source4/dsdb/tests/python/dirsync.py

   1 #!/usr/bin/env python
   2 #
   3 # Unit tests for dirsync control
   4 # Copyright (C) Matthieu Patou <mat@matws.net> 2011
   5 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2014
   6 #
   7 # This program is free software; you can redistribute it and/or modify
   8 # it under the terms of the GNU General Public License as published by
   9 # the Free Software Foundation; either version 3 of the License, or
  10 # (at your option) any later version.
  11 #
  12 # This program is distributed in the hope that it will be useful,
  13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 # GNU General Public License for more details.
  16 #
  17 # You should have received a copy of the GNU General Public License
  18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19
  20
  21 from __future__ import print_function
  22 import optparse
  23 import sys
  24 sys.path.insert(0, "bin/python")
  25 import samba
  26 from samba.tests.subunitrun import TestProgram, SubunitOptions
  27
  28 import samba.getopt as options
  29 import base64
  30
  31 from ldb import LdbError, SCOPE_BASE
  32 from ldb import Message, MessageElement, Dn
  33 from ldb import FLAG_MOD_ADD, FLAG_MOD_DELETE
  34 from samba.dcerpc import security, misc, drsblobs, security
  35 from samba.ndr import ndr_unpack, ndr_pack
  36
  37 from samba.auth import system_session
  38 from samba import gensec, sd_utils
  39 from samba.samdb import SamDB
  40 from samba.credentials import Credentials, DONT_USE_KERBEROS
  41 import samba.tests
  42 from samba.tests import delete_force
  43
  44 parser = optparse.OptionParser("dirsync.py [options] <host>")
  45 sambaopts = options.SambaOptions(parser)
  46 parser.add_option_group(sambaopts)
  47 parser.add_option_group(options.VersionOptions(parser))
  48
  49 # use command line creds if available
  50 credopts = options.CredentialsOptions(parser)
  51 parser.add_option_group(credopts)
  52 subunitopts = SubunitOptions(parser)
  53 parser.add_option_group(subunitopts)
  54 opts, args = parser.parse_args()
  55
  56 if len(args) < 1:
  57     parser.print_usage()
  58     sys.exit(1)
  59
  60 host = args.pop()
  61 if not "://" in host:
  62     ldaphost = "ldap://%s" % host
  63     ldapshost = "ldaps://%s" % host
  64 else:
  65     ldaphost = host
  66     start = host.rindex("://")
  67     host = host.lstrip(start + 3)
  68
  69 lp = sambaopts.get_loadparm()
  70 creds = credopts.get_credentials(lp)
  71
  72 #
  73 # Tests start here
  74 #
  75
  76
  77 class DirsyncBaseTests(samba.tests.TestCase):
  78
  79     def setUp(self):
  80         super(DirsyncBaseTests, self).setUp()
  81         self.ldb_admin = SamDB(ldapshost, credentials=creds, session_info=system_session(lp), lp=lp)
  82         self.base_dn = self.ldb_admin.domain_dn()
  83         self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
  84         self.user_pass = samba.generate_random_password(12, 16)
  85         self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
  86         self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
  87         # used for anonymous login
  88         print("baseDN: %s" % self.base_dn)
  89
  90     def get_user_dn(self, name):
  91         return "CN=%s,CN=Users,%s" % (name, self.base_dn)
  92
  93     def get_ldb_connection(self, target_username, target_password):
  94         creds_tmp = Credentials()
  95         creds_tmp.set_username(target_username)
  96         creds_tmp.set_password(target_password)
  97         creds_tmp.set_domain(creds.get_domain())
  98         creds_tmp.set_realm(creds.get_realm())
  99         creds_tmp.set_workstation(creds.get_workstation())
 100         creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
 101                                       | gensec.FEATURE_SEAL)
 102         creds_tmp.set_kerberos_state(DONT_USE_KERBEROS)  # kinit is too expensive to use in a tight loop
 103         ldb_target = SamDB(url=ldaphost, credentials=creds_tmp, lp=lp)
 104         return ldb_target
 105
 106
 107 # tests on ldap add operations
 108 class SimpleDirsyncTests(DirsyncBaseTests):
 109
 110     def setUp(self):
 111         super(SimpleDirsyncTests, self).setUp()
 112         # Regular user
 113         self.dirsync_user = "test_dirsync_user"
 114         self.simple_user = "test_simple_user"
 115         self.admin_user = "test_admin_user"
 116         self.ouname = None
 117
 118         self.ldb_admin.newuser(self.dirsync_user, self.user_pass)
 119         self.ldb_admin.newuser(self.simple_user, self.user_pass)
 120         self.ldb_admin.newuser(self.admin_user, self.user_pass)
 121         self.desc_sddl = self.sd_utils.get_sd_as_sddl(self.base_dn)
 122
 123         user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.dirsync_user))
 124         mod = "(OA;;CR;%s;;%s)" % (security.GUID_DRS_GET_CHANGES,
 125                                    str(user_sid))
 126         self.sd_utils.dacl_add_ace(self.base_dn, mod)
 127
 128         # add admins to the Domain Admins group
 129         self.ldb_admin.add_remove_group_members("Domain Admins", [self.admin_user],
 130                                                 add_members_operation=True)
 131
 132     def tearDown(self):
 133         super(SimpleDirsyncTests, self).tearDown()
 134         delete_force(self.ldb_admin, self.get_user_dn(self.dirsync_user))
 135         delete_force(self.ldb_admin, self.get_user_dn(self.simple_user))
 136         delete_force(self.ldb_admin, self.get_user_dn(self.admin_user))
 137         if self.ouname:
 138             delete_force(self.ldb_admin, self.ouname)
 139         self.sd_utils.modify_sd_on_dn(self.base_dn, self.desc_sddl)
 140         try:
 141             self.ldb_admin.deletegroup("testgroup")
 142         except Exception:
 143             pass
 144
 145     # def test_dirsync_errors(self):
 146
 147     def test_dirsync_supported(self):
 148         """Test the basic of the dirsync is supported"""
 149         self.ldb_dirsync = self.get_ldb_connection(self.dirsync_user, self.user_pass)
 150         self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
 151         res = self.ldb_admin.search(self.base_dn, expression="samaccountname=*", controls=["dirsync:1:0:1"])
 152         res = self.ldb_dirsync.search(self.base_dn, expression="samaccountname=*", controls=["dirsync:1:0:1"])
 153         try:
 154             self.ldb_simple.search(self.base_dn,
 155                                    expression="samaccountname=*",
 156                                    controls=["dirsync:1:0:1"])
 157         except LdbError as l:
 158             self.assertTrue(str(l).find("LDAP_INSUFFICIENT_ACCESS_RIGHTS") != -1)
 159
 160     def test_parentGUID_referrals(self):
 161         res2 = self.ldb_admin.search(self.base_dn, scope=SCOPE_BASE, attrs=["objectGUID"])
 162
 163         res = self.ldb_admin.search(self.base_dn,
 164                                     expression="name=Configuration",
 165                                     controls=["dirsync:1:0:1"])
 166         self.assertEqual(res2[0].get("objectGUID"), res[0].get("parentGUID"))
 167
 168     def test_ok_not_rootdc(self):
 169         """Test if it's ok to do dirsync on another NC that is not the root DC"""
 170         self.ldb_admin.search(self.ldb_admin.get_config_basedn(),
 171                               expression="samaccountname=*",
 172                               controls=["dirsync:1:0:1"])
 173
 174     def test_dirsync_errors(self):
 175         """Test if dirsync returns the correct LDAP errors in case of pb"""
 176         self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
 177         self.ldb_dirsync = self.get_ldb_connection(self.dirsync_user, self.user_pass)
 178         try:
 179             self.ldb_simple.search(self.base_dn,
 180                                    expression="samaccountname=*",
 181                                    controls=["dirsync:1:0:1"])
 182         except LdbError as l:
 183             print(l)
 184             self.assertTrue(str(l).find("LDAP_INSUFFICIENT_ACCESS_RIGHTS") != -1)
 185
 186         try:
 187             self.ldb_simple.search("CN=Users,%s" % self.base_dn,
 188                                    expression="samaccountname=*",
 189                                    controls=["dirsync:1:0:1"])
 190         except LdbError as l:
 191             print(l)
 192             self.assertTrue(str(l).find("LDAP_INSUFFICIENT_ACCESS_RIGHTS") != -1)
 193
 194         try:
 195             self.ldb_simple.search("CN=Users,%s" % self.base_dn,
 196                                    expression="samaccountname=*",
 197                                    controls=["dirsync:1:1:1"])
 198         except LdbError as l:
 199             print(l)
 200             self.assertTrue(str(l).find("LDAP_UNWILLING_TO_PERFORM") != -1)
 201
 202         try:
 203             self.ldb_dirsync.search("CN=Users,%s" % self.base_dn,
 204                                     expression="samaccountname=*",
 205                                     controls=["dirsync:1:0:1"])
 206         except LdbError as l:
 207             print(l)
 208             self.assertTrue(str(l).find("LDAP_INSUFFICIENT_ACCESS_RIGHTS") != -1)
 209
 210         try:
 211             self.ldb_admin.search("CN=Users,%s" % self.base_dn,
 212                                   expression="samaccountname=*",
 213                                   controls=["dirsync:1:0:1"])
 214         except LdbError as l:
 215             print(l)
 216             self.assertTrue(str(l).find("LDAP_INSUFFICIENT_ACCESS_RIGHTS") != -1)
 217
 218         try:
 219             self.ldb_admin.search("CN=Users,%s" % self.base_dn,
 220                                   expression="samaccountname=*",
 221                                   controls=["dirsync:1:1:1"])
 222         except LdbError as l:
 223             print(l)
 224             self.assertTrue(str(l).find("LDAP_UNWILLING_TO_PERFORM") != -1)
 225
 226     def test_dirsync_attributes(self):
 227         """Check behavior with some attributes """
 228         res = self.ldb_admin.search(self.base_dn,
 229                                     expression="samaccountname=*",
 230                                     controls=["dirsync:1:0:1"])
 231         # Check that nTSecurityDescriptor is returned as it's the case when doing dirsync
 232         self.assertTrue(res.msgs[0].get("ntsecuritydescriptor") is not None)
 233         # Check that non replicated attributes are not returned
 234         self.assertTrue(res.msgs[0].get("badPwdCount") is None)
 235         # Check that non forward link are not returned
 236         self.assertTrue(res.msgs[0].get("memberof") is None)
 237
 238         # Asking for instanceType will return also objectGUID
 239         res = self.ldb_admin.search(self.base_dn,
 240                                     expression="samaccountname=Administrator",
 241                                     attrs=["instanceType"],
 242                                     controls=["dirsync:1:0:1"])
 243         self.assertTrue(res.msgs[0].get("objectGUID") is not None)
 244         self.assertTrue(res.msgs[0].get("instanceType") is not None)
 245
 246         # We don't return an entry if asked for objectGUID
 247         res = self.ldb_admin.search(self.base_dn,
 248                                     expression="(distinguishedName=%s)" % str(self.base_dn),
 249                                     attrs=["objectGUID"],
 250                                     controls=["dirsync:1:0:1"])
 251         self.assertEquals(len(res.msgs), 0)
 252
 253         # a request on the root of a NC didn't return parentGUID
 254         res = self.ldb_admin.search(self.base_dn,
 255                                     expression="(distinguishedName=%s)" % str(self.base_dn),
 256                                     attrs=["name"],
 257                                     controls=["dirsync:1:0:1"])
 258         self.assertTrue(res.msgs[0].get("objectGUID") is not None)
 259         self.assertTrue(res.msgs[0].get("name") is not None)
 260         self.assertTrue(res.msgs[0].get("parentGUID") is None)
 261         self.assertTrue(res.msgs[0].get("instanceType") is not None)
 262
 263         # Asking for name will return also objectGUID and parentGUID
 264         # and instanceType and of course name
 265         res = self.ldb_admin.search(self.base_dn,
 266                                     expression="samaccountname=Administrator",
 267                                     attrs=["name"],
 268                                     controls=["dirsync:1:0:1"])
 269         self.assertTrue(res.msgs[0].get("objectGUID") is not None)
 270         self.assertTrue(res.msgs[0].get("name") is not None)
 271         self.assertTrue(res.msgs[0].get("parentGUID") is not None)
 272         self.assertTrue(res.msgs[0].get("instanceType") is not None)
 273
 274         # Asking for dn will not return not only DN but more like if attrs=*
 275         # parentGUID should be returned
 276         res = self.ldb_admin.search(self.base_dn,
 277                                     expression="samaccountname=Administrator",
 278                                     attrs=["dn"],
 279                                     controls=["dirsync:1:0:1"])
 280         count = len(res.msgs[0])
 281         res2 = self.ldb_admin.search(self.base_dn,
 282                                      expression="samaccountname=Administrator",
 283                                      controls=["dirsync:1:0:1"])
 284         count2 = len(res2.msgs[0])
 285         self.assertEqual(count, count2)
 286
 287         # Asking for cn will return nothing on objects that have CN as RDN
 288         res = self.ldb_admin.search(self.base_dn,
 289                                     expression="samaccountname=Administrator",
 290                                     attrs=["cn"],
 291                                     controls=["dirsync:1:0:1"])
 292         self.assertEqual(len(res.msgs), 0)
 293         # Asking for parentGUID will return nothing too
 294         res = self.ldb_admin.search(self.base_dn,
 295                                     expression="samaccountname=Administrator",
 296                                     attrs=["parentGUID"],
 297                                     controls=["dirsync:1:0:1"])
 298         self.assertEqual(len(res.msgs), 0)
 299         ouname = "OU=testou,%s" % self.base_dn
 300         self.ouname = ouname
 301         self.ldb_admin.create_ou(ouname)
 302         delta = Message()
 303         delta.dn = Dn(self.ldb_admin, str(ouname))
 304         delta["cn"] = MessageElement("test ou",
 305                                      FLAG_MOD_ADD,
 306                                      "cn")
 307         self.ldb_admin.modify(delta)
 308         res = self.ldb_admin.search(self.base_dn,
 309                                     expression="name=testou",
 310                                     attrs=["cn"],
 311                                     controls=["dirsync:1:0:1"])
 312
 313         self.assertEqual(len(res.msgs), 1)
 314         self.assertEqual(len(res.msgs[0]), 3)
 315         delete_force(self.ldb_admin, ouname)
 316
 317     def test_dirsync_with_controls(self):
 318         """Check that dirsync return correct informations when dealing with the NC"""
 319         res = self.ldb_admin.search(self.base_dn,
 320                                     expression="(distinguishedName=%s)" % str(self.base_dn),
 321                                     attrs=["name"],
 322                                     controls=["dirsync:1:0:10000", "extended_dn:1", "show_deleted:1"])
 323
 324     def test_dirsync_basenc(self):
 325         """Check that dirsync return correct informations when dealing with the NC"""
 326         res = self.ldb_admin.search(self.base_dn,
 327                                     expression="(distinguishedName=%s)" % str(self.base_dn),
 328                                     attrs=["name"],
 329                                     controls=["dirsync:1:0:10000"])
 330         self.assertEqual(len(res.msgs), 1)
 331         self.assertEqual(len(res.msgs[0]), 3)
 332
 333         res = self.ldb_admin.search(self.base_dn,
 334                                     expression="(distinguishedName=%s)" % str(self.base_dn),
 335                                     attrs=["ntSecurityDescriptor"],
 336                                     controls=["dirsync:1:0:10000"])
 337         self.assertEqual(len(res.msgs), 1)
 338         self.assertEqual(len(res.msgs[0]), 3)
 339
 340     def test_dirsync_othernc(self):
 341         """Check that dirsync return information for entries that are normaly referrals (ie. other NCs)"""
 342         res = self.ldb_admin.search(self.base_dn,
 343                                     expression="(objectclass=configuration)",
 344                                     attrs=["name"],
 345                                     controls=["dirsync:1:0:10000"])
 346         self.assertEqual(len(res.msgs), 1)
 347         self.assertEqual(len(res.msgs[0]), 4)
 348
 349         res = self.ldb_admin.search(self.base_dn,
 350                                     expression="(objectclass=configuration)",
 351                                     attrs=["ntSecurityDescriptor"],
 352                                     controls=["dirsync:1:0:10000"])
 353         self.assertEqual(len(res.msgs), 1)
 354         self.assertEqual(len(res.msgs[0]), 3)
 355
 356         res = self.ldb_admin.search(self.base_dn,
 357                                     expression="(objectclass=domaindns)",
 358                                     attrs=["ntSecurityDescriptor"],
 359                                     controls=["dirsync:1:0:10000"])
 360         nb = len(res.msgs)
 361
 362         # only sub nc returns a result when asked for objectGUID
 363         res = self.ldb_admin.search(self.base_dn,
 364                                     expression="(objectclass=domaindns)",
 365                                     attrs=["objectGUID"],
 366                                     controls=["dirsync:1:0:0"])
 367         self.assertEqual(len(res.msgs), nb - 1)
 368         if nb > 1:
 369             self.assertTrue(res.msgs[0].get("objectGUID") is not None)
 370         else:
 371             res = self.ldb_admin.search(self.base_dn,
 372                                         expression="(objectclass=configuration)",
 373                                         attrs=["objectGUID"],
 374                                         controls=["dirsync:1:0:0"])
 375
 376     def test_dirsync_send_delta(self):
 377         """Check that dirsync return correct delta when sending the last cookie"""
 378         res = self.ldb_admin.search(self.base_dn,
 379                                     expression="(&(samaccountname=test*)(!(isDeleted=*)))",
 380                                     controls=["dirsync:1:0:10000"])
 381         ctl = str(res.controls[0]).split(":")
 382         ctl[1] = "1"
 383         ctl[2] = "0"
 384         ctl[3] = "10000"
 385         control = str(":".join(ctl))
 386         res = self.ldb_admin.search(self.base_dn,
 387                                     expression="(&(samaccountname=test*)(!(isDeleted=*)))",
 388                                     controls=[control])
 389         self.assertEqual(len(res), 0)
 390
 391         res = self.ldb_admin.search(self.base_dn,
 392                                     expression="(&(objectClass=organizationalUnit)(!(isDeleted=*)))",
 393                                     controls=["dirsync:1:0:100000"])
 394
 395         ctl = str(res.controls[0]).split(":")
 396         ctl[1] = "1"
 397         ctl[2] = "0"
 398         ctl[3] = "10000"
 399         control2 = str(":".join(ctl))
 400
 401         # Let's create an OU
 402         ouname = "OU=testou2,%s" % self.base_dn
 403         self.ouname = ouname
 404         self.ldb_admin.create_ou(ouname)
 405         res = self.ldb_admin.search(self.base_dn,
 406                                     expression="(&(objectClass=organizationalUnit)(!(isDeleted=*)))",
 407                                     controls=[control2])
 408         self.assertEqual(len(res), 1)
 409         ctl = str(res.controls[0]).split(":")
 410         ctl[1] = "1"
 411         ctl[2] = "0"
 412         ctl[3] = "10000"
 413         control3 = str(":".join(ctl))
 414
 415         delta = Message()
 416         delta.dn = Dn(self.ldb_admin, str(ouname))
 417
 418         delta["cn"] = MessageElement("test ou",
 419                                      FLAG_MOD_ADD,
 420                                      "cn")
 421         self.ldb_admin.modify(delta)
 422         res = self.ldb_admin.search(self.base_dn,
 423                                     expression="(&(objectClass=organizationalUnit)(!(isDeleted=*)))",
 424                                     controls=[control3])
 425
 426         self.assertEqual(len(res.msgs), 1)
 427         # 3 attributes: instanceType, cn and objectGUID
 428         self.assertEqual(len(res.msgs[0]), 3)
 429
 430         delta = Message()
 431         delta.dn = Dn(self.ldb_admin, str(ouname))
 432         delta["cn"] = MessageElement([],
 433                                      FLAG_MOD_DELETE,
 434                                      "cn")
 435         self.ldb_admin.modify(delta)
 436         res = self.ldb_admin.search(self.base_dn,
 437                                     expression="(&(objectClass=organizationalUnit)(!(isDeleted=*)))",
 438                                     controls=[control3])
 439
 440         self.assertEqual(len(res.msgs), 1)
 441         # So we won't have much attribute returned but instanceType and GUID
 442         # are.
 443         # 3 attributes: instanceType and objectGUID and cn but empty
 444         self.assertEqual(len(res.msgs[0]), 3)
 445         ouname = "OU=newouname,%s" % self.base_dn
 446         self.ldb_admin.rename(str(res[0].dn), str(Dn(self.ldb_admin, ouname)))
 447         self.ouname = ouname
 448         ctl = str(res.controls[0]).split(":")
 449         ctl[1] = "1"
 450         ctl[2] = "0"
 451         ctl[3] = "10000"
 452         control4 = str(":".join(ctl))
 453         res = self.ldb_admin.search(self.base_dn,
 454                                     expression="(&(objectClass=organizationalUnit)(!(isDeleted=*)))",
 455                                     controls=[control3])
 456
 457         self.assertTrue(res[0].get("parentGUID") is not None)
 458         self.assertTrue(res[0].get("name") is not None)
 459         delete_force(self.ldb_admin, ouname)
 460
 461     def test_dirsync_linkedattributes(self):
 462         """Check that dirsync returnd deleted objects too"""
 463         # Let's search for members
 464         self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
 465         res = self.ldb_simple.search(self.base_dn,
 466                                      expression="(name=Administrators)",
 467                                      controls=["dirsync:1:1:1"])
 468
 469         self.assertTrue(len(res[0].get("member")) > 0)
 470         size = len(res[0].get("member"))
 471
 472         ctl = str(res.controls[0]).split(":")
 473         ctl[1] = "1"
 474         ctl[2] = "1"
 475         ctl[3] = "10000"
 476         control1 = str(":".join(ctl))
 477         self.ldb_admin.add_remove_group_members("Administrators", [self.simple_user],
 478                                                 add_members_operation=True)
 479
 480         res = self.ldb_simple.search(self.base_dn,
 481                                      expression="(name=Administrators)",
 482                                      controls=[control1])
 483
 484         self.assertEqual(len(res[0].get("member")), size + 1)
 485         ctl = str(res.controls[0]).split(":")
 486         ctl[1] = "1"
 487         ctl[2] = "1"
 488         ctl[3] = "10000"
 489         control1 = str(":".join(ctl))
 490
 491         # remove the user from the group
 492         self.ldb_admin.add_remove_group_members("Administrators", [self.simple_user],
 493                                                 add_members_operation=False)
 494
 495         res = self.ldb_simple.search(self.base_dn,
 496                                      expression="(name=Administrators)",
 497                                      controls=[control1])
 498
 499         self.assertEqual(len(res[0].get("member")), size)
 500
 501         self.ldb_admin.newgroup("testgroup")
 502         self.ldb_admin.add_remove_group_members("testgroup", [self.simple_user],
 503                                                 add_members_operation=True)
 504
 505         res = self.ldb_admin.search(self.base_dn,
 506                                     expression="(name=testgroup)",
 507                                     controls=["dirsync:1:0:1"])
 508
 509         self.assertEqual(len(res[0].get("member")), 1)
 510         self.assertTrue(res[0].get("member") != "")
 511
 512         ctl = str(res.controls[0]).split(":")
 513         ctl[1] = "1"
 514         ctl[2] = "0"
 515         ctl[3] = "1"
 516         control1 = str(":".join(ctl))
 517
 518         # Check that reasking the same question but with an updated cookie
 519         # didn't return any results.
 520         print(control1)
 521         res = self.ldb_admin.search(self.base_dn,
 522                                     expression="(name=testgroup)",
 523                                     controls=[control1])
 524         self.assertEqual(len(res), 0)
 525
 526         ctl = str(res.controls[0]).split(":")
 527         ctl[1] = "1"
 528         ctl[2] = "1"
 529         ctl[3] = "10000"
 530         control1 = str(":".join(ctl))
 531
 532         self.ldb_admin.add_remove_group_members("testgroup", [self.simple_user],
 533                                                 add_members_operation=False)
 534
 535         res = self.ldb_admin.search(self.base_dn,
 536                                     expression="(name=testgroup)",
 537                                     attrs=["member"],
 538                                     controls=[control1])
 539
 540         self.ldb_admin.deletegroup("testgroup")
 541         self.assertEqual(len(res[0].get("member")), 0)
 542
 543     def test_dirsync_deleted_items(self):
 544         """Check that dirsync returnd deleted objects too"""
 545         # Let's create an OU
 546         ouname = "OU=testou3,%s" % self.base_dn
 547         self.ouname = ouname
 548         self.ldb_admin.create_ou(ouname)
 549         res = self.ldb_admin.search(self.base_dn,
 550                                     expression="(&(objectClass=organizationalUnit)(!(isDeleted=*)))",
 551                                     controls=["dirsync:1:0:1"])
 552         guid = None
 553         for e in res:
 554             if str(e["name"]) == "testou3":
 555                 guid = str(ndr_unpack(misc.GUID, e.get("objectGUID")[0]))
 556
 557         ctl = str(res.controls[0]).split(":")
 558         ctl[1] = "1"
 559         ctl[2] = "0"
 560         ctl[3] = "10000"
 561         control1 = str(":".join(ctl))
 562
 563         # So now delete the object and check that
 564         # we can see the object but deleted when admin
 565         delete_force(self.ldb_admin, ouname)
 566
 567         res = self.ldb_admin.search(self.base_dn,
 568                                     expression="(objectClass=organizationalUnit)",
 569                                     controls=[control1])
 570         self.assertEqual(len(res), 1)
 571         guid2 = str(ndr_unpack(misc.GUID, res[0].get("objectGUID")[0]))
 572         self.assertEqual(guid2, guid)
 573         self.assertTrue(res[0].get("isDeleted"))
 574         self.assertTrue(res[0].get("name") is not None)
 575
 576     def test_cookie_from_others(self):
 577         res = self.ldb_admin.search(self.base_dn,
 578                                     expression="(&(objectClass=organizationalUnit)(!(isDeleted=*)))",
 579                                     controls=["dirsync:1:0:1"])
 580         ctl = str(res.controls[0]).split(":")
 581         cookie = ndr_unpack(drsblobs.ldapControlDirSyncCookie, base64.b64decode(str(ctl[4])))
 582         cookie.blob.guid1 = misc.GUID("128a99bf-abcd-1234-abcd-1fb625e530db")
 583         controls = ["dirsync:1:0:0:%s" % base64.b64encode(ndr_pack(cookie)).decode('utf8')]
 584         res = self.ldb_admin.search(self.base_dn,
 585                                     expression="(&(objectClass=organizationalUnit)(!(isDeleted=*)))",
 586                                     controls=controls)
 587
 588
 589 class ExtendedDirsyncTests(SimpleDirsyncTests):
 590
 591     def test_dirsync_linkedattributes(self):
 592         flag_incr_linked = 2147483648
 593         self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
 594         res = self.ldb_admin.search(self.base_dn,
 595                                     attrs=["member"],
 596                                     expression="(name=Administrators)",
 597                                     controls=["dirsync:1:%d:1" % flag_incr_linked])
 598
 599         self.assertTrue(res[0].get("member;range=1-1") is not None)
 600         self.assertTrue(len(res[0].get("member;range=1-1")) > 0)
 601         size = len(res[0].get("member;range=1-1"))
 602
 603         ctl = str(res.controls[0]).split(":")
 604         ctl[1] = "1"
 605         ctl[2] = "%d" % flag_incr_linked
 606         ctl[3] = "10000"
 607         control1 = str(":".join(ctl))
 608         self.ldb_admin.add_remove_group_members("Administrators", [self.simple_user],
 609                                                 add_members_operation=True)
 610         self.ldb_admin.add_remove_group_members("Administrators", [self.dirsync_user],
 611                                                 add_members_operation=True)
 612
 613         res = self.ldb_admin.search(self.base_dn,
 614                                     expression="(name=Administrators)",
 615                                     controls=[control1])
 616
 617         self.assertEqual(len(res[0].get("member;range=1-1")), 2)
 618         ctl = str(res.controls[0]).split(":")
 619         ctl[1] = "1"
 620         ctl[2] = "%d" % flag_incr_linked
 621         ctl[3] = "10000"
 622         control1 = str(":".join(ctl))
 623
 624         # remove the user from the group
 625         self.ldb_admin.add_remove_group_members("Administrators", [self.simple_user],
 626                                                 add_members_operation=False)
 627
 628         res = self.ldb_admin.search(self.base_dn,
 629                                     expression="(name=Administrators)",
 630                                     controls=[control1])
 631
 632         self.assertEqual(res[0].get("member;range=1-1"), None)
 633         self.assertEqual(len(res[0].get("member;range=0-0")), 1)
 634
 635         ctl = str(res.controls[0]).split(":")
 636         ctl[1] = "1"
 637         ctl[2] = "%d" % flag_incr_linked
 638         ctl[3] = "10000"
 639         control2 = str(":".join(ctl))
 640
 641         self.ldb_admin.add_remove_group_members("Administrators", [self.dirsync_user],
 642                                                 add_members_operation=False)
 643
 644         res = self.ldb_admin.search(self.base_dn,
 645                                     expression="(name=Administrators)",
 646                                     controls=[control2])
 647
 648         self.assertEqual(res[0].get("member;range=1-1"), None)
 649         self.assertEqual(len(res[0].get("member;range=0-0")), 1)
 650
 651         res = self.ldb_admin.search(self.base_dn,
 652                                     expression="(name=Administrators)",
 653                                     controls=[control1])
 654
 655         self.assertEqual(res[0].get("member;range=1-1"), None)
 656         self.assertEqual(len(res[0].get("member;range=0-0")), 2)
 657
 658     def test_dirsync_deleted_items(self):
 659         """Check that dirsync returnd deleted objects too"""
 660         # Let's create an OU
 661         self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
 662         ouname = "OU=testou3,%s" % self.base_dn
 663         self.ouname = ouname
 664         self.ldb_admin.create_ou(ouname)
 665
 666         # Specify LDAP_DIRSYNC_OBJECT_SECURITY
 667         res = self.ldb_simple.search(self.base_dn,
 668                                      expression="(&(objectClass=organizationalUnit)(!(isDeleted=*)))",
 669                                      controls=["dirsync:1:1:1"])
 670
 671         guid = None
 672         for e in res:
 673             if str(e["name"]) == "testou3":
 674                 guid = str(ndr_unpack(misc.GUID, e.get("objectGUID")[0]))
 675
 676         self.assertTrue(guid is not None)
 677         ctl = str(res.controls[0]).split(":")
 678         ctl[1] = "1"
 679         ctl[2] = "1"
 680         ctl[3] = "10000"
 681         control1 = str(":".join(ctl))
 682
 683         # So now delete the object and check that
 684         # we can see the object but deleted when admin
 685         # we just see the objectGUID when simple user
 686         delete_force(self.ldb_admin, ouname)
 687
 688         res = self.ldb_simple.search(self.base_dn,
 689                                      expression="(objectClass=organizationalUnit)",
 690                                      controls=[control1])
 691         self.assertEqual(len(res), 1)
 692         guid2 = str(ndr_unpack(misc.GUID, res[0].get("objectGUID")[0]))
 693         self.assertEqual(guid2, guid)
 694         self.assertEqual(str(res[0].dn), "")
 695
 696
 697 if not getattr(opts, "listtests", False):
 698     lp = sambaopts.get_loadparm()
 699     samba.tests.cmdline_credentials = credopts.get_credentials(lp)
 700
 701
 702 TestProgram(module=__name__, opts=subunitopts)