2 # -*- coding: utf-8 -*-
3 # This is a port of the original in testprogs/ejs/ldap.js
9 sys
.path
.insert(0, "bin/python")
11 samba
.ensure_external_module("testtools", "testtools")
12 samba
.ensure_external_module("subunit", "subunit/python")
14 import samba
.getopt
as options
16 from samba
.auth
import system_session
17 from ldb
import SCOPE_BASE
, LdbError
18 from ldb
import ERR_NO_SUCH_OBJECT
, ERR_ATTRIBUTE_OR_VALUE_EXISTS
19 from ldb
import ERR_ENTRY_ALREADY_EXISTS
, ERR_UNWILLING_TO_PERFORM
20 from ldb
import ERR_OTHER
, ERR_NO_SUCH_ATTRIBUTE
21 from ldb
import ERR_OBJECT_CLASS_VIOLATION
22 from ldb
import ERR_CONSTRAINT_VIOLATION
23 from ldb
import ERR_UNDEFINED_ATTRIBUTE_TYPE
24 from ldb
import Message
, MessageElement
, Dn
25 from ldb
import FLAG_MOD_ADD
, FLAG_MOD_REPLACE
, FLAG_MOD_DELETE
26 from samba
.samdb
import SamDB
27 from samba
.dsdb
import (UF_NORMAL_ACCOUNT
, UF_ACCOUNTDISABLE
,
28 UF_WORKSTATION_TRUST_ACCOUNT
, UF_SERVER_TRUST_ACCOUNT
,
29 UF_PARTIAL_SECRETS_ACCOUNT
, UF_TEMP_DUPLICATE_ACCOUNT
,
30 UF_PASSWD_NOTREQD
, ATYPE_NORMAL_ACCOUNT
,
31 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP
,
32 GTYPE_SECURITY_GLOBAL_GROUP
, GTYPE_SECURITY_UNIVERSAL_GROUP
,
33 GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP
, GTYPE_DISTRIBUTION_GLOBAL_GROUP
,
34 GTYPE_DISTRIBUTION_UNIVERSAL_GROUP
,
35 ATYPE_SECURITY_GLOBAL_GROUP
, ATYPE_SECURITY_UNIVERSAL_GROUP
,
36 ATYPE_SECURITY_LOCAL_GROUP
, ATYPE_DISTRIBUTION_GLOBAL_GROUP
,
37 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP
, ATYPE_DISTRIBUTION_LOCAL_GROUP
,
38 ATYPE_WORKSTATION_TRUST
)
39 from samba
.dcerpc
.security
import (DOMAIN_RID_USERS
, DOMAIN_RID_ADMINS
,
40 DOMAIN_RID_DOMAIN_MEMBERS
, DOMAIN_RID_DCS
, DOMAIN_RID_READONLY_DCS
)
42 from subunit
.run
import SubunitTestRunner
45 from samba
.dcerpc
import security
46 from samba
.tests
import delete_force
48 parser
= optparse
.OptionParser("sam.py [options] <host>")
49 sambaopts
= options
.SambaOptions(parser
)
50 parser
.add_option_group(sambaopts
)
51 parser
.add_option_group(options
.VersionOptions(parser
))
52 # use command line creds if available
53 credopts
= options
.CredentialsOptions(parser
)
54 parser
.add_option_group(credopts
)
55 opts
, args
= parser
.parse_args()
63 lp
= sambaopts
.get_loadparm()
64 creds
= credopts
.get_credentials(lp
)
66 class SamTests(samba
.tests
.TestCase
):
69 super(SamTests
, self
).setUp()
71 self
.base_dn
= ldb
.domain_dn()
73 print "baseDN: %s\n" % self
.base_dn
75 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
76 delete_force(self
.ldb
, "cn=ldaptestuser2,cn=users," + self
.base_dn
)
77 delete_force(self
.ldb
, "cn=ldaptest\,specialuser,cn=users," + self
.base_dn
)
78 delete_force(self
.ldb
, "cn=ldaptestcomputer,cn=computers," + self
.base_dn
)
79 delete_force(self
.ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
80 delete_force(self
.ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
82 def test_users_groups(self
):
83 """This tests the SAM users and groups behaviour"""
84 print "Testing users and groups behaviour\n"
87 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
88 "objectclass": "group"})
91 "dn": "cn=ldaptestgroup2,cn=users," + self
.base_dn
,
92 "objectclass": "group"})
94 res1
= ldb
.search("cn=ldaptestgroup,cn=users," + self
.base_dn
,
95 scope
=SCOPE_BASE
, attrs
=["objectSID"])
96 self
.assertTrue(len(res1
) == 1)
97 group_rid_1
= security
.dom_sid(ldb
.schema_format_value("objectSID",
98 res1
[0]["objectSID"][0])).split()[1]
100 res1
= ldb
.search("cn=ldaptestgroup2,cn=users," + self
.base_dn
,
101 scope
=SCOPE_BASE
, attrs
=["objectSID"])
102 self
.assertTrue(len(res1
) == 1)
103 group_rid_2
= security
.dom_sid(ldb
.schema_format_value("objectSID",
104 res1
[0]["objectSID"][0])).split()[1]
106 # Try to create a user with an invalid account name
109 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
110 "objectclass": "user",
111 "sAMAccountName": "administrator"})
113 except LdbError
, (num
, _
):
114 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
115 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
117 # Try to create a user with an invalid account name
120 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
121 "objectclass": "user",
122 "sAMAccountName": []})
124 except LdbError
, (num
, _
):
125 self
.assertEquals(num
, ERR_CONSTRAINT_VIOLATION
)
126 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
128 # Try to create a user with an invalid primary group
131 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
132 "objectclass": "user",
133 "primaryGroupID": "0"})
135 except LdbError
, (num
, _
):
136 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
137 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
139 # Try to Create a user with a valid primary group
142 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
143 "objectclass": "user",
144 "primaryGroupID": str(group_rid_1
)})
146 except LdbError
, (num
, _
):
147 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
148 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
150 # Test to see how we should behave when the user account doesn't
153 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
154 m
["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE
,
159 except LdbError
, (num
, _
):
160 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
162 # Test to see how we should behave when the account isn't a user
164 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
165 m
["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE
,
170 except LdbError
, (num
, _
):
171 self
.assertEquals(num
, ERR_OBJECT_CLASS_VIOLATION
)
173 # Test default primary groups on add operations
176 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
177 "objectclass": "user"})
179 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
180 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
181 self
.assertTrue(len(res1
) == 1)
182 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
184 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
187 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
188 "objectclass": "user",
189 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD
) })
191 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
192 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
193 self
.assertTrue(len(res1
) == 1)
194 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
196 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
198 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
199 # since such accounts aren't directly creatable (ACCESS_DENIED)
202 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
203 "objectclass": "computer",
204 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
) })
206 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
207 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
208 self
.assertTrue(len(res1
) == 1)
209 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS
))
211 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
214 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
215 "objectclass": "computer",
216 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
) })
218 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
219 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
220 self
.assertTrue(len(res1
) == 1)
221 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS
))
223 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
225 # Read-only DC accounts are only creatable by
226 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
227 # we have a fallback in the assertion)
229 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
230 "objectclass": "computer",
231 "userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
) })
233 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
234 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
235 self
.assertTrue(len(res1
) == 1)
236 self
.assertTrue(res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS
) or
237 res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS
))
239 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
241 # Test default primary groups on modify operations
244 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
245 "objectclass": "user"})
248 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
249 m
["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
250 "userAccountControl")
253 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
254 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
255 self
.assertTrue(len(res1
) == 1)
256 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
258 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
259 # since such accounts aren't directly creatable (ACCESS_DENIED)
261 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
264 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
265 "objectclass": "computer"})
267 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
268 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
269 self
.assertTrue(len(res1
) == 1)
270 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
273 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
274 m
["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
275 "userAccountControl")
278 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
279 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
280 self
.assertTrue(len(res1
) == 1)
281 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS
))
284 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
285 m
["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
286 "userAccountControl")
289 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
290 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
291 self
.assertTrue(len(res1
) == 1)
292 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS
))
294 # Read-only DC accounts are only creatable by
295 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
296 # we have a fallback in the assertion)
298 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
299 m
["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
300 "userAccountControl")
303 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
304 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
305 self
.assertTrue(len(res1
) == 1)
306 self
.assertTrue(res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS
) or
307 res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS
))
309 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
311 # Recreate account for further tests
314 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
315 "objectclass": "user"})
317 # Try to set an invalid account name
319 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
320 m
["sAMAccountName"] = MessageElement("administrator", FLAG_MOD_REPLACE
,
325 except LdbError
, (num
, _
):
326 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
328 # But to reset the actual "sAMAccountName" should still be possible
329 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
330 scope
=SCOPE_BASE
, attrs
=["sAMAccountName"])
331 self
.assertTrue(len(res1
) == 1)
333 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
334 m
["sAMAccountName"] = MessageElement(res1
[0]["sAMAccountName"][0], FLAG_MOD_REPLACE
,
338 # And another (free) name should be possible as well
340 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
341 m
["sAMAccountName"] = MessageElement("xxx_ldaptestuser_xxx", FLAG_MOD_REPLACE
,
345 # We should be able to reset our actual primary group
347 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
348 m
["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS
), FLAG_MOD_REPLACE
,
352 # Try to add invalid primary group
354 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
355 m
["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE
,
360 except LdbError
, (num
, _
):
361 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
363 # Try to make group 1 primary - should be denied since it is not yet
366 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
367 m
["primaryGroupID"] = MessageElement(str(group_rid_1
),
368 FLAG_MOD_REPLACE
, "primaryGroupID")
372 except LdbError
, (num
, _
):
373 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
375 # Make group 1 secondary
377 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
378 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
379 FLAG_MOD_REPLACE
, "member")
382 # Make group 1 primary
384 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
385 m
["primaryGroupID"] = MessageElement(str(group_rid_1
),
386 FLAG_MOD_REPLACE
, "primaryGroupID")
389 # Try to delete group 1 - should be denied
391 ldb
.delete("cn=ldaptestgroup,cn=users," + self
.base_dn
)
393 except LdbError
, (num
, _
):
394 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
396 # Try to add group 1 also as secondary - should be denied
398 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
399 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
400 FLAG_MOD_ADD
, "member")
404 except LdbError
, (num
, _
):
405 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
407 # Try to add invalid member to group 1 - should be denied
409 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
410 m
["member"] = MessageElement(
411 "cn=ldaptestuser3,cn=users," + self
.base_dn
,
412 FLAG_MOD_ADD
, "member")
416 except LdbError
, (num
, _
):
417 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
419 # Make group 2 secondary
421 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
422 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
423 FLAG_MOD_ADD
, "member")
428 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
429 m
["primaryGroupID"] = MessageElement(str(group_rid_2
),
430 FLAG_MOD_REPLACE
, "primaryGroupID")
433 # Swap the groups (does not really make sense but does the same)
435 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
436 m
["primaryGroupID"] = MessageElement(str(group_rid_1
),
437 FLAG_MOD_REPLACE
, "primaryGroupID")
438 m
["primaryGroupID"] = MessageElement(str(group_rid_2
),
439 FLAG_MOD_REPLACE
, "primaryGroupID")
442 # Old primary group should contain a "member" attribute for the user,
443 # the new shouldn't contain anymore one
444 res1
= ldb
.search("cn=ldaptestgroup, cn=users," + self
.base_dn
,
445 scope
=SCOPE_BASE
, attrs
=["member"])
446 self
.assertTrue(len(res1
) == 1)
447 self
.assertTrue(len(res1
[0]["member"]) == 1)
448 self
.assertEquals(res1
[0]["member"][0].lower(),
449 ("cn=ldaptestuser,cn=users," + self
.base_dn
).lower())
451 res1
= ldb
.search("cn=ldaptestgroup2, cn=users," + self
.base_dn
,
452 scope
=SCOPE_BASE
, attrs
=["member"])
453 self
.assertTrue(len(res1
) == 1)
454 self
.assertFalse("member" in res1
[0])
456 # Primary group member
458 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
459 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
460 FLAG_MOD_DELETE
, "member")
464 except LdbError
, (num
, _
):
465 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
467 # Delete invalid group member
469 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
470 m
["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self
.base_dn
,
471 FLAG_MOD_DELETE
, "member")
475 except LdbError
, (num
, _
):
476 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
478 # Also this should be denied
481 "dn": "cn=ldaptestuser2,cn=users," + self
.base_dn
,
482 "objectclass": "user",
483 "primaryGroupID": "0"})
485 except LdbError
, (num
, _
):
486 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
488 # Recreate user accounts
490 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
493 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
494 "objectclass": "user"})
497 "dn": "cn=ldaptestuser2,cn=users," + self
.base_dn
,
498 "objectclass": "user"})
501 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
502 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
503 FLAG_MOD_ADD
, "member")
508 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
509 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
510 FLAG_MOD_ADD
, "member")
514 except LdbError
, (num
, _
):
515 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
517 # Already added, but as <SID=...>
518 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
519 scope
=SCOPE_BASE
, attrs
=["objectSid"])
520 self
.assertTrue(len(res1
) == 1)
521 sid_bin
= res1
[0]["objectSid"][0]
522 sid_str
= ("<SID=" + ldb
.schema_format_value("objectSid", sid_bin
) + ">").upper()
525 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
526 m
["member"] = MessageElement(sid_str
, FLAG_MOD_ADD
, "member")
530 except LdbError
, (num
, _
):
531 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
535 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
536 m
["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self
.base_dn
,
537 FLAG_MOD_REPLACE
, "member")
541 except LdbError
, (num
, _
):
542 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
546 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
547 m
["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self
.base_dn
,
548 "cn=ldaptestuser1,cn=users," + self
.base_dn
],
549 FLAG_MOD_REPLACE
, "member")
553 except LdbError
, (num
, _
):
554 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
558 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
559 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
560 FLAG_MOD_REPLACE
, "member")
561 m
["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self
.base_dn
,
562 FLAG_MOD_ADD
, "member")
566 except LdbError
, (num
, _
):
567 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
570 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
571 m
["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self
.base_dn
,
572 "cn=ldaptestuser2,cn=users," + self
.base_dn
],
573 FLAG_MOD_REPLACE
, "member")
576 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
577 delete_force(self
.ldb
, "cn=ldaptestuser2,cn=users," + self
.base_dn
)
578 delete_force(self
.ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
579 delete_force(self
.ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
581 # Make also a small test for accounts with special DNs ("," in this case)
583 "dn": "cn=ldaptest\,specialuser,cn=users," + self
.base_dn
,
584 "objectclass": "user"})
585 delete_force(self
.ldb
, "cn=ldaptest\,specialuser,cn=users," + self
.base_dn
)
587 def test_sam_attributes(self
):
588 """Test the behaviour of special attributes of SAM objects"""
589 print "Testing the behaviour of special attributes of SAM objects\n"""
592 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
593 "objectclass
": "user
"})
595 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
596 "objectclass
": "group
"})
599 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
600 m["groupType
"] = MessageElement(str(GTYPE_SECURITY_GLOBAL_GROUP), FLAG_MOD_ADD,
605 except LdbError, (num, _):
606 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
608 # Delete protection tests
610 for attr in ["nTSecurityDescriptor
", "objectSid
", "sAMAccountType
",
611 "sAMAccountName
", "groupType
"]:
614 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
615 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
619 except LdbError, (num, _):
620 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
623 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
624 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
628 except LdbError, (num, _):
629 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
632 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
633 m["primaryGroupID
"] = MessageElement("513", FLAG_MOD_ADD,
638 except LdbError, (num, _):
639 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
642 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
643 m["userAccountControl
"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_ADD,
644 "userAccountControl
")
648 except LdbError, (num, _):
649 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
652 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
653 m["objectSid
"] = MessageElement("xxxxxxxxxxxxxxxx
", FLAG_MOD_ADD,
658 except LdbError, (num, _):
659 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
662 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
663 m["sAMAccountType
"] = MessageElement("0", FLAG_MOD_ADD,
668 except LdbError, (num, _):
669 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
672 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
673 m["sAMAccountName
"] = MessageElement("test
", FLAG_MOD_ADD,
678 except LdbError, (num, _):
679 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
681 # Delete protection tests
683 for attr in ["nTSecurityDescriptor
", "objectSid
", "sAMAccountType
",
684 "sAMAccountName
", "primaryGroupID
", "userAccountControl
",
685 "accountExpires
", "badPasswordTime
", "badPwdCount
",
686 "codePage
", "countryCode
", "lastLogoff
", "lastLogon
",
687 "logonCount
", "pwdLastSet
"]:
690 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
691 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
695 except LdbError, (num, _):
696 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
699 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
700 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
704 except LdbError, (num, _):
705 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
707 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
708 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
710 def test_primary_group_token_constructed(self):
711 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
712 print "Testing primary group token behaviour
and other constructed attributes
\n"
716 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
717 "objectclass
": "group
",
718 "primaryGroupToken
": "100"})
720 except LdbError, (num, _):
721 self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
722 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
725 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
726 "objectclass
": "user
"})
729 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
730 "objectclass
": "group
"})
732 # Testing for one invalid, and one valid operational attribute, but also the things they are built from
733 res1 = ldb.search(self.base_dn,
734 scope=SCOPE_BASE, attrs=["primaryGroupToken
", "canonicalName
", "objectClass
", "objectSid
"])
735 self.assertTrue(len(res1) == 1)
736 self.assertFalse("primaryGroupToken
" in res1[0])
737 self.assertTrue("canonicalName
" in res1[0])
738 self.assertTrue("objectClass
" in res1[0])
739 self.assertTrue("objectSid
" in res1[0])
741 res1 = ldb.search(self.base_dn,
742 scope=SCOPE_BASE, attrs=["primaryGroupToken
", "canonicalName
"])
743 self.assertTrue(len(res1) == 1)
744 self.assertFalse("primaryGroupToken
" in res1[0])
745 self.assertFalse("objectSid
" in res1[0])
746 self.assertFalse("objectClass
" in res1[0])
747 self.assertTrue("canonicalName
" in res1[0])
749 res1 = ldb.search("cn
=users
," + self.base_dn,
750 scope=SCOPE_BASE, attrs=["primaryGroupToken
"])
751 self.assertTrue(len(res1) == 1)
752 self.assertFalse("primaryGroupToken
" in res1[0])
754 res1 = ldb.search("cn
=ldaptestuser
, cn
=users
," + self.base_dn,
755 scope=SCOPE_BASE, attrs=["primaryGroupToken
"])
756 self.assertTrue(len(res1) == 1)
757 self.assertFalse("primaryGroupToken
" in res1[0])
759 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
761 self.assertTrue(len(res1) == 1)
762 self.assertFalse("primaryGroupToken
" in res1[0])
764 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
765 scope=SCOPE_BASE, attrs=["primaryGroupToken
", "objectSID
"])
766 self.assertTrue(len(res1) == 1)
767 primary_group_token = int(res1[0]["primaryGroupToken
"][0])
769 rid = security.dom_sid(ldb.schema_format_value("objectSID
", res1[0]["objectSID
"][0])).split()[1]
770 self.assertEquals(primary_group_token, rid)
773 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
774 m["primaryGroupToken
"] = "100"
778 except LdbError, (num, _):
779 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
781 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
782 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
784 def test_tokenGroups(self):
785 """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
786 print "Testing tokenGroups behaviour
\n"
788 # The domain object shouldn't contain any "tokenGroups
" entry
789 res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups
"])
790 self.assertTrue(len(res) == 1)
791 self.assertFalse("tokenGroups
" in res[0])
793 # The domain administrator should contain "tokenGroups
" entries
794 # (the exact number depends on the domain/forest function level and the
795 # DC software versions)
796 res = ldb.search("cn
=Administrator
,cn
=Users
," + self.base_dn,
797 scope=SCOPE_BASE, attrs=["tokenGroups
"])
798 self.assertTrue(len(res) == 1)
799 self.assertTrue("tokenGroups
" in res[0])
802 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
803 "objectclass
": "user
"})
805 # This testuser should contain at least two "tokenGroups
" entries
806 # (exactly two on an unmodified "Domain Users
" and "Users
" group)
807 res = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
808 scope=SCOPE_BASE, attrs=["tokenGroups
"])
809 self.assertTrue(len(res) == 1)
810 self.assertTrue(len(res[0]["tokenGroups
"]) >= 2)
812 # one entry which we need to find should point to domains "Domain Users
"
813 # group and another entry should point to the builtin "Users
"group
814 domain_users_group_found = False
815 users_group_found = False
816 for sid in res[0]["tokenGroups
"]:
817 rid = security.dom_sid(ldb.schema_format_value("objectSID
", sid)).split()[1]
819 domain_users_group_found = True
821 users_group_found = True
823 self.assertTrue(domain_users_group_found)
824 self.assertTrue(users_group_found)
826 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
828 def test_groupType(self):
829 """Test the groupType behaviour"""
830 print "Testing groupType behaviour
\n"
832 # You can never create or change to a
833 # "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
"
840 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
841 "objectclass
": "group
",
844 except LdbError, (num, _):
845 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
846 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
850 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
851 "objectclass
": "group
",
852 "groupType
": str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP)})
854 except LdbError, (num, _):
855 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
856 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
859 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
860 "objectclass
": "group
",
861 "groupType
": str(GTYPE_SECURITY_GLOBAL_GROUP)})
863 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
864 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
865 self.assertTrue(len(res1) == 1)
866 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
867 ATYPE_SECURITY_GLOBAL_GROUP)
868 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
871 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
872 "objectclass
": "group
",
873 "groupType
": str(GTYPE_SECURITY_UNIVERSAL_GROUP)})
875 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
876 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
877 self.assertTrue(len(res1) == 1)
878 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
879 ATYPE_SECURITY_UNIVERSAL_GROUP)
880 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
883 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
884 "objectclass
": "group
",
885 "groupType
": str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)})
887 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
888 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
889 self.assertTrue(len(res1) == 1)
890 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
891 ATYPE_SECURITY_LOCAL_GROUP)
892 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
895 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
896 "objectclass
": "group
",
897 "groupType
": str(GTYPE_DISTRIBUTION_GLOBAL_GROUP)})
899 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
900 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
901 self.assertTrue(len(res1) == 1)
902 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
903 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
904 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
907 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
908 "objectclass
": "group
",
909 "groupType
": str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP)})
911 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
912 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
913 self.assertTrue(len(res1) == 1)
914 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
915 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
916 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
919 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
920 "objectclass
": "group
",
921 "groupType
": str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)})
923 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
924 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
925 self.assertTrue(len(res1) == 1)
926 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
927 ATYPE_DISTRIBUTION_LOCAL_GROUP)
928 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
933 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
934 "objectclass
": "group
"})
936 # We can change in this direction: global <-> universal <-> local
937 # On each step also the group type itself (security/distribution) is
940 # After creation we should have a "security
global group
"
941 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
942 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
943 self.assertTrue(len(res1) == 1)
944 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
945 ATYPE_SECURITY_GLOBAL_GROUP)
950 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
951 m["groupType
"] = MessageElement("0",
952 FLAG_MOD_REPLACE, "groupType
")
955 except LdbError, (num, _):
956 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
960 # Default is "global group
"
963 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
964 m["groupType
"] = MessageElement(
965 str(GTYPE_SECURITY_GLOBAL_GROUP),
966 FLAG_MOD_REPLACE, "groupType
")
969 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
970 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
971 self.assertTrue(len(res1) == 1)
972 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
973 ATYPE_SECURITY_GLOBAL_GROUP)
975 # Change to "local
" (shouldn't work)
979 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
980 m["groupType
"] = MessageElement(
981 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
982 FLAG_MOD_REPLACE, "groupType
")
985 except LdbError, (num, _):
986 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
988 # Change to "universal
"
991 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
992 m["groupType
"] = MessageElement(
993 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
994 FLAG_MOD_REPLACE, "groupType
")
997 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
998 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
999 self.assertTrue(len(res1) == 1)
1000 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1001 ATYPE_SECURITY_UNIVERSAL_GROUP)
1003 # Change back to "global"
1006 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1007 m["groupType
"] = MessageElement(
1008 str(GTYPE_SECURITY_GLOBAL_GROUP),
1009 FLAG_MOD_REPLACE, "groupType
")
1012 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1013 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1014 self.assertTrue(len(res1) == 1)
1015 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1016 ATYPE_SECURITY_GLOBAL_GROUP)
1018 # Change back to "universal
"
1021 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1022 m["groupType
"] = MessageElement(
1023 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1024 FLAG_MOD_REPLACE, "groupType
")
1027 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1028 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1029 self.assertTrue(len(res1) == 1)
1030 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1031 ATYPE_SECURITY_UNIVERSAL_GROUP)
1036 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1037 m["groupType
"] = MessageElement(
1038 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1039 FLAG_MOD_REPLACE, "groupType
")
1042 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1043 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1044 self.assertTrue(len(res1) == 1)
1045 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1046 ATYPE_SECURITY_LOCAL_GROUP)
1048 # Change to "global" (shouldn't work)
1052 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1053 m["groupType
"] = MessageElement(
1054 str(GTYPE_SECURITY_GLOBAL_GROUP),
1055 FLAG_MOD_REPLACE, "groupType
")
1058 except LdbError, (num, _):
1059 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1061 # Change to "builtin local
" (shouldn't work)
1065 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1066 m["groupType
"] = MessageElement(
1067 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1068 FLAG_MOD_REPLACE, "groupType
")
1071 except LdbError, (num, _):
1072 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1075 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1077 # Change back to "universal
"
1080 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1081 m["groupType
"] = MessageElement(
1082 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1083 FLAG_MOD_REPLACE, "groupType
")
1086 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1087 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1088 self.assertTrue(len(res1) == 1)
1089 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1090 ATYPE_SECURITY_UNIVERSAL_GROUP)
1092 # Change to "builtin local
" (shouldn't work)
1096 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1097 m["groupType
"] = MessageElement(
1098 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1099 FLAG_MOD_REPLACE, "groupType
")
1102 except LdbError, (num, _):
1103 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1105 # Change back to "global"
1108 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1109 m["groupType
"] = MessageElement(
1110 str(GTYPE_SECURITY_GLOBAL_GROUP),
1111 FLAG_MOD_REPLACE, "groupType
")
1114 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1115 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1116 self.assertTrue(len(res1) == 1)
1117 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1118 ATYPE_SECURITY_GLOBAL_GROUP)
1120 # Change to "builtin local
" (shouldn't work)
1124 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1125 m["groupType
"] = MessageElement(
1126 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1127 FLAG_MOD_REPLACE, "groupType
")
1130 except LdbError, (num, _):
1131 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1133 # Distribution groups
1135 # Default is "global group
"
1138 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1139 m["groupType
"] = MessageElement(
1140 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1141 FLAG_MOD_REPLACE, "groupType
")
1144 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1145 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1146 self.assertTrue(len(res1) == 1)
1147 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1148 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1150 # Change to local (shouldn't work)
1154 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1155 m["groupType
"] = MessageElement(
1156 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1157 FLAG_MOD_REPLACE, "groupType
")
1160 except LdbError, (num, _):
1161 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1163 # Change to "universal
"
1166 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1167 m["groupType
"] = MessageElement(
1168 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1169 FLAG_MOD_REPLACE, "groupType
")
1172 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1173 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1174 self.assertTrue(len(res1) == 1)
1175 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1176 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1178 # Change back to "global"
1181 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1182 m["groupType
"] = MessageElement(
1183 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1184 FLAG_MOD_REPLACE, "groupType
")
1187 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1188 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1189 self.assertTrue(len(res1) == 1)
1190 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1191 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1193 # Change back to "universal
"
1196 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1197 m["groupType
"] = MessageElement(
1198 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1199 FLAG_MOD_REPLACE, "groupType
")
1202 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1203 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1204 self.assertTrue(len(res1) == 1)
1205 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1206 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1211 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1212 m["groupType
"] = MessageElement(
1213 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1214 FLAG_MOD_REPLACE, "groupType
")
1217 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1218 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1219 self.assertTrue(len(res1) == 1)
1220 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1221 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1223 # Change to "global" (shouldn't work)
1227 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1228 m["groupType
"] = MessageElement(
1229 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1230 FLAG_MOD_REPLACE, "groupType
")
1233 except LdbError, (num, _):
1234 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1236 # Change back to "universal
"
1238 # Try to add invalid member to group 1 - should be denied
1240 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1241 m["member
"] = MessageElement(
1242 "cn
=ldaptestuser3
,cn
=users
," + self.base_dn,
1243 FLAG_MOD_ADD, "member
")
1247 except LdbError, (num, _):
1248 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1250 # Make group 2 secondary
1252 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1253 m["groupType
"] = MessageElement(
1254 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1255 FLAG_MOD_REPLACE, "groupType
")
1258 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1259 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1260 self.assertTrue(len(res1) == 1)
1261 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1262 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1264 # Change back to "global"
1267 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1268 m["groupType
"] = MessageElement(
1269 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1270 FLAG_MOD_REPLACE, "groupType
")
1273 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1274 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1275 self.assertTrue(len(res1) == 1)
1276 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1277 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1279 # Both group types: this performs only random checks - all possibilities
1280 # would require too much code.
1282 # Default is "global group
"
1285 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1286 m["groupType
"] = MessageElement(
1287 str(GTYPE_SECURITY_GLOBAL_GROUP),
1288 FLAG_MOD_REPLACE, "groupType
")
1291 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1292 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1293 self.assertTrue(len(res1) == 1)
1294 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1295 ATYPE_SECURITY_GLOBAL_GROUP)
1297 # Change to "local
" (shouldn't work)
1301 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1302 m["groupType
"] = MessageElement(
1303 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1304 FLAG_MOD_REPLACE, "groupType
")
1307 except LdbError, (num, _):
1308 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1310 # Change to "universal
"
1313 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1314 m["groupType
"] = MessageElement(
1315 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1316 FLAG_MOD_REPLACE, "groupType
")
1319 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1320 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1321 self.assertTrue(len(res1) == 1)
1322 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1323 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1325 # Change back to "global"
1328 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1329 m["groupType
"] = MessageElement(
1330 str(GTYPE_SECURITY_GLOBAL_GROUP),
1331 FLAG_MOD_REPLACE, "groupType
")
1334 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1335 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1336 self.assertTrue(len(res1) == 1)
1337 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1338 ATYPE_SECURITY_GLOBAL_GROUP)
1340 # Change back to "universal
"
1343 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1344 m["groupType
"] = MessageElement(
1345 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1346 FLAG_MOD_REPLACE, "groupType
")
1349 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1350 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1351 self.assertTrue(len(res1) == 1)
1352 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1353 ATYPE_SECURITY_UNIVERSAL_GROUP)
1358 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1359 m["groupType
"] = MessageElement(
1360 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1361 FLAG_MOD_REPLACE, "groupType
")
1364 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1365 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1366 self.assertTrue(len(res1) == 1)
1367 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1368 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1370 # Change to "global" (shouldn't work)
1374 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1375 m["groupType
"] = MessageElement(
1376 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1377 FLAG_MOD_REPLACE, "groupType
")
1380 except LdbError, (num, _):
1381 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1383 # Change back to "universal
"
1386 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1387 m["groupType
"] = MessageElement(
1388 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1389 FLAG_MOD_REPLACE, "groupType
")
1392 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1393 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1394 self.assertTrue(len(res1) == 1)
1395 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1396 ATYPE_SECURITY_UNIVERSAL_GROUP)
1398 # Change back to "global"
1401 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1402 m["groupType
"] = MessageElement(
1403 str(GTYPE_SECURITY_GLOBAL_GROUP),
1404 FLAG_MOD_REPLACE, "groupType
")
1407 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1408 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1409 self.assertTrue(len(res1) == 1)
1410 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1411 ATYPE_SECURITY_GLOBAL_GROUP)
1413 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1415 def test_userAccountControl(self):
1416 """Test the userAccountControl behaviour"""
1417 print "Testing userAccountControl behaviour
\n"
1419 # With a user object
1423 # As user you can only set a normal account.
1424 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1426 # With SYSTEM rights you can set a interdomain trust account.
1429 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1430 "objectclass
": "user
",
1431 "userAccountControl
": "0"})
1433 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1435 attrs=["sAMAccountType
", "userAccountControl
"])
1436 self.assertTrue(len(res1) == 1)
1437 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1438 ATYPE_NORMAL_ACCOUNT)
1439 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1440 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_PASSWD_NOTREQD == 0)
1441 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1443 # This has to wait until s4 supports it (needs a password module change)
1446 # "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1447 # "objectclass
": "user
",
1448 # "userAccountControl
": str(UF_NORMAL_ACCOUNT)})
1450 # except LdbError, (num, _):
1451 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1452 # delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1455 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1456 "objectclass
": "user
",
1457 "userAccountControl
": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1459 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1461 attrs=["sAMAccountType
", "userAccountControl
"])
1462 self.assertTrue(len(res1) == 1)
1463 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1464 ATYPE_NORMAL_ACCOUNT)
1465 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1466 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1470 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1471 "objectclass
": "user
",
1472 "userAccountControl
": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1474 except LdbError, (num, _):
1475 self.assertEquals(num, ERR_OTHER)
1476 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1480 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1481 "objectclass
": "user
",
1482 "userAccountControl
": str(UF_SERVER_TRUST_ACCOUNT)})
1484 except LdbError, (num, _):
1485 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1486 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1490 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1491 "objectclass
": "user
",
1492 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1493 except LdbError, (num, _):
1494 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1495 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1499 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1500 "objectclass
": "user
",
1501 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)})
1502 except LdbError, (num, _):
1503 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1504 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1506 # This isn't supported yet in s4 - needs ACL module adaption
1509 # "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1510 # "objectclass
": "user
",
1511 # "userAccountControl
": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1513 # except LdbError, (num, _):
1514 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1515 # delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1520 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1521 "objectclass
": "user
"})
1523 # After creation we should have a normal account
1524 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1526 attrs=["sAMAccountType
", "userAccountControl
"])
1527 self.assertTrue(len(res1) == 1)
1528 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1529 ATYPE_NORMAL_ACCOUNT)
1530 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE != 0)
1532 # As user you can only switch from a normal account to a workstation
1533 # trust account and back.
1534 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1536 # With SYSTEM rights you can switch to a interdomain trust account.
1541 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1542 m["userAccountControl
"] = MessageElement("0",
1543 FLAG_MOD_REPLACE, "userAccountControl
")
1545 except LdbError, (num, _):
1546 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1548 # This has to wait until s4 supports it (needs a password module change)
1551 # m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1552 # m["userAccountControl
"] = MessageElement(
1553 # str(UF_NORMAL_ACCOUNT),
1554 # FLAG_MOD_REPLACE, "userAccountControl
")
1556 # except LdbError, (num, _):
1557 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1560 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1561 m["userAccountControl
"] = MessageElement(
1562 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1563 FLAG_MOD_REPLACE, "userAccountControl
")
1566 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1568 attrs=["sAMAccountType
", "userAccountControl
"])
1569 self.assertTrue(len(res1) == 1)
1570 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1571 ATYPE_NORMAL_ACCOUNT)
1572 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1575 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1576 m["userAccountControl
"] = MessageElement(
1577 str(UF_ACCOUNTDISABLE),
1578 FLAG_MOD_REPLACE, "userAccountControl
")
1581 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1583 attrs=["sAMAccountType
", "userAccountControl
"])
1584 self.assertTrue(len(res1) == 1)
1585 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1586 ATYPE_NORMAL_ACCOUNT)
1587 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_NORMAL_ACCOUNT != 0)
1588 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE != 0)
1592 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1593 m["userAccountControl
"] = MessageElement(
1594 str(UF_TEMP_DUPLICATE_ACCOUNT),
1595 FLAG_MOD_REPLACE, "userAccountControl
")
1598 except LdbError, (num, _):
1599 self.assertEquals(num, ERR_OTHER)
1603 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1604 m["userAccountControl
"] = MessageElement(
1605 str(UF_SERVER_TRUST_ACCOUNT),
1606 FLAG_MOD_REPLACE, "userAccountControl
")
1609 except LdbError, (num, _):
1610 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1613 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1614 m["userAccountControl
"] = MessageElement(
1615 str(UF_WORKSTATION_TRUST_ACCOUNT),
1616 FLAG_MOD_REPLACE, "userAccountControl
")
1621 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1622 m["userAccountControl
"] = MessageElement(
1623 str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT),
1624 FLAG_MOD_REPLACE, "userAccountControl
")
1627 except LdbError, (num, _):
1628 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1630 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1631 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1632 self.assertTrue(len(res1) == 1)
1633 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1634 ATYPE_WORKSTATION_TRUST)
1637 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1638 m["userAccountControl
"] = MessageElement(
1639 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1640 FLAG_MOD_REPLACE, "userAccountControl
")
1643 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1644 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1645 self.assertTrue(len(res1) == 1)
1646 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1647 ATYPE_NORMAL_ACCOUNT)
1649 # This isn't supported yet in s4 - needs ACL module adaption
1652 # m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1653 # m["userAccountControl
"] = MessageElement(
1654 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1655 # FLAG_MOD_REPLACE, "userAccountControl
")
1658 # except LdbError, (num, _):
1659 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1661 # With a computer object
1665 # As computer you can set a normal account and a server trust account.
1666 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1668 # With SYSTEM rights you can set a interdomain trust account.
1671 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1672 "objectclass
": "computer
",
1673 "userAccountControl
": "0"})
1675 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1677 attrs=["sAMAccountType
", "userAccountControl
"])
1678 self.assertTrue(len(res1) == 1)
1679 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1680 ATYPE_NORMAL_ACCOUNT)
1681 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1682 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_PASSWD_NOTREQD == 0)
1683 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1685 # This has to wait until s4 supports it (needs a password module change)
1688 # "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1689 # "objectclass
": "computer
",
1690 # "userAccountControl
": str(UF_NORMAL_ACCOUNT)})
1692 # except LdbError, (num, _):
1693 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1694 # delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1697 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1698 "objectclass
": "computer
",
1699 "userAccountControl
": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1701 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1703 attrs=["sAMAccountType
", "userAccountControl
"])
1704 self.assertTrue(len(res1) == 1)
1705 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1706 ATYPE_NORMAL_ACCOUNT)
1707 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1708 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1712 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1713 "objectclass
": "computer
",
1714 "userAccountControl
": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1716 except LdbError, (num, _):
1717 self.assertEquals(num, ERR_OTHER)
1718 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1721 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1722 "objectclass
": "computer
",
1723 "userAccountControl
": str(UF_SERVER_TRUST_ACCOUNT)})
1725 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1726 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1727 self.assertTrue(len(res1) == 1)
1728 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1729 ATYPE_WORKSTATION_TRUST)
1730 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1734 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1735 "objectclass
": "computer
",
1736 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1737 except LdbError, (num, _):
1738 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1739 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1741 # This isn't supported yet in s4 - needs ACL module adaption
1744 # "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1745 # "objectclass
": "computer
",
1746 # "userAccountControl
": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1748 # except LdbError, (num, _):
1749 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1750 # delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1755 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1756 "objectclass
": "computer
"})
1758 # After creation we should have a normal account
1759 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1761 attrs=["sAMAccountType
", "userAccountControl
"])
1762 self.assertTrue(len(res1) == 1)
1763 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1764 ATYPE_NORMAL_ACCOUNT)
1765 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE != 0)
1767 # As computer you can switch from a normal account to a workstation
1768 # or server trust account and back (also swapping between trust
1769 # accounts is allowed).
1770 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1772 # With SYSTEM rights you can switch to a interdomain trust account.
1777 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1778 m["userAccountControl
"] = MessageElement("0",
1779 FLAG_MOD_REPLACE, "userAccountControl
")
1781 except LdbError, (num, _):
1782 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1784 # This has to wait until s4 supports it (needs a password module change)
1787 # m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1788 # m["userAccountControl
"] = MessageElement(
1789 # str(UF_NORMAL_ACCOUNT),
1790 # FLAG_MOD_REPLACE, "userAccountControl
")
1792 # except LdbError, (num, _):
1793 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1796 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1797 m["userAccountControl
"] = MessageElement(
1798 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1799 FLAG_MOD_REPLACE, "userAccountControl
")
1802 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1804 attrs=["sAMAccountType
", "userAccountControl
"])
1805 self.assertTrue(len(res1) == 1)
1806 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1807 ATYPE_NORMAL_ACCOUNT)
1808 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1811 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1812 m["userAccountControl
"] = MessageElement(
1813 str(UF_ACCOUNTDISABLE),
1814 FLAG_MOD_REPLACE, "userAccountControl
")
1817 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1819 attrs=["sAMAccountType
", "userAccountControl
"])
1820 self.assertTrue(len(res1) == 1)
1821 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1822 ATYPE_NORMAL_ACCOUNT)
1823 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_NORMAL_ACCOUNT != 0)
1824 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE != 0)
1828 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1829 m["userAccountControl
"] = MessageElement(
1830 str(UF_TEMP_DUPLICATE_ACCOUNT),
1831 FLAG_MOD_REPLACE, "userAccountControl
")
1834 except LdbError, (num, _):
1835 self.assertEquals(num, ERR_OTHER)
1838 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1839 m["userAccountControl
"] = MessageElement(
1840 str(UF_SERVER_TRUST_ACCOUNT),
1841 FLAG_MOD_REPLACE, "userAccountControl
")
1844 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1845 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1846 self.assertTrue(len(res1) == 1)
1847 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1848 ATYPE_WORKSTATION_TRUST)
1851 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1852 m["userAccountControl
"] = MessageElement(
1853 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1854 FLAG_MOD_REPLACE, "userAccountControl
")
1857 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1858 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1859 self.assertTrue(len(res1) == 1)
1860 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1861 ATYPE_NORMAL_ACCOUNT)
1864 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1865 m["userAccountControl
"] = MessageElement(
1866 str(UF_WORKSTATION_TRUST_ACCOUNT),
1867 FLAG_MOD_REPLACE, "userAccountControl
")
1870 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1871 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1872 self.assertTrue(len(res1) == 1)
1873 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1874 ATYPE_WORKSTATION_TRUST)
1877 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1878 m["userAccountControl
"] = MessageElement(
1879 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1880 FLAG_MOD_REPLACE, "userAccountControl
")
1883 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1884 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1885 self.assertTrue(len(res1) == 1)
1886 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1887 ATYPE_NORMAL_ACCOUNT)
1890 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1891 m["userAccountControl
"] = MessageElement(
1892 str(UF_SERVER_TRUST_ACCOUNT),
1893 FLAG_MOD_REPLACE, "userAccountControl
")
1896 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1897 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1898 self.assertTrue(len(res1) == 1)
1899 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1900 ATYPE_WORKSTATION_TRUST)
1903 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1904 m["userAccountControl
"] = MessageElement(
1905 str(UF_WORKSTATION_TRUST_ACCOUNT),
1906 FLAG_MOD_REPLACE, "userAccountControl
")
1909 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1910 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1911 self.assertTrue(len(res1) == 1)
1912 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1913 ATYPE_WORKSTATION_TRUST)
1915 # This isn't supported yet in s4 - needs ACL module adaption
1918 # m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1919 # m["userAccountControl
"] = MessageElement(
1920 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1921 # FLAG_MOD_REPLACE, "userAccountControl
")
1924 # except LdbError, (num, _):
1925 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1927 # "primaryGroupID
" does not change if account type remains the same
1929 # For a user account
1932 "dn
": "cn
=ldaptestuser2
,cn
=users
," + self.base_dn,
1933 "objectclass
": "user
",
1934 "userAccountControl
": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)})
1936 res1 = ldb.search("cn
=ldaptestuser2
,cn
=users
," + self.base_dn,
1938 attrs=["userAccountControl
"])
1939 self.assertTrue(len(res1) == 1)
1940 self.assertEquals(int(res1[0]["userAccountControl
"][0]),
1941 UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)
1944 m.dn = Dn(ldb, "<SID
=" + ldb.get_domain_sid() + "-" + str(DOMAIN_RID_ADMINS) + ">")
1945 m["member
"] = MessageElement(
1946 "cn
=ldaptestuser2
,cn
=users
," + self.base_dn, FLAG_MOD_ADD, "member
")
1950 m.dn = Dn(ldb, "cn
=ldaptestuser2
,cn
=users
," + self.base_dn)
1951 m["primaryGroupID
"] = MessageElement(str(DOMAIN_RID_ADMINS),
1952 FLAG_MOD_REPLACE, "primaryGroupID
")
1956 m.dn = Dn(ldb, "cn
=ldaptestuser2
,cn
=users
," + self.base_dn)
1957 m["userAccountControl
"] = MessageElement(
1958 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1959 FLAG_MOD_REPLACE, "userAccountControl
")
1962 res1 = ldb.search("cn
=ldaptestuser2
,cn
=users
," + self.base_dn,
1964 attrs=["userAccountControl
", "primaryGroupID
"])
1965 self.assertTrue(len(res1) == 1)
1966 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1967 self.assertEquals(int(res1[0]["primaryGroupID
"][0]), DOMAIN_RID_ADMINS)
1969 # For a workstation account
1971 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1973 attrs=["primaryGroupID
"])
1974 self.assertTrue(len(res1) == 1)
1975 self.assertEquals(int(res1[0]["primaryGroupID
"][0]), DOMAIN_RID_DOMAIN_MEMBERS)
1978 m.dn = Dn(ldb, "<SID
=" + ldb.get_domain_sid() + "-" + str(DOMAIN_RID_USERS) + ">")
1979 m["member
"] = MessageElement(
1980 "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn, FLAG_MOD_ADD, "member
")
1984 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1985 m["primaryGroupID
"] = MessageElement(str(DOMAIN_RID_USERS),
1986 FLAG_MOD_REPLACE, "primaryGroupID
")
1990 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1991 m["userAccountControl
"] = MessageElement(
1992 str(UF_WORKSTATION_TRUST_ACCOUNT),
1993 FLAG_MOD_REPLACE, "userAccountControl
")
1996 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1998 attrs=["primaryGroupID
"])
1999 self.assertTrue(len(res1) == 1)
2000 self.assertEquals(int(res1[0]["primaryGroupID
"][0]), DOMAIN_RID_USERS)
2002 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
2003 delete_force(self.ldb, "cn
=ldaptestuser2
,cn
=users
," + self.base_dn)
2004 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2006 def test_isCriticalSystemObject(self):
2007 """Test the isCriticalSystemObject behaviour"""
2008 print "Testing isCriticalSystemObject behaviour
\n"
2013 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2014 "objectclass
": "computer
"})
2016 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2018 attrs=["isCriticalSystemObject
"])
2019 self.assertTrue(len(res1) == 1)
2020 self.assertTrue("isCriticalSystemObject
" not in res1[0])
2022 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2025 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2026 "objectclass
": "computer
",
2027 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT)})
2029 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2031 attrs=["isCriticalSystemObject
"])
2032 self.assertTrue(len(res1) == 1)
2033 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "FALSE
")
2035 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2038 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2039 "objectclass
": "computer
",
2040 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)})
2042 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2044 attrs=["isCriticalSystemObject
"])
2045 self.assertTrue(len(res1) == 1)
2046 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2048 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2051 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2052 "objectclass
": "computer
",
2053 "userAccountControl
": str(UF_SERVER_TRUST_ACCOUNT)})
2055 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2057 attrs=["isCriticalSystemObject
"])
2058 self.assertTrue(len(res1) == 1)
2059 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2061 # Modification tests
2064 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2065 m["userAccountControl
"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
2066 FLAG_MOD_REPLACE, "userAccountControl
")
2069 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2071 attrs=["isCriticalSystemObject
"])
2072 self.assertTrue(len(res1) == 1)
2073 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2076 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2077 m["userAccountControl
"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT),
2078 FLAG_MOD_REPLACE, "userAccountControl
")
2081 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2083 attrs=["isCriticalSystemObject
"])
2084 self.assertTrue(len(res1) == 1)
2085 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "FALSE
")
2088 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2089 m["userAccountControl
"] = MessageElement(
2090 str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT),
2091 FLAG_MOD_REPLACE, "userAccountControl
")
2094 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2096 attrs=["isCriticalSystemObject
"])
2097 self.assertTrue(len(res1) == 1)
2098 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2101 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2102 m["userAccountControl
"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
2103 FLAG_MOD_REPLACE, "userAccountControl
")
2106 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2108 attrs=["isCriticalSystemObject
"])
2109 self.assertTrue(len(res1) == 1)
2110 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2113 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2114 m["userAccountControl
"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT),
2115 FLAG_MOD_REPLACE, "userAccountControl
")
2118 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2120 attrs=["isCriticalSystemObject
"])
2121 self.assertTrue(len(res1) == 1)
2122 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2125 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2126 m["userAccountControl
"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT),
2127 FLAG_MOD_REPLACE, "userAccountControl
")
2130 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2132 attrs=["isCriticalSystemObject
"])
2133 self.assertTrue(len(res1) == 1)
2134 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "FALSE
")
2136 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2138 def test_service_principal_name_updates(self):
2139 """Test the servicePrincipalNames update behaviour"""
2140 print "Testing servicePrincipalNames update behaviour
\n"
2143 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2144 "objectclass
": "computer
",
2145 "dNSHostName
": "testname
.testdom
"})
2147 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2148 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2149 self.assertTrue(len(res) == 1)
2150 self.assertFalse("servicePrincipalName
" in res[0])
2152 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2155 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2156 "objectclass
": "computer
",
2157 "servicePrincipalName
": "HOST
/testname
.testdom
"})
2159 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2160 scope=SCOPE_BASE, attrs=["dNSHostName
"])
2161 self.assertTrue(len(res) == 1)
2162 self.assertFalse("dNSHostName
" in res[0])
2164 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2167 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2168 "objectclass
": "computer
",
2169 "dNSHostName
": "testname2
.testdom
",
2170 "servicePrincipalName
": "HOST
/testname
.testdom
"})
2172 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2173 scope=SCOPE_BASE, attrs=["dNSHostName
"])
2174 self.assertTrue(len(res) == 1)
2175 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
2177 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2178 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2179 self.assertTrue(len(res) == 1)
2180 self.assertEquals(res[0]["servicePrincipalName
"][0],
2181 "HOST
/testname
.testdom
")
2184 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2185 m["dNSHostName
"] = MessageElement("testname
.testdoM
",
2186 FLAG_MOD_REPLACE, "dNSHostName
")
2189 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2190 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2191 self.assertTrue(len(res) == 1)
2192 self.assertEquals(res[0]["servicePrincipalName
"][0],
2193 "HOST
/testname
.testdom
")
2196 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2197 m["dNSHostName
"] = MessageElement("testname2
.testdom2
",
2198 FLAG_MOD_REPLACE, "dNSHostName
")
2201 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2202 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2203 self.assertTrue(len(res) == 1)
2204 self.assertEquals(res[0]["servicePrincipalName
"][0],
2205 "HOST
/testname2
.testdom2
")
2208 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2209 m["dNSHostName
"] = MessageElement([],
2210 FLAG_MOD_DELETE, "dNSHostName
")
2213 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2214 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2215 self.assertTrue(len(res) == 1)
2216 self.assertEquals(res[0]["servicePrincipalName
"][0],
2217 "HOST
/testname2
.testdom2
")
2220 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2221 m["dNSHostName
"] = MessageElement("testname
.testdom3
",
2222 FLAG_MOD_REPLACE, "dNSHostName
")
2225 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2226 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2227 self.assertTrue(len(res) == 1)
2228 self.assertEquals(res[0]["servicePrincipalName
"][0],
2229 "HOST
/testname2
.testdom2
")
2232 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2233 m["dNSHostName
"] = MessageElement("testname2
.testdom2
",
2234 FLAG_MOD_REPLACE, "dNSHostName
")
2238 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2239 m["dNSHostName
"] = MessageElement("testname3
.testdom3
",
2240 FLAG_MOD_REPLACE, "dNSHostName
")
2241 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
.testdom2
",
2243 "servicePrincipalName
")
2246 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2247 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2248 self.assertTrue(len(res) == 1)
2249 self.assertEquals(res[0]["servicePrincipalName
"][0],
2250 "HOST
/testname3
.testdom3
")
2253 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2254 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
.testdom2
",
2256 "servicePrincipalName
")
2257 m["dNSHostName
"] = MessageElement("testname4
.testdom4
",
2258 FLAG_MOD_REPLACE, "dNSHostName
")
2261 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2262 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2263 self.assertTrue(len(res) == 1)
2264 self.assertEquals(res[0]["servicePrincipalName
"][0],
2265 "HOST
/testname2
.testdom2
")
2268 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2269 m["servicePrincipalName
"] = MessageElement([],
2271 "servicePrincipalName
")
2275 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2276 m["dNSHostName
"] = MessageElement("testname2
.testdom2
",
2277 FLAG_MOD_REPLACE, "dNSHostName
")
2280 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2281 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2282 self.assertTrue(len(res) == 1)
2283 self.assertFalse("servicePrincipalName
" in res[0])
2285 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2288 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2289 "objectclass
": "computer
",
2290 "sAMAccountName
": "testname$
"})
2292 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2293 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2294 self.assertTrue(len(res) == 1)
2295 self.assertFalse("servicePrincipalName
" in res[0])
2297 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2300 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2301 "objectclass
": "computer
",
2302 "servicePrincipalName
": "HOST
/testname
"})
2304 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2305 scope=SCOPE_BASE, attrs=["sAMAccountName
"])
2306 self.assertTrue(len(res) == 1)
2307 self.assertTrue("sAMAccountName
" in res[0])
2309 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2312 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2313 "objectclass
": "computer
",
2314 "sAMAccountName
": "testname$
",
2315 "servicePrincipalName
": "HOST
/testname
"})
2317 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2318 scope=SCOPE_BASE, attrs=["sAMAccountName
"])
2319 self.assertTrue(len(res) == 1)
2320 self.assertEquals(res[0]["sAMAccountName
"][0], "testname$
")
2322 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2323 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2324 self.assertTrue(len(res) == 1)
2325 self.assertEquals(res[0]["servicePrincipalName
"][0],
2329 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2330 m["sAMAccountName
"] = MessageElement("testnamE$
",
2331 FLAG_MOD_REPLACE, "sAMAccountName
")
2334 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2335 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2336 self.assertTrue(len(res) == 1)
2337 self.assertEquals(res[0]["servicePrincipalName
"][0],
2341 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2342 m["sAMAccountName
"] = MessageElement("testname
",
2343 FLAG_MOD_REPLACE, "sAMAccountName
")
2346 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2347 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2348 self.assertTrue(len(res) == 1)
2349 self.assertEquals(res[0]["servicePrincipalName
"][0],
2353 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2354 m["sAMAccountName
"] = MessageElement("test$name$
",
2355 FLAG_MOD_REPLACE, "sAMAccountName
")
2358 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2359 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2360 self.assertTrue(len(res) == 1)
2361 self.assertEquals(res[0]["servicePrincipalName
"][0],
2365 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2366 m["sAMAccountName
"] = MessageElement("testname2
",
2367 FLAG_MOD_REPLACE, "sAMAccountName
")
2370 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2371 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2372 self.assertTrue(len(res) == 1)
2373 self.assertEquals(res[0]["servicePrincipalName
"][0],
2377 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2378 m["sAMAccountName
"] = MessageElement("testname3
",
2379 FLAG_MOD_REPLACE, "sAMAccountName
")
2380 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
",
2382 "servicePrincipalName
")
2385 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2386 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2387 self.assertTrue(len(res) == 1)
2388 self.assertEquals(res[0]["servicePrincipalName
"][0],
2392 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2393 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
",
2395 "servicePrincipalName
")
2396 m["sAMAccountName
"] = MessageElement("testname4
",
2397 FLAG_MOD_REPLACE, "sAMAccountName
")
2400 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2401 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2402 self.assertTrue(len(res) == 1)
2403 self.assertEquals(res[0]["servicePrincipalName
"][0],
2407 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2408 m["servicePrincipalName
"] = MessageElement([],
2410 "servicePrincipalName
")
2414 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2415 m["sAMAccountName
"] = MessageElement("testname2
",
2416 FLAG_MOD_REPLACE, "sAMAccountName
")
2419 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2420 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2421 self.assertTrue(len(res) == 1)
2422 self.assertFalse("servicePrincipalName
" in res[0])
2424 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2427 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2428 "objectclass
": "computer
",
2429 "dNSHostName
": "testname
.testdom
",
2430 "sAMAccountName
": "testname$
",
2431 "servicePrincipalName
": [ "HOST
/testname
.testdom
", "HOST
/testname
" ]
2435 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2436 m["dNSHostName
"] = MessageElement("testname2
.testdom
",
2437 FLAG_MOD_REPLACE, "dNSHostName
")
2438 m["sAMAccountName
"] = MessageElement("testname2$
",
2439 FLAG_MOD_REPLACE, "sAMAccountName
")
2442 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2443 scope=SCOPE_BASE, attrs=["dNSHostName
", "sAMAccountName
", "servicePrincipalName
"])
2444 self.assertTrue(len(res) == 1)
2445 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
2446 self.assertEquals(res[0]["sAMAccountName
"][0], "testname2$
")
2447 self.assertTrue(res[0]["servicePrincipalName
"][0] == "HOST
/testname2
" or
2448 res[0]["servicePrincipalName
"][1] == "HOST
/testname2
")
2449 self.assertTrue(res[0]["servicePrincipalName
"][0] == "HOST
/testname2
.testdom
" or
2450 res[0]["servicePrincipalName
"][1] == "HOST
/testname2
.testdom
")
2452 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2455 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2456 "objectclass
": "computer
",
2457 "dNSHostName
": "testname
.testdom
",
2458 "sAMAccountName
": "testname$
",
2459 "servicePrincipalName
": [ "HOST
/testname
.testdom
", "HOST
/testname
" ]
2463 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2464 m["sAMAccountName
"] = MessageElement("testname2$
",
2465 FLAG_MOD_REPLACE, "sAMAccountName
")
2466 m["dNSHostName
"] = MessageElement("testname2
.testdom
",
2467 FLAG_MOD_REPLACE, "dNSHostName
")
2470 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2471 scope=SCOPE_BASE, attrs=["dNSHostName
", "sAMAccountName
", "servicePrincipalName
"])
2472 self.assertTrue(len(res) == 1)
2473 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
2474 self.assertEquals(res[0]["sAMAccountName
"][0], "testname2$
")
2475 self.assertTrue(len(res[0]["servicePrincipalName
"]) == 2)
2476 self.assertTrue("HOST
/testname2
" in res[0]["servicePrincipalName
"])
2477 self.assertTrue("HOST
/testname2
.testdom
" in res[0]["servicePrincipalName
"])
2480 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2481 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
.testdom
",
2482 FLAG_MOD_ADD, "servicePrincipalName
")
2486 except LdbError, (num, _):
2487 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2490 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2491 m["servicePrincipalName
"] = MessageElement("HOST
/testname3
",
2492 FLAG_MOD_ADD, "servicePrincipalName
")
2495 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2496 scope=SCOPE_BASE, attrs=["dNSHostName
", "sAMAccountName
", "servicePrincipalName
"])
2497 self.assertTrue(len(res) == 1)
2498 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
2499 self.assertEquals(res[0]["sAMAccountName
"][0], "testname2$
")
2500 self.assertTrue(len(res[0]["servicePrincipalName
"]) == 3)
2501 self.assertTrue("HOST
/testname2
" in res[0]["servicePrincipalName
"])
2502 self.assertTrue("HOST
/testname3
" in res[0]["servicePrincipalName
"])
2503 self.assertTrue("HOST
/testname2
.testdom
" in res[0]["servicePrincipalName
"])
2506 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2507 m["dNSHostName
"] = MessageElement("testname3
.testdom
",
2508 FLAG_MOD_REPLACE, "dNSHostName
")
2509 m["servicePrincipalName
"] = MessageElement("HOST
/testname3
.testdom
",
2510 FLAG_MOD_ADD, "servicePrincipalName
")
2513 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2514 scope=SCOPE_BASE, attrs=["dNSHostName
", "sAMAccountName
", "servicePrincipalName
"])
2515 self.assertTrue(len(res) == 1)
2516 self.assertEquals(res[0]["dNSHostName
"][0], "testname3
.testdom
")
2517 self.assertEquals(res[0]["sAMAccountName
"][0], "testname2$
")
2518 self.assertTrue(len(res[0]["servicePrincipalName
"]) == 3)
2519 self.assertTrue("HOST
/testname2
" in res[0]["servicePrincipalName
"])
2520 self.assertTrue("HOST
/testname3
" in res[0]["servicePrincipalName
"])
2521 self.assertTrue("HOST
/testname3
.testdom
" in res[0]["servicePrincipalName
"])
2523 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2525 def test_sam_description_attribute(self):
2526 """Test SAM description attribute"""
2527 print "Test SAM description attribute
"""
2530 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2531 "description": "desc2",
2532 "objectclass": "group",
2533 "description": "desc1"})
2535 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2536 scope=SCOPE_BASE, attrs=["description"])
2537 self.assertTrue(len(res) == 1)
2538 self.assertTrue("description" in res[0])
2539 self.assertTrue(len(res[0]["description"]) == 1)
2540 self.assertEquals(res[0]["description"][0], "desc1")
2542 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2545 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2546 "objectclass": "group",
2547 "description": ["desc1", "desc2"]})
2549 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2550 scope=SCOPE_BASE, attrs=["description"])
2551 self.assertTrue(len(res) == 1)
2552 self.assertTrue("description" in res[0])
2553 self.assertTrue(len(res[0]["description"]) == 2)
2554 self.assertTrue(res[0]["description"][0] == "desc1" or
2555 res[0]["description"][1] == "desc1")
2556 self.assertTrue(res[0]["description"][0] == "desc2" or
2557 res[0]["description"][1] == "desc2")
2560 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2561 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2566 except LdbError, (num, _):
2567 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2570 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2571 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2575 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2578 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2579 "objectclass": "group" })
2582 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2583 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2587 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2588 scope=SCOPE_BASE, attrs=["description"])
2589 self.assertTrue(len(res) == 1)
2590 self.assertTrue("description" in res[0])
2591 self.assertTrue(len(res[0]["description"]) == 1)
2592 self.assertEquals(res[0]["description"][0], "desc1")
2594 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2597 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2598 "objectclass": "group",
2599 "description": ["desc1", "desc2"]})
2602 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2603 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2607 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2608 scope=SCOPE_BASE, attrs=["description"])
2609 self.assertTrue(len(res) == 1)
2610 self.assertTrue("description" in res[0])
2611 self.assertTrue(len(res[0]["description"]) == 1)
2612 self.assertEquals(res[0]["description"][0], "desc1")
2615 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2616 m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
2621 except LdbError, (num, _):
2622 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2625 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2626 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2631 except LdbError, (num, _):
2632 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
2635 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2636 m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
2639 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2640 scope=SCOPE_BASE, attrs=["description"])
2641 self.assertTrue(len(res) == 1)
2642 self.assertFalse("description" in res[0])
2645 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2646 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2651 except LdbError, (num, _):
2652 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2655 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2656 m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
2661 except LdbError, (num, _):
2662 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2665 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2666 m["description"] = MessageElement("desc1", FLAG_MOD_ADD,
2670 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2671 scope=SCOPE_BASE, attrs=["description"])
2672 self.assertTrue(len(res) == 1)
2673 self.assertTrue("description" in res[0])
2674 self.assertTrue(len(res[0]["description"]) == 1)
2675 self.assertEquals(res[0]["description"][0], "desc1")
2678 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2679 m.add(MessageElement("desc1", FLAG_MOD_DELETE, "description"))
2680 m.add(MessageElement("desc2", FLAG_MOD_ADD, "description"))
2683 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2684 scope=SCOPE_BASE, attrs=["description"])
2685 self.assertTrue(len(res) == 1)
2686 self.assertTrue("description" in res[0])
2687 self.assertTrue(len(res[0]["description"]) == 1)
2688 self.assertEquals(res[0]["description"][0], "desc2")
2690 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2693 def test_fSMORoleOwner_attribute(self):
2694 """Test fSMORoleOwner attribute
"""
2695 print "Test fSMORoleOwner attribute"""
2697 ds_service_name
= self
.ldb
.get_dsServiceName()
2699 # The "fSMORoleOwner" attribute can only be set to "nTDSDSA" entries,
2700 # invalid DNs return ERR_UNWILLING_TO_PERFORM
2704 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
2705 "objectclass": "group",
2706 "fSMORoleOwner": self
.base_dn
})
2708 except LdbError
, (num
, _
):
2709 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
2713 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
2714 "objectclass": "group",
2715 "fSMORoleOwner": [] })
2717 except LdbError
, (num
, _
):
2718 self
.assertEquals(num
, ERR_CONSTRAINT_VIOLATION
)
2720 # We are able to set it to a valid "nTDSDSA" entry if the server is
2721 # capable of handling the role
2724 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
2725 "objectclass": "group",
2726 "fSMORoleOwner": ds_service_name
})
2728 delete_force(self
.ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2731 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
2732 "objectclass": "group" })
2735 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2736 m
.add(MessageElement(self
.base_dn
, FLAG_MOD_REPLACE
, "fSMORoleOwner"))
2740 except LdbError
, (num
, _
):
2741 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
2744 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2745 m
.add(MessageElement([], FLAG_MOD_REPLACE
, "fSMORoleOwner"))
2749 except LdbError
, (num
, _
):
2750 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
2752 # We are able to set it to a valid "nTDSDSA" entry if the server is
2753 # capable of handling the role
2756 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2757 m
.add(MessageElement(ds_service_name
, FLAG_MOD_REPLACE
, "fSMORoleOwner"))
2760 # A clean-out works on plain entries, not master (schema, PDC...) DNs
2763 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2764 m
.add(MessageElement([], FLAG_MOD_DELETE
, "fSMORoleOwner"))
2767 delete_force(self
.ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2770 if not "://" in host
:
2771 if os
.path
.isfile(host
):
2772 host
= "tdb://%s" % host
2774 host
= "ldap://%s" % host
2776 ldb
= SamDB(host
, credentials
=creds
, session_info
=system_session(lp
), lp
=lp
)
2778 runner
= SubunitTestRunner()
2780 if not runner
.run(unittest
.makeSuite(SamTests
)).wasSuccessful():