| blob | 361a10898d36131887c75dac93d03df2df7a37d4 |
1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3 # This is a port of the original in testprogs/ejs/ldap.js
5 import optparse
6 import sys
7 import os
10 import samba
34 GTYPE_DISTRIBUTION_UNIVERSAL_GROUP,
38 ATYPE_WORKSTATION_TRUST)
43 import unittest
52 # use command line creds if available
83 """This tests the SAM users and groups behaviour"""
106 # Try to create a user with an invalid account name
117 # Try to create a user with an invalid account name
128 # Try to create a user with an invalid primary group
139 # Try to Create a user with a valid primary group
150 # Test to see how we should behave when the user account doesn't
151 # exist
162 # Test to see how we should behave when the account isn't a user
173 # Test default primary groups on add operations
198 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
199 # since such accounts aren't directly creatable (ACCESS_DENIED)
225 # Read-only DC accounts are only creatable by
226 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
227 # we have a fallback in the assertion)
231 "userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD) })
241 # Test default primary groups on modify operations
249 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
258 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
259 # since such accounts aren't directly creatable (ACCESS_DENIED)
274 m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
285 m["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
294 # Read-only DC accounts are only creatable by
295 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
296 # we have a fallback in the assertion)
299 m["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_REPLACE,
311 # Recreate account for further tests
317 # Try to set an invalid account name
328 # But to reset the actual "sAMAccountName" should still be possible
338 # And another (free) name should be possible as well
345 # We should be able to reset our actual primary group
352 # Try to add invalid primary group
363 # Try to make group 1 primary - should be denied since it is not yet
364 # secondary
375 # Make group 1 secondary
382 # Make group 1 primary
389 # Try to delete group 1 - should be denied
396 # Try to add group 1 also as secondary - should be denied
407 # Try to add invalid member to group 1 - should be denied
419 # Make group 2 secondary
426 # Swap the groups
433 # Swap the groups (does not really make sense but does the same)
442 # Old primary group should contain a "member" attribute for the user,
443 # the new shouldn't contain anymore one
456 # Primary group member
467 # Delete invalid group member
478 # Also this should be denied
488 # Recreate user accounts
506 # Already added
517 # Already added, but as <SID=...>
533 # Invalid member
544 # Invalid member
556 # Invalid member
581 # Make also a small test for accounts with special DNs ("," in this case)
588 """Test the behaviour of special attributes of SAM objects"""
591 ldb.add({
594 ldb.add({
598 m = Message()
602 try:
603 ldb.modify(m)
604 self.fail()
605 except LdbError, (num, _):
606 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
608 # Delete protection tests
613 m = Message()
615 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
616 try:
617 ldb.modify(m)
618 self.fail()
619 except LdbError, (num, _):
620 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
622 m = Message()
624 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
625 try:
626 ldb.modify(m)
627 self.fail()
628 except LdbError, (num, _):
629 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
631 m = Message()
635 try:
636 ldb.modify(m)
637 self.fail()
638 except LdbError, (num, _):
639 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
641 m = Message()
643 m["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_ADD,
645 try:
646 ldb.modify(m)
647 self.fail()
648 except LdbError, (num, _):
649 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
651 m = Message()
655 try:
656 ldb.modify(m)
657 self.fail()
658 except LdbError, (num, _):
659 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
661 m = Message()
665 try:
666 ldb.modify(m)
667 self.fail()
668 except LdbError, (num, _):
669 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
671 m = Message()
675 try:
676 ldb.modify(m)
677 self.fail()
678 except LdbError, (num, _):
679 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
681 # Delete protection tests
689 m = Message()
691 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
692 try:
693 ldb.modify(m)
694 self.fail()
695 except LdbError, (num, _):
696 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
698 m = Message()
700 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
701 try:
702 ldb.modify(m)
703 self.fail()
704 except LdbError, (num, _):
705 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
710 def test_primary_group_token_constructed(self):
711 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
714 try:
715 ldb.add({
719 self.fail()
720 except LdbError, (num, _):
721 self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
724 ldb.add({
728 ldb.add({
732 # Testing for one invalid, and one valid operational attribute, but also the things they are built from
733 res1 = ldb.search(self.base_dn,
735 self.assertTrue(len(res1) == 1)
741 res1 = ldb.search(self.base_dn,
743 self.assertTrue(len(res1) == 1)
751 self.assertTrue(len(res1) == 1)
756 self.assertTrue(len(res1) == 1)
760 scope=SCOPE_BASE)
761 self.assertTrue(len(res1) == 1)
766 self.assertTrue(len(res1) == 1)
769 rid = security.dom_sid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])).split()[1]
770 self.assertEquals(primary_group_token, rid)
772 m = Message()
775 try:
776 ldb.modify(m)
777 self.fail()
778 except LdbError, (num, _):
779 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
784 def test_tokenGroups(self):
785 """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
790 self.assertTrue(len(res) == 1)
794 # (the exact number depends on the domain/forest function level and the
795 # DC software versions)
798 self.assertTrue(len(res) == 1)
801 ldb.add({
809 self.assertTrue(len(res) == 1)
814 domain_users_group_found = False
815 users_group_found = False
818 if rid == 513:
819 domain_users_group_found = True
820 if rid == 545:
821 users_group_found = True
823 self.assertTrue(domain_users_group_found)
824 self.assertTrue(users_group_found)
828 def test_groupType(self):
829 """Test the groupType behaviour"""
832 # You can never create or change to a
835 # Add operation
837 # Invalid attribute
838 try:
839 ldb.add({
843 self.fail()
844 except LdbError, (num, _):
845 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
848 try:
849 ldb.add({
853 self.fail()
854 except LdbError, (num, _):
855 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
858 ldb.add({
865 self.assertTrue(len(res1) == 1)
867 ATYPE_SECURITY_GLOBAL_GROUP)
870 ldb.add({
877 self.assertTrue(len(res1) == 1)
879 ATYPE_SECURITY_UNIVERSAL_GROUP)
882 ldb.add({
889 self.assertTrue(len(res1) == 1)
891 ATYPE_SECURITY_LOCAL_GROUP)
894 ldb.add({
901 self.assertTrue(len(res1) == 1)
903 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
906 ldb.add({
913 self.assertTrue(len(res1) == 1)
915 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
918 ldb.add({
925 self.assertTrue(len(res1) == 1)
927 ATYPE_DISTRIBUTION_LOCAL_GROUP)
930 # Modify operation
932 ldb.add({
936 # We can change in this direction: global <-> universal <-> local
937 # On each step also the group type itself (security/distribution) is
938 # variable.
943 self.assertTrue(len(res1) == 1)
945 ATYPE_SECURITY_GLOBAL_GROUP)
947 # Invalid attribute
948 try:
949 m = Message()
953 ldb.modify(m)
954 self.fail()
955 except LdbError, (num, _):
956 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
958 # Security groups
962 m = Message()
965 str(GTYPE_SECURITY_GLOBAL_GROUP),
967 ldb.modify(m)
971 self.assertTrue(len(res1) == 1)
973 ATYPE_SECURITY_GLOBAL_GROUP)
977 try:
978 m = Message()
981 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
983 ldb.modify(m)
984 self.fail()
985 except LdbError, (num, _):
986 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
990 m = Message()
993 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
995 ldb.modify(m)
999 self.assertTrue(len(res1) == 1)
1001 ATYPE_SECURITY_UNIVERSAL_GROUP)
1005 m = Message()
1008 str(GTYPE_SECURITY_GLOBAL_GROUP),
1010 ldb.modify(m)
1014 self.assertTrue(len(res1) == 1)
1016 ATYPE_SECURITY_GLOBAL_GROUP)
1020 m = Message()
1023 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1025 ldb.modify(m)
1029 self.assertTrue(len(res1) == 1)
1031 ATYPE_SECURITY_UNIVERSAL_GROUP)
1035 m = Message()
1038 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1040 ldb.modify(m)
1044 self.assertTrue(len(res1) == 1)
1046 ATYPE_SECURITY_LOCAL_GROUP)
1050 try:
1051 m = Message()
1054 str(GTYPE_SECURITY_GLOBAL_GROUP),
1056 ldb.modify(m)
1057 self.fail()
1058 except LdbError, (num, _):
1059 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1063 try:
1064 m = Message()
1067 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1069 ldb.modify(m)
1070 self.fail()
1071 except LdbError, (num, _):
1072 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1074 m = Message()
1079 m = Message()
1082 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1084 ldb.modify(m)
1088 self.assertTrue(len(res1) == 1)
1090 ATYPE_SECURITY_UNIVERSAL_GROUP)
1094 try:
1095 m = Message()
1098 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1100 ldb.modify(m)
1101 self.fail()
1102 except LdbError, (num, _):
1103 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1107 m = Message()
1110 str(GTYPE_SECURITY_GLOBAL_GROUP),
1112 ldb.modify(m)
1116 self.assertTrue(len(res1) == 1)
1118 ATYPE_SECURITY_GLOBAL_GROUP)
1122 try:
1123 m = Message()
1126 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1128 ldb.modify(m)
1129 self.fail()
1130 except LdbError, (num, _):
1131 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1133 # Distribution groups
1137 m = Message()
1140 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1142 ldb.modify(m)
1146 self.assertTrue(len(res1) == 1)
1148 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1150 # Change to local (shouldn't work)
1152 try:
1153 m = Message()
1156 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1158 ldb.modify(m)
1159 self.fail()
1160 except LdbError, (num, _):
1161 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1165 m = Message()
1168 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1170 ldb.modify(m)
1174 self.assertTrue(len(res1) == 1)
1176 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1180 m = Message()
1183 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1185 ldb.modify(m)
1189 self.assertTrue(len(res1) == 1)
1191 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1195 m = Message()
1198 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1200 ldb.modify(m)
1204 self.assertTrue(len(res1) == 1)
1206 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1210 m = Message()
1213 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1215 ldb.modify(m)
1219 self.assertTrue(len(res1) == 1)
1221 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1225 try:
1226 m = Message()
1229 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1231 ldb.modify(m)
1232 self.fail()
1233 except LdbError, (num, _):
1234 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1238 # Try to add invalid member to group 1 - should be denied
1239 m = Message()
1244 try:
1245 ldb.modify(m)
1246 self.fail()
1247 except LdbError, (num, _):
1248 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1250 # Make group 2 secondary
1251 m = Message()
1254 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1256 ldb.modify(m)
1260 self.assertTrue(len(res1) == 1)
1262 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1266 m = Message()
1269 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1271 ldb.modify(m)
1275 self.assertTrue(len(res1) == 1)
1277 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1279 # Both group types: this performs only random checks - all possibilities
1280 # would require too much code.
1284 m = Message()
1287 str(GTYPE_SECURITY_GLOBAL_GROUP),
1289 ldb.modify(m)
1293 self.assertTrue(len(res1) == 1)
1295 ATYPE_SECURITY_GLOBAL_GROUP)
1299 try:
1300 m = Message()
1303 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1305 ldb.modify(m)
1306 self.fail()
1307 except LdbError, (num, _):
1308 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1312 m = Message()
1315 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1317 ldb.modify(m)
1321 self.assertTrue(len(res1) == 1)
1323 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1327 m = Message()
1330 str(GTYPE_SECURITY_GLOBAL_GROUP),
1332 ldb.modify(m)
1336 self.assertTrue(len(res1) == 1)
1338 ATYPE_SECURITY_GLOBAL_GROUP)
1342 m = Message()
1345 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1347 ldb.modify(m)
1351 self.assertTrue(len(res1) == 1)
1353 ATYPE_SECURITY_UNIVERSAL_GROUP)
1357 m = Message()
1360 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1362 ldb.modify(m)
1366 self.assertTrue(len(res1) == 1)
1368 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1372 try:
1373 m = Message()
1376 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1378 ldb.modify(m)
1379 self.fail()
1380 except LdbError, (num, _):
1381 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1385 m = Message()
1388 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1390 ldb.modify(m)
1394 self.assertTrue(len(res1) == 1)
1396 ATYPE_SECURITY_UNIVERSAL_GROUP)
1400 m = Message()
1403 str(GTYPE_SECURITY_GLOBAL_GROUP),
1405 ldb.modify(m)
1409 self.assertTrue(len(res1) == 1)
1411 ATYPE_SECURITY_GLOBAL_GROUP)
1415 def test_userAccountControl(self):
1416 """Test the userAccountControl behaviour"""
1419 # With a user object
1421 # Add operation
1423 # As user you can only set a normal account.
1424 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1425 # password yet.
1426 # With SYSTEM rights you can set a interdomain trust account.
1428 ldb.add({
1434 scope=SCOPE_BASE,
1436 self.assertTrue(len(res1) == 1)
1438 ATYPE_NORMAL_ACCOUNT)
1443 # This has to wait until s4 supports it (needs a password module change)
1444 # try:
1445 # ldb.add({
1449 # self.fail()
1450 # except LdbError, (num, _):
1451 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1454 ldb.add({
1460 scope=SCOPE_BASE,
1462 self.assertTrue(len(res1) == 1)
1464 ATYPE_NORMAL_ACCOUNT)
1468 try:
1469 ldb.add({
1473 self.fail()
1474 except LdbError, (num, _):
1475 self.assertEquals(num, ERR_OTHER)
1478 try:
1479 ldb.add({
1483 self.fail()
1484 except LdbError, (num, _):
1485 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1488 try:
1489 ldb.add({
1493 except LdbError, (num, _):
1494 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1497 try:
1498 ldb.add({
1502 except LdbError, (num, _):
1503 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1506 # This isn't supported yet in s4 - needs ACL module adaption
1507 # try:
1508 # ldb.add({
1512 # self.fail()
1513 # except LdbError, (num, _):
1514 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1517 # Modify operation
1519 ldb.add({
1523 # After creation we should have a normal account
1525 scope=SCOPE_BASE,
1527 self.assertTrue(len(res1) == 1)
1529 ATYPE_NORMAL_ACCOUNT)
1532 # As user you can only switch from a normal account to a workstation
1533 # trust account and back.
1534 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1535 # password yet.
1536 # With SYSTEM rights you can switch to a interdomain trust account.
1538 # Invalid attribute
1539 try:
1540 m = Message()
1544 ldb.modify(m)
1545 except LdbError, (num, _):
1546 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1548 # This has to wait until s4 supports it (needs a password module change)
1549 # try:
1550 # m = Message()
1553 # str(UF_NORMAL_ACCOUNT),
1555 # ldb.modify(m)
1556 # except LdbError, (num, _):
1557 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1559 m = Message()
1562 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1564 ldb.modify(m)
1567 scope=SCOPE_BASE,
1569 self.assertTrue(len(res1) == 1)
1571 ATYPE_NORMAL_ACCOUNT)
1574 m = Message()
1577 str(UF_ACCOUNTDISABLE),
1579 ldb.modify(m)
1582 scope=SCOPE_BASE,
1584 self.assertTrue(len(res1) == 1)
1586 ATYPE_NORMAL_ACCOUNT)
1590 try:
1591 m = Message()
1594 str(UF_TEMP_DUPLICATE_ACCOUNT),
1596 ldb.modify(m)
1597 self.fail()
1598 except LdbError, (num, _):
1599 self.assertEquals(num, ERR_OTHER)
1601 try:
1602 m = Message()
1605 str(UF_SERVER_TRUST_ACCOUNT),
1607 ldb.modify(m)
1608 self.fail()
1609 except LdbError, (num, _):
1610 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1612 m = Message()
1615 str(UF_WORKSTATION_TRUST_ACCOUNT),
1617 ldb.modify(m)
1619 try:
1620 m = Message()
1623 str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT),
1625 ldb.modify(m)
1626 self.fail()
1627 except LdbError, (num, _):
1628 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1632 self.assertTrue(len(res1) == 1)
1634 ATYPE_WORKSTATION_TRUST)
1636 m = Message()
1639 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1641 ldb.modify(m)
1645 self.assertTrue(len(res1) == 1)
1647 ATYPE_NORMAL_ACCOUNT)
1649 # This isn't supported yet in s4 - needs ACL module adaption
1650 # try:
1651 # m = Message()
1654 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1656 # ldb.modify(m)
1657 # self.fail()
1658 # except LdbError, (num, _):
1659 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1661 # With a computer object
1663 # Add operation
1665 # As computer you can set a normal account and a server trust account.
1666 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1667 # password yet.
1668 # With SYSTEM rights you can set a interdomain trust account.
1670 ldb.add({
1676 scope=SCOPE_BASE,
1678 self.assertTrue(len(res1) == 1)
1680 ATYPE_NORMAL_ACCOUNT)
1685 # This has to wait until s4 supports it (needs a password module change)
1686 # try:
1687 # ldb.add({
1691 # self.fail()
1692 # except LdbError, (num, _):
1693 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1696 ldb.add({
1702 scope=SCOPE_BASE,
1704 self.assertTrue(len(res1) == 1)
1706 ATYPE_NORMAL_ACCOUNT)
1710 try:
1711 ldb.add({
1715 self.fail()
1716 except LdbError, (num, _):
1717 self.assertEquals(num, ERR_OTHER)
1720 ldb.add({
1727 self.assertTrue(len(res1) == 1)
1729 ATYPE_WORKSTATION_TRUST)
1732 try:
1733 ldb.add({
1737 except LdbError, (num, _):
1738 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1741 # This isn't supported yet in s4 - needs ACL module adaption
1742 # try:
1743 # ldb.add({
1747 # self.fail()
1748 # except LdbError, (num, _):
1749 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1752 # Modify operation
1754 ldb.add({
1758 # After creation we should have a normal account
1760 scope=SCOPE_BASE,
1762 self.assertTrue(len(res1) == 1)
1764 ATYPE_NORMAL_ACCOUNT)
1767 # As computer you can switch from a normal account to a workstation
1768 # or server trust account and back (also swapping between trust
1769 # accounts is allowed).
1770 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1771 # password yet.
1772 # With SYSTEM rights you can switch to a interdomain trust account.
1774 # Invalid attribute
1775 try:
1776 m = Message()
1780 ldb.modify(m)
1781 except LdbError, (num, _):
1782 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1784 # This has to wait until s4 supports it (needs a password module change)
1785 # try:
1786 # m = Message()
1789 # str(UF_NORMAL_ACCOUNT),
1791 # ldb.modify(m)
1792 # except LdbError, (num, _):
1793 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1795 m = Message()
1798 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1800 ldb.modify(m)
1803 scope=SCOPE_BASE,
1805 self.assertTrue(len(res1) == 1)
1807 ATYPE_NORMAL_ACCOUNT)
1810 m = Message()
1813 str(UF_ACCOUNTDISABLE),
1815 ldb.modify(m)
1818 scope=SCOPE_BASE,
1820 self.assertTrue(len(res1) == 1)
1822 ATYPE_NORMAL_ACCOUNT)
1826 try:
1827 m = Message()
1830 str(UF_TEMP_DUPLICATE_ACCOUNT),
1832 ldb.modify(m)
1833 self.fail()
1834 except LdbError, (num, _):
1835 self.assertEquals(num, ERR_OTHER)
1837 m = Message()
1840 str(UF_SERVER_TRUST_ACCOUNT),
1842 ldb.modify(m)
1846 self.assertTrue(len(res1) == 1)
1848 ATYPE_WORKSTATION_TRUST)
1850 m = Message()
1853 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1855 ldb.modify(m)
1859 self.assertTrue(len(res1) == 1)
1861 ATYPE_NORMAL_ACCOUNT)
1863 m = Message()
1866 str(UF_WORKSTATION_TRUST_ACCOUNT),
1868 ldb.modify(m)
1872 self.assertTrue(len(res1) == 1)
1874 ATYPE_WORKSTATION_TRUST)
1876 m = Message()
1879 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1881 ldb.modify(m)
1885 self.assertTrue(len(res1) == 1)
1887 ATYPE_NORMAL_ACCOUNT)
1889 m = Message()
1892 str(UF_SERVER_TRUST_ACCOUNT),
1894 ldb.modify(m)
1898 self.assertTrue(len(res1) == 1)
1900 ATYPE_WORKSTATION_TRUST)
1902 m = Message()
1905 str(UF_WORKSTATION_TRUST_ACCOUNT),
1907 ldb.modify(m)
1911 self.assertTrue(len(res1) == 1)
1913 ATYPE_WORKSTATION_TRUST)
1915 # This isn't supported yet in s4 - needs ACL module adaption
1916 # try:
1917 # m = Message()
1920 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1922 # ldb.modify(m)
1923 # self.fail()
1924 # except LdbError, (num, _):
1925 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1929 # For a user account
1931 ldb.add({
1937 scope=SCOPE_BASE,
1939 self.assertTrue(len(res1) == 1)
1941 UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)
1943 m = Message()
1947 ldb.modify(m)
1949 m = Message()
1953 ldb.modify(m)
1955 m = Message()
1958 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1960 ldb.modify(m)
1963 scope=SCOPE_BASE,
1965 self.assertTrue(len(res1) == 1)
1969 # For a workstation account
1972 scope=SCOPE_BASE,
1974 self.assertTrue(len(res1) == 1)
1977 m = Message()
1981 ldb.modify(m)
1983 m = Message()
1987 ldb.modify(m)
1989 m = Message()
1992 str(UF_WORKSTATION_TRUST_ACCOUNT),
1994 ldb.modify(m)
1997 scope=SCOPE_BASE,
1999 self.assertTrue(len(res1) == 1)
2006 def test_isCriticalSystemObject(self):
2007 """Test the isCriticalSystemObject behaviour"""
2010 # Add tests
2012 ldb.add({
2017 scope=SCOPE_BASE,
2019 self.assertTrue(len(res1) == 1)
2024 ldb.add({
2030 scope=SCOPE_BASE,
2032 self.assertTrue(len(res1) == 1)
2037 ldb.add({
2043 scope=SCOPE_BASE,
2045 self.assertTrue(len(res1) == 1)
2050 ldb.add({
2056 scope=SCOPE_BASE,
2058 self.assertTrue(len(res1) == 1)
2061 # Modification tests
2063 m = Message()
2067 ldb.modify(m)
2070 scope=SCOPE_BASE,
2072 self.assertTrue(len(res1) == 1)
2075 m = Message()
2079 ldb.modify(m)
2082 scope=SCOPE_BASE,
2084 self.assertTrue(len(res1) == 1)
2087 m = Message()
2090 str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT),
2092 ldb.modify(m)
2095 scope=SCOPE_BASE,
2097 self.assertTrue(len(res1) == 1)
2100 m = Message()
2104 ldb.modify(m)
2107 scope=SCOPE_BASE,
2109 self.assertTrue(len(res1) == 1)
2112 m = Message()
2116 ldb.modify(m)
2119 scope=SCOPE_BASE,
2121 self.assertTrue(len(res1) == 1)
2124 m = Message()
2128 ldb.modify(m)
2131 scope=SCOPE_BASE,
2133 self.assertTrue(len(res1) == 1)
2138 def test_service_principal_name_updates(self):
2139 """Test the servicePrincipalNames update behaviour"""
2142 ldb.add({
2149 self.assertTrue(len(res) == 1)
2154 ldb.add({
2161 self.assertTrue(len(res) == 1)
2166 ldb.add({
2174 self.assertTrue(len(res) == 1)
2179 self.assertTrue(len(res) == 1)
2183 m = Message()
2187 ldb.modify(m)
2191 self.assertTrue(len(res) == 1)
2195 m = Message()
2199 ldb.modify(m)
2203 self.assertTrue(len(res) == 1)
2207 m = Message()
2211 ldb.modify(m)
2215 self.assertTrue(len(res) == 1)
2219 m = Message()
2223 ldb.modify(m)
2227 self.assertTrue(len(res) == 1)
2231 m = Message()
2235 ldb.modify(m)
2237 m = Message()
2242 FLAG_MOD_REPLACE,
2244 ldb.modify(m)
2248 self.assertTrue(len(res) == 1)
2252 m = Message()
2255 FLAG_MOD_REPLACE,
2259 ldb.modify(m)
2263 self.assertTrue(len(res) == 1)
2267 m = Message()
2270 FLAG_MOD_DELETE,
2272 ldb.modify(m)
2274 m = Message()
2278 ldb.modify(m)
2282 self.assertTrue(len(res) == 1)
2287 ldb.add({
2294 self.assertTrue(len(res) == 1)
2299 ldb.add({
2306 self.assertTrue(len(res) == 1)
2311 ldb.add({
2319 self.assertTrue(len(res) == 1)
2324 self.assertTrue(len(res) == 1)
2328 m = Message()
2332 ldb.modify(m)
2336 self.assertTrue(len(res) == 1)
2340 m = Message()
2344 ldb.modify(m)
2348 self.assertTrue(len(res) == 1)
2352 m = Message()
2356 ldb.modify(m)
2360 self.assertTrue(len(res) == 1)
2364 m = Message()
2368 ldb.modify(m)
2372 self.assertTrue(len(res) == 1)
2376 m = Message()
2381 FLAG_MOD_REPLACE,
2383 ldb.modify(m)
2387 self.assertTrue(len(res) == 1)
2391 m = Message()
2394 FLAG_MOD_REPLACE,
2398 ldb.modify(m)
2402 self.assertTrue(len(res) == 1)
2406 m = Message()
2409 FLAG_MOD_DELETE,
2411 ldb.modify(m)
2413 m = Message()
2417 ldb.modify(m)
2421 self.assertTrue(len(res) == 1)
2426 ldb.add({
2432 })
2434 m = Message()
2440 ldb.modify(m)
2444 self.assertTrue(len(res) == 1)
2454 ldb.add({
2460 })
2462 m = Message()
2468 ldb.modify(m)
2472 self.assertTrue(len(res) == 1)
2479 m = Message()
2483 try:
2484 ldb.modify(m)
2485 self.fail()
2486 except LdbError, (num, _):
2487 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2489 m = Message()
2493 ldb.modify(m)
2497 self.assertTrue(len(res) == 1)
2505 m = Message()
2511 ldb.modify(m)
2515 self.assertTrue(len(res) == 1)
2525 def test_sam_description_attribute(self):
2526 """Test SAM description attribute"""
2529 self.ldb.add({
2530 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2531 "description": "desc2",
2532 "objectclass": "group",
2533 "description": "desc1"})
2535 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2536 scope=SCOPE_BASE, attrs=["description"])
2537 self.assertTrue(len(res) == 1)
2538 self.assertTrue("description" in res[0])
2539 self.assertTrue(len(res[0]["description"]) == 1)
2540 self.assertEquals(res[0]["description"][0], "desc1")
2542 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2544 self.ldb.add({
2545 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2546 "objectclass": "group",
2547 "description": ["desc1", "desc2"]})
2549 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2550 scope=SCOPE_BASE, attrs=["description"])
2551 self.assertTrue(len(res) == 1)
2552 self.assertTrue("description" in res[0])
2553 self.assertTrue(len(res[0]["description"]) == 2)
2554 self.assertTrue(res[0]["description"][0] == "desc1" or
2555 res[0]["description"][1] == "desc1")
2556 self.assertTrue(res[0]["description"][0] == "desc2" or
2557 res[0]["description"][1] == "desc2")
2559 m = Message()
2560 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2561 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2562 "description")
2563 try:
2564 ldb.modify(m)
2565 self.fail()
2566 except LdbError, (num, _):
2567 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2569 m = Message()
2570 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2571 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2572 "description")
2573 ldb.modify(m)
2575 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2577 self.ldb.add({
2578 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2579 "objectclass": "group" })
2581 m = Message()
2582 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2583 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2584 "description")
2585 ldb.modify(m)
2587 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2588 scope=SCOPE_BASE, attrs=["description"])
2589 self.assertTrue(len(res) == 1)
2590 self.assertTrue("description" in res[0])
2591 self.assertTrue(len(res[0]["description"]) == 1)
2592 self.assertEquals(res[0]["description"][0], "desc1")
2594 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2596 self.ldb.add({
2597 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2598 "objectclass": "group",
2599 "description": ["desc1", "desc2"]})
2601 m = Message()
2602 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2603 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2604 "description")
2605 ldb.modify(m)
2607 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2608 scope=SCOPE_BASE, attrs=["description"])
2609 self.assertTrue(len(res) == 1)
2610 self.assertTrue("description" in res[0])
2611 self.assertTrue(len(res[0]["description"]) == 1)
2612 self.assertEquals(res[0]["description"][0], "desc1")
2614 m = Message()
2615 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2616 m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
2617 "description")
2618 try:
2619 ldb.modify(m)
2620 self.fail()
2621 except LdbError, (num, _):
2622 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2624 m = Message()
2625 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2626 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2627 "description")
2628 try:
2629 ldb.modify(m)
2630 self.fail()
2631 except LdbError, (num, _):
2632 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
2634 m = Message()
2635 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2636 m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
2637 "description")
2638 ldb.modify(m)
2639 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2640 scope=SCOPE_BASE, attrs=["description"])
2641 self.assertTrue(len(res) == 1)
2642 self.assertFalse("description" in res[0])
2644 m = Message()
2645 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2646 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2647 "description")
2648 try:
2649 ldb.modify(m)
2650 self.fail()
2651 except LdbError, (num, _):
2652 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2654 m = Message()
2655 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2656 m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
2657 "description")
2658 try:
2659 ldb.modify(m)
2660 self.fail()
2661 except LdbError, (num, _):
2662 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2664 m = Message()
2665 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2666 m["description"] = MessageElement("desc1", FLAG_MOD_ADD,
2667 "description")
2668 ldb.modify(m)
2670 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2671 scope=SCOPE_BASE, attrs=["description"])
2672 self.assertTrue(len(res) == 1)
2673 self.assertTrue("description" in res[0])
2674 self.assertTrue(len(res[0]["description"]) == 1)
2675 self.assertEquals(res[0]["description"][0], "desc1")
2677 m = Message()
2678 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2679 m.add(MessageElement("desc1", FLAG_MOD_DELETE, "description"))
2680 m.add(MessageElement("desc2", FLAG_MOD_ADD, "description"))
2681 ldb.modify(m)
2683 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2684 scope=SCOPE_BASE, attrs=["description"])
2685 self.assertTrue(len(res) == 1)
2686 self.assertTrue("description" in res[0])
2687 self.assertTrue(len(res[0]["description"]) == 1)
2688 self.assertEquals(res[0]["description"][0], "desc2")
2690 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2693 def test_fSMORoleOwner_attribute(self):
2695 print "Test fSMORoleOwner attribute"""
2699 # The "fSMORoleOwner" attribute can only be set to "nTDSDSA" entries,
2700 # invalid DNs return ERR_UNWILLING_TO_PERFORM
2720 # We are able to set it to a valid "nTDSDSA" entry if the server is
2721 # capable of handling the role
2752 # We are able to set it to a valid "nTDSDSA" entry if the server is
2753 # capable of handling the role
2760 # A clean-out works on plain entries, not master (schema, PDC...) DNs