source4/auth/credentials/tests/bind.py

   1 #!/usr/bin/env python
   2 # -*- coding: utf-8 -*-
   3 # This is unit with tests for LDAP access checks
   4
   5 import optparse
   6 import sys
   7 import base64
   8 import re
   9 import os
  10 import copy
  11 import time
  12
  13 sys.path.append("bin/python")
  14 import samba
  15 samba.ensure_external_module("testtools", "testtools")
  16 samba.ensure_external_module("subunit", "subunit/python")
  17
  18 import samba.getopt as options
  19
  20 from ldb import (
  21     SCOPE_BASE, SCOPE_SUBTREE, LdbError, ERR_NO_SUCH_OBJECT)
  22 from samba.dcerpc import security
  23
  24 from samba.auth import system_session
  25 from samba import gensec
  26 from samba.samdb import SamDB
  27 from samba.credentials import Credentials
  28 import samba.tests
  29 from samba.tests import delete_force
  30 from subunit.run import SubunitTestRunner
  31 import unittest
  32
  33 parser = optparse.OptionParser("ldap [options] <host>")
  34 sambaopts = options.SambaOptions(parser)
  35 parser.add_option_group(sambaopts)
  36
  37 # use command line creds if available
  38 credopts = options.CredentialsOptions(parser)
  39 parser.add_option_group(credopts)
  40 opts, args = parser.parse_args()
  41
  42 if len(args) < 1:
  43     parser.print_usage()
  44     sys.exit(1)
  45
  46 host = args[0]
  47 lp = sambaopts.get_loadparm()
  48 creds = credopts.get_credentials(lp)
  49 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
  50 creds_machine = copy.deepcopy(creds)
  51 creds_user1 = copy.deepcopy(creds)
  52 creds_user2 = copy.deepcopy(creds)
  53 creds_user3 = copy.deepcopy(creds)
  54
  55 class BindTests(samba.tests.TestCase):
  56
  57     info_dc = None
  58
  59     def setUp(self):
  60         super(BindTests, self).setUp()
  61         # fetch rootDSEs
  62         if self.info_dc is None:
  63             res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
  64             self.assertEquals(len(res), 1)
  65             BindTests.info_dc = res[0]
  66         # cache some of RootDSE props
  67         self.schema_dn = self.info_dc["schemaNamingContext"][0]
  68         self.domain_dn = self.info_dc["defaultNamingContext"][0]
  69         self.config_dn = self.info_dc["configurationNamingContext"][0]
  70         self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn
  71         self.password = "P@ssw0rd"
  72         self.username = "BindTestUser_" + time.strftime("%s", time.gmtime())
  73
  74     def tearDown(self):
  75         super(BindTests, self).tearDown()
  76
  77     def test_computer_account_bind(self):
  78         # create a computer acocount for the test
  79         delete_force(ldb, self.computer_dn)
  80         ldb.add_ldif("""
  81 dn: """ + self.computer_dn + """
  82 cn: CENTOS53
  83 displayName: CENTOS53$
  84 name: CENTOS53
  85 sAMAccountName: CENTOS53$
  86 countryCode: 0
  87 objectClass: computer
  88 objectClass: organizationalPerson
  89 objectClass: person
  90 objectClass: top
  91 objectClass: user
  92 codePage: 0
  93 userAccountControl: 4096
  94 dNSHostName: centos53.alabala.test
  95 operatingSystemVersion: 5.2 (3790)
  96 operatingSystem: Windows Server 2003
  97 """)
  98         ldb.modify_ldif("""
  99 dn: """ + self.computer_dn + """
 100 changetype: modify
 101 replace: unicodePwd
 102 unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
 103 """)
 104
 105         # do a simple bind and search with the machine account
 106         creds_machine.set_bind_dn(self.computer_dn)
 107         creds_machine.set_password(self.password)
 108         print "BindTest with: " + creds_machine.get_bind_dn()
 109         ldb_machine = SamDB(host, credentials=creds_machine, session_info=system_session(), lp=lp)
 110         res = ldb_machine.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 111
 112     def test_user_account_bind(self):
 113         # create user
 114         ldb.newuser(username=self.username, password=self.password)
 115         ldb_res = ldb.search(base=self.domain_dn,
 116                                       scope=SCOPE_SUBTREE,
 117                                       expression="(samAccountName=%s)" % self.username)
 118         self.assertEquals(len(ldb_res), 1)
 119         user_dn = ldb_res[0]["dn"]
 120
 121         # do a simple bind and search with the user account in format user@realm
 122         creds_user1.set_bind_dn(self.username + "@" + creds.get_realm())
 123         creds_user1.set_password(self.password)
 124         print "BindTest with: " + creds_user1.get_bind_dn()
 125         ldb_user1 = SamDB(host, credentials=creds_user1, session_info=system_session(), lp=lp)
 126         res = ldb_user1.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 127
 128         # do a simple bind and search with the user account in format domain\user
 129         creds_user2.set_bind_dn(creds.get_domain() + "\\" + self.username)
 130         creds_user2.set_password(self.password)
 131         print "BindTest with: " + creds_user2.get_bind_dn()
 132         ldb_user2 = SamDB(host, credentials=creds_user2, lp=lp)
 133         res = ldb_user2.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 134
 135         # do a simple bind and search with the user account DN
 136         creds_user3.set_bind_dn(str(user_dn))
 137         creds_user3.set_password(self.password)
 138         print "BindTest with: " + creds_user3.get_bind_dn()
 139         ldb_user3 = SamDB(host, credentials=creds_user3, session_info=system_session(), lp=lp)
 140         res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 141
 142 if not "://" in host:
 143     host = "ldap://%s" % host
 144 ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp)
 145
 146 runner = SubunitTestRunner()
 147 rc = 0
 148 if not runner.run(unittest.makeSuite(BindTests)).wasSuccessful():
 149     rc = 1
 150
 151 sys.exit(rc)