2 # -*- coding: utf-8 -*-
12 sys.path.append("bin/python")
13 sys.path.append("../lib/subunit/python")
15 import samba.getopt as options
17 # Some error messages that are being tested
18 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
19 from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM
20 from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
22 # For running the test unit
23 from samba.ndr import ndr_pack, ndr_unpack
24 from samba.dcerpc import security
26 from samba.auth import system_session
27 from samba import Ldb, DS_BEHAVIOR_WIN2008
28 from subunit import SubunitTestRunner
31 parser = optparse.OptionParser("ldap [options] <host>")
32 sambaopts = options.SambaOptions(parser)
33 parser.add_option_group(sambaopts)
34 parser.add_option_group(options.VersionOptions(parser))
36 # use command line creds if available
37 credopts = options.CredentialsOptions(parser)
38 parser.add_option_group(credopts)
39 opts, args = parser.parse_args()
47 lp = sambaopts.get_loadparm()
48 creds = credopts.get_credentials(lp)
54 class DescriptorTests(unittest.TestCase):
56 def delete_force(self, ldb, dn):
59 except LdbError, (num, _):
60 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
62 def find_basedn(self, ldb):
63 res = ldb.search(base="", expression="", scope=SCOPE_BASE,
64 attrs=["defaultNamingContext"])
65 self.assertEquals(len(res), 1)
66 return res[0]["defaultNamingContext"][0]
68 def find_configurationdn(self, ldb):
69 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
70 self.assertEquals(len(res), 1)
71 return res[0]["configurationNamingContext"][0]
73 def find_schemadn(self, ldb):
74 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
75 self.assertEquals(len(res), 1)
76 return res[0]["schemaNamingContext"][0]
78 def find_domain_sid(self, ldb):
79 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
80 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
82 def get_users_domain_dn(self, name):
83 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
85 def modify_desc(self, object_dn, desc):
86 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
88 dn: """ + object_dn + """
90 replace: nTSecurityDescriptor
92 if isinstance(desc, str):
93 mod += "nTSecurityDescriptor: %s" % desc
94 elif isinstance(desc, security.descriptor):
95 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
96 self.ldb_admin.modify_ldif(mod)
98 def create_domain_ou(self, _ldb, ou_dn, desc=None):
100 dn: """ + ou_dn + """
101 ou: """ + ou_dn.split(",")[0][3:] + """
102 objectClass: organizationalUnit
106 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
107 if isinstance(desc, str):
108 ldif += "nTSecurityDescriptor: %s" % desc
109 elif isinstance(desc, security.descriptor):
110 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
113 def create_domain_user(self, _ldb, user_dn, desc=None):
115 dn: """ + user_dn + """
116 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
118 userPassword: samba123@
122 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
123 if isinstance(desc, str):
124 ldif += "nTSecurityDescriptor: %s" % desc
125 elif isinstance(desc, security.descriptor):
126 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
129 def create_domain_group(self, _ldb, group_dn, desc=None):
131 dn: """ + group_dn + """
133 sAMAccountName: """ + group_dn.split(",")[0][3:] + """
138 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
139 if isinstance(desc, str):
140 ldif += "nTSecurityDescriptor: %s" % desc
141 elif isinstance(desc, security.descriptor):
142 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
145 def get_unique_schema_class_name(self):
147 class_name = "test-class%s" % random.randint(1,100000)
148 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
150 self.ldb_admin.search(base=class_dn, attrs=["*"])
151 except LdbError, (num, _):
152 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
155 def create_schema_class(self, _ldb, object_dn, desc=None):
157 dn: """ + object_dn + """
158 objectClass: classSchema
159 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
160 defaultObjectCategory: """ + object_dn + """
161 distinguishedName: """ + object_dn + """
162 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
164 objectClassCategory: 1
165 subClassOf: organizationalPerson
168 systemMustContain: cn
172 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
173 if isinstance(desc, str):
174 ldif += "nTSecurityDescriptor: %s" % desc
175 elif isinstance(desc, security.descriptor):
176 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
179 def create_configuration_container(self, _ldb, object_dn, desc=None):
181 dn: """ + object_dn + """
182 objectClass: container
183 objectCategory: CN=Container,""" + self.schema_dn + """
184 showInAdvancedViewOnly: TRUE
188 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
189 if isinstance(desc, str):
190 ldif += "nTSecurityDescriptor: %s" % desc
191 elif isinstance(desc, security.descriptor):
192 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
195 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
197 dn: """ + object_dn + """
198 objectClass: displaySpecifier
199 showInAdvancedViewOnly: TRUE
202 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
203 if isinstance(desc, str):
204 ldif += "nTSecurityDescriptor: %s" % desc
205 elif isinstance(desc, security.descriptor):
206 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
209 def read_desc(self, object_dn):
210 res = self.ldb_admin.search(base=object_dn, attrs=["nTSecurityDescriptor"])
211 desc = res[0]["nTSecurityDescriptor"][0]
212 return ndr_unpack( security.descriptor, desc )
214 def enable_account(self, user_dn):
215 """Enable an account.
216 :param user_dn: Dn of the account to enable.
218 res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
220 userAccountControl = res[0]["userAccountControl"][0]
221 userAccountControl = int(userAccountControl)
222 if (userAccountControl & 0x2):
223 userAccountControl = userAccountControl & ~0x2 # remove disabled bit
224 if (userAccountControl & 0x20):
225 userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
227 dn: """ + user_dn + """
229 replace: userAccountControl
230 userAccountControl: %s""" % userAccountControl
232 mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
233 self.ldb_admin.modify_ldif(mod)
235 def get_ldb_connection(self, target_username, target_password):
236 username_save = creds.get_username(); password_save = creds.get_password()
237 creds.set_username(target_username)
238 creds.set_password(target_password)
239 ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
240 creds.set_username(username_save); creds.set_password(password_save)
243 def get_object_sid(self, object_dn):
244 res = self.ldb_admin.search(object_dn)
245 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
247 def dacl_add_ace(self, object_dn, ace):
248 desc = self.read_desc( object_dn )
249 desc_sddl = desc.as_sddl( self.domain_sid )
252 if desc_sddl.find("(") >= 0:
253 desc_sddl = desc_sddl[0:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
255 desc_sddl = desc_sddl + ace
256 self.modify_desc(object_dn, desc_sddl)
258 def get_desc_sddl(self, object_dn):
259 """ Return object nTSecutiryDescriptor in SDDL format
261 desc = self.read_desc(object_dn)
262 return desc.as_sddl(self.domain_sid)
266 self.base_dn = self.find_basedn(self.ldb_admin)
267 self.configuration_dn = self.find_configurationdn(self.ldb_admin)
268 self.schema_dn = self.find_schemadn(self.ldb_admin)
269 self.domain_sid = self.find_domain_sid(self.ldb_admin)
270 print "baseDN: %s" % self.base_dn
271 self.SAMBA = False; self.WIN2003 = False
272 res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"])
273 if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]:
277 #print "self.SAMBA:", self.SAMBA
278 #print "self.WIN2003:", self.WIN2003
280 ################################################################################################
284 # Default descriptor tests #####################################################################
286 class OwnerGroupDescriptorTests(DescriptorTests):
289 DescriptorTests.setUp(self)
293 user_dn = self.get_users_domain_dn("testuser1")
294 self.create_domain_user(self.ldb_admin, user_dn)
295 self.enable_account(user_dn)
297 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
299 member: """ + user_dn
300 self.ldb_admin.modify_ldif(ldif)
302 user_dn = self.get_users_domain_dn("testuser2")
303 self.create_domain_user(self.ldb_admin, user_dn)
304 self.enable_account(user_dn)
306 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
308 member: """ + user_dn
309 self.ldb_admin.modify_ldif(ldif)
311 user_dn = self.get_users_domain_dn("testuser3")
312 self.create_domain_user(self.ldb_admin, user_dn)
313 self.enable_account(user_dn)
315 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
317 member: """ + user_dn
318 self.ldb_admin.modify_ldif(ldif)
320 user_dn = self.get_users_domain_dn("testuser4")
321 self.create_domain_user(self.ldb_admin, user_dn)
322 self.enable_account(user_dn)
324 user_dn = self.get_users_domain_dn("testuser5")
325 self.create_domain_user(self.ldb_admin, user_dn)
326 self.enable_account(user_dn)
328 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
330 member: """ + user_dn + """
332 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
334 member: """ + user_dn
335 self.ldb_admin.modify_ldif(ldif)
337 user_dn = self.get_users_domain_dn("testuser6")
338 self.create_domain_user(self.ldb_admin, user_dn)
339 self.enable_account(user_dn)
341 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
343 member: """ + user_dn + """
345 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
347 member: """ + user_dn + """
349 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
351 member: """ + user_dn
352 self.ldb_admin.modify_ldif(ldif)
354 user_dn = self.get_users_domain_dn("testuser7")
355 self.create_domain_user(self.ldb_admin, user_dn)
356 self.enable_account(user_dn)
358 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
360 member: """ + user_dn + """
362 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
364 member: """ + user_dn
365 self.ldb_admin.modify_ldif(ldif)
367 user_dn = self.get_users_domain_dn("testuser8")
368 self.create_domain_user(self.ldb_admin, user_dn)
369 self.enable_account(user_dn)
371 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
373 member: """ + user_dn + """
375 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
377 member: """ + user_dn
378 self.ldb_admin.modify_ldif(ldif)
380 # msDS-Behavior-Version < DS_BEHAVIOR_WIN2008
381 "ds_behavior_win2003" : {
431 # msDS-Behavior-Version >= 3
432 "ds_behavior_win2008" : {
483 # Discover 'msDS-Behavior-Version'
484 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
485 attrs=['msDS-Behavior-Version'])
486 res = int(res[0]['msDS-Behavior-Version'][0])
487 if res < DS_BEHAVIOR_WIN2008:
488 self.DS_BEHAVIOR = "ds_behavior_win2003"
490 self.DS_BEHAVIOR = "ds_behavior_win2008"
494 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
495 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
496 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
497 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
498 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
499 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
500 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
501 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
503 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
504 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
505 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
506 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
509 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
510 + self.configuration_dn)
511 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
513 def check_user_belongs(self, user_dn, groups=[]):
514 """ Test wether user is member of the expected group(s) """
516 # User is member of at least one additional group
517 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
518 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
521 expected.append(self.get_users_domain_dn(x))
522 expected = [x.upper() for x in sorted(expected)]
523 self.assertEqual(expected, res)
525 # User is not a member of any additional groups but default
526 res = self.ldb_admin.search(user_dn, attrs=["*"])
527 res = [x.upper() for x in res[0].keys()]
528 self.assertFalse( "MEMBEROF" in res)
531 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
533 user_name = "testuser1"
534 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
535 # Open Ldb connection with the tested user
536 _ldb = self.get_ldb_connection("testuser1", "samba123@")
537 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
538 self.delete_force(self.ldb_admin, group_dn)
539 self.create_domain_group(_ldb, group_dn)
540 desc_sddl = self.get_desc_sddl(group_dn)
541 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
542 self.assertEqual(self.results[self.DS_BEHAVIOR]["100"], res)
545 """ Dmain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
547 user_name = "testuser2"
548 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
549 # Open Ldb connection with the tested user
550 _ldb = self.get_ldb_connection(user_name, "samba123@")
551 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
552 self.delete_force(self.ldb_admin, group_dn)
553 self.create_domain_group(_ldb, group_dn)
554 desc_sddl = self.get_desc_sddl(group_dn)
555 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
556 self.assertEqual(self.results[self.DS_BEHAVIOR]["101"], res)
559 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
561 user_name = "testuser3"
562 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
563 # Open Ldb connection with the tested user
564 _ldb = self.get_ldb_connection(user_name, "samba123@")
565 object_dn = "OU=test_domain_ou1," + self.base_dn
566 self.delete_force(self.ldb_admin, object_dn)
567 self.create_domain_ou(self.ldb_admin, object_dn)
568 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
569 mod = "(A;;CC;;;%s)" % str(user_sid)
570 self.dacl_add_ace(object_dn, mod)
571 # Create additional object into the first one
572 object_dn = "CN=test_domain_user1," + object_dn
573 self.delete_force(self.ldb_admin, object_dn)
574 self.create_domain_user(_ldb, object_dn)
575 desc_sddl = self.get_desc_sddl(object_dn)
576 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
577 self.assertEqual(self.results[self.DS_BEHAVIOR]["102"] % str(user_sid), res)
580 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
582 user_name = "testuser4"
583 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
584 # Open Ldb connection with the tested user
585 _ldb = self.get_ldb_connection(user_name, "samba123@")
586 object_dn = "OU=test_domain_ou1," + self.base_dn
587 self.delete_force(self.ldb_admin, object_dn)
588 self.create_domain_ou(self.ldb_admin, object_dn)
589 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
590 mod = "(A;;CC;;;%s)" % str(user_sid)
591 self.dacl_add_ace(object_dn, mod)
592 # Create additional object into the first one
593 object_dn = "CN=test_domain_user1," + object_dn
594 self.delete_force(self.ldb_admin, object_dn)
595 self.create_domain_user(_ldb, object_dn)
596 desc_sddl = self.get_desc_sddl(object_dn)
597 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
598 self.assertEqual(self.results[self.DS_BEHAVIOR]["103"] % str(user_sid), res)
601 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
603 user_name = "testuser5"
604 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
605 # Open Ldb connection with the tested user
606 _ldb = self.get_ldb_connection(user_name, "samba123@")
607 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
608 self.delete_force(self.ldb_admin, group_dn)
609 self.create_domain_group(_ldb, group_dn)
610 desc_sddl = self.get_desc_sddl(group_dn)
611 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
612 self.assertEqual(self.results[self.DS_BEHAVIOR]["104"], res)
615 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
617 user_name = "testuser6"
618 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
619 # Open Ldb connection with the tested user
620 _ldb = self.get_ldb_connection(user_name, "samba123@")
621 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
622 self.delete_force(self.ldb_admin, group_dn)
623 self.create_domain_group(_ldb, group_dn)
624 desc_sddl = self.get_desc_sddl(group_dn)
625 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
626 self.assertEqual(self.results[self.DS_BEHAVIOR]["105"], res)
629 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
631 user_name = "testuser7"
632 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
633 # Open Ldb connection with the tested user
634 _ldb = self.get_ldb_connection(user_name, "samba123@")
635 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
636 self.delete_force(self.ldb_admin, group_dn)
637 self.create_domain_group(_ldb, group_dn)
638 desc_sddl = self.get_desc_sddl(group_dn)
639 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
640 self.assertEqual(self.results[self.DS_BEHAVIOR]["106"], res)
643 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
645 user_name = "testuser8"
646 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
647 # Open Ldb connection with the tested user
648 _ldb = self.get_ldb_connection(user_name, "samba123@")
649 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
650 self.delete_force(self.ldb_admin, group_dn)
651 self.create_domain_group(_ldb, group_dn)
652 desc_sddl = self.get_desc_sddl(group_dn)
653 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
654 self.assertEqual(self.results[self.DS_BEHAVIOR]["107"], res)
656 # Control descriptor tests #####################################################################
659 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
661 user_name = "testuser1"
662 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
663 # Open Ldb connection with the tested user
664 _ldb = self.get_ldb_connection(user_name, "samba123@")
665 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
666 self.delete_force(self.ldb_admin, group_dn)
667 # Create a custom security descriptor
668 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
669 self.create_domain_group(_ldb, group_dn, desc_sddl)
670 desc_sddl = self.get_desc_sddl(group_dn)
671 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
672 self.assertEqual(self.results[self.DS_BEHAVIOR]["108"], res)
675 """ Domain admin group member creates object (custom descriptor) in DOMAIN
677 user_name = "testuser2"
678 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
679 # Open Ldb connection with the tested user
680 _ldb = self.get_ldb_connection(user_name, "samba123@")
681 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
682 self.delete_force(self.ldb_admin, group_dn)
683 # Create a custom security descriptor
684 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
685 self.create_domain_group(_ldb, group_dn, desc_sddl)
686 desc_sddl = self.get_desc_sddl(group_dn)
687 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
688 self.assertEqual(self.results[self.DS_BEHAVIOR]["109"], res)
691 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
693 user_name = "testuser3"
694 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
695 # Open Ldb connection with the tested user
696 _ldb = self.get_ldb_connection(user_name, "samba123@")
697 object_dn = "OU=test_domain_ou1," + self.base_dn
698 self.delete_force(self.ldb_admin, object_dn)
699 self.create_domain_ou(self.ldb_admin, object_dn)
700 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
701 mod = "(A;;CC;;;%s)" % str(user_sid)
702 self.dacl_add_ace(object_dn, mod)
703 # Create a custom security descriptor
704 # NB! Problematic owner part won't accept DA only <User Sid> !!!
705 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
706 # Create additional object into the first one
707 object_dn = "CN=test_domain_user1," + object_dn
708 self.delete_force(self.ldb_admin, object_dn)
709 self.create_domain_user(_ldb, object_dn, desc_sddl)
710 desc = self.read_desc(object_dn)
711 desc_sddl = self.get_desc_sddl(object_dn)
712 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
713 self.assertEqual(self.results[self.DS_BEHAVIOR]["110"] % str(user_sid), res)
716 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
718 user_name = "testuser4"
719 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
720 # Open Ldb connection with the tested user
721 _ldb = self.get_ldb_connection(user_name, "samba123@")
722 object_dn = "OU=test_domain_ou1," + self.base_dn
723 self.delete_force(self.ldb_admin, object_dn)
724 self.create_domain_ou(self.ldb_admin, object_dn)
725 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
726 mod = "(A;;CC;;;%s)" % str(user_sid)
727 self.dacl_add_ace(object_dn, mod)
728 # Create a custom security descriptor
729 # NB! Problematic owner part won't accept DA only <User Sid> !!!
730 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
731 # Create additional object into the first one
732 object_dn = "CN=test_domain_user1," + object_dn
733 self.delete_force(self.ldb_admin, object_dn)
734 self.create_domain_user(_ldb, object_dn, desc_sddl)
735 desc = self.read_desc(object_dn)
736 desc_sddl = self.get_desc_sddl(object_dn)
737 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
738 self.assertEqual(self.results[self.DS_BEHAVIOR]["111"] % str(user_sid), res)
741 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
743 user_name = "testuser5"
744 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
745 # Open Ldb connection with the tested user
746 _ldb = self.get_ldb_connection(user_name, "samba123@")
747 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
748 self.delete_force(self.ldb_admin, group_dn)
749 # Create a custom security descriptor
750 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
751 self.create_domain_group(_ldb, group_dn, desc_sddl)
752 desc_sddl = self.get_desc_sddl(group_dn)
753 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
754 self.assertEqual(self.results[self.DS_BEHAVIOR]["112"], res)
757 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
759 user_name = "testuser6"
760 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
761 # Open Ldb connection with the tested user
762 _ldb = self.get_ldb_connection(user_name, "samba123@")
763 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
764 self.delete_force(self.ldb_admin, group_dn)
765 # Create a custom security descriptor
766 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
767 self.create_domain_group(_ldb, group_dn, desc_sddl)
768 desc_sddl = self.get_desc_sddl(group_dn)
769 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
770 self.assertEqual(self.results[self.DS_BEHAVIOR]["113"], res)
773 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
775 user_name = "testuser7"
776 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
777 # Open Ldb connection with the tested user
778 _ldb = self.get_ldb_connection(user_name, "samba123@")
779 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
780 self.delete_force(self.ldb_admin, group_dn)
781 # Create a custom security descriptor
782 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
783 self.create_domain_group(_ldb, group_dn, desc_sddl)
784 desc_sddl = self.get_desc_sddl(group_dn)
785 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
786 self.assertEqual(self.results[self.DS_BEHAVIOR]["114"], res)
789 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
791 user_name = "testuser8"
792 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
793 # Open Ldb connection with the tested user
794 _ldb = self.get_ldb_connection(user_name, "samba123@")
795 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
796 self.delete_force(self.ldb_admin, group_dn)
797 # Create a custom security descriptor
798 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
799 self.create_domain_group(_ldb, group_dn, desc_sddl)
800 desc_sddl = self.get_desc_sddl(group_dn)
801 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
802 self.assertEqual(self.results[self.DS_BEHAVIOR]["115"], res)
806 user_name = "Administrator"
807 object_dn = "OU=test_domain_ou1," + self.base_dn
808 self.delete_force(self.ldb_admin, object_dn)
809 self.create_domain_ou(self.ldb_admin, object_dn)
810 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
811 mod = "(D;CI;WP;;;S-1-3-0)"
813 self.dacl_add_ace(object_dn, mod)
814 desc_sddl = self.get_desc_sddl(object_dn)
815 # Create additional object into the first one
816 object_dn = "OU=test_domain_ou2," + object_dn
817 self.delete_force(self.ldb_admin, object_dn)
818 self.create_domain_ou(self.ldb_admin, object_dn)
819 desc_sddl = self.get_desc_sddl(object_dn)
823 # Defalt descriptor tests ##################################################################
826 user_name = "testuser1"
827 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
828 # Open Ldb connection with the tested user
829 _ldb = self.get_ldb_connection(user_name, "samba123@")
830 # Change Schema partition descriptor
831 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
833 self.dacl_add_ace(self.schema_dn, mod)
834 # Create example Schema class
835 class_name = self.get_unique_schema_class_name()
836 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
837 self.create_schema_class(_ldb, class_dn)
838 desc_sddl = self.get_desc_sddl(class_dn)
839 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
840 self.assertEqual(self.results[self.DS_BEHAVIOR]["130"], res)
843 user_name = "testuser2"
844 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
845 # Open Ldb connection with the tested user
846 _ldb = self.get_ldb_connection(user_name, "samba123@")
847 # Change Schema partition descriptor
849 self.dacl_add_ace(self.schema_dn, mod)
850 # Create example Schema class
851 class_name = self.get_unique_schema_class_name()
852 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
853 self.create_schema_class(_ldb, class_dn)
854 desc_sddl = self.get_desc_sddl(class_dn)
855 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
856 self.assertEqual(self.results[self.DS_BEHAVIOR]["131"], res)
859 user_name = "testuser3"
860 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
861 # Open Ldb connection with the tested user
862 _ldb = self.get_ldb_connection(user_name, "samba123@")
863 # Change Schema partition descriptor
865 self.dacl_add_ace(self.schema_dn, mod)
866 # Create example Schema class
867 class_name = self.get_unique_schema_class_name()
868 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
869 self.create_schema_class(_ldb, class_dn)
870 desc_sddl = self.get_desc_sddl(class_dn)
871 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
872 self.assertEqual(self.results[self.DS_BEHAVIOR]["132"], res)
875 user_name = "testuser4"
876 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
877 # Open Ldb connection with the tested user
878 _ldb = self.get_ldb_connection(user_name, "samba123@")
879 #Change Schema partition descriptor
880 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
882 self.dacl_add_ace(self.schema_dn, mod)
883 # Create example Schema class
884 class_name = self.get_unique_schema_class_name()
885 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
886 self.create_schema_class(_ldb, class_dn)
887 desc_sddl = self.get_desc_sddl(class_dn)
888 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
889 self.assertEqual(self.results[self.DS_BEHAVIOR]["133"] % str(user_sid), res)
892 user_name = "testuser5"
893 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
894 # Open Ldb connection with the tested user
895 _ldb = self.get_ldb_connection(user_name, "samba123@")
896 #Change Schema partition descriptor
898 self.dacl_add_ace(self.schema_dn, mod)
899 # Create example Schema class
900 class_name = self.get_unique_schema_class_name()
901 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
902 self.create_schema_class(_ldb, class_dn)
903 desc_sddl = self.get_desc_sddl(class_dn)
904 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
905 self.assertEqual(self.results[self.DS_BEHAVIOR]["134"], res)
908 user_name = "testuser6"
909 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
910 # Open Ldb connection with the tested user
911 _ldb = self.get_ldb_connection(user_name, "samba123@")
912 # Change Schema partition descriptor
914 self.dacl_add_ace(self.schema_dn, mod)
915 # Create example Schema class
916 class_name = self.get_unique_schema_class_name()
917 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
918 self.create_schema_class(_ldb, class_dn)
919 desc_sddl = self.get_desc_sddl(class_dn)
920 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
921 self.assertEqual(self.results[self.DS_BEHAVIOR]["135"], res)
924 user_name = "testuser7"
925 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
926 # Open Ldb connection with the tested user
927 _ldb = self.get_ldb_connection(user_name, "samba123@")
928 # Change Schema partition descriptor
930 self.dacl_add_ace(self.schema_dn, mod)
931 # Create example Schema class
932 class_name = self.get_unique_schema_class_name()
933 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
934 self.create_schema_class(_ldb, class_dn)
935 desc_sddl = self.get_desc_sddl(class_dn)
936 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
937 self.assertEqual(self.results[self.DS_BEHAVIOR]["136"], res)
940 user_name = "testuser8"
941 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
942 # Open Ldb connection with the tested user
943 _ldb = self.get_ldb_connection(user_name, "samba123@")
944 # Change Schema partition descriptor
946 self.dacl_add_ace(self.schema_dn, mod)
947 # Create example Schema class
948 class_name = self.get_unique_schema_class_name()
949 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
950 self.create_schema_class(_ldb, class_dn)
951 desc_sddl = self.get_desc_sddl(class_dn)
952 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
953 self.assertEqual(self.results[self.DS_BEHAVIOR]["137"], res)
955 # Custom descriptor tests ##################################################################
958 user_name = "testuser1"
959 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
960 # Open Ldb connection with the tested user
961 _ldb = self.get_ldb_connection(user_name, "samba123@")
962 # Change Schema partition descriptor
964 self.dacl_add_ace(self.schema_dn, mod)
965 # Create a custom security descriptor
966 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
967 # Create example Schema class
968 class_name = self.get_unique_schema_class_name()
969 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
970 self.create_schema_class(_ldb, class_dn, desc_sddl)
971 desc_sddl = self.get_desc_sddl(class_dn)
972 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
973 self.assertEqual("O:DAG:DA", res)
976 user_name = "testuser2"
977 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
978 # Open Ldb connection with the tested user
979 _ldb = self.get_ldb_connection(user_name, "samba123@")
980 # Change Schema partition descriptor
982 self.dacl_add_ace(self.schema_dn, mod)
983 # Create a custom security descriptor
984 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
985 # Create example Schema class
986 class_name = self.get_unique_schema_class_name()
987 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
988 self.create_schema_class(_ldb, class_dn, desc_sddl)
989 desc_sddl = self.get_desc_sddl(class_dn)
990 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
991 self.assertEqual("O:DAG:DA", res)
994 user_name = "testuser3"
995 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
996 # Open Ldb connection with the tested user
997 _ldb = self.get_ldb_connection(user_name, "samba123@")
998 # Create a custom security descriptor
999 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1000 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1001 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1002 # Create example Schema class
1003 class_name = self.get_unique_schema_class_name()
1004 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1005 self.create_schema_class(_ldb, class_dn, desc_sddl)
1006 desc_sddl = self.get_desc_sddl(class_dn)
1007 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1008 self.assertEqual(self.results[self.DS_BEHAVIOR]["140"] % str(user_sid), res)
1011 user_name = "testuser4"
1012 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1013 # Open Ldb connection with the tested user
1014 _ldb = self.get_ldb_connection(user_name, "samba123@")
1015 # Create a custom security descriptor
1016 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1017 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1018 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1019 # Create example Schema class
1020 class_name = self.get_unique_schema_class_name()
1021 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1022 self.create_schema_class(_ldb, class_dn, desc_sddl)
1023 desc_sddl = self.get_desc_sddl(class_dn)
1024 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1025 self.assertEqual(self.results[self.DS_BEHAVIOR]["141"] % str(user_sid), res)
1028 user_name = "testuser5"
1029 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1030 # Open Ldb connection with the tested user
1031 _ldb = self.get_ldb_connection(user_name, "samba123@")
1032 # Change Schema partition descriptor
1033 mod = "(A;;CC;;;AU)"
1034 self.dacl_add_ace(self.schema_dn, mod)
1035 # Create a custom security descriptor
1036 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1037 # Create example Schema class
1038 class_name = self.get_unique_schema_class_name()
1039 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1040 self.create_schema_class(_ldb, class_dn, desc_sddl)
1041 desc_sddl = self.get_desc_sddl(class_dn)
1042 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1043 self.assertEqual("O:DAG:DA", res)
1046 user_name = "testuser6"
1047 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1048 # Open Ldb connection with the tested user
1049 _ldb = self.get_ldb_connection(user_name, "samba123@")
1050 # Change Schema partition descriptor
1051 mod = "(A;;CC;;;AU)"
1052 self.dacl_add_ace(self.schema_dn, mod)
1053 # Create a custom security descriptor
1054 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1055 # Create example Schema class
1056 class_name = self.get_unique_schema_class_name()
1057 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1058 self.create_schema_class(_ldb, class_dn, desc_sddl)
1059 desc_sddl = self.get_desc_sddl(class_dn)
1060 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1061 self.assertEqual("O:DAG:DA", res)
1064 user_name = "testuser7"
1065 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1066 # Open Ldb connection with the tested user
1067 _ldb = self.get_ldb_connection(user_name, "samba123@")
1068 # Change Schema partition descriptor
1069 mod = "(A;;CC;;;AU)"
1070 self.dacl_add_ace(self.schema_dn, mod)
1071 # Create a custom security descriptor
1072 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1073 # Create example Schema class
1074 class_name = self.get_unique_schema_class_name()
1075 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1076 self.create_schema_class(_ldb, class_dn, desc_sddl)
1077 desc_sddl = self.get_desc_sddl(class_dn)
1078 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1079 self.assertEqual("O:DAG:DA", res)
1082 user_name = "testuser8"
1083 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1084 # Open Ldb connection with the tested user
1085 _ldb = self.get_ldb_connection(user_name, "samba123@")
1086 # Change Schema partition descriptor
1087 mod = "(A;;CC;;;AU)"
1088 self.dacl_add_ace(self.schema_dn, mod)
1089 # Create a custom security descriptor
1090 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1091 # Create example Schema class
1092 class_name = self.get_unique_schema_class_name()
1093 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1094 self.create_schema_class(_ldb, class_dn, desc_sddl)
1095 desc_sddl = self.get_desc_sddl(class_dn)
1096 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1097 self.assertEqual("O:DAG:DA", res)
1099 ## Tests for CONFIGURATION
1101 # Defalt descriptor tests ##################################################################
1104 user_name = "testuser1"
1105 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1106 # Open Ldb connection with the tested user
1107 _ldb = self.get_ldb_connection(user_name, "samba123@")
1108 # Create example Configuration container
1109 container_name = "test-container1"
1110 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1111 self.delete_force(self.ldb_admin, object_dn)
1112 self.create_configuration_container(_ldb, object_dn, )
1113 desc_sddl = self.get_desc_sddl(object_dn)
1114 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1115 self.assertEqual(self.results[self.DS_BEHAVIOR]["160"], res)
1118 user_name = "testuser2"
1119 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1120 # Open Ldb connection with the tested user
1121 _ldb = self.get_ldb_connection(user_name, "samba123@")
1122 # Create example Configuration container
1123 container_name = "test-container1"
1124 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1125 self.delete_force(self.ldb_admin, object_dn)
1126 self.create_configuration_container(_ldb, object_dn, )
1127 desc_sddl = self.get_desc_sddl(object_dn)
1128 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1129 self.assertEqual(self.results[self.DS_BEHAVIOR]["161"], res)
1132 user_name = "testuser3"
1133 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1134 # Open Ldb connection with the tested user
1135 _ldb = self.get_ldb_connection(user_name, "samba123@")
1136 # Create example Configuration container
1137 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1138 self.delete_force(self.ldb_admin, object_dn)
1139 self.create_configuration_container(self.ldb_admin, object_dn, )
1140 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1141 mod = "(A;;CC;;;AU)"
1142 self.dacl_add_ace(object_dn, mod)
1143 # Create child object with user's credentials
1144 object_dn = "CN=test-specifier1," + object_dn
1145 self.delete_force(self.ldb_admin, object_dn)
1146 self.create_configuration_specifier(_ldb, object_dn)
1147 desc_sddl = self.get_desc_sddl(object_dn)
1148 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1149 self.assertEqual(self.results[self.DS_BEHAVIOR]["162"] % str(user_sid), res)
1152 user_name = "testuser4"
1153 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1154 # Open Ldb connection with the tested user
1155 _ldb = self.get_ldb_connection(user_name, "samba123@")
1156 # Create example Configuration container
1157 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1158 self.delete_force(self.ldb_admin, object_dn)
1159 self.create_configuration_container(self.ldb_admin, object_dn, )
1160 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1161 mod = "(A;;CC;;;AU)"
1162 self.dacl_add_ace(object_dn, mod)
1163 # Create child object with user's credentials
1164 object_dn = "CN=test-specifier1," + object_dn
1165 self.delete_force(self.ldb_admin, object_dn)
1166 self.create_configuration_specifier(_ldb, object_dn)
1167 desc_sddl = self.get_desc_sddl(object_dn)
1168 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1169 self.assertEqual(self.results[self.DS_BEHAVIOR]["163"] % str(user_sid), res)
1172 user_name = "testuser5"
1173 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1174 # Open Ldb connection with the tested user
1175 _ldb = self.get_ldb_connection(user_name, "samba123@")
1176 # Create example Configuration container
1177 container_name = "test-container1"
1178 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1179 self.delete_force(self.ldb_admin, object_dn)
1180 self.create_configuration_container(_ldb, object_dn, )
1181 desc_sddl = self.get_desc_sddl(object_dn)
1182 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1183 self.assertEqual(self.results[self.DS_BEHAVIOR]["164"], res)
1186 user_name = "testuser6"
1187 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1188 # Open Ldb connection with the tested user
1189 _ldb = self.get_ldb_connection(user_name, "samba123@")
1190 # Create example Configuration container
1191 container_name = "test-container1"
1192 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1193 self.delete_force(self.ldb_admin, object_dn)
1194 self.create_configuration_container(_ldb, object_dn, )
1195 desc_sddl = self.get_desc_sddl(object_dn)
1196 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1197 self.assertEqual(self.results[self.DS_BEHAVIOR]["165"], res)
1200 user_name = "testuser7"
1201 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1202 # Open Ldb connection with the tested user
1203 _ldb = self.get_ldb_connection(user_name, "samba123@")
1204 # Create example Configuration container
1205 container_name = "test-container1"
1206 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1207 self.delete_force(self.ldb_admin, object_dn)
1208 self.create_configuration_container(_ldb, object_dn, )
1209 desc_sddl = self.get_desc_sddl(object_dn)
1210 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1211 self.assertEqual(self.results[self.DS_BEHAVIOR]["166"], res)
1214 user_name = "testuser8"
1215 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1216 # Open Ldb connection with the tested user
1217 _ldb = self.get_ldb_connection(user_name, "samba123@")
1218 # Create example Configuration container
1219 container_name = "test-container1"
1220 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1221 self.delete_force(self.ldb_admin, object_dn)
1222 self.create_configuration_container(_ldb, object_dn, )
1223 desc_sddl = self.get_desc_sddl(object_dn)
1224 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1225 self.assertEqual(self.results[self.DS_BEHAVIOR]["167"], res)
1227 # Custom descriptor tests ##################################################################
1230 user_name = "testuser1"
1231 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1232 # Open Ldb connection with the tested user
1233 _ldb = self.get_ldb_connection(user_name, "samba123@")
1234 # Create example Configuration container
1235 container_name = "test-container1"
1236 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1237 self.delete_force(self.ldb_admin, object_dn)
1238 # Create a custom security descriptor
1239 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1240 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1241 desc_sddl = self.get_desc_sddl(object_dn)
1242 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1243 self.assertEqual("O:DAG:DA", res)
1246 user_name = "testuser2"
1247 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1248 # Open Ldb connection with the tested user
1249 _ldb = self.get_ldb_connection(user_name, "samba123@")
1250 # Create example Configuration container
1251 container_name = "test-container1"
1252 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1253 self.delete_force(self.ldb_admin, object_dn)
1254 # Create a custom security descriptor
1255 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1256 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1257 desc_sddl = self.get_desc_sddl(object_dn)
1258 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1259 self.assertEqual("O:DAG:DA", res)
1262 user_name = "testuser3"
1263 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1264 # Open Ldb connection with the tested user
1265 _ldb = self.get_ldb_connection(user_name, "samba123@")
1266 # Create example Configuration container
1267 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1268 self.delete_force(self.ldb_admin, object_dn)
1269 self.create_configuration_container(self.ldb_admin, object_dn, )
1270 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1271 mod = "(A;;CC;;;AU)"
1272 self.dacl_add_ace(object_dn, mod)
1273 # Create child object with user's credentials
1274 object_dn = "CN=test-specifier1," + object_dn
1275 self.delete_force(self.ldb_admin, object_dn)
1276 # Create a custom security descriptor
1277 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1278 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1279 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1280 desc_sddl = self.get_desc_sddl(object_dn)
1281 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1282 self.assertEqual(self.results[self.DS_BEHAVIOR]["170"] % str(user_sid), res)
1285 user_name = "testuser4"
1286 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1287 # Open Ldb connection with the tested user
1288 _ldb = self.get_ldb_connection(user_name, "samba123@")
1289 # Create example Configuration container
1290 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1291 self.delete_force(self.ldb_admin, object_dn)
1292 self.create_configuration_container(self.ldb_admin, object_dn, )
1293 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1294 mod = "(A;;CC;;;AU)"
1295 self.dacl_add_ace(object_dn, mod)
1296 # Create child object with user's credentials
1297 object_dn = "CN=test-specifier1," + object_dn
1298 self.delete_force(self.ldb_admin, object_dn)
1299 # Create a custom security descriptor
1300 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1301 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1302 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1303 desc_sddl = self.get_desc_sddl(object_dn)
1304 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1305 self.assertEqual(self.results[self.DS_BEHAVIOR]["171"] % str(user_sid), res)
1308 user_name = "testuser5"
1309 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1310 # Open Ldb connection with the tested user
1311 _ldb = self.get_ldb_connection(user_name, "samba123@")
1312 # Create example Configuration container
1313 container_name = "test-container1"
1314 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1315 self.delete_force(self.ldb_admin, object_dn)
1316 # Create a custom security descriptor
1317 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1318 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1319 desc_sddl = self.get_desc_sddl(object_dn)
1320 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1321 self.assertEqual("O:DAG:DA", res)
1324 user_name = "testuser6"
1325 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1326 # Open Ldb connection with the tested user
1327 _ldb = self.get_ldb_connection(user_name, "samba123@")
1328 # Create example Configuration container
1329 container_name = "test-container1"
1330 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1331 self.delete_force(self.ldb_admin, object_dn)
1332 # Create a custom security descriptor
1333 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1334 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1335 desc_sddl = self.get_desc_sddl(object_dn)
1336 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1337 self.assertEqual("O:DAG:DA", res)
1340 user_name = "testuser7"
1341 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1342 # Open Ldb connection with the tested user
1343 _ldb = self.get_ldb_connection(user_name, "samba123@")
1344 # Create example Configuration container
1345 container_name = "test-container1"
1346 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1347 self.delete_force(self.ldb_admin, object_dn)
1348 # Create a custom security descriptor
1349 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1350 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1351 desc_sddl = self.get_desc_sddl(object_dn)
1352 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1353 self.assertEqual("O:DAG:DA", res)
1356 user_name = "testuser8"
1357 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1358 # Open Ldb connection with the tested user
1359 _ldb = self.get_ldb_connection(user_name, "samba123@")
1360 # Create example Configuration container
1361 container_name = "test-container1"
1362 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1363 self.delete_force(self.ldb_admin, object_dn)
1364 # Create a custom security descriptor
1365 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1366 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1367 desc_sddl = self.get_desc_sddl(object_dn)
1368 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1369 self.assertEqual("O:DAG:DA", res)
1371 ########################################################################################
1372 # Inharitance tests for DACL
1374 class DaclDescriptorTests(DescriptorTests):
1377 DescriptorTests.setUp(self)
1380 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1381 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1383 def create_clean_ou(self, object_dn):
1384 """ Base repeating setup for unittests to follow """
1385 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1386 expression="distinguishedName=%s" % object_dn)
1387 # Make sure top testing OU has been deleted before starting the test
1388 self.assertEqual(res, [])
1389 self.create_domain_ou(self.ldb_admin, object_dn)
1390 desc_sddl = self.get_desc_sddl(object_dn)
1391 # Make sutre there are inheritable ACEs initially
1392 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1393 # Find and remove all inherit ACEs
1394 res = re.findall("\(.*?\)", desc_sddl)
1395 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1397 desc_sddl = desc_sddl.replace(x, "")
1398 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1399 # can propagate from above
1400 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1401 # colon at the end breaks ldif parsing, fix it
1402 res = re.findall(".*?S:", desc_sddl)
1404 desc_sddl = desc_sddl.replace("S:", "")
1405 self.modify_desc(object_dn, desc_sddl)
1406 # Verify all inheritable ACEs are gone
1407 desc_sddl = self.get_desc_sddl(object_dn)
1408 self.assertFalse("CI" in desc_sddl)
1409 self.assertFalse("OI" in desc_sddl)
1412 """ OU with protected flag and child group. See if the group has inherit ACEs.
1414 ou_dn = "OU=test_inherit_ou," + self.base_dn
1415 group_dn = "CN=test_inherit_group," + ou_dn
1416 # Create inheritable-free OU
1417 self.create_clean_ou(ou_dn)
1418 # Create group child object
1419 self.create_domain_group(self.ldb_admin, group_dn)
1420 # Make sure created group object contains NO inherit ACEs
1421 desc_sddl = self.get_desc_sddl(group_dn)
1422 self.assertFalse("ID" in desc_sddl)
1425 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1426 Verify group has custom and default ACEs only.
1428 ou_dn = "OU=test_inherit_ou," + self.base_dn
1429 group_dn = "CN=test_inherit_group," + ou_dn
1430 # Create inheritable-free OU
1431 self.create_clean_ou(ou_dn)
1432 # Create group child object using custom security descriptor
1433 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1434 self.create_domain_group(self.ldb_admin, group_dn, sddl)
1435 # Make sure created group descriptor has NO additional ACEs
1436 desc_sddl = self.get_desc_sddl(group_dn)
1437 print "group descriptor: " + desc_sddl
1438 self.assertEqual(desc_sddl, sddl)
1441 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1442 See if the group has any of the added ACEs.
1444 ou_dn = "OU=test_inherit_ou," + self.base_dn
1445 group_dn = "CN=test_inherit_group," + ou_dn
1446 # Create inheritable-free OU
1447 self.create_clean_ou(ou_dn)
1448 # Add some custom non-inheritable ACEs
1449 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1450 self.dacl_add_ace(ou_dn, mod)
1451 # Verify all inheritable ACEs are gone
1452 desc_sddl = self.get_desc_sddl(ou_dn)
1453 # Create group child object
1454 self.create_domain_group(self.ldb_admin, group_dn)
1455 # Make sure created group object contains NO inherit ACEs
1456 # also make sure the added above non-inheritable ACEs are absant too
1457 desc_sddl = self.get_desc_sddl(group_dn)
1458 self.assertFalse("ID" in desc_sddl)
1459 for x in re.findall("\(.*?\)", mod):
1460 self.assertFalse(x in desc_sddl)
1463 """ OU with protected flag and add 'CI' ACE, child group.
1464 See if the group has the added inherited ACE.
1466 ou_dn = "OU=test_inherit_ou," + self.base_dn
1467 group_dn = "CN=test_inherit_group," + ou_dn
1468 # Create inheritable-free OU
1469 self.create_clean_ou(ou_dn)
1470 # Add some custom 'CI' ACE
1471 mod = "(D;CI;WP;;;DU)"
1472 self.dacl_add_ace(ou_dn, mod)
1473 desc_sddl = self.get_desc_sddl(ou_dn)
1474 # Create group child object
1475 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1476 # Make sure created group object contains only the above inherited ACE
1477 # that we've added manually
1478 desc_sddl = self.get_desc_sddl(group_dn)
1479 mod = mod.replace(";CI;", ";CIID;")
1480 self.assertTrue(mod in desc_sddl)
1483 """ OU with protected flag and add 'OI' ACE, child group.
1484 See if the group has the added inherited ACE.
1486 ou_dn = "OU=test_inherit_ou," + self.base_dn
1487 group_dn = "CN=test_inherit_group," + ou_dn
1488 # Create inheritable-free OU
1489 self.create_clean_ou(ou_dn)
1490 # Add some custom 'CI' ACE
1491 mod = "(D;OI;WP;;;DU)"
1492 self.dacl_add_ace(ou_dn, mod)
1493 desc_sddl = self.get_desc_sddl(ou_dn)
1494 # Create group child object
1495 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1496 # Make sure created group object contains only the above inherited ACE
1497 # that we've added manually
1498 desc_sddl = self.get_desc_sddl(group_dn)
1499 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1500 self.assertTrue(mod in desc_sddl)
1503 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1504 See if the group has the added inherited ACE.
1506 ou_dn = "OU=test_inherit_ou," + self.base_dn
1507 group_dn = "CN=test_inherit_group," + ou_dn
1508 # Create inheritable-free OU
1509 self.create_clean_ou(ou_dn)
1510 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1511 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1512 self.dacl_add_ace(ou_dn, mod)
1513 desc_sddl = self.get_desc_sddl(ou_dn)
1514 # Create group child object
1515 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1516 # Make sure created group object contains only the above inherited ACE
1517 # that we've added manually
1518 desc_sddl = self.get_desc_sddl(group_dn)
1519 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1520 self.assertTrue(mod in desc_sddl)
1523 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1524 See if the group has the added inherited ACE.
1526 ou_dn = "OU=test_inherit_ou," + self.base_dn
1527 group_dn = "CN=test_inherit_group," + ou_dn
1528 # Create inheritable-free OU
1529 self.create_clean_ou(ou_dn)
1530 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1531 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1532 self.dacl_add_ace(ou_dn, mod)
1533 desc_sddl = self.get_desc_sddl(ou_dn)
1534 # Create group child object
1535 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1536 # Make sure created group object contains only the above inherited ACE
1537 # that we've added manually
1538 desc_sddl = self.get_desc_sddl(group_dn)
1539 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1540 self.assertTrue(mod in desc_sddl)
1543 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1544 See if the group has the added inherited ACE.
1546 ou_dn = "OU=test_inherit_ou," + self.base_dn
1547 group_dn = "CN=test_inherit_group," + ou_dn
1548 # Create inheritable-free OU
1549 self.create_clean_ou(ou_dn)
1550 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1551 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1552 self.dacl_add_ace(ou_dn, mod)
1553 desc_sddl = self.get_desc_sddl(ou_dn)
1554 # Create group child object
1555 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1556 # Make sure created group object contains only the above inherited ACE
1557 # that we've added manually
1558 desc_sddl = self.get_desc_sddl(group_dn)
1559 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1560 self.assertTrue(mod in desc_sddl)
1563 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1564 See if the group has the added inherited ACE.
1566 ou_dn = "OU=test_inherit_ou," + self.base_dn
1567 group_dn = "CN=test_inherit_group," + ou_dn
1568 # Create inheritable-free OU
1569 self.create_clean_ou(ou_dn)
1570 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1571 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1572 self.dacl_add_ace(ou_dn, mod)
1573 desc_sddl = self.get_desc_sddl(ou_dn)
1574 # Create group child object
1575 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1576 # Make sure created group object contains only the above inherited ACE
1577 # that we've added manually
1578 desc_sddl = self.get_desc_sddl(group_dn)
1579 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1580 self.assertTrue(mod in desc_sddl)
1583 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1584 See if the group has the added inherited ACE.
1586 ou_dn = "OU=test_inherit_ou," + self.base_dn
1587 group_dn = "CN=test_inherit_group," + ou_dn
1588 # Create inheritable-free OU
1589 self.create_clean_ou(ou_dn)
1590 # Add some custom 'CI' ACE
1591 mod = "(D;CI;WP;;;CO)"
1592 self.dacl_add_ace(ou_dn, mod)
1593 desc_sddl = self.get_desc_sddl(ou_dn)
1594 # Create group child object
1595 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1596 # Make sure created group object contains only the above inherited ACE(s)
1597 # that we've added manually
1598 desc_sddl = self.get_desc_sddl(group_dn)
1599 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1600 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1602 ########################################################################################
1604 if not "://" in host:
1605 host = "ldap://%s" % host
1606 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
1608 runner = SubunitTestRunner()
1610 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1612 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():