import optparse
import sys
import time
+import random
+import base64
sys.path.append("bin/python")
+sys.path.append("../lib/subunit/python")
import samba.getopt as options
from samba.auth import system_session
-from ldb import (SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError,
- LDB_ERR_NO_SUCH_OBJECT, LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS,
- LDB_ERR_ENTRY_ALREADY_EXISTS, LDB_ERR_UNWILLING_TO_PERFORM,
- LDB_ERR_NOT_ALLOWED_ON_NON_LEAF, LDB_ERR_OTHER, LDB_ERR_INVALID_DN_SYNTAX)
-from samba import Ldb
+from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
+from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
+from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM
+from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX
+from ldb import ERR_NO_SUCH_ATTRIBUTE, ERR_INSUFFICIENT_ACCESS_RIGHTS
+from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN
+from ldb import Message, MessageElement, Dn, FLAG_MOD_ADD, FLAG_MOD_REPLACE
+from samba import Ldb, param, dom_sid_to_rid
+from samba import UF_NORMAL_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT
+from samba import UF_SERVER_TRUST_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT
+from samba import UF_INTERDOMAIN_TRUST_ACCOUNT
+from samba import UF_PASSWD_NOTREQD, UF_ACCOUNTDISABLE
+from samba import GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
+from samba import GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP
+from samba import GTYPE_SECURITY_UNIVERSAL_GROUP
+from samba import GTYPE_DISTRIBUTION_GLOBAL_GROUP
+from samba import GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP
+from samba import GTYPE_DISTRIBUTION_UNIVERSAL_GROUP
+from samba import ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST
+from samba import ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP
+from samba import ATYPE_SECURITY_UNIVERSAL_GROUP
+from samba import ATYPE_DISTRIBUTION_GLOBAL_GROUP
+from samba import ATYPE_DISTRIBUTION_LOCAL_GROUP
+from samba import ATYPE_DISTRIBUTION_UNIVERSAL_GROUP
+
from subunit import SubunitTestRunner
-from samba import param
import unittest
+from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc import security
+
parser = optparse.OptionParser("ldap [options] <host>")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
def delete_force(self, ldb, dn):
try:
ldb.delete(dn)
- except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_NO_SUCH_OBJECT)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_OBJECT)
def find_basedn(self, ldb):
- res = ldb.search(base="", expression="", scope=SCOPE_BASE,
+ res = ldb.search(base="", expression="", scope=SCOPE_BASE,
attrs=["defaultNamingContext"])
self.assertEquals(len(res), 1)
return res[0]["defaultNamingContext"][0]
self.assertEquals(len(res), 1)
return res[0]["schemaNamingContext"][0]
+ def find_domain_sid(self):
+ res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
+ return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+
def setUp(self):
self.ldb = ldb
self.gc_ldb = gc_ldb
self.base_dn = self.find_basedn(ldb)
self.configuration_dn = self.find_configurationdn(ldb)
self.schema_dn = self.find_schemadn(ldb)
+ self.domain_sid = self.find_domain_sid()
print "baseDN: %s\n" % self.base_dn
self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestuser4,cn=users," + self.base_dn)
self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà ,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà ,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestcontainer2," + self.base_dn)
+ self.delete_force(self.ldb, "cn=parentguidtest,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn)
+ self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn)
+
+ def test_system_only(self):
+ """Test systemOnly objects"""
+ print "Test systemOnly objects"""
+
+ try:
+ self.ldb.add({
+ "dn": "cn=ldaptestobject," + self.base_dn,
+ "objectclass": "configuration"})
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+ self.delete_force(self.ldb, "cn=ldaptestobject," + self.base_dn)
+
+ def test_invalid_attribute(self):
+ """Test adding invalid attributes (not in schema)"""
+ print "Test adding invalid attributes (not in schema)"""
- def test_group_add_invalid_member(self):
- """Testing group add with invalid member"""
try:
self.ldb.add({
- "dn": "cn=ldaptestgroup,cn=uSers," + self.base_dn,
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
"objectclass": "group",
- "member": "cn=ldaptestuser,cn=useRs," + self.base_dn})
+ "thisdoesnotexist": "x"})
self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_NO_SUCH_OBJECT)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
- def test_all(self):
- """Basic tests"""
+ self.ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["thisdoesnotexist"] = MessageElement("x", FLAG_MOD_REPLACE,
+ "thisdoesnotexist")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
+
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ def test_distinguished_name(self):
+ """Tests the 'distinguishedName' attribute"""
+ print "Tests the 'distinguishedName' attribute"""
+
+ self.ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["distinguishedName"] = MessageElement(
+ "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_REPLACE,
+ "distinguishedName")
+
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ def test_rdn_name(self):
+ """Tests the RDN"""
+ print "Tests the RDN"""
+
+ self.ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["name"] = MessageElement("cn=ldaptestuser", FLAG_MOD_REPLACE,
+ "name")
+
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["cn"] = MessageElement("ldaptestuser",
+ FLAG_MOD_REPLACE, "cn")
+
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN)
+
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ def test_rename(self):
+ """Tests the rename operation"""
+ print "Tests the rename operations"""
+
+ self.ldb.add({
+ "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
+ "objectclass": ["user", "person"] })
+
+ ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn)
+ ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn)
+ ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestUSER3,cn=users," + self.base_dn)
+ try:
+ ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, ",cn=users," + self.base_dn)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INVALID_DN_SYNTAX)
+
+ self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
+
+ def test_parentGUID(self):
+ """Test parentGUID behaviour"""
+ print "Testing parentGUID behaviour\n"
+ # TODO: This seems to fail on Windows Server. Hidden attribute?
+
+ self.ldb.add({
+ "dn": "cn=parentguidtest,cn=users," + self.base_dn,
+ "objectclass":"user",
+ "samaccountname":"parentguidtest"});
+ res1 = ldb.search(base="cn=parentguidtest,cn=users," + self.base_dn, scope=SCOPE_BASE,
+ attrs=["parentGUID"]);
+ res2 = ldb.search(base="cn=users," + self.base_dn,scope=SCOPE_BASE,
+ attrs=["objectGUID"]);
+ self.assertEquals(res1[0]["parentGUID"], res2[0]["objectGUID"]);
+
+ print "Testing parentGUID behaviour on rename\n"
+
+ self.ldb.add({
+ "dn": "cn=testotherusers," + self.base_dn,
+ "objectclass":"container"});
+ res1 = ldb.search(base="cn=testotherusers," + self.base_dn,scope=SCOPE_BASE,
+ attrs=["objectGUID"]);
+ ldb.rename("cn=parentguidtest,cn=users," + self.base_dn,
+ "cn=parentguidtest,cn=testotherusers," + self.base_dn);
+ res2 = ldb.search(base="cn=parentguidtest,cn=testotherusers," + self.base_dn,
+ scope=SCOPE_BASE,
+ attrs=["parentGUID"]);
+ self.assertEquals(res1[0]["objectGUID"], res2[0]["parentGUID"]);
+
+ self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn)
+ self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn)
+
+ def test_groupType_int32(self):
+ """Test groupType (int32) behaviour (should appear to be casted to a 32 bit signed integer before comparsion)"""
+ print "Testing groupType (int32) behaviour\n"
+
+ res1 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
+ attrs=["groupType"], expression="groupType=2147483653");
+
+ res2 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
+ attrs=["groupType"], expression="groupType=-2147483643");
+
+ self.assertEquals(len(res1), len(res2))
+
+ self.assertTrue(res1.count > 0)
+
+ self.assertEquals(res1[0]["groupType"][0], "-2147483643")
+
+ def test_groups(self):
+ """This tests the group behaviour (setting, changing) of a user account"""
+ print "Testing group behaviour\n"
+
+ ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ ldb.add({
+ "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["objectSID"])
+ self.assertTrue(len(res1) == 1)
+ group_rid_1 = dom_sid_to_rid(ldb.schema_format_value("objectSID",
+ res1[0]["objectSID"][0]))
+
+ res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["objectSID"])
+ self.assertTrue(len(res1) == 1)
+ group_rid_2 = dom_sid_to_rid(ldb.schema_format_value("objectSID",
+ res1[0]["objectSID"][0]))
+
+ # Try to create a user with an invalid primary group
+ try:
+ ldb.add({
+ "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+ "objectclass": ["user", "person"],
+ "primaryGroupID": "0"})
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ # Try to Create a user with a valid primary group
+# TODO Some more investigation needed here
+# try:
+# ldb.add({
+# "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+# "objectclass": ["user", "person"],
+# "primaryGroupID": str(group_rid_1)})
+# self.fail()
+# except LdbError, (num, _):
+# self.assertEquasl(num, ERR_UNWILLING_TO_PERFORM)
+# self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
+ ldb.add({
+ "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+ "objectclass": ["user", "person"]})
+
+ # Try to add invalid primary group
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
+ "primaryGroupID")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+ # Try to make group 1 primary - should be denied since it is not yet
+ # secondary
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ m["primaryGroupID"] = MessageElement(str(group_rid_1),
+ FLAG_MOD_REPLACE, "primaryGroupID")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+ # Make group 1 secondary
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["member"] = "cn=ldaptestuser,cn=users," + self.base_dn
+ ldb.modify(m)
+
+ # Make group 1 primary
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ m["primaryGroupID"] = MessageElement(str(group_rid_1),
+ FLAG_MOD_REPLACE, "primaryGroupID")
+ ldb.modify(m)
+
+ # Try to delete group 1 - should be denied
+ try:
+ ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
+
+ # Try to add group 1 also as secondary - should be denied
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["member"] = "cn=ldaptestuser,cn=users," + self.base_dn
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
+
+ # Try to add invalid member to group 1 - should be denied
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["member"] = MessageElement(
+ "cn=ldaptestuser3,cn=users," + self.base_dn,
+ FLAG_MOD_ADD, "member")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_OBJECT)
+
+ # Make group 2 secondary
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
+ m["member"] = "cn=ldaptestuser,cn=users," + self.base_dn
+ ldb.modify(m)
+
+ # Swap the groups
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ m["primaryGroupID"] = MessageElement(str(group_rid_2),
+ FLAG_MOD_REPLACE, "primaryGroupID")
+ ldb.modify(m)
+
+ # Old primary group should contain a "member" attribute for the user,
+ # the new shouldn't contain anymore one
+ res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["member"])
+ self.assertTrue(len(res1) == 1)
+ self.assertTrue(len(res1[0]["member"]) == 1)
+ self.assertEquals(res1[0]["member"][0].lower(),
+ ("cn=ldaptestuser,cn=users," + self.base_dn).lower())
+
+ res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["member"])
+ self.assertTrue(len(res1) == 1)
+ self.assertFalse("member" in res1[0])
+
+ # Also this should be denied
+ try:
+ ldb.add({
+ "dn": "cn=ldaptestuser1,cn=users," + self.base_dn,
+ "objectclass": ["user", "person"],
+ "primaryGroupID": "0"})
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+ self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
+
+ def test_primary_group_token(self):
+ """Test the primary group token behaviour (hidden-generated-readonly attribute on groups)"""
+ print "Testing primary group token behaviour\n"
+
+ ldb.add({
+ "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+ "objectclass": ["user", "person"]})
+
+ ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["primaryGroupToken"])
+ self.assertTrue(len(res1) == 1)
+ self.assertFalse("primaryGroupToken" in res1[0])
+
+ res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
+ scope=SCOPE_BASE)
+ self.assertTrue(len(res1) == 1)
+ self.assertFalse("primaryGroupToken" in res1[0])
+
+ res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"])
+ self.assertTrue(len(res1) == 1)
+ primary_group_token = int(res1[0]["primaryGroupToken"][0])
+
+ rid = dom_sid_to_rid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0]))
+ self.assertEquals(primary_group_token, rid)
+
+# TODO Has to wait until we support read-only generated attributes correctly
+# m = Message()
+# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+# m["primaryGroupToken"] = "100"
+# try:
+# ldb.modify(m)
+# self.fail()
+# except LdbError, (num, msg):
+
+ self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ def test_all(self):
+ """Basic tests"""
+
print "Testing user add"
+
ldb.add({
- "dn": "cn=ldaptestuser,cn=uSers," + self.base_dn,
- "objectclass": ["user", "person"],
- "cN": "LDAPtestUSER",
- "givenname": "ldap",
- "sn": "testy"})
+ "dn": "cn=ldaptestuser,cn=uSers," + self.base_dn,
+ "objectclass": ["user", "person"],
+ "cN": "LDAPtestUSER",
+ "givenname": "ldap",
+ "sn": "testy"})
ldb.add({
"dn": "cn=ldaptestgroup,cn=uSers," + self.base_dn,
"objectclass": "group",
"member": "cn=ldaptestuser,cn=useRs," + self.base_dn})
- self.delete_force(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
ldb.add({
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
"objectclass": "computer",
"cN": "LDAPtestCOMPUTER"})
- self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn)
ldb.add({"dn": "cn=ldaptest2computer,cn=computers," + self.base_dn,
"objectClass": "computer",
"cn": "LDAPtest2COMPUTER",
- "userAccountControl": "4096",
+ "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT),
"displayname": "ldap testy"})
- self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
try:
ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn,
"objectClass": "computer",
"cn": "LDAPtest2COMPUTER"
})
self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_INVALID_DN_SYNTAX)
-
- self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
- try:
- ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn,
- "objectClass": "computer",
- "cn": "ldaptestcomputer3",
- "sAMAccountType": "805306368"
- })
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_UNWILLING_TO_PERFORM)
-
- self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INVALID_DN_SYNTAX)
+
try:
ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn,
"objectClass": "computer",
"cn": "ldaptestcomputer3",
- "userAccountControl": "0"
+ "sAMAccountType": str(ATYPE_NORMAL_ACCOUNT)
})
self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_UNWILLING_TO_PERFORM)
-
- self.delete_force(self.ldb, "cn=ldaptestuser7,cn=users," + self.base_dn)
- try:
- ldb.add({"dn": "cn=ldaptestuser7,cn=users," + self.base_dn,
- "objectClass": "user",
- "cn": "LDAPtestuser7",
- "userAccountControl": "0"
- })
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_UNWILLING_TO_PERFORM)
-
- self.delete_force(self.ldb, "cn=ldaptestuser7,cn=users," + self.base_dn)
-
- ldb.add({"dn": "cn=ldaptestuser7,cn=users," + self.base_dn,
- "objectClass": "user",
- "cn": "LDAPtestuser7",
- "userAccountControl": "2"
- })
-
- self.delete_force(self.ldb, "cn=ldaptestuser7,cn=users," + self.base_dn)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
- self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn,
"objectClass": "computer",
"cn": "LDAPtestCOMPUTER3"
})
-
+
print "Testing ldb.search for (&(cn=ldaptestcomputer3)(objectClass=user))";
res = ldb.search(self.base_dn, expression="(&(cn=ldaptestcomputer3)(objectClass=user))");
self.assertEquals(len(res), 1, "Found only %d for (&(cn=ldaptestcomputer3)(objectClass=user))" % len(res))
self.assertTrue("whenCreated" in res[0])
self.assertEquals(res[0]["objectCategory"][0], ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn));
self.assertEquals(int(res[0]["primaryGroupID"][0]), 513);
- self.assertEquals(int(res[0]["sAMAccountType"][0]), 805306368);
- self.assertEquals(int(res[0]["userAccountControl"][0]), 546);
+ self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT);
+ self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE);
self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
""")
self.fail()
except LdbError, (num, msg):
- self.assertEquals(num, LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS)
+ self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
ldb.modify_ldif("""
dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
""")
self.fail()
except LdbError, (num, msg):
- self.assertEquals(num, LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS)
+ self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
print "Testing ranged results"
ldb.modify_ldif("""
changetype: modify
replace: servicePrincipalName
""")
-
+
ldb.modify_ldif("""
dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """
changetype: modify
servicePrincipalName: host/ldaptest2computer29
""")
- res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE,
+ res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE,
attrs=["servicePrincipalName;range=0-*"])
self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
#print len(res[0]["servicePrincipalName;range=0-*"])
# print res[0]["servicePrincipalName;range=0-19"].length
self.assertEquals(len(res[0]["servicePrincipalName;range=0-19"]), 20)
-
+
res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-30"])
self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30)
self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
self.assertEquals(len(res[0]["servicePrincipalName;range=30-*"]), 0)
-
+
res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=10-40"])
self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)")
self.assertEquals(len(res[0]["servicePrincipalName;range=10-*"]), 20)
self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn))
self.assertEquals(res[0]["cn"][0], "ldaptestuser")
- self.assertEquals(res[0]["name"], "ldaptestuser")
+ self.assertEquals(str(res[0]["name"]), "ldaptestuser")
# Testing ldb.search for (&(anr=testy)(objectClass=user))
res = ldb.search(expression="(&(anr=testy)(objectClass=user))")
self.assertEquals(len(res), 1, "Could not find (&(anr=testy ldap user)(objectClass=user))")
self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestuser2")
- self.assertEquals(res[0]["name"], "ldaptestuser2")
+ self.assertEquals(str(res[0]["cn"]), "ldaptestuser2")
+ self.assertEquals(str(res[0]["name"]), "ldaptestuser2")
# Testing ldb.search for (&(anr==testy ldap user2)(objectClass=user))
# res = ldb.search(expression="(&(anr==testy ldap user2)(objectClass=user))")
# self.assertEquals(len(res), 1, "Could not find (&(anr==testy ldap user2)(objectClass=user))")
self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestuser2")
- self.assertEquals(res[0]["name"], "ldaptestuser2")
+ self.assertEquals(str(res[0]["cn"]), "ldaptestuser2")
+ self.assertEquals(str(res[0]["name"]), "ldaptestuser2")
# Testing ldb.search for (&(anr==ldap user2)(objectClass=user))
# res = ldb.search(expression="(&(anr==ldap user2)(objectClass=user))")
# self.assertEquals(len(res), 1, "Could not find (&(anr==ldap user2)(objectClass=user))")
self.assertEquals(str(res[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestuser2")
- self.assertEquals(res[0]["name"], "ldaptestuser2")
+ self.assertEquals(str(res[0]["cn"]), "ldaptestuser2")
+ self.assertEquals(str(res[0]["name"]), "ldaptestuser2")
# Testing ldb.search for (&(anr==not ldap user2)(objectClass=user))
# res = ldb.search(expression="(&(anr==not ldap user2)(objectClass=user))")
# res = ldb.search(expression="(&(anr==\"testy ldap\")(objectClass=user))")
# self.assertEquals(len(res), 0, "Found (&(anr==\"testy ldap\")(objectClass=user))")
- print "Testing Group Modifies"
- ldb.modify_ldif("""
-dn: cn=ldaptestgroup,cn=users,""" + self.base_dn + """
-changetype: modify
-add: member
-member: cn=ldaptestuser2,cn=users,""" + self.base_dn + """
-member: cn=ldaptestcomputer,cn=computers,""" + self.base_dn + """
-""")
-
- self.delete_force(ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
-
- print "Testing adding non-existent user to a group"
- try:
- ldb.modify_ldif("""
-dn: cn=ldaptestgroup,cn=users,""" + self.base_dn + """
-changetype: modify
-add: member
-member: cn=ldaptestuser3,cn=users,""" + self.base_dn + """
-""")
- self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_NO_SUCH_OBJECT)
-
print "Testing Renames"
- ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn)
-
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn)
+ attrs = ["objectGUID", "objectSid"]
+ print "Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))"
+ res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs)
+ self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))")
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestUSER3,cn=users," + self.base_dn)
+ # Check rename works with extended/alternate DN forms
+ ldb.rename("<SID=" + ldb.schema_format_value("objectSID", res_user[0]["objectSID"][0]) + ">" , "cn=ldaptestUSER3,cn=users," + self.base_dn)
print "Testing ldb.search for (&(cn=ldaptestuser3)(objectClass=user))"
res = ldb.search(expression="(&(cn=ldaptestuser3)(objectClass=user))")
self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser3)(objectClass=user))")
self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestUSER3")
- self.assertEquals(res[0]["name"], "ldaptestUSER3")
+ self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
+ self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
#"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))"
res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))")
self.assertEquals(len(res), 1, "(&(&(cn=ldaptestuser3)(userAccountControl=*))(objectClass=user))")
self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestUSER3")
- self.assertEquals(res[0]["name"], "ldaptestUSER3")
+ self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
+ self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
#"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))"
res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))")
self.assertEquals(len(res), 1, "(&(&(cn=ldaptestuser3)(userAccountControl=546))(objectClass=user))")
self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestUSER3")
- self.assertEquals(res[0]["name"], "ldaptestUSER3")
+ self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
+ self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
#"Testing ldb.search for (&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))"
res = ldb.search(expression="(&(&(cn=ldaptestuser3)(userAccountControl=547))(objectClass=user))")
res = ldb.search(expression="(distinguishedName=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")")
self.assertEquals(len(res), 1, "Could not find (dn=CN=ldaptestUSER3,CN=Users," + self.base_dn + ")")
self.assertEquals(str(res[0].dn), ("CN=ldaptestUSER3,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestUSER3")
- self.assertEquals(res[0]["name"], "ldaptestUSER3")
+ self.assertEquals(str(res[0]["cn"]), "ldaptestUSER3")
+ self.assertEquals(str(res[0]["name"]), "ldaptestUSER3")
# ensure we cannot add it again
try:
"cn": "LDAPtestUSER3"})
self.fail()
except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_ENTRY_ALREADY_EXISTS)
+ self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
# rename back
ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn)
- # ensure we cannnot rename it twice
+ # ensure we cannot rename it twice
try:
- ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn,
+ ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn,
"cn=ldaptestuser2,cn=users," + self.base_dn)
self.fail()
- except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_NO_SUCH_OBJECT)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_OBJECT)
# ensure can now use that name
ldb.add({"dn": "cn=ldaptestuser3,cn=users," + self.base_dn,
"objectClass": ["person", "user"],
"cn": "LDAPtestUSER3"})
-
- # ensure we now cannnot rename
+
+ # ensure we now cannot rename
try:
ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn)
self.fail()
except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_ENTRY_ALREADY_EXISTS)
+ self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
try:
ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=configuration," + self.base_dn)
self.fail()
ldb.rename("cn=ldaptestgroup,cn=users," + self.base_dn, "cn=ldaptestgroup2,cn=users," + self.base_dn)
- print "Testing subtree Renames"
+ print "Testing subtree renames"
- ldb.add({"dn": "cn=ldaptestcontainer," + self.base_dn,
+ ldb.add({"dn": "cn=ldaptestcontainer," + self.base_dn,
"objectClass": "container"})
-
- self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer," + self.base_dn)
- ldb.add({"dn": "CN=ldaptestuser4,CN=ldaptestcontainer," + self.base_dn,
+
+ ldb.add({"dn": "CN=ldaptestuser4,CN=ldaptestcontainer," + self.base_dn,
"objectClass": ["person", "user"],
"cn": "LDAPtestUSER4"})
changetype: modify
add: member
member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """
+member: cn=ldaptestcomputer,cn=computers,""" + self.base_dn + """
+member: cn=ldaptestuser2,cn=users,""" + self.base_dn + """
""")
-
+
print "Testing ldb.rename of cn=ldaptestcontainer," + self.base_dn + " to cn=ldaptestcontainer2," + self.base_dn
ldb.rename("CN=ldaptestcontainer," + self.base_dn, "CN=ldaptestcontainer2," + self.base_dn)
print "Testing subtree ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn
try:
- ldb.search("cn=ldaptestcontainer," + self.base_dn,
- expression="(&(cn=ldaptestuser4)(objectClass=user))",
+ res = ldb.search("cn=ldaptestcontainer," + self.base_dn,
+ expression="(&(cn=ldaptestuser4)(objectClass=user))",
scope=SCOPE_SUBTREE)
- self.fail()
+ self.fail(res)
except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_NO_SUCH_OBJECT)
+ self.assertEquals(num, ERR_NO_SUCH_OBJECT)
print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn
try:
- res = ldb.search("cn=ldaptestcontainer," + self.base_dn,
+ res = ldb.search("cn=ldaptestcontainer," + self.base_dn,
expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_ONELEVEL)
self.fail()
except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_NO_SUCH_OBJECT)
+ self.assertEquals(num, ERR_NO_SUCH_OBJECT)
print "Testing ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in renamed container"
res = ldb.search("cn=ldaptestcontainer2," + self.base_dn, expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_SUBTREE)
print "Testing ldb.search for (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)) to check subtree renames and linked attributes"
res = ldb.search(self.base_dn, expression="(&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group))", scope=SCOPE_SUBTREE)
- self.assertEquals(len(res), 1, "Could not find (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)), perhaps linked attributes are not conistant with subtree renames?")
+ self.assertEquals(len(res), 1, "Could not find (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)), perhaps linked attributes are not consistant with subtree renames?")
print "Testing ldb.rename (into itself) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn
try:
ldb.rename("cn=ldaptestcontainer2," + self.base_dn, "cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn)
self.fail()
except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_UNWILLING_TO_PERFORM)
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
print "Testing ldb.rename (into non-existent container) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer3," + self.base_dn
try:
ldb.rename("cn=ldaptestcontainer2," + self.base_dn, "cn=ldaptestcontainer,cn=ldaptestcontainer3," + self.base_dn)
self.fail()
except LdbError, (num, _):
- self.assertTrue(num in (LDB_ERR_UNWILLING_TO_PERFORM, LDB_ERR_OTHER))
+ self.assertTrue(num in (ERR_UNWILLING_TO_PERFORM, ERR_OTHER))
print "Testing delete (should fail, not a leaf node) of renamed cn=ldaptestcontainer2," + self.base_dn
try:
ldb.delete("cn=ldaptestcontainer2," + self.base_dn)
self.fail()
except LdbError, (num, _):
- self.assertEquals(num, LDB_ERR_NOT_ALLOWED_ON_NON_LEAF)
+ self.assertEquals(num, ERR_NOT_ALLOWED_ON_NON_LEAF)
print "Testing base ldb.search for CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn
res = ldb.search(expression="(objectclass=*)", base=("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn), scope=SCOPE_BASE)
ldb.delete(("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn))
print "Testing delete of renamed cn=ldaptestcontainer2," + self.base_dn
ldb.delete("cn=ldaptestcontainer2," + self.base_dn)
-
- self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà ,cn=users," + self.base_dn)
+
ldb.add({"dn": "cn=ldaptestutf8user èùéìòà ,cn=users," + self.base_dn, "objectClass": "user"})
- self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà ,cn=users," + self.base_dn)
ldb.add({"dn": "cn=ldaptestutf8user2 èùéìòà ,cn=users," + self.base_dn, "objectClass": "user"})
print "Testing ldb.search for (&(cn=ldaptestuser)(objectClass=user))"
self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser)(objectClass=user))")
self.assertEquals(str(res[0].dn), ("CN=ldaptestuser,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestuser")
- self.assertEquals(res[0]["name"], "ldaptestuser")
- self.assertEquals(res[0]["objectClass"], ["top", "person", "organizationalPerson", "user"])
+ self.assertEquals(str(res[0]["cn"]), "ldaptestuser")
+ self.assertEquals(str(res[0]["name"]), "ldaptestuser")
+ self.assertEquals(set(res[0]["objectClass"]), set(["top", "person", "organizationalPerson", "user"]))
self.assertTrue("objectGUID" in res[0])
self.assertTrue("whenCreated" in res[0])
- self.assertEquals(res[0]["objectCategory"], ("CN=Person,CN=Schema,CN=Configuration," + self.base_dn))
- self.assertEquals(int(res[0]["sAMAccountType"][0]), 805306368)
- self.assertEquals(int(res[0]["userAccountControl"][0]), 546)
+ self.assertEquals(str(res[0]["objectCategory"]), ("CN=Person,CN=Schema,CN=Configuration," + self.base_dn))
+ self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT)
+ self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)
self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
self.assertEquals(len(res[0]["memberOf"]), 1)
-
+
print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))"
res2 = ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))")
self.assertEquals(len(res2), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))")
print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog"
res3gc = gc_ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=PerSon))")
self.assertEquals(len(res3gc), 1)
-
+
self.assertEquals(res[0].dn, res3gc[0].dn)
print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in with 'phantom root' control"
-
+
res3control = gc_ldb.search(self.base_dn, expression="(&(cn=ldaptestuser)(objectCategory=PerSon))", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"])
self.assertEquals(len(res3control), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog")
-
+
self.assertEquals(res[0].dn, res3control[0].dn)
ldb.delete(res[0].dn)
self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestuser)(objectClass=user))")
self.assertEquals(str(res[0].dn), ("CN=ldaptestcomputer,CN=Computers," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestcomputer")
- self.assertEquals(res[0]["name"], "ldaptestcomputer")
- self.assertEquals(res[0]["objectClass"], ["top", "person", "organizationalPerson", "user", "computer"])
+ self.assertEquals(str(res[0]["cn"]), "ldaptestcomputer")
+ self.assertEquals(str(res[0]["name"]), "ldaptestcomputer")
+ self.assertEquals(set(res[0]["objectClass"]), set(["top", "person", "organizationalPerson", "user", "computer"]))
self.assertTrue("objectGUID" in res[0])
self.assertTrue("whenCreated" in res[0])
- self.assertEquals(res[0]["objectCategory"], ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn))
+ self.assertEquals(str(res[0]["objectCategory"]), ("CN=Computer,CN=Schema,CN=Configuration," + self.base_dn))
self.assertEquals(int(res[0]["primaryGroupID"][0]), 513)
- self.assertEquals(int(res[0]["sAMAccountType"][0]), 805306368)
- self.assertEquals(int(res[0]["userAccountControl"][0]), 546)
+ self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_NORMAL_ACCOUNT)
+ self.assertEquals(int(res[0]["userAccountControl"][0]), UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)
self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
self.assertEquals(len(res[0]["memberOf"]), 1)
self.assertEquals(res[0].dn, res6[0].dn)
- ldb.delete(res[0].dn)
+ ldb.delete("<GUID=" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + ">")
print "Testing ldb.search for (&(cn=ldaptest2computer)(objectClass=user))"
res = ldb.search(expression="(&(cn=ldaptest2computer)(objectClass=user))")
self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptest2computer)(objectClass=user))")
- self.assertEquals(res[0].dn, ("CN=ldaptest2computer,CN=Computers," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptest2computer")
- self.assertEquals(res[0]["name"], "ldaptest2computer")
- self.assertEquals(res[0]["objectClass"], ["top", "person", "organizationalPerson", "user", "computer"])
+ self.assertEquals(str(res[0].dn), "CN=ldaptest2computer,CN=Computers," + self.base_dn)
+ self.assertEquals(str(res[0]["cn"]), "ldaptest2computer")
+ self.assertEquals(str(res[0]["name"]), "ldaptest2computer")
+ self.assertEquals(list(res[0]["objectClass"]), ["top", "person", "organizationalPerson", "user", "computer"])
self.assertTrue("objectGUID" in res[0])
self.assertTrue("whenCreated" in res[0])
self.assertEquals(res[0]["objectCategory"][0], "CN=Computer,CN=Schema,CN=Configuration," + self.base_dn)
- self.assertEquals(int(res[0]["sAMAccountType"][0]), 805306369)
- self.assertEquals(int(res[0]["userAccountControl"][0]), 4096)
+ self.assertEquals(int(res[0]["sAMAccountType"][0]), ATYPE_WORKSTATION_TRUST)
+ self.assertEquals(int(res[0]["userAccountControl"][0]), UF_WORKSTATION_TRUST_ACCOUNT)
- ldb.delete(res[0].dn)
+ ldb.delete("<SID=" + ldb.schema_format_value("objectSID", res[0]["objectSID"][0]) + ">")
- attrs = ["cn", "name", "objectClass", "objectGUID", "whenCreated", "nTSecurityDescriptor", "memberOf"]
+ attrs = ["cn", "name", "objectClass", "objectGUID", "objectSID", "whenCreated", "nTSecurityDescriptor", "memberOf", "allowedAttributes", "allowedAttributesEffective"]
print "Testing ldb.search for (&(cn=ldaptestUSer2)(objectClass=user))"
- res = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs)
- self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))")
-
- self.assertEquals(res[0].dn, ("CN=ldaptestuser2,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestuser2")
- self.assertEquals(res[0]["name"], "ldaptestuser2")
- self.assertEquals(res[0]["objectClass"], ["top", "person", "organizationalPerson", "user"])
- self.assertTrue("objectGUID" in res[0])
- self.assertTrue("whenCreated" in res[0])
- self.assertTrue("nTSecurityDescriptor" in res[0])
- self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
-
- attrs = ["cn", "name", "objectClass", "objectGUID", "whenCreated", "nTSecurityDescriptor", "member"]
+ res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs)
+ self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))")
+
+ self.assertEquals(str(res_user[0].dn), ("CN=ldaptestuser2,CN=Users," + self.base_dn))
+ self.assertEquals(str(res_user[0]["cn"]), "ldaptestuser2")
+ self.assertEquals(str(res_user[0]["name"]), "ldaptestuser2")
+ self.assertEquals(list(res_user[0]["objectClass"]), ["top", "person", "organizationalPerson", "user"])
+ self.assertTrue("objectSid" in res_user[0])
+ self.assertTrue("objectGUID" in res_user[0])
+ self.assertTrue("whenCreated" in res_user[0])
+ self.assertTrue("nTSecurityDescriptor" in res_user[0])
+ self.assertTrue("allowedAttributes" in res_user[0])
+ self.assertTrue("allowedAttributesEffective" in res_user[0])
+ self.assertEquals(res_user[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper())
+
+ ldaptestuser2_sid = res_user[0]["objectSid"][0]
+ ldaptestuser2_guid = res_user[0]["objectGUID"][0]
+
+ attrs = ["cn", "name", "objectClass", "objectGUID", "objectSID", "whenCreated", "nTSecurityDescriptor", "member", "allowedAttributes", "allowedAttributesEffective"]
print "Testing ldb.search for (&(cn=ldaptestgroup2)(objectClass=group))"
res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs)
self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))")
- self.assertEquals(res[0].dn, ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestgroup2")
- self.assertEquals(res[0]["name"], "ldaptestgroup2")
- self.assertEquals(res[0]["objectClass"], ["top", "group"])
- self.assertTrue("objectGuid" not in res[0])
+ self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
+ self.assertEquals(str(res[0]["cn"]), "ldaptestgroup2")
+ self.assertEquals(str(res[0]["name"]), "ldaptestgroup2")
+ self.assertEquals(list(res[0]["objectClass"]), ["top", "group"])
+ self.assertTrue("objectGUID" in res[0])
+ self.assertTrue("objectSid" in res[0])
self.assertTrue("whenCreated" in res[0])
self.assertTrue("nTSecurityDescriptor" in res[0])
- self.assertEquals(res[0]["member"][0].upper(), ("CN=ldaptestuser2,CN=Users," + self.base_dn).upper())
+ self.assertTrue("allowedAttributes" in res[0])
+ self.assertTrue("allowedAttributesEffective" in res[0])
+ memberUP = []
+ for m in res[0]["member"]:
+ memberUP.append(m.upper())
+ self.assertTrue(("CN=ldaptestuser2,CN=Users," + self.base_dn).upper() in memberUP)
+
+ res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs, controls=["extended_dn:1:1"])
+ self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))")
+
+ print res[0]["member"]
+ memberUP = []
+ for m in res[0]["member"]:
+ memberUP.append(m.upper())
+ print ("<GUID=" + ldb.schema_format_value("objectGUID", ldaptestuser2_guid) + ">;<SID=" + ldb.schema_format_value("objectSid", ldaptestuser2_sid) + ">;CN=ldaptestuser2,CN=Users," + self.base_dn).upper()
+
+ self.assertTrue(("<GUID=" + ldb.schema_format_value("objectGUID", ldaptestuser2_guid) + ">;<SID=" + ldb.schema_format_value("objectSid", ldaptestuser2_sid) + ">;CN=ldaptestuser2,CN=Users," + self.base_dn).upper() in memberUP)
+ print "Testing Linked attribute behaviours"
ldb.modify_ldif("""
dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
changetype: modify
member: CN=ldaptestuser2,CN=Users,""" + self.base_dn + """
member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
""")
-
- print "Testing Linked attribute behaviours"
+
ldb.modify_ldif("""
-dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
+dn: <GUID=""" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + """>
+changetype: modify
+replace: member
+member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
+""")
+
+ ldb.modify_ldif("""
+dn: <SID=""" + ldb.schema_format_value("objectSid", res[0]["objectSid"][0]) + """>
changetype: modify
delete: member
""")
dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
changetype: modify
add: member
-member: CN=ldaptestuser2,CN=Users,""" + self.base_dn + """
+member: <GUID=""" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + """>
member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
""")
-
+
ldb.modify_ldif("""
dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
changetype: modify
replace: member
""")
-
+
ldb.modify_ldif("""
dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
changetype: modify
add: member
-member: CN=ldaptestuser2,CN=Users,""" + self.base_dn + """
+member: <SID=""" + ldb.schema_format_value("objectSid", res_user[0]["objectSid"][0]) + """>
member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
""")
-
+
ldb.modify_ldif("""
dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
changetype: modify
delete: member
member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
""")
-
+
res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs)
self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))")
- self.assertEquals(res[0].dn, ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
+ self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
self.assertEquals(res[0]["member"][0], ("CN=ldaptestuser2,CN=Users," + self.base_dn))
self.assertEquals(len(res[0]["member"]), 1)
res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs)
self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group)) to check linked delete")
- self.assertEquals(res[0].dn, ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
+ self.assertEquals(str(res[0].dn), ("CN=ldaptestgroup2,CN=Users," + self.base_dn))
self.assertTrue("member" not in res[0])
print "Testing ldb.search for (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))"
res = ldb.search(expression="(&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))")
self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestutf8user ÈÙÉÌÒÀ)(objectClass=user))")
- self.assertEquals(res[0].dn, ("CN=ldaptestutf8user èùéìòà,CN=Users," + self.base_dn))
- self.assertEquals(res[0]["cn"], "ldaptestutf8user èùéìòà")
- self.assertEquals(res[0]["name"], "ldaptestutf8user èùéìòà")
- self.assertEquals(res[0]["objectClass"], ["top", "person", "organizationalPerson", "user"])
+ self.assertEquals(str(res[0].dn), ("CN=ldaptestutf8user èùéìòà,CN=Users," + self.base_dn))
+ self.assertEquals(str(res[0]["cn"]), "ldaptestutf8user èùéìòà")
+ self.assertEquals(str(res[0]["name"]), "ldaptestutf8user èùéìòà")
+ self.assertEquals(list(res[0]["objectClass"]), ["top", "person", "organizationalPerson", "user"])
self.assertTrue("objectGUID" in res[0])
self.assertTrue("whenCreated" in res[0])
if gc_ldb is not None:
print "Testing that we can get at the configuration DN from the main search base on the GC port with the search_options control == 0"
-
+
res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:0"])
self.assertTrue(len(res) > 0)
print "Testing that we do find configuration elements in the global catlog"
res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"])
self.assertTrue(len(res) > 0)
-
+
print "Testing that we do find configuration elements and user elements at the same time"
res = gc_ldb.search(self.base_dn, expression="(|(objectClass=crossRef)(objectClass=person))", scope=SCOPE_SUBTREE, attrs=["cn"])
self.assertTrue(len(res) > 0)
res = ldb.search(self.configuration_dn, expression="objectCategory=ntDsDSA", scope=SCOPE_SUBTREE, attrs=["cn"])
self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=ntDsDSA")
self.assertTrue(len(res) != 0)
-
+
res = ldb.search(self.configuration_dn, expression="objectCategory=CN=ntDs-DSA," + self.schema_dn, scope=SCOPE_SUBTREE, attrs=["cn"])
self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=CN=ntDs-DSA," + self.schema_dn)
self.assertTrue(len(res) != 0)
-
+
print "Testing objectClass attribute order on "+ self.base_dn
- res = ldb.search(expression="objectClass=domain", base=self.base_dn,
+ res = ldb.search(expression="objectClass=domain", base=self.base_dn,
scope=SCOPE_BASE, attrs=["objectClass"])
self.assertEquals(len(res), 1)
- self.assertEquals(res[0]["objectClass"], ["top", "domain", "domainDNS"])
+ self.assertEquals(list(res[0]["objectClass"]), ["top", "domain", "domainDNS"])
# check enumeration
print "Testing ldb.search for objectCategory=person with domain scope control"
res = ldb.search(self.base_dn, expression="objectCategory=person", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
self.assertTrue(len(res) > 0)
-
+
print "Testing ldb.search for objectCategory=user"
res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"])
self.assertTrue(len(res) > 0)
-
+
print "Testing ldb.search for objectCategory=user with domain scope control"
res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
self.assertTrue(len(res) > 0)
-
+
print "Testing ldb.search for objectCategory=group"
res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"])
self.assertTrue(len(res) > 0)
res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
self.assertTrue(len(res) > 0)
+ self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestuser4,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptest2computer,cn=computers," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà ,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà ,cn=users," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
+ self.delete_force(self.ldb, "cn=ldaptestcontainer2," + self.base_dn)
+
+ def test_security_descriptor_add(self):
+ """ Testing ldb.add_ldif() for nTSecurityDescriptor """
+ user_name = "testdescriptoruser1"
+ user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
+ #
+ # Test add_ldif() with SDDL security descriptor input
+ #
+ self.delete_force(self.ldb, user_dn)
+ try:
+ sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+ self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name + """
+nTSecurityDescriptor: """ + sddl)
+ res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+ desc = res[0]["nTSecurityDescriptor"][0]
+ desc = ndr_unpack( security.descriptor, desc )
+ desc_sddl = desc.as_sddl( self.domain_sid )
+ self.assertEqual(desc_sddl, sddl)
+ finally:
+ self.delete_force(self.ldb, user_dn)
+ #
+ # Test add_ldif() with BASE64 security descriptor
+ #
+ try:
+ sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+ desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+ desc_binary = ndr_pack(desc)
+ desc_base64 = base64.b64encode(desc_binary)
+ self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name + """
+nTSecurityDescriptor:: """ + desc_base64)
+ res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+ desc = res[0]["nTSecurityDescriptor"][0]
+ desc = ndr_unpack(security.descriptor, desc)
+ desc_sddl = desc.as_sddl(self.domain_sid)
+ self.assertEqual(desc_sddl, sddl)
+ finally:
+ self.delete_force(self.ldb, user_dn)
+
+ def test_security_descriptor_add_neg(self):
+ """Test add_ldif() with BASE64 security descriptor input using WRONG domain SID
+ Negative test
+ """
+ user_name = "testdescriptoruser1"
+ user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
+ self.delete_force(self.ldb, user_dn)
+ try:
+ sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+ desc = security.descriptor.from_sddl(sddl, security.dom_sid('S-1-5-21'))
+ desc_base64 = base64.b64encode( ndr_pack(desc) )
+ self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name + """
+nTSecurityDescriptor:: """ + desc_base64)
+ res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+ print res
+ self.assertRaises(KeyError, lambda: res[0]["nTSecurityDescriptor"])
+ finally:
+ self.delete_force(self.ldb, user_dn)
+
+ def test_security_descriptor_modify(self):
+ """ Testing ldb.modify_ldif() for nTSecurityDescriptor """
+ user_name = "testdescriptoruser2"
+ user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
+ #
+ # Delete user object and test modify_ldif() with SDDL security descriptor input
+ # Add ACE to the original descriptor test
+ #
+ try:
+ self.delete_force(self.ldb, user_dn)
+ self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+ # Modify descriptor
+ res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+ desc = res[0]["nTSecurityDescriptor"][0]
+ desc = ndr_unpack(security.descriptor, desc)
+ desc_sddl = desc.as_sddl(self.domain_sid)
+ sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):]
+ mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor: """ + sddl
+ self.ldb.modify_ldif(mod)
+ # Read modified descriptor
+ res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+ desc = res[0]["nTSecurityDescriptor"][0]
+ desc = ndr_unpack(security.descriptor, desc)
+ desc_sddl = desc.as_sddl(self.domain_sid)
+ self.assertEqual(desc_sddl, sddl)
+ finally:
+ self.delete_force(self.ldb, user_dn)
+ #
+ # Test modify_ldif() with SDDL security descriptor input
+ # New desctiptor test
+ #
+ try:
+ self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+ # Modify descriptor
+ sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+ mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor: """ + sddl
+ self.ldb.modify_ldif(mod)
+ # Read modified descriptor
+ res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+ desc = res[0]["nTSecurityDescriptor"][0]
+ desc = ndr_unpack(security.descriptor, desc)
+ desc_sddl = desc.as_sddl(self.domain_sid)
+ self.assertEqual(desc_sddl, sddl)
+ finally:
+ self.delete_force(self.ldb, user_dn)
+ #
+ # Test modify_ldif() with BASE64 security descriptor input
+ # Add ACE to the original descriptor test
+ #
+ try:
+ self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+ # Modify descriptor
+ res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+ desc = res[0]["nTSecurityDescriptor"][0]
+ desc = ndr_unpack(security.descriptor, desc)
+ desc_sddl = desc.as_sddl(self.domain_sid)
+ sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):]
+ desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+ desc_base64 = base64.b64encode(ndr_pack(desc))
+ mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor:: """ + desc_base64
+ self.ldb.modify_ldif(mod)
+ # Read modified descriptor
+ res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+ desc = res[0]["nTSecurityDescriptor"][0]
+ desc = ndr_unpack(security.descriptor, desc)
+ desc_sddl = desc.as_sddl(self.domain_sid)
+ self.assertEqual(desc_sddl, sddl)
+ finally:
+ self.delete_force(self.ldb, user_dn)
+ #
+ # Test modify_ldif() with BASE64 security descriptor input
+ # New descriptor test
+ #
+ try:
+ self.delete_force(self.ldb, user_dn)
+ self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+ # Modify descriptor
+ sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+ desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+ desc_base64 = base64.b64encode(ndr_pack(desc))
+ mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor:: """ + desc_base64
+ self.ldb.modify_ldif(mod)
+ # Read modified descriptor
+ res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+ desc = res[0]["nTSecurityDescriptor"][0]
+ desc = ndr_unpack(security.descriptor, desc)
+ desc_sddl = desc.as_sddl(self.domain_sid)
+ self.assertEqual(desc_sddl, sddl)
+ finally:
+ self.delete_force(self.ldb, user_dn)
class BaseDnTests(unittest.TestCase):
def setUp(self):
def test_netlogon_highestcommitted_usn(self):
"""Testing for netlogon and highestCommittedUSN via LDAP"""
- res = self.ldb.search("", scope=SCOPE_BASE,
+ res = self.ldb.search("", scope=SCOPE_BASE,
attrs=["netlogon", "highestCommittedUSN"])
self.assertEquals(len(res), 0)
class SchemaTests(unittest.TestCase):
+ def delete_force(self, ldb, dn):
+ try:
+ ldb.delete(dn)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_OBJECT)
+
def find_schemadn(self, ldb):
res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
self.assertEquals(len(res), 1)
return res[0]["schemaNamingContext"][0]
+ def find_basedn(self, ldb):
+ res = ldb.search(base="", expression="", scope=SCOPE_BASE,
+ attrs=["defaultNamingContext"])
+ self.assertEquals(len(res), 1)
+ return res[0]["defaultNamingContext"][0]
+
def setUp(self):
self.ldb = ldb
self.schema_dn = self.find_schemadn(ldb)
+ self.base_dn = self.find_basedn(ldb)
def test_generated_schema(self):
"""Testing we can read the generated schema via LDAP"""
- res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE,
+ res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE,
attrs=["objectClasses", "attributeTypes", "dITContentRules"])
self.assertEquals(len(res), 1)
self.assertTrue("dITContentRules" in res[0])
def test_generated_schema_is_operational(self):
"""Testing we don't get the generated schema via LDAP by default"""
- res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE,
+ res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE,
attrs=["*"])
self.assertEquals(len(res), 1)
self.assertFalse("dITContentRules" in res[0])
self.assertFalse("objectClasses" in res[0])
self.assertFalse("attributeTypes" in res[0])
-
+
+ def test_schemaUpdateNow(self):
+ """Testing schemaUpdateNow"""
+ class_name = "test-class" + time.strftime("%s", time.gmtime())
+ class_ldap_display_name = class_name.replace("-", "")
+ object_name = "obj" + time.strftime("%s", time.gmtime())
+
+ ldif = """
+dn: CN=%s,%s""" % (class_name, self.schema_dn) + """
+lDAPDisplayName: """ + class_ldap_display_name + """
+objectClass: top
+objectClass: classSchema
+adminDescription: """ + class_name + """
+adminDisplayName: """ + class_name + """
+cn: """ + class_name + """
+objectCategory: CN=Class-Schema,""" + self.schema_dn + """
+defaultObjectCategory: CN=%s,%s""" % (class_name, self.schema_dn) + """
+distinguishedName: CN=%s,%s""" % (class_name, self.schema_dn) + """
+governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
+instanceType: 4
+name: """ + class_name + """
+objectClassCategory: 1
+subClassOf: organizationalPerson
+systemFlags: 16
+rDNAttID: cn
+systemMustContain: cn
+systemOnly: FALSE
+"""
+ self.ldb.add_ldif(ldif)
+ ldif = """
+dn:
+changetype: modify
+add: schemaUpdateNow
+schemaUpdateNow: 1
+"""
+ self.ldb.modify_ldif(ldif)
+ ldif = """
+dn: CN=%s,CN=Users,%s"""% (object_name, self.base_dn) + """
+objectClass: organizationalPerson
+objectClass: person
+objectClass: """ + class_ldap_display_name + """
+objectClass: top
+cn: """ + object_name + """
+instanceType: 4
+objectCategory: CN=%s,%s"""% (class_name, self.schema_dn) + """
+distinguishedName: CN=%s,CN=Users,%s"""% (object_name, self.base_dn) + """
+name: """ + object_name + """
+"""
+ self.ldb.add_ldif(ldif)
+ # Search for created objectClass
+ res = []
+ res = self.ldb.search("cn=%s,%s" % (class_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"])
+ self.assertNotEqual(res, [])
+
+ res = []
+ res = self.ldb.search("cn=%s,cn=Users,%s" % (object_name, self.base_dn), scope=SCOPE_BASE, attrs=["*"])
+ self.assertNotEqual(res, [])
+ # Delete the object
+ self.delete_force(self.ldb, "cn=%s,cn=Users,%s" % (object_name, self.base_dn))
+
if not "://" in host:
host = "ldap://%s" % host
ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
-gc_ldb = Ldb("%s:3268" % host, credentials=creds,
+gc_ldb = Ldb("%s:3268" % host, credentials=creds,
session_info=system_session(), lp=lp)
runner = SubunitTestRunner()