2
# -*- coding: utf-8 -*-
3
# This is a port of the original in testprogs/ejs/ldap.js
9
sys.path.insert(0, "bin/python")
11
samba.ensure_external_module("testtools", "testtools")
12
samba.ensure_external_module("subunit", "subunit/python")
14
import samba.getopt as options
16
from samba.auth import system_session
17
from ldb import SCOPE_BASE, LdbError
18
from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
19
from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM
20
from ldb import ERR_OTHER, ERR_NO_SUCH_ATTRIBUTE
21
from ldb import ERR_OBJECT_CLASS_VIOLATION
22
from ldb import ERR_CONSTRAINT_VIOLATION
23
from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
24
from ldb import Message, MessageElement, Dn
25
from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
26
from samba.samdb import SamDB
27
from samba.dsdb import (UF_NORMAL_ACCOUNT, UF_ACCOUNTDISABLE,
28
UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
29
UF_PARTIAL_SECRETS_ACCOUNT, UF_TEMP_DUPLICATE_ACCOUNT,
30
UF_PASSWD_NOTREQD, ATYPE_NORMAL_ACCOUNT,
31
GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
32
GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GROUP,
33
GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP, GTYPE_DISTRIBUTION_GLOBAL_GROUP,
34
GTYPE_DISTRIBUTION_UNIVERSAL_GROUP,
35
ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_UNIVERSAL_GROUP,
36
ATYPE_SECURITY_LOCAL_GROUP, ATYPE_DISTRIBUTION_GLOBAL_GROUP,
37
ATYPE_DISTRIBUTION_UNIVERSAL_GROUP, ATYPE_DISTRIBUTION_LOCAL_GROUP,
38
ATYPE_WORKSTATION_TRUST)
39
from samba.dcerpc.security import (DOMAIN_RID_USERS, DOMAIN_RID_DOMAIN_MEMBERS,
40
DOMAIN_RID_DCS, DOMAIN_RID_READONLY_DCS)
42
from subunit.run import SubunitTestRunner
45
from samba.dcerpc import security
46
from samba.tests import delete_force
48
parser = optparse.OptionParser("sam.py [options] <host>")
49
sambaopts = options.SambaOptions(parser)
50
parser.add_option_group(sambaopts)
51
parser.add_option_group(options.VersionOptions(parser))
52
# use command line creds if available
53
credopts = options.CredentialsOptions(parser)
54
parser.add_option_group(credopts)
55
opts, args = parser.parse_args()
63
lp = sambaopts.get_loadparm()
64
creds = credopts.get_credentials(lp)
66
class SamTests(unittest.TestCase):
69
super(SamTests, self).setUp()
71
self.base_dn = ldb.domain_dn()
73
print "baseDN: %s\n" % self.base_dn
75
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
76
delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
77
delete_force(self.ldb, "cn=ldaptest\,specialuser,cn=users," + self.base_dn)
78
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
79
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
80
delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
82
def test_users_groups(self):
83
"""This tests the SAM users and groups behaviour"""
84
print "Testing users and groups behaviour\n"
87
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
88
"objectclass": "group"})
91
"dn": "cn=ldaptestgroup2,cn=users," + self.base_dn,
92
"objectclass": "group"})
94
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
95
scope=SCOPE_BASE, attrs=["objectSID"])
96
self.assertTrue(len(res1) == 1)
97
group_rid_1 = security.dom_sid(ldb.schema_format_value("objectSID",
98
res1[0]["objectSID"][0])).split()[1]
100
res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn,
101
scope=SCOPE_BASE, attrs=["objectSID"])
102
self.assertTrue(len(res1) == 1)
103
group_rid_2 = security.dom_sid(ldb.schema_format_value("objectSID",
104
res1[0]["objectSID"][0])).split()[1]
106
# Try to create a user with an invalid account name
109
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
110
"objectclass": "user",
111
"sAMAccountName": "administrator"})
113
except LdbError, (num, _):
114
self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
115
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
117
# Try to create a user with an invalid account name
120
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
121
"objectclass": "user",
122
"sAMAccountName": []})
124
except LdbError, (num, _):
125
self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
126
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
128
# Try to create a user with an invalid primary group
131
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
132
"objectclass": "user",
133
"primaryGroupID": "0"})
135
except LdbError, (num, _):
136
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
137
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
139
# Try to Create a user with a valid primary group
142
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
143
"objectclass": "user",
144
"primaryGroupID": str(group_rid_1)})
146
except LdbError, (num, _):
147
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
148
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
150
# Test to see how we should behave when the user account doesn't
153
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
154
m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
159
except LdbError, (num, _):
160
self.assertEquals(num, ERR_NO_SUCH_OBJECT)
162
# Test to see how we should behave when the account isn't a user
164
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
165
m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
170
except LdbError, (num, _):
171
self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
173
# Test default primary groups on add operations
176
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
177
"objectclass": "user"})
179
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
180
scope=SCOPE_BASE, attrs=["primaryGroupID"])
181
self.assertTrue(len(res1) == 1)
182
self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
184
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
187
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
188
"objectclass": "user",
189
"userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD) })
191
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
192
scope=SCOPE_BASE, attrs=["primaryGroupID"])
193
self.assertTrue(len(res1) == 1)
194
self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
196
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
198
# unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
199
# since such accounts aren't directly creatable (ACCESS_DENIED)
202
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
203
"objectclass": "computer",
204
"userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
206
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
207
scope=SCOPE_BASE, attrs=["primaryGroupID"])
208
self.assertTrue(len(res1) == 1)
209
self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
211
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
214
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
215
"objectclass": "computer",
216
"userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
218
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
219
scope=SCOPE_BASE, attrs=["primaryGroupID"])
220
self.assertTrue(len(res1) == 1)
221
self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
223
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
225
# Read-only DC accounts are only creatable by
226
# UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
227
# we have a fallback in the assertion)
229
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
230
"objectclass": "computer",
231
"userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
233
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
234
scope=SCOPE_BASE, attrs=["primaryGroupID"])
235
self.assertTrue(len(res1) == 1)
236
self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
237
res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
239
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
241
# Test default primary groups on modify operations
244
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
245
"objectclass": "user"})
248
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
249
m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
250
"userAccountControl")
253
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
254
scope=SCOPE_BASE, attrs=["primaryGroupID"])
255
self.assertTrue(len(res1) == 1)
256
self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
258
# unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
259
# since such accounts aren't directly creatable (ACCESS_DENIED)
261
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
264
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
265
"objectclass": "computer"})
267
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
268
scope=SCOPE_BASE, attrs=["primaryGroupID"])
269
self.assertTrue(len(res1) == 1)
270
self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS))
273
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
274
m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
275
"userAccountControl")
278
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
279
scope=SCOPE_BASE, attrs=["primaryGroupID"])
280
self.assertTrue(len(res1) == 1)
281
self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS))
284
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
285
m["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
286
"userAccountControl")
289
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
290
scope=SCOPE_BASE, attrs=["primaryGroupID"])
291
self.assertTrue(len(res1) == 1)
292
self.assertEquals(res1[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS))
294
# Read-only DC accounts are only creatable by
295
# UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
296
# we have a fallback in the assertion)
298
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
299
m["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
300
"userAccountControl")
303
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
304
scope=SCOPE_BASE, attrs=["primaryGroupID"])
305
self.assertTrue(len(res1) == 1)
306
self.assertTrue(res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS) or
307
res1[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS))
309
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
311
# Recreate account for further tests
314
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
315
"objectclass": "user"})
317
# Try to set an invalid account name
319
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
320
m["sAMAccountName"] = MessageElement("administrator", FLAG_MOD_REPLACE,
325
except LdbError, (num, _):
326
self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
328
# But to reset the actual "sAMAccountName" should still be possible
329
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
330
scope=SCOPE_BASE, attrs=["sAMAccountName"])
331
self.assertTrue(len(res1) == 1)
333
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
334
m["sAMAccountName"] = MessageElement(res1[0]["sAMAccountName"][0], FLAG_MOD_REPLACE,
338
# And another (free) name should be possible as well
340
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
341
m["sAMAccountName"] = MessageElement("xxx_ldaptestuser_xxx", FLAG_MOD_REPLACE,
345
# We should be able to reset our actual primary group
347
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
348
m["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS), FLAG_MOD_REPLACE,
352
# Try to add invalid primary group
354
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
355
m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE,
360
except LdbError, (num, _):
361
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
363
# Try to make group 1 primary - should be denied since it is not yet
366
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
367
m["primaryGroupID"] = MessageElement(str(group_rid_1),
368
FLAG_MOD_REPLACE, "primaryGroupID")
372
except LdbError, (num, _):
373
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
375
# Make group 1 secondary
377
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
378
m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
379
FLAG_MOD_REPLACE, "member")
382
# Make group 1 primary
384
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
385
m["primaryGroupID"] = MessageElement(str(group_rid_1),
386
FLAG_MOD_REPLACE, "primaryGroupID")
389
# Try to delete group 1 - should be denied
391
ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn)
393
except LdbError, (num, _):
394
self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
396
# Try to add group 1 also as secondary - should be denied
398
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
399
m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
400
FLAG_MOD_ADD, "member")
404
except LdbError, (num, _):
405
self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
407
# Try to add invalid member to group 1 - should be denied
409
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
410
m["member"] = MessageElement(
411
"cn=ldaptestuser3,cn=users," + self.base_dn,
412
FLAG_MOD_ADD, "member")
416
except LdbError, (num, _):
417
self.assertEquals(num, ERR_NO_SUCH_OBJECT)
419
# Make group 2 secondary
421
m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
422
m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
423
FLAG_MOD_ADD, "member")
428
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
429
m["primaryGroupID"] = MessageElement(str(group_rid_2),
430
FLAG_MOD_REPLACE, "primaryGroupID")
433
# Swap the groups (does not really make sense but does the same)
435
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
436
m["primaryGroupID"] = MessageElement(str(group_rid_1),
437
FLAG_MOD_REPLACE, "primaryGroupID")
438
m["primaryGroupID"] = MessageElement(str(group_rid_2),
439
FLAG_MOD_REPLACE, "primaryGroupID")
442
# Old primary group should contain a "member" attribute for the user,
443
# the new shouldn't contain anymore one
444
res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn,
445
scope=SCOPE_BASE, attrs=["member"])
446
self.assertTrue(len(res1) == 1)
447
self.assertTrue(len(res1[0]["member"]) == 1)
448
self.assertEquals(res1[0]["member"][0].lower(),
449
("cn=ldaptestuser,cn=users," + self.base_dn).lower())
451
res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn,
452
scope=SCOPE_BASE, attrs=["member"])
453
self.assertTrue(len(res1) == 1)
454
self.assertFalse("member" in res1[0])
456
# Primary group member
458
m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
459
m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
460
FLAG_MOD_DELETE, "member")
464
except LdbError, (num, _):
465
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
467
# Delete invalid group member
469
m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
470
m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
471
FLAG_MOD_DELETE, "member")
475
except LdbError, (num, _):
476
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
478
# Also this should be denied
481
"dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
482
"objectclass": "user",
483
"primaryGroupID": "0"})
485
except LdbError, (num, _):
486
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
488
# Recreate user accounts
490
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
493
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
494
"objectclass": "user"})
497
"dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
498
"objectclass": "user"})
501
m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
502
m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
503
FLAG_MOD_ADD, "member")
508
m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
509
m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
510
FLAG_MOD_ADD, "member")
514
except LdbError, (num, _):
515
self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
517
# Already added, but as <SID=...>
518
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
519
scope=SCOPE_BASE, attrs=["objectSid"])
520
self.assertTrue(len(res1) == 1)
521
sid_bin = res1[0]["objectSid"][0]
522
sid_str = ("<SID=" + ldb.schema_format_value("objectSid", sid_bin) + ">").upper()
525
m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
526
m["member"] = MessageElement(sid_str, FLAG_MOD_ADD, "member")
530
except LdbError, (num, _):
531
self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS)
535
m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
536
m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
537
FLAG_MOD_REPLACE, "member")
541
except LdbError, (num, _):
542
self.assertEquals(num, ERR_NO_SUCH_OBJECT)
546
m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
547
m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
548
"cn=ldaptestuser1,cn=users," + self.base_dn],
549
FLAG_MOD_REPLACE, "member")
553
except LdbError, (num, _):
554
self.assertEquals(num, ERR_NO_SUCH_OBJECT)
558
m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
559
m["member"] = MessageElement("cn=ldaptestuser,cn=users," + self.base_dn,
560
FLAG_MOD_REPLACE, "member")
561
m["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self.base_dn,
562
FLAG_MOD_ADD, "member")
566
except LdbError, (num, _):
567
self.assertEquals(num, ERR_NO_SUCH_OBJECT)
570
m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
571
m["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self.base_dn,
572
"cn=ldaptestuser2,cn=users," + self.base_dn],
573
FLAG_MOD_REPLACE, "member")
576
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
577
delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
578
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
579
delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
581
# Make also a small test for accounts with special DNs ("," in this case)
583
"dn": "cn=ldaptest\,specialuser,cn=users," + self.base_dn,
584
"objectclass": "user"})
585
delete_force(self.ldb, "cn=ldaptest\,specialuser,cn=users," + self.base_dn)
587
def test_sam_attributes(self):
588
"""Test the behaviour of special attributes of SAM objects"""
589
print "Testing the behaviour of special attributes of SAM objects\n"""
592
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
593
"objectclass": "user"})
595
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
596
"objectclass": "group"})
599
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
600
m["groupType"] = MessageElement(str(GTYPE_SECURITY_GLOBAL_GROUP), FLAG_MOD_ADD,
605
except LdbError, (num, _):
606
self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
608
# Delete protection tests
610
for attr in ["nTSecurityDescriptor", "objectSid", "sAMAccountType",
611
"sAMAccountName", "groupType"]:
614
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
615
m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
619
except LdbError, (num, _):
620
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
623
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
624
m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
628
except LdbError, (num, _):
629
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
632
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
633
m["primaryGroupID"] = MessageElement("513", FLAG_MOD_ADD,
638
except LdbError, (num, _):
639
self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
642
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
643
m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_ADD,
644
"userAccountControl")
648
except LdbError, (num, _):
649
self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
652
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
653
m["objectSid"] = MessageElement("xxxxxxxxxxxxxxxx", FLAG_MOD_ADD,
658
except LdbError, (num, _):
659
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
662
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
663
m["sAMAccountType"] = MessageElement("0", FLAG_MOD_ADD,
668
except LdbError, (num, _):
669
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
672
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
673
m["sAMAccountName"] = MessageElement("test", FLAG_MOD_ADD,
678
except LdbError, (num, _):
679
self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
681
# Delete protection tests
683
for attr in ["nTSecurityDescriptor", "objectSid", "sAMAccountType",
684
"sAMAccountName", "primaryGroupID", "userAccountControl",
685
"accountExpires", "badPasswordTime", "badPwdCount",
686
"codePage", "countryCode", "lastLogoff", "lastLogon",
687
"logonCount", "pwdLastSet"]:
690
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
691
m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
695
except LdbError, (num, _):
696
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
699
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
700
m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
704
except LdbError, (num, _):
705
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
707
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
708
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
710
def test_primary_group_token_constructed(self):
711
"""Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
712
print "Testing primary group token behaviour and other constructed attributes\n"
716
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
717
"objectclass": "group",
718
"primaryGroupToken": "100"})
720
except LdbError, (num, _):
721
self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
722
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
725
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
726
"objectclass": "user"})
729
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
730
"objectclass": "group"})
732
# Testing for one invalid, and one valid operational attribute, but also the things they are built from
733
res1 = ldb.search(self.base_dn,
734
scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName", "objectClass", "objectSid"])
735
self.assertTrue(len(res1) == 1)
736
self.assertFalse("primaryGroupToken" in res1[0])
737
self.assertTrue("canonicalName" in res1[0])
738
self.assertTrue("objectClass" in res1[0])
739
self.assertTrue("objectSid" in res1[0])
741
res1 = ldb.search(self.base_dn,
742
scope=SCOPE_BASE, attrs=["primaryGroupToken", "canonicalName"])
743
self.assertTrue(len(res1) == 1)
744
self.assertFalse("primaryGroupToken" in res1[0])
745
self.assertFalse("objectSid" in res1[0])
746
self.assertFalse("objectClass" in res1[0])
747
self.assertTrue("canonicalName" in res1[0])
749
res1 = ldb.search("cn=users," + self.base_dn,
750
scope=SCOPE_BASE, attrs=["primaryGroupToken"])
751
self.assertTrue(len(res1) == 1)
752
self.assertFalse("primaryGroupToken" in res1[0])
754
res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn,
755
scope=SCOPE_BASE, attrs=["primaryGroupToken"])
756
self.assertTrue(len(res1) == 1)
757
self.assertFalse("primaryGroupToken" in res1[0])
759
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
761
self.assertTrue(len(res1) == 1)
762
self.assertFalse("primaryGroupToken" in res1[0])
764
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
765
scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"])
766
self.assertTrue(len(res1) == 1)
767
primary_group_token = int(res1[0]["primaryGroupToken"][0])
769
rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1]
770
self.assertEquals(primary_group_token, rid)
773
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
774
m["primaryGroupToken"] = "100"
778
except LdbError, (num, _):
779
self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
781
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
782
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
784
def test_tokenGroups(self):
785
"""Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
786
print "Testing tokenGroups behaviour\n"
788
# The domain object shouldn't contain any "tokenGroups" entry
789
res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups"])
790
self.assertTrue(len(res) == 1)
791
self.assertFalse("tokenGroups" in res[0])
793
# The domain administrator should contain "tokenGroups" entries
794
# (the exact number depends on the domain/forest function level and the
795
# DC software versions)
796
res = ldb.search("cn=Administrator,cn=Users," + self.base_dn,
797
scope=SCOPE_BASE, attrs=["tokenGroups"])
798
self.assertTrue(len(res) == 1)
799
self.assertTrue("tokenGroups" in res[0])
802
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
803
"objectclass": "user"})
805
# This testuser should contain at least two "tokenGroups" entries
806
# (exactly two on an unmodified "Domain Users" and "Users" group)
807
res = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
808
scope=SCOPE_BASE, attrs=["tokenGroups"])
809
self.assertTrue(len(res) == 1)
810
self.assertTrue(len(res[0]["tokenGroups"]) >= 2)
812
# one entry which we need to find should point to domains "Domain Users"
813
# group and another entry should point to the builtin "Users"group
814
domain_users_group_found = False
815
users_group_found = False
816
for sid in res[0]["tokenGroups"]:
817
rid = security.dom_sid(ldb.schema_format_value("objectSID", sid)).split()[1]
819
domain_users_group_found = True
821
users_group_found = True
823
self.assertTrue(domain_users_group_found)
824
self.assertTrue(users_group_found)
826
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
828
def test_groupType(self):
829
"""Test the groupType behaviour"""
830
print "Testing groupType behaviour\n"
832
# You can never create or change to a
833
# "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP"
840
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
841
"objectclass": "group",
844
except LdbError, (num, _):
845
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
846
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
850
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
851
"objectclass": "group",
852
"groupType": str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP)})
854
except LdbError, (num, _):
855
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
856
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
859
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
860
"objectclass": "group",
861
"groupType": str(GTYPE_SECURITY_GLOBAL_GROUP)})
863
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
864
scope=SCOPE_BASE, attrs=["sAMAccountType"])
865
self.assertTrue(len(res1) == 1)
866
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
867
ATYPE_SECURITY_GLOBAL_GROUP)
868
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
871
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
872
"objectclass": "group",
873
"groupType": str(GTYPE_SECURITY_UNIVERSAL_GROUP)})
875
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
876
scope=SCOPE_BASE, attrs=["sAMAccountType"])
877
self.assertTrue(len(res1) == 1)
878
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
879
ATYPE_SECURITY_UNIVERSAL_GROUP)
880
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
883
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
884
"objectclass": "group",
885
"groupType": str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)})
887
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
888
scope=SCOPE_BASE, attrs=["sAMAccountType"])
889
self.assertTrue(len(res1) == 1)
890
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
891
ATYPE_SECURITY_LOCAL_GROUP)
892
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
895
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
896
"objectclass": "group",
897
"groupType": str(GTYPE_DISTRIBUTION_GLOBAL_GROUP)})
899
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
900
scope=SCOPE_BASE, attrs=["sAMAccountType"])
901
self.assertTrue(len(res1) == 1)
902
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
903
ATYPE_DISTRIBUTION_GLOBAL_GROUP)
904
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
907
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
908
"objectclass": "group",
909
"groupType": str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP)})
911
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
912
scope=SCOPE_BASE, attrs=["sAMAccountType"])
913
self.assertTrue(len(res1) == 1)
914
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
915
ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
916
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
919
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
920
"objectclass": "group",
921
"groupType": str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)})
923
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
924
scope=SCOPE_BASE, attrs=["sAMAccountType"])
925
self.assertTrue(len(res1) == 1)
926
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
927
ATYPE_DISTRIBUTION_LOCAL_GROUP)
928
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
933
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
934
"objectclass": "group"})
936
# We can change in this direction: global <-> universal <-> local
937
# On each step also the group type itself (security/distribution) is
940
# After creation we should have a "security global group"
941
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
942
scope=SCOPE_BASE, attrs=["sAMAccountType"])
943
self.assertTrue(len(res1) == 1)
944
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
945
ATYPE_SECURITY_GLOBAL_GROUP)
950
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
951
m["groupType"] = MessageElement("0",
952
FLAG_MOD_REPLACE, "groupType")
955
except LdbError, (num, _):
956
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
960
# Default is "global group"
963
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
964
m["groupType"] = MessageElement(
965
str(GTYPE_SECURITY_GLOBAL_GROUP),
966
FLAG_MOD_REPLACE, "groupType")
969
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
970
scope=SCOPE_BASE, attrs=["sAMAccountType"])
971
self.assertTrue(len(res1) == 1)
972
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
973
ATYPE_SECURITY_GLOBAL_GROUP)
975
# Change to "local" (shouldn't work)
979
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
980
m["groupType"] = MessageElement(
981
str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
982
FLAG_MOD_REPLACE, "groupType")
985
except LdbError, (num, _):
986
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
988
# Change to "universal"
991
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
992
m["groupType"] = MessageElement(
993
str(GTYPE_SECURITY_UNIVERSAL_GROUP),
994
FLAG_MOD_REPLACE, "groupType")
997
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
998
scope=SCOPE_BASE, attrs=["sAMAccountType"])
999
self.assertTrue(len(res1) == 1)
1000
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1001
ATYPE_SECURITY_UNIVERSAL_GROUP)
1003
# Change back to "global"
1006
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1007
m["groupType"] = MessageElement(
1008
str(GTYPE_SECURITY_GLOBAL_GROUP),
1009
FLAG_MOD_REPLACE, "groupType")
1012
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1013
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1014
self.assertTrue(len(res1) == 1)
1015
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1016
ATYPE_SECURITY_GLOBAL_GROUP)
1018
# Change back to "universal"
1021
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1022
m["groupType"] = MessageElement(
1023
str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1024
FLAG_MOD_REPLACE, "groupType")
1027
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1028
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1029
self.assertTrue(len(res1) == 1)
1030
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1031
ATYPE_SECURITY_UNIVERSAL_GROUP)
1036
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1037
m["groupType"] = MessageElement(
1038
str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1039
FLAG_MOD_REPLACE, "groupType")
1042
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1043
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1044
self.assertTrue(len(res1) == 1)
1045
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1046
ATYPE_SECURITY_LOCAL_GROUP)
1048
# Change to "global" (shouldn't work)
1052
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1053
m["groupType"] = MessageElement(
1054
str(GTYPE_SECURITY_GLOBAL_GROUP),
1055
FLAG_MOD_REPLACE, "groupType")
1058
except LdbError, (num, _):
1059
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1061
# Change to "builtin local" (shouldn't work)
1065
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1066
m["groupType"] = MessageElement(
1067
str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1068
FLAG_MOD_REPLACE, "groupType")
1071
except LdbError, (num, _):
1072
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1075
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1077
# Change back to "universal"
1080
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1081
m["groupType"] = MessageElement(
1082
str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1083
FLAG_MOD_REPLACE, "groupType")
1086
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1087
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1088
self.assertTrue(len(res1) == 1)
1089
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1090
ATYPE_SECURITY_UNIVERSAL_GROUP)
1092
# Change to "builtin local" (shouldn't work)
1096
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1097
m["groupType"] = MessageElement(
1098
str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1099
FLAG_MOD_REPLACE, "groupType")
1102
except LdbError, (num, _):
1103
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1105
# Change back to "global"
1108
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1109
m["groupType"] = MessageElement(
1110
str(GTYPE_SECURITY_GLOBAL_GROUP),
1111
FLAG_MOD_REPLACE, "groupType")
1114
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1115
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1116
self.assertTrue(len(res1) == 1)
1117
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1118
ATYPE_SECURITY_GLOBAL_GROUP)
1120
# Change to "builtin local" (shouldn't work)
1124
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1125
m["groupType"] = MessageElement(
1126
str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1127
FLAG_MOD_REPLACE, "groupType")
1130
except LdbError, (num, _):
1131
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1133
# Distribution groups
1135
# Default is "global group"
1138
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1139
m["groupType"] = MessageElement(
1140
str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1141
FLAG_MOD_REPLACE, "groupType")
1144
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1145
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1146
self.assertTrue(len(res1) == 1)
1147
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1148
ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1150
# Change to local (shouldn't work)
1154
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1155
m["groupType"] = MessageElement(
1156
str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1157
FLAG_MOD_REPLACE, "groupType")
1160
except LdbError, (num, _):
1161
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1163
# Change to "universal"
1166
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1167
m["groupType"] = MessageElement(
1168
str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1169
FLAG_MOD_REPLACE, "groupType")
1172
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1173
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1174
self.assertTrue(len(res1) == 1)
1175
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1176
ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1178
# Change back to "global"
1181
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1182
m["groupType"] = MessageElement(
1183
str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1184
FLAG_MOD_REPLACE, "groupType")
1187
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1188
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1189
self.assertTrue(len(res1) == 1)
1190
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1191
ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1193
# Change back to "universal"
1196
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1197
m["groupType"] = MessageElement(
1198
str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1199
FLAG_MOD_REPLACE, "groupType")
1202
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1203
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1204
self.assertTrue(len(res1) == 1)
1205
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1206
ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1211
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1212
m["groupType"] = MessageElement(
1213
str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1214
FLAG_MOD_REPLACE, "groupType")
1217
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1218
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1219
self.assertTrue(len(res1) == 1)
1220
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1221
ATYPE_DISTRIBUTION_LOCAL_GROUP)
1223
# Change to "global" (shouldn't work)
1227
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1228
m["groupType"] = MessageElement(
1229
str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1230
FLAG_MOD_REPLACE, "groupType")
1233
except LdbError, (num, _):
1234
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1236
# Change back to "universal"
1238
# Try to add invalid member to group 1 - should be denied
1240
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1241
m["member"] = MessageElement(
1242
"cn=ldaptestuser3,cn=users," + self.base_dn,
1243
FLAG_MOD_ADD, "member")
1247
except LdbError, (num, _):
1248
self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1250
# Make group 2 secondary
1252
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1253
m["groupType"] = MessageElement(
1254
str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1255
FLAG_MOD_REPLACE, "groupType")
1258
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1259
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1260
self.assertTrue(len(res1) == 1)
1261
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1262
ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1264
# Change back to "global"
1267
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1268
m["groupType"] = MessageElement(
1269
str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1270
FLAG_MOD_REPLACE, "groupType")
1273
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1274
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1275
self.assertTrue(len(res1) == 1)
1276
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1277
ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1279
# Both group types: this performs only random checks - all possibilities
1280
# would require too much code.
1282
# Default is "global group"
1285
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1286
m["groupType"] = MessageElement(
1287
str(GTYPE_SECURITY_GLOBAL_GROUP),
1288
FLAG_MOD_REPLACE, "groupType")
1291
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1292
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1293
self.assertTrue(len(res1) == 1)
1294
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1295
ATYPE_SECURITY_GLOBAL_GROUP)
1297
# Change to "local" (shouldn't work)
1301
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1302
m["groupType"] = MessageElement(
1303
str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1304
FLAG_MOD_REPLACE, "groupType")
1307
except LdbError, (num, _):
1308
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1310
# Change to "universal"
1313
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1314
m["groupType"] = MessageElement(
1315
str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1316
FLAG_MOD_REPLACE, "groupType")
1319
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1320
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1321
self.assertTrue(len(res1) == 1)
1322
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1323
ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1325
# Change back to "global"
1328
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1329
m["groupType"] = MessageElement(
1330
str(GTYPE_SECURITY_GLOBAL_GROUP),
1331
FLAG_MOD_REPLACE, "groupType")
1334
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1335
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1336
self.assertTrue(len(res1) == 1)
1337
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1338
ATYPE_SECURITY_GLOBAL_GROUP)
1340
# Change back to "universal"
1343
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1344
m["groupType"] = MessageElement(
1345
str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1346
FLAG_MOD_REPLACE, "groupType")
1349
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1350
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1351
self.assertTrue(len(res1) == 1)
1352
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1353
ATYPE_SECURITY_UNIVERSAL_GROUP)
1358
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1359
m["groupType"] = MessageElement(
1360
str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1361
FLAG_MOD_REPLACE, "groupType")
1364
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1365
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1366
self.assertTrue(len(res1) == 1)
1367
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1368
ATYPE_DISTRIBUTION_LOCAL_GROUP)
1370
# Change to "global" (shouldn't work)
1374
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1375
m["groupType"] = MessageElement(
1376
str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1377
FLAG_MOD_REPLACE, "groupType")
1380
except LdbError, (num, _):
1381
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1383
# Change back to "universal"
1386
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1387
m["groupType"] = MessageElement(
1388
str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1389
FLAG_MOD_REPLACE, "groupType")
1392
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1393
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1394
self.assertTrue(len(res1) == 1)
1395
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1396
ATYPE_SECURITY_UNIVERSAL_GROUP)
1398
# Change back to "global"
1401
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1402
m["groupType"] = MessageElement(
1403
str(GTYPE_SECURITY_GLOBAL_GROUP),
1404
FLAG_MOD_REPLACE, "groupType")
1407
res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
1408
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1409
self.assertTrue(len(res1) == 1)
1410
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1411
ATYPE_SECURITY_GLOBAL_GROUP)
1413
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
1415
def test_userAccountControl(self):
1416
"""Test the userAccountControl behaviour"""
1417
print "Testing userAccountControl behaviour\n"
1419
# With a user object
1423
# As user you can only set a normal account.
1424
# The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1426
# With SYSTEM rights you can set a interdomain trust account.
1431
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1432
"objectclass": "user",
1433
"userAccountControl": "0"})
1435
except LdbError, (num, _):
1436
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1437
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1439
# This has to wait until s4 supports it (needs a password module change)
1442
# "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1443
# "objectclass": "user",
1444
# "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1446
# except LdbError, (num, _):
1447
# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1448
# delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1451
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1452
"objectclass": "user",
1453
"userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1455
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1457
attrs=["sAMAccountType", "userAccountControl"])
1458
self.assertTrue(len(res1) == 1)
1459
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1460
ATYPE_NORMAL_ACCOUNT)
1461
self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1462
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1466
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1467
"objectclass": "user",
1468
"userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1470
except LdbError, (num, _):
1471
self.assertEquals(num, ERR_OTHER)
1472
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1474
# This isn't supported yet in s4
1477
# "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1478
# "objectclass": "user",
1479
# "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1481
# except LdbError, (num, _):
1482
# self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1483
# delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1487
# "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1488
# "objectclass": "user",
1489
# "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1490
# except LdbError, (num, _):
1491
# self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1492
# delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1494
# This isn't supported yet in s4 - needs ACL module adaption
1497
# "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1498
# "objectclass": "user",
1499
# "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1501
# except LdbError, (num, _):
1502
# self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1503
# delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1508
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
1509
"objectclass": "user"})
1511
# After creation we should have a normal account
1512
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1514
attrs=["sAMAccountType", "userAccountControl"])
1515
self.assertTrue(len(res1) == 1)
1516
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1517
ATYPE_NORMAL_ACCOUNT)
1518
self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
1520
# As user you can only switch from a normal account to a workstation
1521
# trust account and back.
1522
# The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1524
# With SYSTEM rights you can switch to a interdomain trust account.
1529
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1530
m["userAccountControl"] = MessageElement("0",
1531
FLAG_MOD_REPLACE, "userAccountControl")
1533
except LdbError, (num, _):
1534
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1536
# This has to wait until s4 supports it (needs a password module change)
1539
# m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1540
# m["userAccountControl"] = MessageElement(
1541
# str(UF_NORMAL_ACCOUNT),
1542
# FLAG_MOD_REPLACE, "userAccountControl")
1544
# except LdbError, (num, _):
1545
# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1548
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1549
m["userAccountControl"] = MessageElement(
1550
str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1551
FLAG_MOD_REPLACE, "userAccountControl")
1554
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1556
attrs=["sAMAccountType", "userAccountControl"])
1557
self.assertTrue(len(res1) == 1)
1558
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1559
ATYPE_NORMAL_ACCOUNT)
1560
self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1564
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1565
m["userAccountControl"] = MessageElement(
1566
str(UF_TEMP_DUPLICATE_ACCOUNT),
1567
FLAG_MOD_REPLACE, "userAccountControl")
1570
except LdbError, (num, _):
1571
self.assertEquals(num, ERR_OTHER)
1573
# This isn't supported yet in s4
1576
# m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1577
# m["userAccountControl"] = MessageElement(
1578
# str(UF_SERVER_TRUST_ACCOUNT),
1579
# FLAG_MOD_REPLACE, "userAccountControl")
1582
# except LdbError, (num, _):
1583
# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1586
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1587
m["userAccountControl"] = MessageElement(
1588
str(UF_WORKSTATION_TRUST_ACCOUNT),
1589
FLAG_MOD_REPLACE, "userAccountControl")
1592
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1593
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1594
self.assertTrue(len(res1) == 1)
1595
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1596
ATYPE_WORKSTATION_TRUST)
1599
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1600
m["userAccountControl"] = MessageElement(
1601
str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1602
FLAG_MOD_REPLACE, "userAccountControl")
1605
res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
1606
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1607
self.assertTrue(len(res1) == 1)
1608
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1609
ATYPE_NORMAL_ACCOUNT)
1611
# This isn't supported yet in s4 - needs ACL module adaption
1614
# m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1615
# m["userAccountControl"] = MessageElement(
1616
# str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1617
# FLAG_MOD_REPLACE, "userAccountControl")
1620
# except LdbError, (num, _):
1621
# self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1623
# With a computer object
1627
# As computer you can set a normal account and a server trust account.
1628
# The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1630
# With SYSTEM rights you can set a interdomain trust account.
1635
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1636
"objectclass": "computer",
1637
"userAccountControl": "0"})
1639
except LdbError, (num, _):
1640
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1641
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1643
# This has to wait until s4 supports it (needs a password module change)
1646
# "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1647
# "objectclass": "computer",
1648
# "userAccountControl": str(UF_NORMAL_ACCOUNT)})
1650
# except LdbError, (num, _):
1651
# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1652
# delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1655
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1656
"objectclass": "computer",
1657
"userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1659
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1661
attrs=["sAMAccountType", "userAccountControl"])
1662
self.assertTrue(len(res1) == 1)
1663
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1664
ATYPE_NORMAL_ACCOUNT)
1665
self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1666
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1670
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1671
"objectclass": "computer",
1672
"userAccountControl": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1674
except LdbError, (num, _):
1675
self.assertEquals(num, ERR_OTHER)
1676
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1679
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1680
"objectclass": "computer",
1681
"userAccountControl": str(UF_SERVER_TRUST_ACCOUNT)})
1683
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1684
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1685
self.assertTrue(len(res1) == 1)
1686
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1687
ATYPE_WORKSTATION_TRUST)
1688
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1692
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1693
"objectclass": "computer",
1694
"userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1695
except LdbError, (num, _):
1696
self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1697
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1699
# This isn't supported yet in s4 - needs ACL module adaption
1702
# "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1703
# "objectclass": "computer",
1704
# "userAccountControl": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1706
# except LdbError, (num, _):
1707
# self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1708
# delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1713
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1714
"objectclass": "computer"})
1716
# After creation we should have a normal account
1717
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1719
attrs=["sAMAccountType", "userAccountControl"])
1720
self.assertTrue(len(res1) == 1)
1721
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1722
ATYPE_NORMAL_ACCOUNT)
1723
self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0)
1725
# As computer you can switch from a normal account to a workstation
1726
# or server trust account and back (also swapping between trust
1727
# accounts is allowed).
1728
# The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1730
# With SYSTEM rights you can switch to a interdomain trust account.
1735
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1736
m["userAccountControl"] = MessageElement("0",
1737
FLAG_MOD_REPLACE, "userAccountControl")
1739
except LdbError, (num, _):
1740
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1742
# This has to wait until s4 supports it (needs a password module change)
1745
# m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1746
# m["userAccountControl"] = MessageElement(
1747
# str(UF_NORMAL_ACCOUNT),
1748
# FLAG_MOD_REPLACE, "userAccountControl")
1750
# except LdbError, (num, _):
1751
# self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1754
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1755
m["userAccountControl"] = MessageElement(
1756
str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1757
FLAG_MOD_REPLACE, "userAccountControl")
1760
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1762
attrs=["sAMAccountType", "userAccountControl"])
1763
self.assertTrue(len(res1) == 1)
1764
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1765
ATYPE_NORMAL_ACCOUNT)
1766
self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
1770
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1771
m["userAccountControl"] = MessageElement(
1772
str(UF_TEMP_DUPLICATE_ACCOUNT),
1773
FLAG_MOD_REPLACE, "userAccountControl")
1776
except LdbError, (num, _):
1777
self.assertEquals(num, ERR_OTHER)
1780
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1781
m["userAccountControl"] = MessageElement(
1782
str(UF_SERVER_TRUST_ACCOUNT),
1783
FLAG_MOD_REPLACE, "userAccountControl")
1786
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1787
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1788
self.assertTrue(len(res1) == 1)
1789
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1790
ATYPE_WORKSTATION_TRUST)
1793
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1794
m["userAccountControl"] = MessageElement(
1795
str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1796
FLAG_MOD_REPLACE, "userAccountControl")
1799
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1800
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1801
self.assertTrue(len(res1) == 1)
1802
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1803
ATYPE_NORMAL_ACCOUNT)
1806
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1807
m["userAccountControl"] = MessageElement(
1808
str(UF_WORKSTATION_TRUST_ACCOUNT),
1809
FLAG_MOD_REPLACE, "userAccountControl")
1812
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1813
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1814
self.assertTrue(len(res1) == 1)
1815
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1816
ATYPE_WORKSTATION_TRUST)
1819
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1820
m["userAccountControl"] = MessageElement(
1821
str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1822
FLAG_MOD_REPLACE, "userAccountControl")
1825
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1826
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1827
self.assertTrue(len(res1) == 1)
1828
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1829
ATYPE_NORMAL_ACCOUNT)
1832
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1833
m["userAccountControl"] = MessageElement(
1834
str(UF_SERVER_TRUST_ACCOUNT),
1835
FLAG_MOD_REPLACE, "userAccountControl")
1838
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1839
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1840
self.assertTrue(len(res1) == 1)
1841
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1842
ATYPE_WORKSTATION_TRUST)
1845
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1846
m["userAccountControl"] = MessageElement(
1847
str(UF_WORKSTATION_TRUST_ACCOUNT),
1848
FLAG_MOD_REPLACE, "userAccountControl")
1851
res1 = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1852
scope=SCOPE_BASE, attrs=["sAMAccountType"])
1853
self.assertTrue(len(res1) == 1)
1854
self.assertEquals(int(res1[0]["sAMAccountType"][0]),
1855
ATYPE_WORKSTATION_TRUST)
1857
# This isn't supported yet in s4 - needs ACL module adaption
1860
# m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1861
# m["userAccountControl"] = MessageElement(
1862
# str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1863
# FLAG_MOD_REPLACE, "userAccountControl")
1866
# except LdbError, (num, _):
1867
# self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1869
delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
1870
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1872
def test_service_principal_name_updates(self):
1873
"""Test the servicePrincipalNames update behaviour"""
1874
print "Testing servicePrincipalNames update behaviour\n"
1877
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1878
"objectclass": "computer",
1879
"dNSHostName": "testname.testdom"})
1881
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1882
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1883
self.assertTrue(len(res) == 1)
1884
self.assertFalse("servicePrincipalName" in res[0])
1886
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1889
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1890
"objectclass": "computer",
1891
"servicePrincipalName": "HOST/testname.testdom"})
1893
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1894
scope=SCOPE_BASE, attrs=["dNSHostName"])
1895
self.assertTrue(len(res) == 1)
1896
self.assertFalse("dNSHostName" in res[0])
1898
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1901
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
1902
"objectclass": "computer",
1903
"dNSHostName": "testname2.testdom",
1904
"servicePrincipalName": "HOST/testname.testdom"})
1906
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1907
scope=SCOPE_BASE, attrs=["dNSHostName"])
1908
self.assertTrue(len(res) == 1)
1909
self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
1911
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1912
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1913
self.assertTrue(len(res) == 1)
1914
self.assertEquals(res[0]["servicePrincipalName"][0],
1915
"HOST/testname.testdom")
1918
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1919
m["dNSHostName"] = MessageElement("testname.testdoM",
1920
FLAG_MOD_REPLACE, "dNSHostName")
1923
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1924
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1925
self.assertTrue(len(res) == 1)
1926
self.assertEquals(res[0]["servicePrincipalName"][0],
1927
"HOST/testname.testdom")
1930
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1931
m["dNSHostName"] = MessageElement("testname2.testdom2",
1932
FLAG_MOD_REPLACE, "dNSHostName")
1935
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1936
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1937
self.assertTrue(len(res) == 1)
1938
self.assertEquals(res[0]["servicePrincipalName"][0],
1939
"HOST/testname2.testdom2")
1942
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1943
m["dNSHostName"] = MessageElement([],
1944
FLAG_MOD_DELETE, "dNSHostName")
1947
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1948
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1949
self.assertTrue(len(res) == 1)
1950
self.assertEquals(res[0]["servicePrincipalName"][0],
1951
"HOST/testname2.testdom2")
1954
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1955
m["dNSHostName"] = MessageElement("testname.testdom3",
1956
FLAG_MOD_REPLACE, "dNSHostName")
1959
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1960
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1961
self.assertTrue(len(res) == 1)
1962
self.assertEquals(res[0]["servicePrincipalName"][0],
1963
"HOST/testname2.testdom2")
1966
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1967
m["dNSHostName"] = MessageElement("testname2.testdom2",
1968
FLAG_MOD_REPLACE, "dNSHostName")
1972
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1973
m["dNSHostName"] = MessageElement("testname3.testdom3",
1974
FLAG_MOD_REPLACE, "dNSHostName")
1975
m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
1977
"servicePrincipalName")
1980
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1981
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1982
self.assertTrue(len(res) == 1)
1983
self.assertEquals(res[0]["servicePrincipalName"][0],
1984
"HOST/testname3.testdom3")
1987
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
1988
m["servicePrincipalName"] = MessageElement("HOST/testname2.testdom2",
1990
"servicePrincipalName")
1991
m["dNSHostName"] = MessageElement("testname4.testdom4",
1992
FLAG_MOD_REPLACE, "dNSHostName")
1995
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
1996
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
1997
self.assertTrue(len(res) == 1)
1998
self.assertEquals(res[0]["servicePrincipalName"][0],
1999
"HOST/testname2.testdom2")
2002
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2003
m["servicePrincipalName"] = MessageElement([],
2005
"servicePrincipalName")
2009
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2010
m["dNSHostName"] = MessageElement("testname2.testdom2",
2011
FLAG_MOD_REPLACE, "dNSHostName")
2014
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2015
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2016
self.assertTrue(len(res) == 1)
2017
self.assertFalse("servicePrincipalName" in res[0])
2019
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2022
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2023
"objectclass": "computer",
2024
"sAMAccountName": "testname$"})
2026
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2027
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2028
self.assertTrue(len(res) == 1)
2029
self.assertFalse("servicePrincipalName" in res[0])
2031
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2034
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2035
"objectclass": "computer",
2036
"servicePrincipalName": "HOST/testname"})
2038
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2039
scope=SCOPE_BASE, attrs=["sAMAccountName"])
2040
self.assertTrue(len(res) == 1)
2041
self.assertTrue("sAMAccountName" in res[0])
2043
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2046
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2047
"objectclass": "computer",
2048
"sAMAccountName": "testname$",
2049
"servicePrincipalName": "HOST/testname"})
2051
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2052
scope=SCOPE_BASE, attrs=["sAMAccountName"])
2053
self.assertTrue(len(res) == 1)
2054
self.assertEquals(res[0]["sAMAccountName"][0], "testname$")
2056
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2057
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2058
self.assertTrue(len(res) == 1)
2059
self.assertEquals(res[0]["servicePrincipalName"][0],
2063
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2064
m["sAMAccountName"] = MessageElement("testnamE$",
2065
FLAG_MOD_REPLACE, "sAMAccountName")
2068
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2069
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2070
self.assertTrue(len(res) == 1)
2071
self.assertEquals(res[0]["servicePrincipalName"][0],
2075
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2076
m["sAMAccountName"] = MessageElement("testname",
2077
FLAG_MOD_REPLACE, "sAMAccountName")
2080
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2081
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2082
self.assertTrue(len(res) == 1)
2083
self.assertEquals(res[0]["servicePrincipalName"][0],
2087
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2088
m["sAMAccountName"] = MessageElement("test$name$",
2089
FLAG_MOD_REPLACE, "sAMAccountName")
2092
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2093
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2094
self.assertTrue(len(res) == 1)
2095
self.assertEquals(res[0]["servicePrincipalName"][0],
2099
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2100
m["sAMAccountName"] = MessageElement("testname2",
2101
FLAG_MOD_REPLACE, "sAMAccountName")
2104
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2105
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2106
self.assertTrue(len(res) == 1)
2107
self.assertEquals(res[0]["servicePrincipalName"][0],
2111
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2112
m["sAMAccountName"] = MessageElement("testname3",
2113
FLAG_MOD_REPLACE, "sAMAccountName")
2114
m["servicePrincipalName"] = MessageElement("HOST/testname2",
2116
"servicePrincipalName")
2119
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2120
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2121
self.assertTrue(len(res) == 1)
2122
self.assertEquals(res[0]["servicePrincipalName"][0],
2126
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2127
m["servicePrincipalName"] = MessageElement("HOST/testname2",
2129
"servicePrincipalName")
2130
m["sAMAccountName"] = MessageElement("testname4",
2131
FLAG_MOD_REPLACE, "sAMAccountName")
2134
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2135
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2136
self.assertTrue(len(res) == 1)
2137
self.assertEquals(res[0]["servicePrincipalName"][0],
2141
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2142
m["servicePrincipalName"] = MessageElement([],
2144
"servicePrincipalName")
2148
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2149
m["sAMAccountName"] = MessageElement("testname2",
2150
FLAG_MOD_REPLACE, "sAMAccountName")
2153
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2154
scope=SCOPE_BASE, attrs=["servicePrincipalName"])
2155
self.assertTrue(len(res) == 1)
2156
self.assertFalse("servicePrincipalName" in res[0])
2158
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2161
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2162
"objectclass": "computer",
2163
"dNSHostName": "testname.testdom",
2164
"sAMAccountName": "testname$",
2165
"servicePrincipalName": [ "HOST/testname.testdom", "HOST/testname" ]
2169
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2170
m["dNSHostName"] = MessageElement("testname2.testdom",
2171
FLAG_MOD_REPLACE, "dNSHostName")
2172
m["sAMAccountName"] = MessageElement("testname2$",
2173
FLAG_MOD_REPLACE, "sAMAccountName")
2176
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2177
scope=SCOPE_BASE, attrs=["dNSHostName", "sAMAccountName", "servicePrincipalName"])
2178
self.assertTrue(len(res) == 1)
2179
self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
2180
self.assertEquals(res[0]["sAMAccountName"][0], "testname2$")
2181
self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2" or
2182
res[0]["servicePrincipalName"][1] == "HOST/testname2")
2183
self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2.testdom" or
2184
res[0]["servicePrincipalName"][1] == "HOST/testname2.testdom")
2186
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2189
"dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
2190
"objectclass": "computer",
2191
"dNSHostName": "testname.testdom",
2192
"sAMAccountName": "testname$",
2193
"servicePrincipalName": [ "HOST/testname.testdom", "HOST/testname" ]
2197
m.dn = Dn(ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2198
m["sAMAccountName"] = MessageElement("testname2$",
2199
FLAG_MOD_REPLACE, "sAMAccountName")
2200
m["dNSHostName"] = MessageElement("testname2.testdom",
2201
FLAG_MOD_REPLACE, "dNSHostName")
2204
res = ldb.search("cn=ldaptestcomputer,cn=computers," + self.base_dn,
2205
scope=SCOPE_BASE, attrs=["dNSHostName", "sAMAccountName", "servicePrincipalName"])
2206
self.assertTrue(len(res) == 1)
2207
self.assertEquals(res[0]["dNSHostName"][0], "testname2.testdom")
2208
self.assertEquals(res[0]["sAMAccountName"][0], "testname2$")
2209
self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2" or
2210
res[0]["servicePrincipalName"][1] == "HOST/testname2")
2211
self.assertTrue(res[0]["servicePrincipalName"][0] == "HOST/testname2.testdom" or
2212
res[0]["servicePrincipalName"][1] == "HOST/testname2.testdom")
2214
delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
2216
def test_sam_description_attribute(self):
2217
"""Test SAM description attribute"""
2218
print "Test SAM description attribute"""
2221
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2222
"description": "desc2",
2223
"objectclass": "group",
2224
"description": "desc1"})
2226
res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2227
scope=SCOPE_BASE, attrs=["description"])
2228
self.assertTrue(len(res) == 1)
2229
self.assertTrue("description" in res[0])
2230
self.assertTrue(len(res[0]["description"]) == 1)
2231
self.assertEquals(res[0]["description"][0], "desc1")
2233
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2236
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2237
"objectclass": "group",
2238
"description": ["desc1", "desc2"]})
2240
res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2241
scope=SCOPE_BASE, attrs=["description"])
2242
self.assertTrue(len(res) == 1)
2243
self.assertTrue("description" in res[0])
2244
self.assertTrue(len(res[0]["description"]) == 2)
2245
self.assertTrue(res[0]["description"][0] == "desc1" or
2246
res[0]["description"][1] == "desc1")
2247
self.assertTrue(res[0]["description"][0] == "desc2" or
2248
res[0]["description"][1] == "desc2")
2251
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2252
m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2257
except LdbError, (num, _):
2258
self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2261
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2262
m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2266
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2269
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2270
"objectclass": "group" })
2273
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2274
m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2278
res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2279
scope=SCOPE_BASE, attrs=["description"])
2280
self.assertTrue(len(res) == 1)
2281
self.assertTrue("description" in res[0])
2282
self.assertTrue(len(res[0]["description"]) == 1)
2283
self.assertEquals(res[0]["description"][0], "desc1")
2285
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2288
"dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2289
"objectclass": "group",
2290
"description": ["desc1", "desc2"]})
2293
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2294
m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2298
res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2299
scope=SCOPE_BASE, attrs=["description"])
2300
self.assertTrue(len(res) == 1)
2301
self.assertTrue("description" in res[0])
2302
self.assertTrue(len(res[0]["description"]) == 1)
2303
self.assertEquals(res[0]["description"][0], "desc1")
2306
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2307
m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
2312
except LdbError, (num, _):
2313
self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2316
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2317
m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2322
except LdbError, (num, _):
2323
self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
2326
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2327
m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
2330
res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2331
scope=SCOPE_BASE, attrs=["description"])
2332
self.assertTrue(len(res) == 1)
2333
self.assertFalse("description" in res[0])
2336
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2337
m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2342
except LdbError, (num, _):
2343
self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2346
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2347
m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
2352
except LdbError, (num, _):
2353
self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2356
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2357
m["description"] = MessageElement("desc1", FLAG_MOD_ADD,
2361
res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2362
scope=SCOPE_BASE, attrs=["description"])
2363
self.assertTrue(len(res) == 1)
2364
self.assertTrue("description" in res[0])
2365
self.assertTrue(len(res[0]["description"]) == 1)
2366
self.assertEquals(res[0]["description"][0], "desc1")
2369
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2370
m.add(MessageElement("desc1", FLAG_MOD_DELETE, "description"))
2371
m.add(MessageElement("desc2", FLAG_MOD_ADD, "description"))
2374
res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2375
scope=SCOPE_BASE, attrs=["description"])
2376
self.assertTrue(len(res) == 1)
2377
self.assertTrue("description" in res[0])
2378
self.assertTrue(len(res[0]["description"]) == 1)
2379
self.assertEquals(res[0]["description"][0], "desc2")
2381
delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2384
if not "://" in host:
2385
if os.path.isfile(host):
2386
host = "tdb://%s" % host
2388
host = "ldap://%s" % host
2390
ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
2392
runner = SubunitTestRunner()
2394
if not runner.run(unittest.makeSuite(SamTests)).wasSuccessful():