2 # -*- coding: utf-8 -*-
3 # This is unit with PPD tests
12 sys.path.append("bin/python")
13 sys.path.append("../lib/subunit/python")
15 import samba.getopt as options
17 # Some error messages that are being tested
18 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
19 from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM
20 from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
22 # For running the test unit
23 from samba.ndr import ndr_pack, ndr_unpack
24 from samba.dcerpc import security
26 from samba.auth import system_session
28 from subunit import SubunitTestRunner
31 parser = optparse.OptionParser("ldap [options] <host>")
32 sambaopts = options.SambaOptions(parser)
33 parser.add_option_group(sambaopts)
34 parser.add_option_group(options.VersionOptions(parser))
36 # use command line creds if available
37 credopts = options.CredentialsOptions(parser)
38 parser.add_option_group(credopts)
39 opts, args = parser.parse_args()
47 lp = sambaopts.get_loadparm()
48 creds = credopts.get_credentials(lp)
54 class AclTests(unittest.TestCase):
56 def delete_force(self, ldb, dn):
59 except LdbError, (num, _):
60 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
62 def find_basedn(self, ldb):
63 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
64 attrs=["defaultNamingContext"])
65 self.assertEquals(len(res), 1)
66 return res[0]["defaultNamingContext"][0]
68 def find_domain_sid(self, ldb):
69 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
70 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
74 self.base_dn = self.find_basedn(self.ldb_admin)
75 self.domain_sid = self.find_domain_sid(self.ldb_admin)
76 print "baseDN: %s" % self.base_dn
77 self.SAMBA = False; self.WIN = False
78 res = self.ldb_admin.search(base="",expression="", scope=SCOPE_BASE,
80 if res and "vendorName" in res[0].keys() and res[0]["vendorName"][0].find("Samba Team") != -1:
85 # Modify acluser1 & acluser2 to be excluded from 'Doamin Admin' group
88 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
91 member: """ + self.get_user_dn("acluser1")
92 self.ldb_admin.modify_ldif(ldif)
94 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
97 member: """ + self.get_user_dn("acluser2")
98 self.ldb_admin.modify_ldif(ldif)
99 except LdbError, (num, _):
100 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) # LDAP_ENTRY_ALREADY_EXISTS
104 self.delete_force(self.ldb_admin, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
105 self.delete_force(self.ldb_admin, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
106 self.delete_force(self.ldb_admin, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
107 self.delete_force(self.ldb_admin, "OU=test_add_ou1," + self.base_dn)
109 self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
110 self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
111 self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
113 self.delete_force(self.ldb_admin, "CN=test_search_user1,OU=test_search_ou1," + self.base_dn)
114 self.delete_force(self.ldb_admin, "OU=test_search_ou1," + self.base_dn)
116 self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user1"))
118 self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
119 self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
120 self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
121 self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
123 self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou2," + self.base_dn)
124 self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou2," + self.base_dn)
125 self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou2," + self.base_dn)
126 self.delete_force(self.ldb_admin, "OU=test_rename_ou2," + self.base_dn)
128 self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn)
129 self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou1," + self.base_dn)
130 self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn)
131 self.delete_force(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn)
133 def get_user_dn(self, name):
134 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
136 def modify_desc(self, object_dn, desc):
137 """ Modify security descriptor using either SDDL string
138 or security.descriptor object
140 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
142 dn: """ + object_dn + """
144 replace: nTSecurityDescriptor
146 if isinstance(desc, str):
147 mod += "nTSecurityDescriptor: %s" % desc
148 elif isinstance(desc, security.descriptor):
149 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
150 self.ldb_admin.modify_ldif(mod)
152 # Everything below is used in case of emergency or
153 # double modify verification of some sort
154 assert(isinstance(desc, security.descriptor))
156 f = open(fn, "w"); f.write(mod); f.close()
157 cmd = "ldapmodify -x -h %s -D %s -w %s -f %s" \
158 % (host[7:], self.get_user_dn(creds.get_username()), creds.get_password(), fn)
159 return os.system( cmd ) == 0
161 def add_group_member(self, _ldb, group_dn, member_dn):
162 """ Modify user to ge member of a group
163 e.g. User to be 'Doamin Admin' group member
166 dn: """ + group_dn + """
168 member: """ + member_dn
169 _ldb.modify_ldif(ldif)
171 def create_ou(self, _ldb, ou_dn, desc=None):
174 "ou" : ou_dn.split(",")[0][3:],
175 "objectClass" : "organizationalUnit",
176 "url" : "www.bbc.co.uk",
179 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
180 if isinstance(desc, str):
181 ldif += "nTSecurityDescriptor: %s" % desc
182 elif isinstance(desc, security.descriptor):
183 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
186 def create_user(self, _ldb, user_dn, desc=None):
189 "sAMAccountName" : user_dn.split(",")[0][3:],
190 "objectClass" : "user",
191 "userPassword" : "samba123@",
192 "url" : "www.bbc.co.uk",
195 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
196 if isinstance(desc, str):
197 ldif += "nTSecurityDescriptor: %s" % desc
198 elif isinstance(desc, security.descriptor):
199 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
202 def create_group(self, _ldb, group_dn, desc=None):
205 "objectClass" : "group",
206 "sAMAccountName" : group_dn.split(",")[0][3:],
208 "url" : "www.bbc.co.uk",
211 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
212 if isinstance(desc, str):
213 ldif += "nTSecurityDescriptor: %s" % desc
214 elif isinstance(desc, security.descriptor):
215 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
218 def read_desc(self, object_dn):
219 res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, ["nTSecurityDescriptor"])
220 desc = res[0]["nTSecurityDescriptor"][0]
221 return ndr_unpack( security.descriptor, desc )
223 def enable_account(self, user_dn):
224 """Enable an account.
225 :param user_dn: Dn of the account to enable.
227 res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
229 userAccountControl = res[0]["userAccountControl"][0]
230 userAccountControl = int(userAccountControl)
231 if (userAccountControl & 0x2):
232 userAccountControl = userAccountControl & ~0x2 # remove disabled bit
233 if (userAccountControl & 0x20):
234 userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
236 dn: """ + user_dn + """
238 replace: userAccountControl
239 userAccountControl: %s""" % userAccountControl
241 mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
242 self.ldb_admin.modify_ldif(mod)
244 def get_ldb_connection(self, target_username, target_password):
245 username_save = creds.get_username(); password_save = creds.get_password()
246 creds.set_username(target_username)
247 creds.set_password(target_password)
248 ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
249 creds.set_username(username_save); creds.set_password(password_save)
252 def get_object_sid(self, object_dn):
253 res = self.ldb_admin.search(object_dn)
254 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
256 def dacl_add_ace(self, object_dn, ace):
257 desc = self.read_desc( object_dn )
258 desc_sddl = desc.as_sddl( self.domain_sid )
261 if desc_sddl.find("(") >= 0:
262 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
264 desc_sddl = desc_sddl + ace
265 self.modify_desc(object_dn, desc_sddl)
267 def get_desc_sddl(self, object_dn):
268 """ Return object nTSecutiryDescriptor in SDDL format
270 desc = self.read_desc(object_dn)
271 return desc.as_sddl(self.domain_sid)
275 def test_add_domainadmin_notowner(self):
276 """ 1 Testing OU with the rights of Doman Admin not creator of the OU """
277 # Creating simple user
279 # Create domain admin that will be creator of OU parent-child structure
280 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
281 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
282 self.enable_account(self.get_user_dn("acluser1"))
283 # Create second domain admin that will not be creator of OU parent-child structure
284 self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
285 self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
286 self.enable_account(self.get_user_dn("acluser2"))
287 # Test if we have any additional groups for users than default ones
289 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
290 % self.get_user_dn("acluser1") )
292 self.assertEqual( res[0]["memberOf"][0], "" )
297 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
298 % self.get_user_dn("acluser2") )
300 self.assertEqual( res[0]["memberOf"][0], "" )
305 # Modify acluser1 & acluser2 to be 'Doamin Admin' group member
306 self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
307 self.get_user_dn("acluser1"))
308 self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
309 self.get_user_dn("acluser2"))
310 # Create LDAP connection with OUs crator domain admin credentials
311 ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
312 # Create LDAP connection with second domain admin credentials that is not creator of the OUs
313 ldb_notowner = self.get_ldb_connection("acluser2", "samba123@")
314 # Make sure top OU is deleted (and so everything under it)
315 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
316 % ("OU=test_add_ou1", self.base_dn) )
317 self.assertEqual( res, [] )
318 # Change descriptor for top level OU
319 self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
320 self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
321 user_sid = self.get_object_sid(self.get_user_dn("acluser2"))
322 mod = "(D;CI;WPCC;;;%s)" % str(user_sid)
323 self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
324 # Test user and group creation with another domain admin's credentials
325 self.create_user(ldb_notowner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
326 self.create_group(ldb_notowner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
327 # Make sure we HAVE created the two objects -- user and group
328 # !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE
329 # !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere
330 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
331 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
332 self.assertTrue( len(res) > 0 )
333 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
334 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
335 self.assertTrue( len(res) > 0 )
337 def test_add_regular_user(self):
338 """ 2 Testing OU with the regular user that has no rights granted over the OU """
339 # Creating simple user
341 # Create domain admin that will be creator of OU parent-child structure
342 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
343 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
344 self.enable_account(self.get_user_dn("acluser1"))
345 # Create regular user that will not be creator of OU parent-child structure
346 self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
347 self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
348 self.enable_account(self.get_user_dn("acluser2"))
349 # Test if we have any additional groups for users than default ones
351 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
352 % self.get_user_dn("acluser1") )
354 self.assertEqual( res[0]["memberOf"][0], "" )
359 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
360 % self.get_user_dn("acluser2") )
362 self.assertEqual( res[0]["memberOf"][0], "" )
367 # Modify acluser1 to be 'Doamin Admin' group member
368 self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
369 self.get_user_dn("acluser1"))
370 # Create LDAP connection with OUs crator domain admin credentials
371 ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
372 # Create LDAP connection with a regular user that has the right 'Crate child User objects'
373 ldb_user = self.get_ldb_connection("acluser2", "samba123@")
374 # Make sure top OU is deleted (and so everything under it)
375 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
376 % ("OU=test_add_ou1", self.base_dn) )
377 self.assertEqual( res, [] )
378 # Create a parent-child OU structure with domain admin credentials
379 self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
380 self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
381 # Test user and group creation with regular user credentials
383 self.create_user(ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
384 self.create_group(ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
385 except LdbError, (num, _):
386 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
389 # Make sure we HAVEN'T created any of two objects -- user or group
390 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
391 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
392 self.assertEqual( res, [])
393 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
394 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
395 self.assertEqual( res, [])
397 def test_add_granted_user(self):
398 """ 3 Testing OU with the rights of regular user granted the right 'Create User child objects' """
399 # Creating simple user
401 # Create domain admin that will be creator of OU parent-child structure
402 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
403 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
404 self.enable_account(self.get_user_dn("acluser1"))
405 # Create second domain admin that will not be creator of OU parent-child structure
406 self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
407 self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
408 self.enable_account(self.get_user_dn("acluser2"))
409 # Test if we have any additional groups for users than default ones
411 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
412 % self.get_user_dn("acluser1") )
414 self.assertEqual( res[0]["memberOf"][0], "" )
419 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
420 % self.get_user_dn("acluser2") )
422 self.assertEqual( res[0]["memberOf"][0], "" )
427 # Modify acluser1 to be 'Doamin Admin' group member
428 self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
429 self.get_user_dn("acluser1"))
430 # Create LDAP connection with OUs crator domain admin credentials
431 ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
432 # Create LDAP connection with a regular user that has the right 'Crate child User objects'
433 ldb_guser = self.get_ldb_connection("acluser2", "samba123@")
434 # Make sure top OU is deleted (and so everything under it)
435 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
436 % ("OU=test_add_ou1", self.base_dn) )
437 self.assertEqual( res, [] )
438 # Change descriptor for top level OU
439 self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
440 user_sid = self.get_object_sid(self.get_user_dn("acluser2"))
441 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
442 self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
443 self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
444 # Test user and group creation with granted user only to one of the objects
445 self.create_user(ldb_guser, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
447 self.create_group(ldb_guser, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
448 except LdbError, (num, _):
449 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
452 # Make sure we HAVE created the one of two objects -- user
453 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
454 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
455 self.assertNotEqual( len(res), 0 )
456 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
457 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
458 self.assertEqual( res, [])
460 def test_add_domainadmin_owner(self):
461 """ 4 Testing OU with the rights of Doman Admin creator of the OU"""
464 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
465 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
466 self.enable_account(self.get_user_dn("acluser1"))
467 # Test if we have any additional groups for user than default
469 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
470 % self.get_user_dn("acluser1") )
472 self.assertEqual( res[0]["memberOf"][0], "" )
477 # Modify acluser1 to be 'Doamin Admin' group member
478 self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
479 self.get_user_dn("acluser1"))
480 # Create LDAP connection with OUs crator domain admin credentials
481 ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
482 # Make sure top OU is deleted (and so everything under it)
483 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
484 % ("OU=test_add_ou1", self.base_dn) )
485 self.assertEqual( res, [] )
486 self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
487 self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
488 self.create_user(ldb_owner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
489 self.create_group(ldb_owner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
490 # Make sure we have successfully created the two objects -- user and group
491 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
492 % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
493 self.assertTrue( len(res) > 0 )
494 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
495 % ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
496 self.assertTrue( len(res) > 0 )
498 def test_modify_u1(self):
499 """5 Modify one attribute if you have DS_WRITE_PROPERTY for it"""
502 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
503 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
504 self.enable_account(self.get_user_dn("acluser1"))
506 # Test if we have any additional groups for user than default
508 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
509 % self.get_user_dn("acluser1") )
511 self.assertEqual( res[0]["memberOf"][0], "" )
516 # Create user connectiona that we will test with
517 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
518 # First test object -- User
519 print "Testing modify on User object"
520 self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
521 self.create_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
522 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
523 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
524 self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
526 dn: """ + self.get_user_dn("test_modify_user1") + """
529 displayName: test_changed"""
530 ldb_user.modify_ldif(ldif)
531 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
532 % self.get_user_dn("test_modify_user1") )
533 self.assertEqual(res[0]["displayName"][0], "test_changed")
534 # Second test object -- Group
535 print "Testing modify on Group object"
536 self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
537 self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
538 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
539 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
540 self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
542 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
545 displayName: test_changed"""
546 ldb_user.modify_ldif(ldif)
547 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
548 % str("CN=test_modify_group1,CN=Users," + self.base_dn) )
549 self.assertEqual(res[0]["displayName"][0], "test_changed")
550 # Second test object -- Organizational Unit
551 print "Testing modify on OU object"
552 self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
553 self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
554 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
555 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
556 self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
558 dn: OU=test_modify_ou1,""" + self.base_dn + """
561 displayName: test_changed"""
562 ldb_user.modify_ldif(ldif)
563 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
564 % str("OU=test_modify_ou1," + self.base_dn) )
565 self.assertEqual(res[0]["displayName"][0], "test_changed")
567 def test_modify_u2(self):
568 """6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them"""
571 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
572 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
573 self.enable_account(self.get_user_dn("acluser1"))
574 # Test if we have any additional groups for user than default
576 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
577 % self.get_user_dn("acluser1") )
579 self.assertEqual( res[0]["memberOf"][0], "" )
584 # Create user connectiona that we will test with
585 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
586 # First test object -- User
587 print "Testing modify on User object"
588 self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
589 self.create_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
590 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
591 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
592 self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
593 # Modify on attribute you have rights for
595 dn: """ + self.get_user_dn("test_modify_user1") + """
598 displayName: test_changed"""
599 ldb_user.modify_ldif(ldif)
600 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
601 % self.get_user_dn("test_modify_user1") )
602 self.assertEqual(res[0]["displayName"][0], "test_changed")
603 # Modify on attribute you do not have rights for granted
605 dn: """ + self.get_user_dn("test_modify_user1") + """
608 url: www.samba.org"""
610 ldb_user.modify_ldif(ldif)
611 except LdbError, (num, _):
612 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
614 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
616 # Second test object -- Group
617 print "Testing modify on Group object"
618 self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
619 self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
620 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
621 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
622 self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
624 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
627 displayName: test_changed"""
628 ldb_user.modify_ldif(ldif)
629 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
630 % str("CN=test_modify_group1,CN=Users," + self.base_dn) )
631 self.assertEqual(res[0]["displayName"][0], "test_changed")
632 # Modify on attribute you do not have rights for granted
634 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
637 url: www.samba.org"""
639 ldb_user.modify_ldif(ldif)
640 except LdbError, (num, _):
641 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
643 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
645 # Second test object -- Organizational Unit
646 print "Testing modify on OU object"
647 self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
648 self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
649 user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
650 mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
651 self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
653 dn: OU=test_modify_ou1,""" + self.base_dn + """
656 displayName: test_changed"""
657 ldb_user.modify_ldif(ldif)
658 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
659 % str("OU=test_modify_ou1," + self.base_dn) )
660 self.assertEqual(res[0]["displayName"][0], "test_changed")
661 # Modify on attribute you do not have rights for granted
663 dn: OU=test_modify_ou1,""" + self.base_dn + """
666 url: www.samba.org"""
668 ldb_user.modify_ldif(ldif)
669 except LdbError, (num, _):
670 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
672 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
675 def test_modify_u3(self):
676 """7 Modify one attribute as you have no what so ever rights granted"""
679 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
680 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
681 self.enable_account(self.get_user_dn("acluser1"))
683 # Test if we have any additional groups for user than default
685 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
686 % self.get_user_dn("acluser1") )
688 self.assertEqual( res[0]["memberOf"][0], "" )
693 # Create user connectiona that we will test with
694 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
696 # First test object -- User
697 print "Testing modify on User object"
698 self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
699 self.create_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
700 # Modify on attribute you do not have rights for granted
702 dn: """ + self.get_user_dn("test_modify_user1") + """
705 url: www.samba.org"""
707 ldb_user.modify_ldif(ldif)
708 except LdbError, (num, _):
709 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
711 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
714 # Second test object -- Group
715 print "Testing modify on Group object"
716 self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
717 self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
718 # Modify on attribute you do not have rights for granted
720 dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
723 url: www.samba.org"""
725 ldb_user.modify_ldif(ldif)
726 except LdbError, (num, _):
727 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
729 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
732 # Second test object -- Organizational Unit
733 print "Testing modify on OU object"
734 self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
735 self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
736 # Modify on attribute you do not have rights for granted
738 dn: OU=test_modify_ou1,""" + self.base_dn + """
741 url: www.samba.org"""
743 ldb_user.modify_ldif(ldif)
744 except LdbError, (num, _):
745 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
747 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
751 def test_modify_u4(self):
752 """11 Grant WP to PRINCIPAL_SELF and test modify"""
755 self.delete_force(self.ldb_admin, self.get_user_dn("acluser3"))
756 self.create_user(self.ldb_admin, self.get_user_dn("acluser3"))
757 self.enable_account(self.get_user_dn("acluser3"))
758 # Test if we have any additional groups for user than default
760 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
761 % self.get_user_dn("acluser3") )
763 self.assertEqual( res[0]["memberOf"][0], "" )
768 # Create user connection that we will test with
769 ldb_user = self.get_ldb_connection("acluser3", "samba123@")
771 dn: """ + self.get_user_dn("acluser3") + """
773 add: adminDescription
774 adminDescription: blah blah blah"""
776 ldb_user.modify_ldif(ldif)
777 except LdbError, (num, _):
778 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
780 # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
783 mod = "(OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS)"
784 self.dacl_add_ace(self.get_user_dn("acluser3"), mod)
785 # Modify on attribute you have rights for
786 ldb_user.modify_ldif(ldif)
787 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
788 % self.get_user_dn("acluser3"), attrs=["adminDescription"] )
789 self.assertEqual(res[0]["adminDescription"][0], "blah blah blah")
791 #enable these when we have search implemented
792 def _test_search_u1(self):
793 """See if can prohibit user to read another User object"""
794 # Creating simple user to search with
796 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
797 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
798 self.enable_account(self.get_user_dn("acluser1"))
799 ou_dn = "OU=test_search_ou1," + self.base_dn
800 user_dn = "CN=test_search_user1," + ou_dn
802 self.delete_force(self.ldb_admin, ou_dn)
803 self.create_ou(self.ldb_admin, ou_dn)
804 desc = self.read_desc( ou_dn )
805 desc_sddl = desc.as_sddl( self.domain_sid )
806 # Parse descriptor's SDDL and remove all inherited ACEs reffering
807 # to 'Registered Users' or 'Authenticated Users'
808 desc_aces = re.findall("\(.*?\)", desc_sddl)
809 for ace in desc_aces:
810 if ("I" in ace) and (("RU" in ace) or ("AU" in ace)):
811 desc_sddl = desc_sddl.replace(ace, "")
812 # Add 'P' in the DACL so it breaks further inheritance
813 desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(")
814 # Create a security descriptor object and OU with that descriptor
815 desc = security.descriptor.from_sddl( desc_sddl, self.domain_sid )
816 self.delete_force(self.ldb_admin, ou_dn)
817 self.create_ou(self.ldb_admin, ou_dn, desc)
819 self.delete_force(self.ldb_admin, user_dn)
820 self.create_user(self.ldb_admin, user_dn)
821 desc = self.read_desc( user_dn )
822 desc_sddl = desc.as_sddl( self.domain_sid )
823 # Parse security descriptor SDDL and remove all 'Read' ACEs
825 desc_aces = re.findall("\(.*?\)", desc_sddl)
826 for ace in desc_aces:
827 if ("AU" in ace) and ("R" in ace):
828 desc_sddl = desc_sddl.replace(ace, "")
829 # Create user with the edited descriptor
830 desc = security.descriptor.from_sddl( desc_sddl, self.domain_sid )
831 self.delete_force(self.ldb_admin, user_dn)
832 self.create_user(self.ldb_admin, user_dn, desc)
833 # Create user connectiona that we will test with
834 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
835 res = ldb_user.search( self.base_dn, expression="(distinguishedName=%s)" \
837 self.assertEqual( res, [] )
839 def _test_search_u2(self):
840 """User's group ACEs cleared and after that granted RIGHT_DS_READ_PROPERTY to another User object"""
841 # Creating simple user to search with
843 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
844 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
845 self.enable_account(self.get_user_dn("acluser1"))
846 ou_dn = "OU=test_search_ou1," + self.base_dn
847 user_dn = "CN=test_search_user1," + ou_dn
849 self.delete_force(self.ldb_admin, ou_dn)
850 self.create_ou(self.ldb_admin, ou_dn)
851 desc = self.read_desc( ou_dn )
852 desc_sddl = desc.as_sddl( self.domain_sid )
853 # Parse descriptor's SDDL and remove all inherited ACEs reffering
854 # to 'Registered Users' or 'Authenticated Users'
855 desc_aces = re.findall("\(.*?\)", desc_sddl)
856 for ace in desc_aces:
857 if ("I" in ace) and (("RU" in ace) or ("AU" in ace)):
858 desc_sddl = desc_sddl.replace(ace, "")
859 # Add 'P' in the DACL so it breaks further inheritance
860 desc_sddl = desc_sddl.replace("D:AI(", "D:PAI(")
861 # Create a security descriptor object and OU with that descriptor
862 desc = security.descriptor.from_sddl( desc_sddl, self.domain_sid )
863 self.delete_force(self.ldb_admin, ou_dn)
864 self.create_ou(self.ldb_admin, ou_dn, desc)
866 self.delete_force(self.ldb_admin, user_dn)
867 self.create_user(self.ldb_admin, user_dn)
868 # Parse security descriptor SDDL and remove all 'Read' ACEs
870 desc_aces = re.findall("\(.*?\)", desc_sddl)
871 for ace in desc_aces:
872 if ("AU" in ace) and ("R" in ace):
873 desc_sddl = desc_sddl.replace(ace, "")
874 #mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)"
876 self.dacl_add_ace(user_dn, mod)
877 # Create user connectiona that we will test with
878 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
879 res = ldb_user.search( self.base_dn, expression="(distinguishedName=%s)" \
881 self.assertNotEqual( res, [] )
883 def test_delete_u1(self):
884 """User is prohibited by default to delete another User object"""
885 # Creating simple user to search with
887 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
888 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
889 self.enable_account(self.get_user_dn("acluser1"))
890 # Create user connectiona that we will test with
891 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
892 # Create user that we try to delete
893 self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user"))
894 self.create_user(self.ldb_admin, self.get_user_dn("test_delete_user"))
895 # Here delete User object should ALWAYS through exception
897 ldb_user.delete(self.get_user_dn("test_delete_user"))
898 except LdbError, (num, _):
899 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
903 def test_delete_u2(self):
904 """User's group has RIGHT_DELETE to another User object"""
905 user_dn = self.get_user_dn("test_delete_user1")
906 # Creating simple user to search with
908 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
909 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
910 self.enable_account(self.get_user_dn("acluser1"))
911 # Create user connectiona that we will test with
912 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
913 # Create user that we try to delete
914 self.delete_force(self.ldb_admin, user_dn)
915 self.create_user(self.ldb_admin, user_dn)
917 self.dacl_add_ace(user_dn, mod)
918 # Try to delete User object
919 ldb_user.delete( user_dn )
920 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
922 self.assertEqual( res, [] )
924 def test_delete_u3(self):
925 """User indentified by SID has RIGHT_DELETE to another User object"""
926 user_dn = self.get_user_dn("test_delete_user1")
927 # Creating simple user to search with
929 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
930 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
931 self.enable_account(self.get_user_dn("acluser1"))
932 # Create user connectiona that we will test with
933 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
934 # Create user that we try to delete
935 self.delete_force(self.ldb_admin, user_dn)
936 self.create_user(self.ldb_admin, user_dn)
937 mod = "(A;;SD;;;%s)" % str( self.get_object_sid(self.get_user_dn("acluser1")) )
938 self.dacl_add_ace(user_dn, mod)
939 # Try to delete User object
940 ldb_user.delete( user_dn )
941 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
943 self.assertEqual( res, [] )
945 def test_rename_u1(self):
946 """ 6 Regular user fails to rename 'User object' within single OU"""
947 # Creating simple user to search with
949 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
950 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
951 self.enable_account(self.get_user_dn("acluser1"))
952 # Create OU structure
953 self.create_ou(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn)
954 self.create_user(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn)
955 # Create user connectiona that we will test with
956 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
958 ldb_user.rename("CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn, \
959 "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn)
960 except LdbError, (num, _):
961 self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
965 def test_rename_u2(self):
966 """ 7 Grant WRITE_PROPERTY to AU so regular user can rename 'User object' within single OU"""
967 ou_dn = "OU=test_rename_ou1," + self.base_dn
968 user_dn = "CN=test_rename_user1," + ou_dn
969 rename_user_dn = "CN=test_rename_user5," + ou_dn
970 # Creating simple user to search with
972 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
973 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
974 self.enable_account(self.get_user_dn("acluser1"))
975 print "Test rename with rights granted to AU"
976 # Create OU structure
977 self.create_ou(self.ldb_admin, ou_dn)
978 self.create_user(self.ldb_admin, user_dn)
980 self.dacl_add_ace(user_dn, mod)
981 # Create user connectiona that we will test with
982 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
983 # Rename 'User object' having WP to AU
984 ldb_user.rename(user_dn, rename_user_dn)
985 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
987 self.assertEqual( res, [] )
988 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
990 self.assertNotEqual( res, [] )
991 print "Test rename with rights granted to 'User object' SID"
992 # Create OU structure
993 self.delete_force(self.ldb_admin, user_dn)
994 self.delete_force(self.ldb_admin, rename_user_dn)
995 self.delete_force(self.ldb_admin, ou_dn)
996 self.create_ou(self.ldb_admin, ou_dn)
997 self.create_user(self.ldb_admin, user_dn)
998 sid = self.get_object_sid(self.get_user_dn("acluser1"))
999 mod = "(A;;WP;;;%s)" % str(sid)
1000 self.dacl_add_ace(user_dn, mod)
1001 # Create user connectiona that we will test with
1002 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1003 # Rename 'User object' having WP to AU
1004 ldb_user.rename(user_dn, rename_user_dn)
1005 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1007 self.assertEqual( res, [] )
1008 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1010 self.assertNotEqual( res, [] )
1012 def test_rename_u3(self):
1013 """ 8 Rename 'User object' cross OU with WP, SD and CC right granted on reg. user to AU"""
1014 ou1_dn = "OU=test_rename_ou1," + self.base_dn
1015 ou2_dn = "OU=test_rename_ou2," + self.base_dn
1016 user_dn = "CN=test_rename_user2," + ou1_dn
1017 rename_user_dn = "CN=test_rename_user5," + ou2_dn
1018 # Creating simple user to search with
1020 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
1021 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
1022 self.enable_account(self.get_user_dn("acluser1"))
1023 print "Test rename with rights granted to AU"
1024 # Create OU structure
1025 self.create_ou(self.ldb_admin, ou1_dn)
1026 self.create_ou(self.ldb_admin, ou2_dn)
1027 self.create_user(self.ldb_admin, user_dn)
1028 mod = "(A;;WPSD;;;AU)"
1029 self.dacl_add_ace(user_dn, mod)
1030 mod = "(A;;CC;;;AU)"
1031 self.dacl_add_ace(ou2_dn, mod)
1032 # Create user connectiona that we will test with
1033 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1034 # Rename 'User object' having SD and CC to AU
1035 ldb_user.rename(user_dn, rename_user_dn)
1036 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1038 self.assertEqual( res, [] )
1039 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1041 self.assertNotEqual( res, [] )
1042 print "Test rename with rights granted to 'User object' SID"
1043 # Create OU structure
1044 self.delete_force(self.ldb_admin, user_dn)
1045 self.delete_force(self.ldb_admin, rename_user_dn)
1046 self.delete_force(self.ldb_admin, ou1_dn)
1047 self.delete_force(self.ldb_admin, ou2_dn)
1048 self.create_ou(self.ldb_admin, ou1_dn)
1049 self.create_ou(self.ldb_admin, ou2_dn)
1050 self.create_user(self.ldb_admin, user_dn)
1051 sid = self.get_object_sid(self.get_user_dn("acluser1"))
1052 mod = "(A;;WPSD;;;%s)" % str(sid)
1053 self.dacl_add_ace(user_dn, mod)
1054 mod = "(A;;CC;;;%s)" % str(sid)
1055 self.dacl_add_ace(ou2_dn, mod)
1056 # Create user connectiona that we will test with
1057 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1058 # Rename 'User object' having SD and CC to AU
1059 ldb_user.rename(user_dn, rename_user_dn)
1060 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1062 self.assertEqual( res, [] )
1063 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1065 self.assertNotEqual( res, [] )
1067 def test_rename_u4(self):
1068 """9 Rename 'User object' cross OU with WP, DC and CC right granted on OU & user to AU"""
1069 ou1_dn = "OU=test_rename_ou1," + self.base_dn
1070 ou2_dn = "OU=test_rename_ou2," + self.base_dn
1071 user_dn = "CN=test_rename_user2," + ou1_dn
1072 rename_user_dn = "CN=test_rename_user2," + ou2_dn
1073 # Creating simple user to search with
1075 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
1076 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
1077 self.enable_account(self.get_user_dn("acluser1"))
1078 # Create OU structure
1079 self.create_ou(self.ldb_admin, ou1_dn)
1080 self.create_ou(self.ldb_admin, ou2_dn)
1081 #mod = "(A;CI;DCWP;;;AU)"
1082 mod = "(A;;DC;;;AU)"
1083 self.dacl_add_ace(ou1_dn, mod)
1084 mod = "(A;;CC;;;AU)"
1085 self.dacl_add_ace(ou2_dn, mod)
1086 self.create_user(self.ldb_admin, user_dn)
1087 mod = "(A;;WP;;;AU)"
1088 self.dacl_add_ace(user_dn, mod)
1089 # Create user connectiona that we will test with
1090 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1091 # Rename 'User object' having SD and CC to AU
1092 ldb_user.rename(user_dn, rename_user_dn)
1093 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1095 self.assertEqual( res, [] )
1096 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1098 self.assertNotEqual( res, [] )
1100 def test_rename_u5(self):
1101 """10 Rename 'User object' cross OU (second level) with WP, DC and CC right granted on OU to AU"""
1102 ou1_dn = "OU=test_rename_ou1," + self.base_dn
1103 ou2_dn = "OU=test_rename_ou2," + self.base_dn
1104 ou3_dn = "OU=test_rename_ou3," + ou2_dn
1105 user_dn = "CN=test_rename_user2," + ou1_dn
1106 rename_user_dn = "CN=test_rename_user5," + ou3_dn
1107 # Creating simple user to search with
1109 self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
1110 self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
1111 self.enable_account(self.get_user_dn("acluser1"))
1112 # Create OU structure
1113 self.create_ou(self.ldb_admin, ou1_dn)
1114 self.create_ou(self.ldb_admin, ou2_dn)
1115 self.create_ou(self.ldb_admin, ou3_dn)
1116 mod = "(A;CI;WPDC;;;AU)"
1117 self.dacl_add_ace(ou1_dn, mod)
1118 mod = "(A;;CC;;;AU)"
1119 self.dacl_add_ace(ou3_dn, mod)
1120 self.create_user(self.ldb_admin, user_dn)
1121 # Create user connectiona that we will test with
1122 ldb_user = self.get_ldb_connection("acluser1", "samba123@")
1123 # Rename 'User object' having SD and CC to AU
1124 ldb_user.rename(user_dn, rename_user_dn)
1125 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1127 self.assertEqual( res, [] )
1128 res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
1130 self.assertNotEqual( res, [] )
1132 # Important unit running information
1134 if not "://" in host:
1135 host = "ldap://%s" % host
1136 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
1138 runner = SubunitTestRunner()
1140 if not runner.run(unittest.makeSuite(AclTests)).wasSuccessful():