+ self.ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["sAMAccountName"] = MessageElement(["nam1","nam2"], FLAG_MOD_REPLACE,
+ "sAMAccountName")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["sAMAccountName"] = MessageElement("testgroupXX", FLAG_MOD_REPLACE,
+ "sAMAccountName")
+ ldb.modify(m)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["sAMAccountName"] = MessageElement("testgroupXX2", FLAG_MOD_ADD,
+ "sAMAccountName")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
+
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ def test_multi_valued_attributes(self):
+ """Test multi-valued attributes"""
+ print "Test multi-valued attributes"""
+
+# TODO: In this test I added some special tests where I got very unusual
+# results back from a real AD. s4 doesn't match them and I've no idea how to
+# implement those error cases (maybe there exists a special trigger for
+# "description" attributes which handle them)
+
+ self.ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "description": "desc2",
+ "objectclass": "group",
+ "description": "desc1"})
+
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ self.ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group",
+ "description": ["desc1", "desc2"]})
+
+# m = Message()
+# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+# m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
+# "description")
+# try:
+# ldb.modify(m)
+# self.fail()
+# except LdbError, (num, _):
+# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
+ "description")
+ ldb.modify(m)
+
+# m = Message()
+# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+# m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
+# "description")
+# try:
+# ldb.modify(m)
+# self.fail()
+# except LdbError, (num, _):
+# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
+ "description")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
+ "description")
+ ldb.modify(m)
+
+# m = Message()
+# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+# m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
+# "description")
+# try:
+# ldb.modify(m)
+# self.fail()
+# except LdbError, (num, _):
+# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
+
+# m = Message()
+# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+# m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
+# "description")
+# try:
+# ldb.modify(m)
+# self.fail()
+# except LdbError, (num, _):
+# self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
+ "description")
+ ldb.modify(m)
+
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ def test_empty_messages(self):
+ """Test empty messages"""
+ print "Test empty messages"""
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ try:
+ ldb.add(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
+
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ def test_empty_attributes(self):
+ """Test empty attributes"""
+ print "Test empty attributes"""
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["objectClass"] = MessageElement("group", FLAG_MOD_ADD, "objectClass")
+ m["description"] = MessageElement([], FLAG_MOD_ADD, "description")
+
+ try:
+ ldb.add(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+ self.ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["description"] = MessageElement([], FLAG_MOD_ADD, "description")
+
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["description"] = MessageElement([], FLAG_MOD_REPLACE, "description")
+ ldb.modify(m)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["description"] = MessageElement([], FLAG_MOD_DELETE, "description")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
+
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ def test_distinguished_name(self):
+ """Tests the 'distinguishedName' attribute"""
+ print "Tests the 'distinguishedName' attribute"""
+
+ self.ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["distinguishedName"] = MessageElement(
+ "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_ADD,
+ "distinguishedName")
+
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["distinguishedName"] = MessageElement(
+ "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_REPLACE,
+ "distinguishedName")
+
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["distinguishedName"] = MessageElement(
+ "cn=ldaptestuser,cn=users," + self.base_dn, FLAG_MOD_DELETE,
+ "distinguishedName")
+
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+ def test_rdn_name(self):
+ """Tests the RDN"""
+ print "Tests the RDN"""
+
+ try:
+ self.ldb.add({
+ "dn": "description=xyz,cn=users," + self.base_dn,
+ "objectclass": "group"})
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NAMING_VIOLATION)
+
+ self.delete_force(self.ldb, "description=xyz,cn=users," + self.base_dn)
+
+ self.ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["name"] = MessageElement("cn=ldaptestuser", FLAG_MOD_REPLACE,
+ "name")
+
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN)
+
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["cn"] = MessageElement("ldaptestuser",
+ FLAG_MOD_REPLACE, "cn")
+
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NOT_ALLOWED_ON_RDN)
+
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
+
+ # this test needs to be disabled until we really understand
+ # what the rDN length constraints are
+ def DISABLED_test_largeRDN(self):
+ """Testing large rDN (limit 64 characters)"""
+ rdn = "CN=a012345678901234567890123456789012345678901234567890123456789012";
+ self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
+ ldif = """
+dn: %s,%s""" % (rdn,self.base_dn) + """
+objectClass: container
+"""
+ self.ldb.add_ldif(ldif)
+ self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
+
+ rdn = "CN=a0123456789012345678901234567890123456789012345678901234567890120";
+ self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
+ try:
+ ldif = """
+dn: %s,%s""" % (rdn,self.base_dn) + """
+objectClass: container
+"""
+ self.ldb.add_ldif(ldif)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+ self.delete_force(self.ldb, "%s,%s" % (rdn, self.base_dn))
+
+ def test_rename(self):
+ """Tests the rename operation"""
+ print "Tests the rename operations"""
+
+ self.ldb.add({
+ "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
+ "objectclass": ["user", "person"] })
+
+ ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn)
+ ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn)
+ ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestUSER3,cn=users," + self.base_dn)
+ try:
+ ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, ",cn=users," + self.base_dn)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INVALID_DN_SYNTAX)
+
+ self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
+
+ def test_parentGUID(self):
+ """Test parentGUID behaviour"""
+ print "Testing parentGUID behaviour\n"
+
+ # TODO: This seems to fail on Windows Server. Hidden attribute?
+
+ self.ldb.add({
+ "dn": "cn=parentguidtest,cn=users," + self.base_dn,
+ "objectclass":"user",
+ "samaccountname":"parentguidtest"});
+ res1 = ldb.search(base="cn=parentguidtest,cn=users," + self.base_dn, scope=SCOPE_BASE,
+ attrs=["parentGUID"]);
+ res2 = ldb.search(base="cn=users," + self.base_dn,scope=SCOPE_BASE,
+ attrs=["objectGUID"]);
+ self.assertEquals(res1[0]["parentGUID"], res2[0]["objectGUID"]);
+
+ print "Testing parentGUID behaviour on rename\n"
+
+ self.ldb.add({
+ "dn": "cn=testotherusers," + self.base_dn,
+ "objectclass":"container"});
+ res1 = ldb.search(base="cn=testotherusers," + self.base_dn,scope=SCOPE_BASE,
+ attrs=["objectGUID"]);
+ ldb.rename("cn=parentguidtest,cn=users," + self.base_dn,
+ "cn=parentguidtest,cn=testotherusers," + self.base_dn);
+ res2 = ldb.search(base="cn=parentguidtest,cn=testotherusers," + self.base_dn,
+ scope=SCOPE_BASE,
+ attrs=["parentGUID"]);
+ self.assertEquals(res1[0]["objectGUID"], res2[0]["parentGUID"]);
+
+ self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn)
+ self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn)
+
+ def test_groupType_int32(self):
+ """Test groupType (int32) behaviour (should appear to be casted to a 32 bit signed integer before comparsion)"""
+ print "Testing groupType (int32) behaviour\n"
+
+ res1 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
+ attrs=["groupType"], expression="groupType=2147483653");
+
+ res2 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
+ attrs=["groupType"], expression="groupType=-2147483643");
+
+ self.assertEquals(len(res1), len(res2))
+
+ self.assertTrue(res1.count > 0)
+
+ self.assertEquals(res1[0]["groupType"][0], "-2147483643")
+
+ def test_groups(self):
+ """This tests the group behaviour (setting, changing) of a user account"""
+ print "Testing group behaviour\n"
+
+ ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ ldb.add({
+ "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn,
+ "objectclass": "group"})
+
+ res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["objectSID"])
+ self.assertTrue(len(res1) == 1)
+ group_rid_1 = dom_sid_to_rid(ldb.schema_format_value("objectSID",
+ res1[0]["objectSID"][0]))
+
+ res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["objectSID"])
+ self.assertTrue(len(res1) == 1)
+ group_rid_2 = dom_sid_to_rid(ldb.schema_format_value("objectSID",
+ res1[0]["objectSID"][0]))
+
+ # Try to create a user with an invalid primary group
+ try:
+ ldb.add({
+ "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+ "objectclass": ["user", "person"],
+ "primaryGroupID": "0"})
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
+ # Try to Create a user with a valid primary group
+# TODO Some more investigation needed here
+# try:
+# ldb.add({
+# "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+# "objectclass": ["user", "person"],
+# "primaryGroupID": str(group_rid_1)})
+# self.fail()
+# except LdbError, (num, _):
+# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+# self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
+ ldb.add({
+ "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+ "objectclass": ["user", "person"]})
+
+ # Try to add invalid primary group
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
+ "primaryGroupID")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+ # Try to make group 1 primary - should be denied since it is not yet
+ # secondary
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ m["primaryGroupID"] = MessageElement(str(group_rid_1),
+ FLAG_MOD_REPLACE, "primaryGroupID")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+ # Make group 1 secondary
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["member"] = "cn=ldaptestuser,cn=users," + self.base_dn
+ ldb.modify(m)
+
+ # Make group 1 primary
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ m["primaryGroupID"] = MessageElement(str(group_rid_1),
+ FLAG_MOD_REPLACE, "primaryGroupID")
+ ldb.modify(m)
+
+ # Try to delete group 1 - should be denied
+ try:
+ ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
+
+ # Try to add group 1 also as secondary - should be denied
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["member"] = "cn=ldaptestuser,cn=users," + self.base_dn
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
+
+ # Try to add invalid member to group 1 - should be denied
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+ m["member"] = MessageElement(
+ "cn=ldaptestuser3,cn=users," + self.base_dn,
+ FLAG_MOD_ADD, "member")
+ try:
+ ldb.modify(m)
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_NO_SUCH_OBJECT)
+
+ # Make group 2 secondary
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
+ m["member"] = "cn=ldaptestuser,cn=users," + self.base_dn
+ ldb.modify(m)
+
+ # Swap the groups
+ m = Message()
+ m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ m["primaryGroupID"] = MessageElement(str(group_rid_2),
+ FLAG_MOD_REPLACE, "primaryGroupID")
+ ldb.modify(m)
+
+ # Old primary group should contain a "member" attribute for the user,
+ # the new shouldn't contain anymore one
+ res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["member"])
+ self.assertTrue(len(res1) == 1)
+ self.assertTrue(len(res1[0]["member"]) == 1)
+ self.assertEquals(res1[0]["member"][0].lower(),
+ ("cn=ldaptestuser,cn=users," + self.base_dn).lower())
+
+ res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn,
+ scope=SCOPE_BASE, attrs=["member"])
+ self.assertTrue(len(res1) == 1)
+ self.assertFalse("member" in res1[0])
+
+ # Also this should be denied
+ try:
+ ldb.add({
+ "dn": "cn=ldaptestuser1,cn=users," + self.base_dn,
+ "objectclass": ["user", "person"],
+ "primaryGroupID": "0"})
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)