140         assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
141         mod = """
142 dn: """ + object_dn + """
143 changetype: modify
144 replace: nTSecurityDescriptor
145 """
146         if isinstance(desc, str):
147             mod += "nTSecurityDescriptor: %s" % desc
148         elif isinstance(desc, security.descriptor):
149             mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
150         self.ldb_admin.modify_ldif(mod)
151         return
152         # Everything below is used in case of emergency or 
153         # double modify verification of some sort
154         assert(isinstance(desc, security.descriptor))
155         fn = "/tmp/tmpMod"
156         f = open(fn, "w"); f.write(mod); f.close()
157         cmd = "ldapmodify -x -h %s -D %s -w %s -f %s" \
158                 % (host[7:], self.get_user_dn(creds.get_username()), creds.get_password(), fn)
159         return os.system( cmd ) == 0
160
161     def add_group_member(self, _ldb, group_dn, member_dn):
162         """ Modify user to ge member of a group 
163             e.g. User to be 'Doamin Admin' group member
164         """
165         ldif = """
166 dn: """ + group_dn + """
167 changetype: modify
168 add: member
169 member: """ + member_dn
170         _ldb.modify_ldif(ldif)
171     
172     def create_ou(self, _ldb, ou_dn, desc=None):
173         ou_dict = {
174             "dn" : ou_dn,
175             "ou" : ou_dn.split(",")[0][3:],
176             "objectClass" : "organizationalUnit",
177             "url" : "www.bbc.co.uk",
178         }
179         if desc:
180             assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
181             if isinstance(desc, str):
182                 ldif += "nTSecurityDescriptor: %s" % desc
183             elif isinstance(desc, security.descriptor):
184                 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
185         _ldb.add(ou_dict)
186
187     def create_user(self, _ldb, user_dn, desc=None):
188         user_dict = {
189             "dn" : user_dn,
190             "sAMAccountName" : user_dn.split(",")[0][3:],
191             "objectClass" : "user",
192             "userPassword" : "samba123@",
193             "url" : "www.bbc.co.uk",
194         }
195         if desc:
196             assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
197             if isinstance(desc, str):
198                 ldif += "nTSecurityDescriptor: %s" % desc
199             elif isinstance(desc, security.descriptor):
200                 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
201         _ldb.add(user_dict)
202
203     def create_group(self, _ldb, group_dn, desc=None):
204         group_dict = {
205             "dn" : group_dn,
206             "objectClass" : "group",
207             "sAMAccountName" : group_dn.split(",")[0][3:],
208             "groupType" : "4",
209             "url" : "www.bbc.co.uk",
210         }
211         if desc:
212             assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
213             if isinstance(desc, str):
214                 ldif += "nTSecurityDescriptor: %s" % desc
215             elif isinstance(desc, security.descriptor):
216                 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
217         _ldb.add(group_dict)
218
219     def read_desc(self, object_dn):
220         res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, ["nTSecurityDescriptor"])
221         desc = res[0]["nTSecurityDescriptor"][0]
222         return ndr_unpack( security.descriptor, desc )
223
224     def enable_account(self,  user_dn):
225         """Enable an account.
226         :param user_dn: Dn of the account to enable.
227         """
228         res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
229         assert len(res) == 1
230         userAccountControl = res[0]["userAccountControl"][0]
231         userAccountControl = int(userAccountControl)
232         if (userAccountControl & 0x2):
233             userAccountControl = userAccountControl & ~0x2 # remove disabled bit
234         if (userAccountControl & 0x20):
235             userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
236         mod = """
237 dn: """ + user_dn + """
238 changetype: modify
239 replace: userAccountControl
240 userAccountControl: %s""" % userAccountControl
241         if self.WIN:
242             mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
243         self.ldb_admin.modify_ldif(mod)
244
245     def get_ldb_connection(self, target_username, target_password):
246         username_save = creds.get_username(); password_save = creds.get_password()
247         creds.set_username(target_username)
248         creds.set_password(target_password)
249         ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
250         creds.set_username(username_save); creds.set_password(password_save)
251         return ldb_target
252
253     def get_object_sid(self, object_dn):
254         res = self.ldb_admin.search(object_dn)
255         return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
256
257     def dacl_add_ace(self, object_dn, ace):
258         desc = self.read_desc( object_dn )
259         desc_sddl = desc.as_sddl( self.domain_sid )
260         if ace in desc_sddl:
261             return
262         if desc_sddl.find("(") >= 0:
263             desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
264         else:
265             desc_sddl = desc_sddl + ace
266         self.modify_desc(object_dn, desc_sddl)
267
268     def get_desc_sddl(self, object_dn):
269         """ Return object nTSecutiryDescriptor in SDDL format
270         """
271         desc = self.read_desc(object_dn)
272         return desc.as_sddl(self.domain_sid)
273     
274     # Testing section
275
276     def test_add_domainadmin_notowner(self):
277         """ 1 Testing OU with the rights of Doman Admin not creator of the OU """
278         # Creating simple user
279         if self.SAMBA:
280             # Create domain admin that will be creator of OU parent-child structure
281             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
282             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
283             self.enable_account(self.get_user_dn("acluser1"))
284             # Create second domain admin that will not be creator of OU parent-child structure
285             self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
286             self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
287             self.enable_account(self.get_user_dn("acluser2"))
288         # Test if we have any additional groups for users than default ones
289         if self.WIN:
290             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
291                     % self.get_user_dn("acluser1") )
292             try:
293                 self.assertEqual( res[0]["memberOf"][0], "" )
294             except KeyError:
295                 pass
296             else:
297                 self.fail()
298             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
299                     % self.get_user_dn("acluser2") )
300             try:
301                 self.assertEqual( res[0]["memberOf"][0], "" )
302             except KeyError:
303                 pass
304             else:
305                 self.fail()
306         # Modify acluser1 & acluser2 to be 'Doamin Admin' group member
307         self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
308                 self.get_user_dn("acluser1"))
309         self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
310                 self.get_user_dn("acluser2"))
311         # Create LDAP connection with OUs crator domain admin credentials
312         ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
313         # Create LDAP connection with second domain admin credentials that is not creator of the OUs
314         ldb_notowner = self.get_ldb_connection("acluser2", "samba123@")
315         # Make sure top OU is deleted (and so everything under it)
316         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
317                 % ("OU=test_add_ou1", self.base_dn) )
318         self.assertEqual( res, [] )
319         # Change descriptor for top level OU
320         self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
321         self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
322         user_sid = self.get_object_sid(self.get_user_dn("acluser2"))
323         mod = "(D;CI;WPCC;;;%s)" % str(user_sid)
324         self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
325         # Test user and group creation with another domain admin's credentials
326         self.create_user(ldb_notowner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
327         self.create_group(ldb_notowner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
328         # Make sure we HAVE created the two objects -- user and group
329         # !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE
330         # !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere
331         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
332                 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
333         self.assertTrue( len(res) > 0 )
334         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
335                 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
336         self.assertTrue( len(res) > 0 )
337
338     def test_add_regular_user(self):
339         """ 2 Testing OU with the regular user that has no rights granted over the OU """
340         # Creating simple user
341         if self.SAMBA:
342             # Create domain admin that will be creator of OU parent-child structure
343             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
344             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
345             self.enable_account(self.get_user_dn("acluser1"))
346             # Create regular user that will not be creator of OU parent-child structure
347             self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
348             self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
349             self.enable_account(self.get_user_dn("acluser2"))
350         # Test if we have any additional groups for users than default ones
351         if self.WIN:
352             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
353                     % self.get_user_dn("acluser1") )
354             try:
355                 self.assertEqual( res[0]["memberOf"][0], "" )
356             except KeyError:
357                 pass
358             else:
359                 self.fail()
360             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
361                     % self.get_user_dn("acluser2") )
362             try:
363                 self.assertEqual( res[0]["memberOf"][0], "" )
364             except KeyError:
365                 pass
366             else:
367                 self.fail()
368         # Modify acluser1 to be 'Doamin Admin' group member
369         self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
370                 self.get_user_dn("acluser1"))
371         # Create LDAP connection with OUs crator domain admin credentials
372         ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
373         # Create LDAP connection with a regular user that has the right 'Crate child User objects'
374         ldb_user = self.get_ldb_connection("acluser2", "samba123@")
375         # Make sure top OU is deleted (and so everything under it)
376         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
377                 % ("OU=test_add_ou1", self.base_dn) )
378         self.assertEqual( res, [] )
379         # Create a parent-child OU structure with domain admin credentials
380         self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
381         self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
382         # Test user and group creation with regular user credentials
383         try:
384             self.create_user(ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
385             self.create_group(ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
386         except LdbError, (num, _):
387             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
388         else:
389             self.fail()
390         # Make sure we HAVEN'T created any of two objects -- user or group
391         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
392                 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
393         self.assertEqual( res, [])
394         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
395                 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
396         self.assertEqual( res, [])
397
398     def test_add_granted_user(self):
399         """ 3 Testing OU with the rights of regular user granted the right 'Create User child objects' """
400         # Creating simple user
401         if self.SAMBA:
402             # Create domain admin that will be creator of OU parent-child structure
403             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
404             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
405             self.enable_account(self.get_user_dn("acluser1"))
406             # Create second domain admin that will not be creator of OU parent-child structure
407             self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
408             self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
409             self.enable_account(self.get_user_dn("acluser2"))
410         # Test if we have any additional groups for users than default ones
411         if self.WIN:
412             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
413                     % self.get_user_dn("acluser1") )
414             try:
415                 self.assertEqual( res[0]["memberOf"][0], "" )
416             except KeyError:
417                 pass
418             else:
419                 self.fail()
420             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
421                     % self.get_user_dn("acluser2") )
422             try:
423                 self.assertEqual( res[0]["memberOf"][0], "" )
424             except KeyError:
425                 pass
426             else:
427                 self.fail()
428         # Modify acluser1 to be 'Doamin Admin' group member
429         self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
430                 self.get_user_dn("acluser1"))
431         # Create LDAP connection with OUs crator domain admin credentials
432         ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
433         # Create LDAP connection with a regular user that has the right 'Crate child User objects'
434         ldb_guser = self.get_ldb_connection("acluser2", "samba123@")
435         # Make sure top OU is deleted (and so everything under it)
436         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
437                 % ("OU=test_add_ou1", self.base_dn) )
438         self.assertEqual( res, [] )
439         # Change descriptor for top level OU
440         self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
441         user_sid = self.get_object_sid(self.get_user_dn("acluser2"))
442         mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
443         self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
444         self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
445         # Test user and group creation with granted user only to one of the objects
446         self.create_user(ldb_guser, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
447         try:
448             self.create_group(ldb_guser, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
449         except LdbError, (num, _):
450             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
451         else:
452             self.fail()
453         # Make sure we HAVE created the one of two objects -- user
454         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
455                 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
456         self.assertNotEqual( len(res), 0 )
457         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
458                 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
459         self.assertEqual( res, [])
460
461     def test_add_domainadmin_owner(self):
462         """ 4 Testing OU with the rights of Doman Admin creator of the OU"""
463         # Creating acluser1
464         if self.SAMBA:
465             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
466             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
467             self.enable_account(self.get_user_dn("acluser1"))
468         # Test if we have any additional groups for user than default
469         if self.WIN:
470             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
471                     % self.get_user_dn("acluser1") )
472             try:
473                 self.assertEqual( res[0]["memberOf"][0], "" )
474             except KeyError:
475                 pass
476             else:
477                 self.fail()
478         # Modify acluser1 to be 'Doamin Admin' group member
479         self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
480                 self.get_user_dn("acluser1"))
481         # Create LDAP connection with OUs crator domain admin credentials
482         ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
483         # Make sure top OU is deleted (and so everything under it)
484         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
485                 % ("OU=test_add_ou1", self.base_dn) )
486         self.assertEqual( res, [] )
487         self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
488         self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
489         self.create_user(ldb_owner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
490         self.create_group(ldb_owner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
491         # Make sure we have successfully created the two objects -- user and group
492         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
493                 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
494         self.assertTrue( len(res) > 0 )
495         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
496                 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
497         self.assertTrue( len(res) > 0 )
498
499     def test_modify_u1(self):
500         """5 Modify one attribute if you have DS_WRITE_PROPERTY for it"""
501         # Creating acluser1
502         if self.SAMBA:
503             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
504             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
505             self.enable_account(self.get_user_dn("acluser1"))
506
507         # Test if we have any additional groups for user than default
508         if self.WIN:
509             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
510                     % self.get_user_dn("acluser1") )
511             try:
512                 self.assertEqual( res[0]["memberOf"][0], "" )
513             except KeyError:
514                 pass
515             else:
516                 self.fail()
517         # Create user connectiona that we will test with
518         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
519         # First test object -- User
520         print "Testing modify on User object"
521         self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
522         self.create_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
523         user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
524         mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
525         self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
526         ldif = """
527 dn: """ + self.get_user_dn("test_modify_user1") + """
528 changetype: modify
529 replace: displayName
530 displayName: test_changed"""
531         ldb_user.modify_ldif(ldif)
532         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
533                                     % self.get_user_dn("test_modify_user1") )
534         self.assertEqual(res[0]["displayName"][0], "test_changed")
535         # Second test object -- Group
536         print "Testing modify on Group object"
537         self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
538         self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
539         user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
540         mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
541         self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
542         ldif = """
543 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
544 changetype: modify
545 replace: displayName
546 displayName: test_changed"""
547         ldb_user.modify_ldif(ldif)
548         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
549                                     % str("CN=test_modify_group1,CN=Users," + self.base_dn) )
550         self.assertEqual(res[0]["displayName"][0], "test_changed")
551         # Second test object -- Organizational Unit
552         print "Testing modify on OU object"
553         self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
554         self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
555         user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
556         mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
557         self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
558         ldif = """
559 dn: OU=test_modify_ou1,""" + self.base_dn + """
560 changetype: modify
561 replace: displayName
562 displayName: test_changed"""
563         ldb_user.modify_ldif(ldif)
564         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
565                                     % str("OU=test_modify_ou1," + self.base_dn) )
566         self.assertEqual(res[0]["displayName"][0], "test_changed")
567
568     def test_modify_u2(self):
569         """6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them"""
570         # Creating acluser1
571         if self.SAMBA:
572             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
573             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
574             self.enable_account(self.get_user_dn("acluser1"))
575         # Test if we have any additional groups for user than default
576         if self.WIN:
577             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
578                     % self.get_user_dn("acluser1") )
579             try:
580                 self.assertEqual( res[0]["memberOf"][0], "" )
581             except KeyError:
582                 pass
583             else:
584                 self.fail()
585         # Create user connectiona that we will test with
586         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
587         # First test object -- User
588         print "Testing modify on User object"
589         self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
590         self.create_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
591         user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
592         mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
593         self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
594         # Modify on attribute you have rights for
595         ldif = """
596 dn: """ + self.get_user_dn("test_modify_user1") + """
597 changetype: modify
598 replace: displayName
599 displayName: test_changed"""
600         ldb_user.modify_ldif(ldif)
601         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
602                                     % self.get_user_dn("test_modify_user1") )
603         self.assertEqual(res[0]["displayName"][0], "test_changed")
604         # Modify on attribute you do not have rights for granted
605         ldif = """
606 dn: """ + self.get_user_dn("test_modify_user1") + """
607 changetype: modify
608 replace: url
609 url: www.samba.org"""
610         try:
611             ldb_user.modify_ldif(ldif)
612         except LdbError, (num, _):
613             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
614         else:
615             # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
616             self.fail()
617         # Second test object -- Group
618         print "Testing modify on Group object"
619         self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
620         self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
621         user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
622         mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
623         self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
624         ldif = """
625 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
626 changetype: modify
627 replace: displayName
628 displayName: test_changed"""
629         ldb_user.modify_ldif(ldif)
630         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
631                                     % str("CN=test_modify_group1,CN=Users," + self.base_dn) )
632         self.assertEqual(res[0]["displayName"][0], "test_changed")
633         # Modify on attribute you do not have rights for granted
634         ldif = """
635 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
636 changetype: modify
637 replace: url
638 url: www.samba.org"""
639         try:
640             ldb_user.modify_ldif(ldif)
641         except LdbError, (num, _):
642             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
643         else:
644             # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
645             self.fail()
646         # Second test object -- Organizational Unit
647         print "Testing modify on OU object"
648         self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
649         self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
650         user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
651         mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
652         self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
653         ldif = """
654 dn: OU=test_modify_ou1,""" + self.base_dn + """
655 changetype: modify
656 replace: displayName
657 displayName: test_changed"""
658         ldb_user.modify_ldif(ldif)
659         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
660                                     % str("OU=test_modify_ou1," + self.base_dn) )
661         self.assertEqual(res[0]["displayName"][0], "test_changed")
662         # Modify on attribute you do not have rights for granted
663         ldif = """
664 dn: OU=test_modify_ou1,""" + self.base_dn + """
665 changetype: modify
666 replace: url
667 url: www.samba.org"""
668         try:
669             ldb_user.modify_ldif(ldif)
670         except LdbError, (num, _):
671             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
672         else:
673             # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
674             self.fail()
675
676     def test_modify_u3(self):
677         """7 Modify one attribute as you have no what so ever rights granted"""
678         # Creating acluser1
679         if self.SAMBA:
680             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
681             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
682             self.enable_account(self.get_user_dn("acluser1"))
683
684         # Test if we have any additional groups for user than default
685         if self.WIN:
686             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
687                     % self.get_user_dn("acluser1") )
688             try:
689                 self.assertEqual( res[0]["memberOf"][0], "" )
690             except KeyError:
691                 pass
692             else:
693                 self.fail()
694         # Create user connectiona that we will test with
695         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
696
697         # First test object -- User
698         print "Testing modify on User object"
699         self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
700         self.create_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
701         # Modify on attribute you do not have rights for granted
702         ldif = """
703 dn: """ + self.get_user_dn("test_modify_user1") + """
704 changetype: modify
705 replace: url
706 url: www.samba.org"""
707         try:
708             ldb_user.modify_ldif(ldif)
709         except LdbError, (num, _):
710             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
711         else:
712             # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
713             self.fail()
714
715         # Second test object -- Group
716         print "Testing modify on Group object"
717         self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
718         self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
719         # Modify on attribute you do not have rights for granted
720         ldif = """
721 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
722 changetype: modify
723 replace: url
724 url: www.samba.org"""
725         try:
726             ldb_user.modify_ldif(ldif)
727         except LdbError, (num, _):
728             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
729         else:
730             # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
731             self.fail()
732
733         # Second test object -- Organizational Unit
734         print "Testing modify on OU object"
735         self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
736         self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
737         # Modify on attribute you do not have rights for granted
738         ldif = """
739 dn: OU=test_modify_ou1,""" + self.base_dn + """
740 changetype: modify
741 replace: url
742 url: www.samba.org"""
743         try:
744             ldb_user.modify_ldif(ldif)
745         except LdbError, (num, _):
746             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
747         else:
748             # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
749             self.fail()
750
751
752     def test_modify_u4(self):
753         """11 Grant WP to PRINCIPAL_SELF and test modify"""
754         # Creating acluser1
755         if self.SAMBA:
756             self.delete_force(self.ldb_admin, self.get_user_dn("acluser3"))
757             self.create_user(self.ldb_admin, self.get_user_dn("acluser3"))
758             self.enable_account(self.get_user_dn("acluser3"))
759         # Test if we have any additional groups for user than default
760         if self.WIN:
761             res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
762                     % self.get_user_dn("acluser3") )
763             try:
764                 self.assertEqual( res[0]["memberOf"][0], "" )
765             except KeyError:
766                 pass
767             else:
768                 self.fail()
769         # Create user connection that we will test with
770         ldb_user = self.get_ldb_connection("acluser3", "samba123@")
771         ldif = """
772 dn: """ + self.get_user_dn("acluser3") + """
773 changetype: modify
774 add: adminDescription
775 adminDescription: blah blah blah"""
776         try:
777             ldb_user.modify_ldif(ldif)
778         except LdbError, (num, _):
779             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
780         else:
781             # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
782             self.fail()
783
784         mod = "(OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS)"
785         self.dacl_add_ace(self.get_user_dn("acluser3"), mod)
786         # Modify on attribute you have rights for
787         ldb_user.modify_ldif(ldif)
788         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
789                                     % self.get_user_dn("acluser3"), attrs=["adminDescription"] )
790         self.assertEqual(res[0]["adminDescription"][0], "blah blah blah")
791
792 #enable these when we have search implemented
793     def _test_search_u1(self):
794         """See if can prohibit user to read another User object"""
795         # Creating simple user to search with
796         if self.SAMBA:
797             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
798             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
799             self.enable_account(self.get_user_dn("acluser1"))
800         ou_dn = "OU=test_search_ou1," + self.base_dn
801         user_dn = "CN=test_search_user1," + ou_dn
802         # Create clean OU
803         self.delete_force(self.ldb_admin, ou_dn)
804         self.create_ou(self.ldb_admin, ou_dn)
805         desc = self.read_desc( ou_dn )
806         desc_sddl = desc.as_sddl( self.domain_sid )
807         # Parse descriptor's SDDL and remove all inherited ACEs reffering
808         # to 'Registered Users' or 'Authenticated Users'
809         desc_aces = re.findall("\(.*?\)", desc_sddl)
810         for ace in desc_aces:
811             if ("I" in ace) and (("RU" in ace) or ("AU" in ace)):
812                 desc_sddl = desc_sddl.replace(ace, "")
813         # Add 'P' in the DACL so it breaks further inheritance
814         desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(")
815         # Create a security descriptor object and OU with that descriptor
816         desc = security.descriptor.from_sddl( desc_sddl, self.domain_sid )
817         self.delete_force(self.ldb_admin, ou_dn)
818         self.create_ou(self.ldb_admin, ou_dn, desc)
819         # Create clean user
820         self.delete_force(self.ldb_admin, user_dn)
821         self.create_user(self.ldb_admin, user_dn)
822         desc = self.read_desc( user_dn )
823         desc_sddl = desc.as_sddl( self.domain_sid )
824         # Parse security descriptor SDDL and remove all 'Read' ACEs
825         # reffering to AU
826         desc_aces = re.findall("\(.*?\)", desc_sddl)
827         for ace in desc_aces:
828             if ("AU" in ace) and ("R" in ace):
829                 desc_sddl = desc_sddl.replace(ace, "")
830         # Create user with the edited descriptor
831         desc = security.descriptor.from_sddl( desc_sddl, self.domain_sid )
832         self.delete_force(self.ldb_admin, user_dn)
833         self.create_user(self.ldb_admin, user_dn, desc)
834         # Create user connectiona that we will test with
835         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
836         res = ldb_user.search( self.base_dn, expression="(distinguishedName=%s)" \
837                                     % user_dn )
838         self.assertEqual( res, [] )
839
840     def _test_search_u2(self):
841         """User's group ACEs cleared and after that granted RIGHT_DS_READ_PROPERTY to another User object"""
842         # Creating simple user to search with
843         if self.SAMBA:
844             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
845             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
846             self.enable_account(self.get_user_dn("acluser1"))
847         ou_dn = "OU=test_search_ou1," + self.base_dn
848         user_dn = "CN=test_search_user1," + ou_dn
849         # Create clean OU
850         self.delete_force(self.ldb_admin, ou_dn)
851         self.create_ou(self.ldb_admin, ou_dn)
852         desc = self.read_desc( ou_dn )
853         desc_sddl = desc.as_sddl( self.domain_sid )
854         # Parse descriptor's SDDL and remove all inherited ACEs reffering
855         # to 'Registered Users' or 'Authenticated Users'
856         desc_aces = re.findall("\(.*?\)", desc_sddl)
857         for ace in desc_aces:
858             if ("I" in ace) and (("RU" in ace) or ("AU" in ace)):
859                 desc_sddl = desc_sddl.replace(ace, "")
860         # Add 'P' in the DACL so it breaks further inheritance
861         desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(")
862         # Create a security descriptor object and OU with that descriptor
863         desc = security.descriptor.from_sddl( desc_sddl, self.domain_sid )
864         self.delete_force(self.ldb_admin, ou_dn)
865         self.create_ou(self.ldb_admin, ou_dn, desc)
866         # Create clean user
867         self.delete_force(self.ldb_admin, user_dn)
868         self.create_user(self.ldb_admin, user_dn)
869         # Parse security descriptor SDDL and remove all 'Read' ACEs
870         # reffering to AU
871         desc_aces = re.findall("\(.*?\)", desc_sddl)
872         for ace in desc_aces:
873             if ("AU" in ace) and ("R" in ace):
874                 desc_sddl = desc_sddl.replace(ace, "")
875         #mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)"
876         mod = "(A;;RP;;;AU)"
877         self.dacl_add_ace(user_dn, mod)
878         # Create user connectiona that we will test with
879         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
880         res = ldb_user.search( self.base_dn, expression="(distinguishedName=%s)" \
881                                     % user_dn )
882         self.assertNotEqual( res, [] )
883
884     def test_delete_u1(self):
885         """User is prohibited by default to delete another User object"""
886         # Creating simple user to search with
887         if self.SAMBA:
888             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
889             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
890             self.enable_account(self.get_user_dn("acluser1"))
891         # Create user connectiona that we will test with
892         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
893         # Create user that we try to delete
894         self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user"))
895         self.create_user(self.ldb_admin, self.get_user_dn("test_delete_user"))
896         # Here delete User object should ALWAYS through exception
897         try:
898             ldb_user.delete(self.get_user_dn("test_delete_user"))
899         except LdbError, (num, _):
900             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
901         else:
902             self.fail()
903
904     def test_delete_u2(self):
905         """User's group has RIGHT_DELETE to another User object"""
906         user_dn = self.get_user_dn("test_delete_user1")
907         # Creating simple user to search with
908         if self.SAMBA:
909             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
910             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
911             self.enable_account(self.get_user_dn("acluser1"))
912         # Create user connectiona that we will test with
913         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
914         # Create user that we try to delete
915         self.delete_force(self.ldb_admin, user_dn)
916         self.create_user(self.ldb_admin, user_dn)
917         mod = "(A;;SD;;;AU)"
918         self.dacl_add_ace(user_dn, mod)
919         # Try to delete User object
920         ldb_user.delete( user_dn )
921         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
922                 % user_dn )
923         self.assertEqual( res, [] )
924
925     def test_delete_u3(self):
926         """User indentified by SID has RIGHT_DELETE to another User object"""
927         user_dn = self.get_user_dn("test_delete_user1")
928         # Creating simple user to search with
929         if self.SAMBA:
930             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
931             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
932             self.enable_account(self.get_user_dn("acluser1"))
933         # Create user connectiona that we will test with
934         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
935         # Create user that we try to delete
936         self.delete_force(self.ldb_admin, user_dn)
937         self.create_user(self.ldb_admin, user_dn)
938         mod = "(A;;SD;;;%s)" % str( self.get_object_sid(self.get_user_dn("acluser1")) )
939         self.dacl_add_ace(user_dn, mod)
940         # Try to delete User object
941         ldb_user.delete( user_dn )
942         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
943                 % user_dn )
944         self.assertEqual( res, [] )
945
946     def test_rename_u1(self):
947         """ 6 Regular user fails to rename 'User object' within single OU"""
948         # Creating simple user to search with
949         if self.SAMBA:
950             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
951             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
952             self.enable_account(self.get_user_dn("acluser1"))
953         # Create OU structure
954         self.create_ou(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn)
955         self.create_user(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn)
956         # Create user connectiona that we will test with
957         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
958         try:
959             ldb_user.rename("CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn, \
960                     "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn)
961         except LdbError, (num, _):
962             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
963         else:
964             self.fail()
965
966     def test_rename_u2(self):
967         """ 7 Grant WRITE_PROPERTY to AU so regular user can rename 'User object' within single OU"""
968         ou_dn = "OU=test_rename_ou1," + self.base_dn
969         user_dn = "CN=test_rename_user1," + ou_dn
970         rename_user_dn = "CN=test_rename_user5," + ou_dn
971         # Creating simple user to search with
972         if self.SAMBA:
973             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
974             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
975             self.enable_account(self.get_user_dn("acluser1"))
976         print "Test rename with rights granted to AU"
977         # Create OU structure
978         self.create_ou(self.ldb_admin, ou_dn)
979         self.create_user(self.ldb_admin, user_dn)
980         mod = "(A;;WP;;;AU)"
981         self.dacl_add_ace(user_dn, mod)
982         # Create user connectiona that we will test with
983         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
984         # Rename 'User object' having WP to AU
985         ldb_user.rename(user_dn, rename_user_dn)
986         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
987                 % user_dn )
988         self.assertEqual( res, [] )
989         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
990                 % rename_user_dn )
991         self.assertNotEqual( res, [] )
992         print "Test rename with rights granted to 'User object' SID"
993         # Create OU structure
994         self.delete_force(self.ldb_admin, user_dn)
995         self.delete_force(self.ldb_admin, rename_user_dn)
996         self.delete_force(self.ldb_admin, ou_dn)
997         self.create_ou(self.ldb_admin, ou_dn)
998         self.create_user(self.ldb_admin, user_dn)
999         sid = self.get_object_sid(self.get_user_dn("acluser1"))
1000         mod = "(A;;WP;;;%s)" % str(sid)
1001         self.dacl_add_ace(user_dn, mod)
1002         # Create user connectiona that we will test with
1003         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1004         # Rename 'User object' having WP to AU
1005         ldb_user.rename(user_dn, rename_user_dn)
1006         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1007                 % user_dn )
1008         self.assertEqual( res, [] )
1009         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1010                 % rename_user_dn )
1011         self.assertNotEqual( res, [] )
1012
1013     def test_rename_u3(self):
1014         """ 8 Rename 'User object' cross OU with WP, SD and CC right granted on reg. user to AU"""
1015         ou1_dn = "OU=test_rename_ou1," + self.base_dn
1016         ou2_dn = "OU=test_rename_ou2," + self.base_dn
1017         user_dn = "CN=test_rename_user2," + ou1_dn
1018         rename_user_dn = "CN=test_rename_user5," + ou2_dn
1019         # Creating simple user to search with
1020         if self.SAMBA:
1021             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
1022             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
1023             self.enable_account(self.get_user_dn("acluser1"))
1024         print "Test rename with rights granted to AU"
1025         # Create OU structure
1026         self.create_ou(self.ldb_admin, ou1_dn)
1027         self.create_ou(self.ldb_admin, ou2_dn)
1028         self.create_user(self.ldb_admin, user_dn)
1029         mod = "(A;;WPSD;;;AU)"
1030         self.dacl_add_ace(user_dn, mod)
1031         mod = "(A;;CC;;;AU)"
1032         self.dacl_add_ace(ou2_dn, mod)
1033         # Create user connectiona that we will test with
1034         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1035         # Rename 'User object' having SD and CC to AU
1036         ldb_user.rename(user_dn, rename_user_dn)
1037         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1038                 % user_dn )
1039         self.assertEqual( res, [] )
1040         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1041                 % rename_user_dn )
1042         self.assertNotEqual( res, [] )
1043         print "Test rename with rights granted to 'User object' SID"
1044         # Create OU structure
1045         self.delete_force(self.ldb_admin, user_dn)
1046         self.delete_force(self.ldb_admin, rename_user_dn)
1047         self.delete_force(self.ldb_admin, ou1_dn)
1048         self.delete_force(self.ldb_admin, ou2_dn)
1049         self.create_ou(self.ldb_admin, ou1_dn)
1050         self.create_ou(self.ldb_admin, ou2_dn)
1051         self.create_user(self.ldb_admin, user_dn)
1052         sid = self.get_object_sid(self.get_user_dn("acluser1"))
1053         mod = "(A;;WPSD;;;%s)" % str(sid)
1054         self.dacl_add_ace(user_dn, mod)
1055         mod = "(A;;CC;;;%s)" % str(sid)
1056         self.dacl_add_ace(ou2_dn, mod)
1057         # Create user connectiona that we will test with
1058         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1059         # Rename 'User object' having SD and CC to AU
1060         ldb_user.rename(user_dn, rename_user_dn)
1061         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1062                 % user_dn )
1063         self.assertEqual( res, [] )
1064         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1065                 % rename_user_dn )
1066         self.assertNotEqual( res, [] )
1067
1068     def test_rename_u4(self):
1069         """9 Rename 'User object' cross OU with WP, DC and CC right granted on OU & user to AU"""
1070         ou1_dn = "OU=test_rename_ou1," + self.base_dn
1071         ou2_dn = "OU=test_rename_ou2," + self.base_dn
1072         user_dn = "CN=test_rename_user2," + ou1_dn
1073         rename_user_dn = "CN=test_rename_user2," + ou2_dn
1074         # Creating simple user to search with
1075         if self.SAMBA:
1076             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
1077             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
1078             self.enable_account(self.get_user_dn("acluser1"))
1079         # Create OU structure
1080         self.create_ou(self.ldb_admin, ou1_dn)
1081         self.create_ou(self.ldb_admin, ou2_dn)
1082         #mod = "(A;CI;DCWP;;;AU)"
1083         mod = "(A;;DC;;;AU)"
1084         self.dacl_add_ace(ou1_dn, mod)
1085         mod = "(A;;CC;;;AU)"
1086         self.dacl_add_ace(ou2_dn, mod)
1087         self.create_user(self.ldb_admin, user_dn)
1088         mod = "(A;;WP;;;AU)"
1089         self.dacl_add_ace(user_dn, mod)
1090         # Create user connectiona that we will test with
1091         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1092         # Rename 'User object' having SD and CC to AU
1093         ldb_user.rename(user_dn, rename_user_dn)
1094         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1095                 % user_dn )
1096         self.assertEqual( res, [] )
1097         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1098                 % rename_user_dn )
1099         self.assertNotEqual( res, [] )
1100
1101     def test_rename_u5(self):
1102         """10 Rename 'User object' cross OU (second level) with WP, DC and CC right granted on OU to AU"""
1103         ou1_dn = "OU=test_rename_ou1," + self.base_dn
1104         ou2_dn = "OU=test_rename_ou2," + self.base_dn
1105         ou3_dn = "OU=test_rename_ou3," + ou2_dn
1106         user_dn = "CN=test_rename_user2," + ou1_dn
1107         rename_user_dn = "CN=test_rename_user5," + ou3_dn
1108         # Creating simple user to search with
1109         if self.SAMBA:
1110             self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
1111             self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
1112             self.enable_account(self.get_user_dn("acluser1"))
1113         # Create OU structure
1114         self.create_ou(self.ldb_admin, ou1_dn)
1115         self.create_ou(self.ldb_admin, ou2_dn)
1116         self.create_ou(self.ldb_admin, ou3_dn)
1117         mod = "(A;CI;WPDC;;;AU)"
1118         self.dacl_add_ace(ou1_dn, mod)
1119         mod = "(A;;CC;;;AU)"
1120         self.dacl_add_ace(ou3_dn, mod)
1121         self.create_user(self.ldb_admin, user_dn)
1122         # Create user connectiona that we will test with
1123         ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1124         # Rename 'User object' having SD and CC to AU
1125         ldb_user.rename(user_dn, rename_user_dn)
1126         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1127                 % user_dn )
1128         self.assertEqual( res, [] )
1129         res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1130                 % rename_user_dn )
1131         self.assertNotEqual( res, [] )
1132
1133 # Important unit running information
1134
1135 if not "://" in host:
1136     host = "ldap://%s" % host
1137 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
1138
1139 runner = SubunitTestRunner()
1140 rc = 0
1141 if not runner.run(unittest.makeSuite(AclTests)).wasSuccessful():
1142     rc = 1
1143
1144 sys.exit(rc)