git.samba.org / kai / samba.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
s4-dsdb/tests/python: Explicitly pass comamnd line LoadParm() instance to system_sess...
[kai/samba.git] / source4 / dsdb / tests / python / passwords.py
1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3 # This tests the password changes over LDAP for AD implementations
4 #
5 # Copyright Matthias Dieter Wallnoefer 2010
6 #
7 # Notice: This tests will also work against Windows Server if the connection is
8 # secured enough (SASL with a minimum of 128 Bit encryption) - consider
9 # MS-ADTS 3.1.1.3.1.5
10
11 import optparse
12 import sys
13 import base64
14 import time
15 import os
16
17 sys.path.append("bin/python")
18 import samba
19 samba.ensure_external_module("testtools", "testtools")
20 samba.ensure_external_module("subunit", "subunit/python")
21
22 import samba.getopt as options
23
24 from samba.auth import system_session
25 from samba.credentials import Credentials
26 from ldb import SCOPE_BASE, LdbError
27 from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
28 from ldb import ERR_UNWILLING_TO_PERFORM, ERR_INSUFFICIENT_ACCESS_RIGHTS
29 from ldb import ERR_NO_SUCH_ATTRIBUTE
30 from ldb import ERR_CONSTRAINT_VIOLATION
31 from ldb import Message, MessageElement, Dn
32 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
33 from samba import gensec
34 from samba.samdb import SamDB
35 import samba.tests
36 from samba.tests import delete_force
37 from subunit.run import SubunitTestRunner
38 import unittest
39
40 parser = optparse.OptionParser("passwords.py [options] <host>")
41 sambaopts = options.SambaOptions(parser)
42 parser.add_option_group(sambaopts)
43 parser.add_option_group(options.VersionOptions(parser))
44 # use command line creds if available
45 credopts = options.CredentialsOptions(parser)
46 parser.add_option_group(credopts)
47 opts, args = parser.parse_args()
48
49 if len(args) < 1:
50     parser.print_usage()
51     sys.exit(1)
52
53 host = args[0]
54
55 lp = sambaopts.get_loadparm()
56 creds = credopts.get_credentials(lp)
57
58 # Force an encrypted connection
59 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
60
61 #
62 # Tests start here
63 #
64
65 class PasswordTests(samba.tests.TestCase):
66
67     def setUp(self):
68         super(PasswordTests, self).setUp()
69         self.ldb = ldb
70         self.base_dn = ldb.domain_dn()
71
72         # (Re)adds the test user "testuser" with no password atm
73         delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
74         self.ldb.add({
75              "dn": "cn=testuser,cn=users," + self.base_dn,
76              "objectclass": "user",
77              "sAMAccountName": "testuser"})
78
79         # Tests a password change when we don't have any password yet with a
80         # wrong old password
81         try:
82             self.ldb.modify_ldif("""
83 dn: cn=testuser,cn=users,""" + self.base_dn + """
84 changetype: modify
85 delete: userPassword
86 userPassword: noPassword
87 add: userPassword
88 userPassword: thatsAcomplPASS2
89 """)
90             self.fail()
91         except LdbError, (num, msg):
92             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
93             # Windows (2008 at least) seems to have some small bug here: it
94             # returns "0000056A" on longer (always wrong) previous passwords.
95             self.assertTrue('00000056' in msg)
96
97         # Sets the initial user password with a "special" password change
98         # I think that this internally is a password set operation and it can
99         # only be performed by someone which has password set privileges on the
100         # account (at least in s4 we do handle it like that).
101         self.ldb.modify_ldif("""
102 dn: cn=testuser,cn=users,""" + self.base_dn + """
103 changetype: modify
104 delete: userPassword
105 add: userPassword
106 userPassword: thatsAcomplPASS1
107 """)
108
109         # But in the other way around this special syntax doesn't work
110         try:
111             self.ldb.modify_ldif("""
112 dn: cn=testuser,cn=users,""" + self.base_dn + """
113 changetype: modify
114 delete: userPassword
115 userPassword: thatsAcomplPASS1
116 add: userPassword
117 """)
118             self.fail()
119         except LdbError, (num, _):
120             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
121
122         # Enables the user account
123         self.ldb.enable_account("(sAMAccountName=testuser)")
124
125         # Open a second LDB connection with the user credentials. Use the
126         # command line credentials for informations like the domain, the realm
127         # and the workstation.
128         creds2 = Credentials()
129         creds2.set_username("testuser")
130         creds2.set_password("thatsAcomplPASS1")
131         creds2.set_domain(creds.get_domain())
132         creds2.set_realm(creds.get_realm())
133         creds2.set_workstation(creds.get_workstation())
134         creds2.set_gensec_features(creds2.get_gensec_features()
135                                                           | gensec.FEATURE_SEAL)
136         self.ldb2 = SamDB(url=host, credentials=creds2, lp=lp)
137
138     def test_unicodePwd_hash_set(self):
139         print "Performs a password hash set operation on 'unicodePwd' which should be prevented"
140         # Notice: Direct hash password sets should never work
141
142         m = Message()
143         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
144         m["unicodePwd"] = MessageElement("XXXXXXXXXXXXXXXX", FLAG_MOD_REPLACE,
145           "unicodePwd")
146         try:
147             ldb.modify(m)
148             self.fail()
149         except LdbError, (num, _):
150             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
151
152     def test_unicodePwd_hash_change(self):
153         print "Performs a password hash change operation on 'unicodePwd' which should be prevented"
154         # Notice: Direct hash password changes should never work
155
156         # Hash password changes should never work
157         try:
158             self.ldb2.modify_ldif("""
159 dn: cn=testuser,cn=users,""" + self.base_dn + """
160 changetype: modify
161 delete: unicodePwd
162 unicodePwd: XXXXXXXXXXXXXXXX
163 add: unicodePwd
164 unicodePwd: YYYYYYYYYYYYYYYY
165 """)
166             self.fail()
167         except LdbError, (num, _):
168             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
169
170     def test_unicodePwd_clear_set(self):
171         print "Performs a password cleartext set operation on 'unicodePwd'"
172
173         m = Message()
174         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
175         m["unicodePwd"] = MessageElement("\"thatsAcomplPASS2\"".encode('utf-16-le'),
176           FLAG_MOD_REPLACE, "unicodePwd")
177         ldb.modify(m)
178
179     def test_unicodePwd_clear_change(self):
180         print "Performs a password cleartext change operation on 'unicodePwd'"
181
182         self.ldb2.modify_ldif("""
183 dn: cn=testuser,cn=users,""" + self.base_dn + """
184 changetype: modify
185 delete: unicodePwd
186 unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """
187 add: unicodePwd
188 unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
189 """)
190
191         # Wrong old password
192         try:
193             self.ldb2.modify_ldif("""
194 dn: cn=testuser,cn=users,""" + self.base_dn + """
195 changetype: modify
196 delete: unicodePwd
197 unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """
198 add: unicodePwd
199 unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS4\"".encode('utf-16-le')) + """
200 """)
201             self.fail()
202         except LdbError, (num, msg):
203             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
204             self.assertTrue('00000056' in msg)
205
206         # A change to the same password again will not work (password history)
207         try:
208             self.ldb2.modify_ldif("""
209 dn: cn=testuser,cn=users,""" + self.base_dn + """
210 changetype: modify
211 delete: unicodePwd
212 unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
213 add: unicodePwd
214 unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
215 """)
216             self.fail()
217         except LdbError, (num, msg):
218             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
219             self.assertTrue('0000052D' in msg)
220
221     def test_dBCSPwd_hash_set(self):
222         print "Performs a password hash set operation on 'dBCSPwd' which should be prevented"
223         # Notice: Direct hash password sets should never work
224
225         m = Message()
226         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
227         m["dBCSPwd"] = MessageElement("XXXXXXXXXXXXXXXX", FLAG_MOD_REPLACE,
228           "dBCSPwd")
229         try:
230             ldb.modify(m)
231             self.fail()
232         except LdbError, (num, _):
233             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
234
235     def test_dBCSPwd_hash_change(self):
236         print "Performs a password hash change operation on 'dBCSPwd' which should be prevented"
237         # Notice: Direct hash password changes should never work
238
239         try:
240             self.ldb2.modify_ldif("""
241 dn: cn=testuser,cn=users,""" + self.base_dn + """
242 changetype: modify
243 delete: dBCSPwd
244 dBCSPwd: XXXXXXXXXXXXXXXX
245 add: dBCSPwd
246 dBCSPwd: YYYYYYYYYYYYYYYY
247 """)
248             self.fail()
249         except LdbError, (num, _):
250             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
251
252     def test_userPassword_clear_set(self):
253         print "Performs a password cleartext set operation on 'userPassword'"
254         # Notice: This works only against Windows if "dSHeuristics" has been set
255         # properly
256
257         m = Message()
258         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
259         m["userPassword"] = MessageElement("thatsAcomplPASS2", FLAG_MOD_REPLACE,
260           "userPassword")
261         ldb.modify(m)
262
263     def test_userPassword_clear_change(self):
264         print "Performs a password cleartext change operation on 'userPassword'"
265         # Notice: This works only against Windows if "dSHeuristics" has been set
266         # properly
267
268         self.ldb2.modify_ldif("""
269 dn: cn=testuser,cn=users,""" + self.base_dn + """
270 changetype: modify
271 delete: userPassword
272 userPassword: thatsAcomplPASS1
273 add: userPassword
274 userPassword: thatsAcomplPASS2
275 """)
276
277         # Wrong old password
278         try:
279             self.ldb2.modify_ldif("""
280 dn: cn=testuser,cn=users,""" + self.base_dn + """
281 changetype: modify
282 delete: userPassword
283 userPassword: thatsAcomplPASS3
284 add: userPassword
285 userPassword: thatsAcomplPASS4
286 """)
287             self.fail()
288         except LdbError, (num, msg):
289             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
290             self.assertTrue('00000056' in msg)
291
292         # A change to the same password again will not work (password history)
293         try:
294             self.ldb2.modify_ldif("""
295 dn: cn=testuser,cn=users,""" + self.base_dn + """
296 changetype: modify
297 delete: userPassword
298 userPassword: thatsAcomplPASS2
299 add: userPassword
300 userPassword: thatsAcomplPASS2
301 """)
302             self.fail()
303         except LdbError, (num, msg):
304             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
305             self.assertTrue('0000052D' in msg)
306
307     def test_clearTextPassword_clear_set(self):
308         print "Performs a password cleartext set operation on 'clearTextPassword'"
309         # Notice: This never works against Windows - only supported by us
310
311         try:
312             m = Message()
313             m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
314             m["clearTextPassword"] = MessageElement("thatsAcomplPASS2".encode('utf-16-le'),
315               FLAG_MOD_REPLACE, "clearTextPassword")
316             ldb.modify(m)
317             # this passes against s4
318         except LdbError, (num, msg):
319             # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it
320             if num != ERR_NO_SUCH_ATTRIBUTE:
321                 raise LdbError(num, msg)
322
323     def test_clearTextPassword_clear_change(self):
324         print "Performs a password cleartext change operation on 'clearTextPassword'"
325         # Notice: This never works against Windows - only supported by us
326
327         try:
328             self.ldb2.modify_ldif("""
329 dn: cn=testuser,cn=users,""" + self.base_dn + """
330 changetype: modify
331 delete: clearTextPassword
332 clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS1".encode('utf-16-le')) + """
333 add: clearTextPassword
334 clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """
335 """)
336             # this passes against s4
337         except LdbError, (num, msg):
338             # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it
339             if num != ERR_NO_SUCH_ATTRIBUTE:
340                 raise LdbError(num, msg)
341
342         # Wrong old password
343         try:
344             self.ldb2.modify_ldif("""
345 dn: cn=testuser,cn=users,""" + self.base_dn + """
346 changetype: modify
347 delete: clearTextPassword
348 clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS3".encode('utf-16-le')) + """
349 add: clearTextPassword
350 clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS4".encode('utf-16-le')) + """
351 """)
352             self.fail()
353         except LdbError, (num, msg):
354             # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it
355             if num != ERR_NO_SUCH_ATTRIBUTE:
356                 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
357                 self.assertTrue('00000056' in msg)
358
359         # A change to the same password again will not work (password history)
360         try:
361             self.ldb2.modify_ldif("""
362 dn: cn=testuser,cn=users,""" + self.base_dn + """
363 changetype: modify
364 delete: clearTextPassword
365 clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """
366 add: clearTextPassword
367 clearTextPassword:: """ + base64.b64encode("thatsAcomplPASS2".encode('utf-16-le')) + """
368 """)
369             self.fail()
370         except LdbError, (num, msg):
371             # "NO_SUCH_ATTRIBUTE" is returned by Windows -> ignore it
372             if num != ERR_NO_SUCH_ATTRIBUTE:
373                 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
374                 self.assertTrue('0000052D' in msg)
375
376     def test_failures(self):
377         print "Performs some failure testing"
378
379         try:
380             ldb.modify_ldif("""
381 dn: cn=testuser,cn=users,""" + self.base_dn + """
382 changetype: modify
383 delete: userPassword
384 userPassword: thatsAcomplPASS1
385 """)
386             self.fail()
387         except LdbError, (num, _):
388             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
389
390         try:
391             self.ldb2.modify_ldif("""
392 dn: cn=testuser,cn=users,""" + self.base_dn + """
393 changetype: modify
394 delete: userPassword
395 userPassword: thatsAcomplPASS1
396 """)
397             self.fail()
398         except LdbError, (num, _):
399             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
400
401         try:
402             ldb.modify_ldif("""
403 dn: cn=testuser,cn=users,""" + self.base_dn + """
404 changetype: modify
405 delete: userPassword
406 """)
407             self.fail()
408         except LdbError, (num, _):
409             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
410
411         try:
412             self.ldb2.modify_ldif("""
413 dn: cn=testuser,cn=users,""" + self.base_dn + """
414 changetype: modify
415 delete: userPassword
416 """)
417             self.fail()
418         except LdbError, (num, _):
419             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
420
421         try:
422             ldb.modify_ldif("""
423 dn: cn=testuser,cn=users,""" + self.base_dn + """
424 changetype: modify
425 add: userPassword
426 userPassword: thatsAcomplPASS1
427 """)
428             self.fail()
429         except LdbError, (num, _):
430             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
431
432         try:
433             self.ldb2.modify_ldif("""
434 dn: cn=testuser,cn=users,""" + self.base_dn + """
435 changetype: modify
436 add: userPassword
437 userPassword: thatsAcomplPASS1
438 """)
439             self.fail()
440         except LdbError, (num, _):
441             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
442
443         try:
444             ldb.modify_ldif("""
445 dn: cn=testuser,cn=users,""" + self.base_dn + """
446 changetype: modify
447 delete: userPassword
448 userPassword: thatsAcomplPASS1
449 add: userPassword
450 userPassword: thatsAcomplPASS2
451 userPassword: thatsAcomplPASS2
452 """)
453             self.fail()
454         except LdbError, (num, _):
455             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
456
457         try:
458             self.ldb2.modify_ldif("""
459 dn: cn=testuser,cn=users,""" + self.base_dn + """
460 changetype: modify
461 delete: userPassword
462 userPassword: thatsAcomplPASS1
463 add: userPassword
464 userPassword: thatsAcomplPASS2
465 userPassword: thatsAcomplPASS2
466 """)
467             self.fail()
468         except LdbError, (num, _):
469             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
470
471         try:
472             ldb.modify_ldif("""
473 dn: cn=testuser,cn=users,""" + self.base_dn + """
474 changetype: modify
475 delete: userPassword
476 userPassword: thatsAcomplPASS1
477 userPassword: thatsAcomplPASS1
478 add: userPassword
479 userPassword: thatsAcomplPASS2
480 """)
481             self.fail()
482         except LdbError, (num, _):
483             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
484
485         try:
486             self.ldb2.modify_ldif("""
487 dn: cn=testuser,cn=users,""" + self.base_dn + """
488 changetype: modify
489 delete: userPassword
490 userPassword: thatsAcomplPASS1
491 userPassword: thatsAcomplPASS1
492 add: userPassword
493 userPassword: thatsAcomplPASS2
494 """)
495             self.fail()
496         except LdbError, (num, _):
497             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
498
499         try:
500             ldb.modify_ldif("""
501 dn: cn=testuser,cn=users,""" + self.base_dn + """
502 changetype: modify
503 delete: userPassword
504 userPassword: thatsAcomplPASS1
505 add: userPassword
506 userPassword: thatsAcomplPASS2
507 add: userPassword
508 userPassword: thatsAcomplPASS2
509 """)
510             self.fail()
511         except LdbError, (num, _):
512             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
513
514         try:
515             self.ldb2.modify_ldif("""
516 dn: cn=testuser,cn=users,""" + self.base_dn + """
517 changetype: modify
518 delete: userPassword
519 userPassword: thatsAcomplPASS1
520 add: userPassword
521 userPassword: thatsAcomplPASS2
522 add: userPassword
523 userPassword: thatsAcomplPASS2
524 """)
525             self.fail()
526         except LdbError, (num, _):
527             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
528
529         try:
530             ldb.modify_ldif("""
531 dn: cn=testuser,cn=users,""" + self.base_dn + """
532 changetype: modify
533 delete: userPassword
534 userPassword: thatsAcomplPASS1
535 delete: userPassword
536 userPassword: thatsAcomplPASS1
537 add: userPassword
538 userPassword: thatsAcomplPASS2
539 """)
540             self.fail()
541         except LdbError, (num, _):
542             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
543
544         try:
545             self.ldb2.modify_ldif("""
546 dn: cn=testuser,cn=users,""" + self.base_dn + """
547 changetype: modify
548 delete: userPassword
549 userPassword: thatsAcomplPASS1
550 delete: userPassword
551 userPassword: thatsAcomplPASS1
552 add: userPassword
553 userPassword: thatsAcomplPASS2
554 """)
555             self.fail()
556         except LdbError, (num, _):
557             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
558
559         try:
560             ldb.modify_ldif("""
561 dn: cn=testuser,cn=users,""" + self.base_dn + """
562 changetype: modify
563 delete: userPassword
564 userPassword: thatsAcomplPASS1
565 add: userPassword
566 userPassword: thatsAcomplPASS2
567 replace: userPassword
568 userPassword: thatsAcomplPASS3
569 """)
570             self.fail()
571         except LdbError, (num, _):
572             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
573
574         try:
575             self.ldb2.modify_ldif("""
576 dn: cn=testuser,cn=users,""" + self.base_dn + """
577 changetype: modify
578 delete: userPassword
579 userPassword: thatsAcomplPASS1
580 add: userPassword
581 userPassword: thatsAcomplPASS2
582 replace: userPassword
583 userPassword: thatsAcomplPASS3
584 """)
585             self.fail()
586         except LdbError, (num, _):
587             self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
588
589         # Reverse order does work
590         self.ldb2.modify_ldif("""
591 dn: cn=testuser,cn=users,""" + self.base_dn + """
592 changetype: modify
593 add: userPassword
594 userPassword: thatsAcomplPASS2
595 delete: userPassword
596 userPassword: thatsAcomplPASS1
597 """)
598
599         try:
600             self.ldb2.modify_ldif("""
601 dn: cn=testuser,cn=users,""" + self.base_dn + """
602 changetype: modify
603 delete: userPassword
604 userPassword: thatsAcomplPASS2
605 add: unicodePwd
606 unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """
607 """)
608              # this passes against s4
609         except LdbError, (num, _):
610             self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
611
612         try:
613             self.ldb2.modify_ldif("""
614 dn: cn=testuser,cn=users,""" + self.base_dn + """
615 changetype: modify
616 delete: unicodePwd
617 unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """
618 add: userPassword
619 userPassword: thatsAcomplPASS4
620 """)
621              # this passes against s4
622         except LdbError, (num, _):
623             self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
624
625         # Several password changes at once are allowed
626         ldb.modify_ldif("""
627 dn: cn=testuser,cn=users,""" + self.base_dn + """
628 changetype: modify
629 replace: userPassword
630 userPassword: thatsAcomplPASS1
631 userPassword: thatsAcomplPASS2
632 """)
633
634         # Several password changes at once are allowed
635         ldb.modify_ldif("""
636 dn: cn=testuser,cn=users,""" + self.base_dn + """
637 changetype: modify
638 replace: userPassword
639 userPassword: thatsAcomplPASS1
640 userPassword: thatsAcomplPASS2
641 replace: userPassword
642 userPassword: thatsAcomplPASS3
643 replace: userPassword
644 userPassword: thatsAcomplPASS4
645 """)
646
647         # This surprisingly should work
648         delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn)
649         self.ldb.add({
650              "dn": "cn=testuser2,cn=users," + self.base_dn,
651              "objectclass": "user",
652              "userPassword": ["thatsAcomplPASS1", "thatsAcomplPASS2"] })
653
654         # This surprisingly should work
655         delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn)
656         self.ldb.add({
657              "dn": "cn=testuser2,cn=users," + self.base_dn,
658              "objectclass": "user",
659              "userPassword": ["thatsAcomplPASS1", "thatsAcomplPASS1"] })
660
661     def test_empty_passwords(self):
662         print "Performs some empty passwords testing"
663
664         try:
665             self.ldb.add({
666                  "dn": "cn=testuser2,cn=users," + self.base_dn,
667                  "objectclass": "user",
668                  "unicodePwd": [] })
669             self.fail()
670         except LdbError, (num, _):
671             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
672
673         try:
674             self.ldb.add({
675                  "dn": "cn=testuser2,cn=users," + self.base_dn,
676                  "objectclass": "user",
677                  "dBCSPwd": [] })
678             self.fail()
679         except LdbError, (num, _):
680             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
681
682         try:
683             self.ldb.add({
684                  "dn": "cn=testuser2,cn=users," + self.base_dn,
685                  "objectclass": "user",
686                  "userPassword": [] })
687             self.fail()
688         except LdbError, (num, _):
689             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
690
691         try:
692             self.ldb.add({
693                  "dn": "cn=testuser2,cn=users," + self.base_dn,
694                  "objectclass": "user",
695                  "clearTextPassword": [] })
696             self.fail()
697         except LdbError, (num, _):
698             self.assertTrue(num == ERR_CONSTRAINT_VIOLATION or
699                             num == ERR_NO_SUCH_ATTRIBUTE) # for Windows
700
701         delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn)
702
703         m = Message()
704         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
705         m["unicodePwd"] = MessageElement([], FLAG_MOD_ADD, "unicodePwd")
706         try:
707             ldb.modify(m)
708             self.fail()
709         except LdbError, (num, _):
710             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
711
712         m = Message()
713         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
714         m["dBCSPwd"] = MessageElement([], FLAG_MOD_ADD, "dBCSPwd")
715         try:
716             ldb.modify(m)
717             self.fail()
718         except LdbError, (num, _):
719             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
720
721         m = Message()
722         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
723         m["userPassword"] = MessageElement([], FLAG_MOD_ADD, "userPassword")
724         try:
725             ldb.modify(m)
726             self.fail()
727         except LdbError, (num, _):
728             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
729
730         m = Message()
731         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
732         m["clearTextPassword"] = MessageElement([], FLAG_MOD_ADD, "clearTextPassword")
733         try:
734             ldb.modify(m)
735             self.fail()
736         except LdbError, (num, _):
737             self.assertTrue(num == ERR_CONSTRAINT_VIOLATION or
738                             num == ERR_NO_SUCH_ATTRIBUTE) # for Windows
739
740         m = Message()
741         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
742         m["unicodePwd"] = MessageElement([], FLAG_MOD_REPLACE, "unicodePwd")
743         try:
744             ldb.modify(m)
745             self.fail()
746         except LdbError, (num, _):
747             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
748
749         m = Message()
750         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
751         m["dBCSPwd"] = MessageElement([], FLAG_MOD_REPLACE, "dBCSPwd")
752         try:
753             ldb.modify(m)
754             self.fail()
755         except LdbError, (num, _):
756             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
757
758         m = Message()
759         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
760         m["userPassword"] = MessageElement([], FLAG_MOD_REPLACE, "userPassword")
761         try:
762             ldb.modify(m)
763             self.fail()
764         except LdbError, (num, _):
765             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
766
767         m = Message()
768         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
769         m["clearTextPassword"] = MessageElement([], FLAG_MOD_REPLACE, "clearTextPassword")
770         try:
771             ldb.modify(m)
772             self.fail()
773         except LdbError, (num, _):
774             self.assertTrue(num == ERR_UNWILLING_TO_PERFORM or
775                             num == ERR_NO_SUCH_ATTRIBUTE) # for Windows
776
777         m = Message()
778         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
779         m["unicodePwd"] = MessageElement([], FLAG_MOD_DELETE, "unicodePwd")
780         try:
781             ldb.modify(m)
782             self.fail()
783         except LdbError, (num, _):
784             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
785
786         m = Message()
787         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
788         m["dBCSPwd"] = MessageElement([], FLAG_MOD_DELETE, "dBCSPwd")
789         try:
790             ldb.modify(m)
791             self.fail()
792         except LdbError, (num, _):
793             self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
794
795         m = Message()
796         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
797         m["userPassword"] = MessageElement([], FLAG_MOD_DELETE, "userPassword")
798         try:
799             ldb.modify(m)
800             self.fail()
801         except LdbError, (num, _):
802             self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
803
804         m = Message()
805         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
806         m["clearTextPassword"] = MessageElement([], FLAG_MOD_DELETE, "clearTextPassword")
807         try:
808             ldb.modify(m)
809             self.fail()
810         except LdbError, (num, _):
811             self.assertTrue(num == ERR_CONSTRAINT_VIOLATION or
812                             num == ERR_NO_SUCH_ATTRIBUTE) # for Windows
813
814     def test_plain_userPassword(self):
815         print "Performs testing about the standard 'userPassword' behaviour"
816
817         # Delete the "dSHeuristics"
818         ldb.set_dsheuristics(None)
819
820         time.sleep(1) # This switching time is strictly needed!
821
822         m = Message()
823         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
824         m["userPassword"] = MessageElement("myPassword", FLAG_MOD_ADD,
825           "userPassword")
826         ldb.modify(m)
827
828         res = ldb.search("cn=testuser,cn=users," + self.base_dn,
829                          scope=SCOPE_BASE, attrs=["userPassword"])
830         self.assertTrue(len(res) == 1)
831         self.assertTrue("userPassword" in res[0])
832         self.assertEquals(res[0]["userPassword"][0], "myPassword")
833
834         m = Message()
835         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
836         m["userPassword"] = MessageElement("myPassword2", FLAG_MOD_REPLACE,
837           "userPassword")
838         ldb.modify(m)
839
840         res = ldb.search("cn=testuser,cn=users," + self.base_dn,
841                          scope=SCOPE_BASE, attrs=["userPassword"])
842         self.assertTrue(len(res) == 1)
843         self.assertTrue("userPassword" in res[0])
844         self.assertEquals(res[0]["userPassword"][0], "myPassword2")
845
846         m = Message()
847         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
848         m["userPassword"] = MessageElement([], FLAG_MOD_DELETE,
849           "userPassword")
850         ldb.modify(m)
851
852         res = ldb.search("cn=testuser,cn=users," + self.base_dn,
853                          scope=SCOPE_BASE, attrs=["userPassword"])
854         self.assertTrue(len(res) == 1)
855         self.assertFalse("userPassword" in res[0])
856
857         # Set the test "dSHeuristics" to deactivate "userPassword" pwd changes
858         ldb.set_dsheuristics("000000000")
859
860         m = Message()
861         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
862         m["userPassword"] = MessageElement("myPassword3", FLAG_MOD_REPLACE,
863           "userPassword")
864         ldb.modify(m)
865
866         res = ldb.search("cn=testuser,cn=users," + self.base_dn,
867                          scope=SCOPE_BASE, attrs=["userPassword"])
868         self.assertTrue(len(res) == 1)
869         self.assertTrue("userPassword" in res[0])
870         self.assertEquals(res[0]["userPassword"][0], "myPassword3")
871
872         # Set the test "dSHeuristics" to deactivate "userPassword" pwd changes
873         ldb.set_dsheuristics("000000002")
874
875         m = Message()
876         m.dn = Dn(ldb, "cn=testuser,cn=users," + self.base_dn)
877         m["userPassword"] = MessageElement("myPassword4", FLAG_MOD_REPLACE,
878           "userPassword")
879         ldb.modify(m)
880
881         res = ldb.search("cn=testuser,cn=users," + self.base_dn,
882                          scope=SCOPE_BASE, attrs=["userPassword"])
883         self.assertTrue(len(res) == 1)
884         self.assertTrue("userPassword" in res[0])
885         self.assertEquals(res[0]["userPassword"][0], "myPassword4")
886
887         # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
888         ldb.set_dsheuristics("000000001")
889
890     def test_zero_length(self):
891         # Get the old "minPwdLength"
892         minPwdLength = ldb.get_minPwdLength()
893         # Set it temporarely to "0"
894         ldb.set_minPwdLength("0")
895
896         # Get the old "pwdProperties"
897         pwdProperties = ldb.get_pwdProperties()
898         # Set them temporarely to "0" (to deactivate eventually the complexity)
899         ldb.set_pwdProperties("0")
900
901         ldb.setpassword("(sAMAccountName=testuser)", "")
902
903         # Reset the "pwdProperties" as they were before
904         ldb.set_pwdProperties(pwdProperties)
905
906         # Reset the "minPwdLength" as it was before
907         ldb.set_minPwdLength(minPwdLength)
908
909     def tearDown(self):
910         super(PasswordTests, self).tearDown()
911         delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
912         delete_force(self.ldb, "cn=testuser2,cn=users," + self.base_dn)
913         # Close the second LDB connection (with the user credentials)
914         self.ldb2 = None
915
916 if not "://" in host:
917     if os.path.isfile(host):
918         host = "tdb://%s" % host
919     else:
920         host = "ldap://%s" % host
921
922 ldb = SamDB(url=host, session_info=system_session(lp), credentials=creds, lp=lp)
923
924 # Gets back the basedn
925 base_dn = ldb.domain_dn()
926
927 # Gets back the configuration basedn
928 configuration_dn = ldb.get_config_basedn().get_linearized()
929
930 # Get the old "dSHeuristics" if it was set
931 dsheuristics = ldb.get_dsheuristics()
932
933 # Set the "dSHeuristics" to activate the correct "userPassword" behaviour
934 ldb.set_dsheuristics("000000001")
935
936 # Get the old "minPwdAge"
937 minPwdAge = ldb.get_minPwdAge()
938
939 # Set it temporarely to "0"
940 ldb.set_minPwdAge("0")
941
942 runner = SubunitTestRunner()
943 rc = 0
944 if not runner.run(unittest.makeSuite(PasswordTests)).wasSuccessful():
945     rc = 1
946
947 # Reset the "dSHeuristics" as they were before
948 ldb.set_dsheuristics(dsheuristics)
949
950 # Reset the "minPwdAge" as it was before
951 ldb.set_minPwdAge(minPwdAge)
952
953 sys.exit(rc)
Kai's WIP code