2 # -*- coding: utf-8 -*-
13 sys
.path
.append("bin/python")
14 sys
.path
.append("../lib/subunit/python")
16 import samba
.getopt
as options
18 # Some error messages that are being tested
19 from ldb
import SCOPE_SUBTREE
, SCOPE_ONELEVEL
, SCOPE_BASE
, LdbError
20 from ldb
import ERR_NO_SUCH_OBJECT
, ERR_INVALID_DN_SYNTAX
, ERR_UNWILLING_TO_PERFORM
21 from ldb
import ERR_INSUFFICIENT_ACCESS_RIGHTS
23 # For running the test unit
24 from samba
.ndr
import ndr_pack
, ndr_unpack
25 from samba
.dcerpc
import security
27 from samba
.auth
import system_session
28 from samba
import Ldb
, DS_DOMAIN_FUNCTION_2008
, SECINFO_OWNER
, \
29 SECINFO_GROUP
, SECINFO_DACL
, SECINFO_SACL
30 from subunit
import SubunitTestRunner
33 parser
= optparse
.OptionParser("sec_descriptor [options] <host>")
34 sambaopts
= options
.SambaOptions(parser
)
35 parser
.add_option_group(sambaopts
)
36 parser
.add_option_group(options
.VersionOptions(parser
))
38 # use command line creds if available
39 credopts
= options
.CredentialsOptions(parser
)
40 parser
.add_option_group(credopts
)
41 opts
, args
= parser
.parse_args()
49 lp
= sambaopts
.get_loadparm()
50 creds
= credopts
.get_credentials(lp
)
56 class DescriptorTests(unittest
.TestCase
):
58 def delete_force(self
, ldb
, dn
):
61 except LdbError
, (num
, _
):
62 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
64 def find_basedn(self
, ldb
):
65 res
= ldb
.search(base
="", expression
="", scope
=SCOPE_BASE
,
66 attrs
=["defaultNamingContext"])
67 self
.assertEquals(len(res
), 1)
68 return res
[0]["defaultNamingContext"][0]
70 def find_configurationdn(self
, ldb
):
71 res
= ldb
.search(base
="", expression
="", scope
=SCOPE_BASE
, attrs
=["configurationNamingContext"])
72 self
.assertEquals(len(res
), 1)
73 return res
[0]["configurationNamingContext"][0]
75 def find_schemadn(self
, ldb
):
76 res
= ldb
.search(base
="", expression
="", scope
=SCOPE_BASE
, attrs
=["schemaNamingContext"])
77 self
.assertEquals(len(res
), 1)
78 return res
[0]["schemaNamingContext"][0]
80 def find_domain_sid(self
, ldb
):
81 res
= ldb
.search(base
=self
.base_dn
, expression
="(objectClass=*)", scope
=SCOPE_BASE
)
82 return ndr_unpack( security
.dom_sid
,res
[0]["objectSid"][0])
84 def get_users_domain_dn(self
, name
):
85 return "CN=%s,CN=Users,%s" % (name
, self
.base_dn
)
87 def modify_desc(self
, _ldb
, object_dn
, desc
, controls
=None):
88 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
90 dn: """ + object_dn
+ """
92 replace: nTSecurityDescriptor
94 if isinstance(desc
, str):
95 mod
+= "nTSecurityDescriptor: %s" % desc
96 elif isinstance(desc
, security
.descriptor
):
97 mod
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
98 _ldb
.modify_ldif(mod
, controls
)
100 def create_domain_ou(self
, _ldb
, ou_dn
, desc
=None, controls
=None):
102 dn: """ + ou_dn
+ """
103 ou: """ + ou_dn
.split(",")[0][3:] + """
104 objectClass: organizationalUnit
108 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
109 if isinstance(desc
, str):
110 ldif
+= "nTSecurityDescriptor: %s" % desc
111 elif isinstance(desc
, security
.descriptor
):
112 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
113 _ldb
.add_ldif(ldif
, controls
)
115 def create_domain_user(self
, _ldb
, user_dn
, desc
=None):
117 dn: """ + user_dn
+ """
118 sAMAccountName: """ + user_dn
.split(",")[0][3:] + """
120 userPassword: samba123@
124 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
125 if isinstance(desc
, str):
126 ldif
+= "nTSecurityDescriptor: %s" % desc
127 elif isinstance(desc
, security
.descriptor
):
128 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
131 def create_domain_group(self
, _ldb
, group_dn
, desc
=None):
133 dn: """ + group_dn
+ """
135 sAMAccountName: """ + group_dn
.split(",")[0][3:] + """
140 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
141 if isinstance(desc
, str):
142 ldif
+= "nTSecurityDescriptor: %s" % desc
143 elif isinstance(desc
, security
.descriptor
):
144 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
147 def get_unique_schema_class_name(self
):
149 class_name
= "test-class%s" % random
.randint(1,100000)
150 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
152 self
.ldb_admin
.search(base
=class_dn
, attrs
=["*"])
153 except LdbError
, (num
, _
):
154 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
157 def create_schema_class(self
, _ldb
, object_dn
, desc
=None):
159 dn: """ + object_dn
+ """
160 objectClass: classSchema
161 objectCategory: CN=Class-Schema,""" + self
.schema_dn
+ """
162 defaultObjectCategory: """ + object_dn
+ """
163 distinguishedName: """ + object_dn
+ """
164 governsID: 1.2.840.""" + str(random
.randint(1,100000)) + """.1.5.9939
166 objectClassCategory: 1
167 subClassOf: organizationalPerson
170 systemMustContain: cn
174 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
175 if isinstance(desc
, str):
176 ldif
+= "nTSecurityDescriptor: %s" % desc
177 elif isinstance(desc
, security
.descriptor
):
178 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
181 def create_configuration_container(self
, _ldb
, object_dn
, desc
=None):
183 dn: """ + object_dn
+ """
184 objectClass: container
185 objectCategory: CN=Container,""" + self
.schema_dn
+ """
186 showInAdvancedViewOnly: TRUE
190 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
191 if isinstance(desc
, str):
192 ldif
+= "nTSecurityDescriptor: %s" % desc
193 elif isinstance(desc
, security
.descriptor
):
194 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
197 def create_configuration_specifier(self
, _ldb
, object_dn
, desc
=None):
199 dn: """ + object_dn
+ """
200 objectClass: displaySpecifier
201 showInAdvancedViewOnly: TRUE
204 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
205 if isinstance(desc
, str):
206 ldif
+= "nTSecurityDescriptor: %s" % desc
207 elif isinstance(desc
, security
.descriptor
):
208 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
211 def read_desc(self
, object_dn
, controls
=None):
212 res
= self
.ldb_admin
.search(base
=object_dn
, scope
=SCOPE_BASE
, attrs
=["nTSecurityDescriptor"], controls
=controls
)
213 desc
= res
[0]["nTSecurityDescriptor"][0]
214 return ndr_unpack(security
.descriptor
, desc
)
216 def enable_account(self
, user_dn
):
217 """Enable an account.
218 :param user_dn: Dn of the account to enable.
220 res
= self
.ldb_admin
.search(user_dn
, SCOPE_BASE
, None, ["userAccountControl"])
222 userAccountControl
= res
[0]["userAccountControl"][0]
223 userAccountControl
= int(userAccountControl
)
224 if (userAccountControl
& 0x2):
225 userAccountControl
= userAccountControl
& ~
0x2 # remove disabled bit
226 if (userAccountControl
& 0x20):
227 userAccountControl
= userAccountControl
& ~
0x20 # remove 'no password required' bit
229 dn: """ + user_dn
+ """
231 replace: userAccountControl
232 userAccountControl: %s""" % userAccountControl
234 mod
= re
.sub("userAccountControl: \d.*", "userAccountControl: 544", mod
)
235 self
.ldb_admin
.modify_ldif(mod
)
237 def get_ldb_connection(self
, target_username
, target_password
):
238 username_save
= creds
.get_username(); password_save
= creds
.get_password()
239 creds
.set_username(target_username
)
240 creds
.set_password(target_password
)
241 ldb_target
= Ldb(host
, credentials
=creds
, session_info
=system_session(), lp
=lp
)
242 creds
.set_username(username_save
); creds
.set_password(password_save
)
245 def get_object_sid(self
, object_dn
):
246 res
= self
.ldb_admin
.search(object_dn
)
247 return ndr_unpack( security
.dom_sid
, res
[0]["objectSid"][0] )
249 def dacl_add_ace(self
, object_dn
, ace
):
250 desc
= self
.read_desc( object_dn
)
251 desc_sddl
= desc
.as_sddl( self
.domain_sid
)
254 if desc_sddl
.find("(") >= 0:
255 desc_sddl
= desc_sddl
[:desc_sddl
.index("(")] + ace
+ desc_sddl
[desc_sddl
.index("("):]
257 desc_sddl
= desc_sddl
+ ace
258 self
.modify_desc(self
.ldb_admin
, object_dn
, desc_sddl
)
260 def get_desc_sddl(self
, object_dn
, controls
=None):
261 """ Return object nTSecutiryDescriptor in SDDL format
263 desc
= self
.read_desc(object_dn
, controls
)
264 return desc
.as_sddl(self
.domain_sid
)
268 self
.base_dn
= self
.find_basedn(self
.ldb_admin
)
269 self
.configuration_dn
= self
.find_configurationdn(self
.ldb_admin
)
270 self
.schema_dn
= self
.find_schemadn(self
.ldb_admin
)
271 self
.domain_sid
= self
.find_domain_sid(self
.ldb_admin
)
272 print "baseDN: %s" % self
.base_dn
273 self
.SAMBA
= False; self
.WIN2003
= False
274 res
= self
.ldb_admin
.search(base
="", expression
="", scope
=SCOPE_BASE
, attrs
=["vendorName"])
275 if "vendorName" in res
[0].keys() and "Samba Team" in res
[0]["vendorName"][0]:
280 ################################################################################################
284 # Default descriptor tests #####################################################################
286 class OwnerGroupDescriptorTests(DescriptorTests
):
289 DescriptorTests
.setUp(self
)
293 user_dn
= self
.get_users_domain_dn("testuser1")
294 self
.create_domain_user(self
.ldb_admin
, user_dn
)
295 self
.enable_account(user_dn
)
297 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
299 member: """ + user_dn
300 self
.ldb_admin
.modify_ldif(ldif
)
302 user_dn
= self
.get_users_domain_dn("testuser2")
303 self
.create_domain_user(self
.ldb_admin
, user_dn
)
304 self
.enable_account(user_dn
)
306 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
308 member: """ + user_dn
309 self
.ldb_admin
.modify_ldif(ldif
)
311 user_dn
= self
.get_users_domain_dn("testuser3")
312 self
.create_domain_user(self
.ldb_admin
, user_dn
)
313 self
.enable_account(user_dn
)
315 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
317 member: """ + user_dn
318 self
.ldb_admin
.modify_ldif(ldif
)
320 user_dn
= self
.get_users_domain_dn("testuser4")
321 self
.create_domain_user(self
.ldb_admin
, user_dn
)
322 self
.enable_account(user_dn
)
324 user_dn
= self
.get_users_domain_dn("testuser5")
325 self
.create_domain_user(self
.ldb_admin
, user_dn
)
326 self
.enable_account(user_dn
)
328 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
330 member: """ + user_dn
+ """
332 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
334 member: """ + user_dn
335 self
.ldb_admin
.modify_ldif(ldif
)
337 user_dn
= self
.get_users_domain_dn("testuser6")
338 self
.create_domain_user(self
.ldb_admin
, user_dn
)
339 self
.enable_account(user_dn
)
341 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
343 member: """ + user_dn
+ """
345 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
347 member: """ + user_dn
+ """
349 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
351 member: """ + user_dn
352 self
.ldb_admin
.modify_ldif(ldif
)
354 user_dn
= self
.get_users_domain_dn("testuser7")
355 self
.create_domain_user(self
.ldb_admin
, user_dn
)
356 self
.enable_account(user_dn
)
358 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
360 member: """ + user_dn
+ """
362 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
364 member: """ + user_dn
365 self
.ldb_admin
.modify_ldif(ldif
)
367 user_dn
= self
.get_users_domain_dn("testuser8")
368 self
.create_domain_user(self
.ldb_admin
, user_dn
)
369 self
.enable_account(user_dn
)
371 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
373 member: """ + user_dn
+ """
375 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
377 member: """ + user_dn
378 self
.ldb_admin
.modify_ldif(ldif
)
380 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
381 "ds_behavior_win2003" : {
431 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
432 "ds_behavior_win2008" : {
483 # Discover 'msDS-Behavior-Version'
484 res
= self
.ldb_admin
.search(base
=self
.base_dn
, expression
="distinguishedName=%s" % self
.base_dn
, \
485 attrs
=['msDS-Behavior-Version'])
486 res
= int(res
[0]['msDS-Behavior-Version'][0])
487 if res
< DS_DOMAIN_FUNCTION_2008
:
488 self
.DS_BEHAVIOR
= "ds_behavior_win2003"
490 self
.DS_BEHAVIOR
= "ds_behavior_win2008"
494 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser1"))
495 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser2"))
496 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser3"))
497 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser4"))
498 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser5"))
499 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser6"))
500 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser7"))
501 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser8"))
503 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("test_domain_group1"))
504 self
.delete_force(self
.ldb_admin
, "CN=test_domain_user1,OU=test_domain_ou1," + self
.base_dn
)
505 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou2,OU=test_domain_ou1," + self
.base_dn
)
506 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
509 self
.delete_force(self
.ldb_admin
, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
510 + self
.configuration_dn
)
511 self
.delete_force(self
.ldb_admin
, "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
)
513 def check_user_belongs(self
, user_dn
, groups
=[]):
514 """ Test wether user is member of the expected group(s) """
516 # User is member of at least one additional group
517 res
= self
.ldb_admin
.search(user_dn
, attrs
=["memberOf"])
518 res
= [x
.upper() for x
in sorted(list(res
[0]["memberOf"]))]
521 expected
.append(self
.get_users_domain_dn(x
))
522 expected
= [x
.upper() for x
in sorted(expected
)]
523 self
.assertEqual(expected
, res
)
525 # User is not a member of any additional groups but default
526 res
= self
.ldb_admin
.search(user_dn
, attrs
=["*"])
527 res
= [x
.upper() for x
in res
[0].keys()]
528 self
.assertFalse( "MEMBEROF" in res
)
530 def check_modify_inheritance(self
, _ldb
, object_dn
, owner_group
=""):
532 ace
= "(D;;CC;;;LG)" # Deny Create Children to Guest account
533 if owner_group
!= "":
534 self
.modify_desc(_ldb
, object_dn
, owner_group
+ "D:" + ace
)
536 self
.modify_desc(_ldb
, object_dn
, "D:" + ace
)
537 # Make sure the modify operation has been applied
538 desc_sddl
= self
.get_desc_sddl(object_dn
)
539 self
.assertTrue(ace
in desc_sddl
)
540 # Make sure we have identical result for both "add" and "modify"
541 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
542 print self
._testMethodName
543 test_number
= self
._testMethodName
[5:]
544 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][test_number
], res
)
547 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
549 user_name
= "testuser1"
550 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
551 # Open Ldb connection with the tested user
552 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
553 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
554 self
.delete_force(self
.ldb_admin
, object_dn
)
555 self
.create_domain_group(_ldb
, object_dn
)
556 desc_sddl
= self
.get_desc_sddl(object_dn
)
557 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
558 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
559 self
.check_modify_inheritance(_ldb
, object_dn
)
562 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
564 user_name
= "testuser2"
565 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
566 # Open Ldb connection with the tested user
567 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
568 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
569 self
.delete_force(self
.ldb_admin
, object_dn
)
570 self
.create_domain_group(_ldb
, object_dn
)
571 desc_sddl
= self
.get_desc_sddl(object_dn
)
572 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
573 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
574 self
.check_modify_inheritance(_ldb
, object_dn
)
577 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
579 user_name
= "testuser3"
580 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
581 # Open Ldb connection with the tested user
582 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
583 object_dn
= "OU=test_domain_ou1," + self
.base_dn
584 self
.delete_force(self
.ldb_admin
, object_dn
)
585 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
586 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
587 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
588 self
.dacl_add_ace(object_dn
, mod
)
589 # Create additional object into the first one
590 object_dn
= "CN=test_domain_user1," + object_dn
591 self
.delete_force(self
.ldb_admin
, object_dn
)
592 self
.create_domain_user(_ldb
, object_dn
)
593 desc_sddl
= self
.get_desc_sddl(object_dn
)
594 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
595 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
596 # This fails, research why
597 #self.check_modify_inheritance(_ldb, object_dn)
600 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
602 user_name
= "testuser4"
603 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
604 # Open Ldb connection with the tested user
605 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
606 object_dn
= "OU=test_domain_ou1," + self
.base_dn
607 self
.delete_force(self
.ldb_admin
, object_dn
)
608 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
609 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
610 mod
= "(A;CI;WPWDCC;;;%s)" % str(user_sid
)
611 self
.dacl_add_ace(object_dn
, mod
)
612 # Create additional object into the first one
613 object_dn
= "CN=test_domain_user1," + object_dn
614 self
.delete_force(self
.ldb_admin
, object_dn
)
615 self
.create_domain_user(_ldb
, object_dn
)
616 desc_sddl
= self
.get_desc_sddl(object_dn
)
617 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
618 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
619 #this fails, research why
620 #self.check_modify_inheritance(_ldb, object_dn)
623 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
625 user_name
= "testuser5"
626 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
627 # Open Ldb connection with the tested user
628 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
629 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
630 self
.delete_force(self
.ldb_admin
, object_dn
)
631 self
.create_domain_group(_ldb
, object_dn
)
632 desc_sddl
= self
.get_desc_sddl(object_dn
)
633 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
634 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
635 self
.check_modify_inheritance(_ldb
, object_dn
)
638 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
640 user_name
= "testuser6"
641 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
642 # Open Ldb connection with the tested user
643 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
644 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
645 self
.delete_force(self
.ldb_admin
, object_dn
)
646 self
.create_domain_group(_ldb
, object_dn
)
647 desc_sddl
= self
.get_desc_sddl(object_dn
)
648 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
649 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
650 self
.check_modify_inheritance(_ldb
, object_dn
)
653 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
655 user_name
= "testuser7"
656 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
657 # Open Ldb connection with the tested user
658 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
659 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
660 self
.delete_force(self
.ldb_admin
, object_dn
)
661 self
.create_domain_group(_ldb
, object_dn
)
662 desc_sddl
= self
.get_desc_sddl(object_dn
)
663 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
664 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
665 self
.check_modify_inheritance(_ldb
, object_dn
)
668 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
670 user_name
= "testuser8"
671 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
672 # Open Ldb connection with the tested user
673 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
674 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
675 self
.delete_force(self
.ldb_admin
, object_dn
)
676 self
.create_domain_group(_ldb
, object_dn
)
677 desc_sddl
= self
.get_desc_sddl(object_dn
)
678 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
679 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
680 self
.check_modify_inheritance(_ldb
, object_dn
)
682 # Control descriptor tests #####################################################################
685 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
687 user_name
= "testuser1"
688 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
689 # Open Ldb connection with the tested user
690 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
691 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
692 self
.delete_force(self
.ldb_admin
, object_dn
)
693 # Create a custom security descriptor
694 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
695 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
696 desc_sddl
= self
.get_desc_sddl(object_dn
)
697 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
698 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
701 """ Domain admin group member creates object (custom descriptor) in DOMAIN
703 user_name
= "testuser2"
704 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
705 # Open Ldb connection with the tested user
706 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
707 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
708 self
.delete_force(self
.ldb_admin
, object_dn
)
709 # Create a custom security descriptor
710 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
711 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
712 desc_sddl
= self
.get_desc_sddl(object_dn
)
713 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
714 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
717 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
719 user_name
= "testuser3"
720 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
721 # Open Ldb connection with the tested user
722 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
723 object_dn
= "OU=test_domain_ou1," + self
.base_dn
724 self
.delete_force(self
.ldb_admin
, object_dn
)
725 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
726 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
727 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
728 self
.dacl_add_ace(object_dn
, mod
)
729 # Create a custom security descriptor
730 # NB! Problematic owner part won't accept DA only <User Sid> !!!
731 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
732 # Create additional object into the first one
733 object_dn
= "CN=test_domain_user1," + object_dn
734 self
.delete_force(self
.ldb_admin
, object_dn
)
735 self
.create_domain_user(_ldb
, object_dn
, desc_sddl
)
736 desc
= self
.read_desc(object_dn
)
737 desc_sddl
= self
.get_desc_sddl(object_dn
)
738 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
739 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
742 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
744 user_name
= "testuser4"
745 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
746 # Open Ldb connection with the tested user
747 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
748 object_dn
= "OU=test_domain_ou1," + self
.base_dn
749 self
.delete_force(self
.ldb_admin
, object_dn
)
750 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
751 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
752 mod
= "(A;CI;WOWDCC;;;%s)" % str(user_sid
)
753 self
.dacl_add_ace(object_dn
, mod
)
754 # Create a custom security descriptor
755 # NB! Problematic owner part won't accept DA only <User Sid> !!!
756 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
757 # Create additional object into the first one
758 object_dn
= "CN=test_domain_user1," + object_dn
759 self
.delete_force(self
.ldb_admin
, object_dn
)
760 self
.create_domain_user(_ldb
, object_dn
, desc_sddl
)
761 desc
= self
.read_desc(object_dn
)
762 desc_sddl
= self
.get_desc_sddl(object_dn
)
763 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
764 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
767 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
769 user_name
= "testuser5"
770 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
771 # Open Ldb connection with the tested user
772 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
773 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
774 self
.delete_force(self
.ldb_admin
, object_dn
)
775 # Create a custom security descriptor
776 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
777 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
778 desc_sddl
= self
.get_desc_sddl(object_dn
)
779 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
780 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
783 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
785 user_name
= "testuser6"
786 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
787 # Open Ldb connection with the tested user
788 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
789 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
790 self
.delete_force(self
.ldb_admin
, object_dn
)
791 # Create a custom security descriptor
792 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
793 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
794 desc_sddl
= self
.get_desc_sddl(object_dn
)
795 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
796 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
799 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
801 user_name
= "testuser7"
802 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
803 # Open Ldb connection with the tested user
804 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
805 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
806 self
.delete_force(self
.ldb_admin
, object_dn
)
807 # Create a custom security descriptor
808 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
809 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
810 desc_sddl
= self
.get_desc_sddl(object_dn
)
811 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
812 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
815 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
817 user_name
= "testuser8"
818 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
819 # Open Ldb connection with the tested user
820 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
821 object_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
822 self
.delete_force(self
.ldb_admin
, object_dn
)
823 # Create a custom security descriptor
824 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
825 self
.create_domain_group(_ldb
, object_dn
, desc_sddl
)
826 desc_sddl
= self
.get_desc_sddl(object_dn
)
827 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
828 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
831 user_name
= "Administrator"
832 object_dn
= "OU=test_domain_ou1," + self
.base_dn
833 self
.delete_force(self
.ldb_admin
, object_dn
)
834 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
835 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
836 mod
= "(D;CI;WP;;;S-1-3-0)"
838 self
.dacl_add_ace(object_dn
, mod
)
839 desc_sddl
= self
.get_desc_sddl(object_dn
)
840 # Create additional object into the first one
841 object_dn
= "OU=test_domain_ou2," + object_dn
842 self
.delete_force(self
.ldb_admin
, object_dn
)
843 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
844 desc_sddl
= self
.get_desc_sddl(object_dn
)
848 # Defalt descriptor tests ##################################################################
851 user_name
= "testuser1"
852 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
853 # Open Ldb connection with the tested user
854 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
855 # Change Schema partition descriptor
856 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
857 mod
= "(A;;WDCC;;;AU)"
858 self
.dacl_add_ace(self
.schema_dn
, mod
)
859 # Create example Schema class
860 class_name
= self
.get_unique_schema_class_name()
861 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
862 self
.create_schema_class(_ldb
, class_dn
)
863 desc_sddl
= self
.get_desc_sddl(class_dn
)
864 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
865 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
866 self
.check_modify_inheritance(_ldb
, class_dn
)
869 user_name
= "testuser2"
870 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
871 # Open Ldb connection with the tested user
872 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
873 # Change Schema partition descriptor
874 mod
= "(A;CI;WDCC;;;AU)"
875 self
.dacl_add_ace(self
.schema_dn
, mod
)
876 # Create example Schema class
877 class_name
= self
.get_unique_schema_class_name()
878 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
879 self
.create_schema_class(_ldb
, class_dn
)
880 desc_sddl
= self
.get_desc_sddl(class_dn
)
881 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
882 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
883 self
.check_modify_inheritance(_ldb
, class_dn
)
886 user_name
= "testuser3"
887 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
888 # Open Ldb connection with the tested user
889 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
890 # Change Schema partition descriptor
891 mod
= "(A;CI;WDCC;;;AU)"
892 self
.dacl_add_ace(self
.schema_dn
, mod
)
893 # Create example Schema class
894 class_name
= self
.get_unique_schema_class_name()
895 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
896 self
.create_schema_class(_ldb
, class_dn
)
897 desc_sddl
= self
.get_desc_sddl(class_dn
)
898 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
899 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
900 #self.check_modify_inheritance(_ldb, class_dn)
903 user_name
= "testuser4"
904 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
905 # Open Ldb connection with the tested user
906 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
907 #Change Schema partition descriptor
908 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
909 mod
= "(A;CI;WDCC;;;AU)"
910 self
.dacl_add_ace(self
.schema_dn
, mod
)
911 # Create example Schema class
912 class_name
= self
.get_unique_schema_class_name()
913 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
914 self
.create_schema_class(_ldb
, class_dn
)
915 desc_sddl
= self
.get_desc_sddl(class_dn
)
916 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
917 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
918 #self.check_modify_inheritance(_ldb, class_dn)
921 user_name
= "testuser5"
922 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
923 # Open Ldb connection with the tested user
924 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
925 #Change Schema partition descriptor
926 mod
= "(A;CI;WDCC;;;AU)"
927 self
.dacl_add_ace(self
.schema_dn
, mod
)
928 # Create example Schema class
929 class_name
= self
.get_unique_schema_class_name()
930 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
931 self
.create_schema_class(_ldb
, class_dn
)
932 desc_sddl
= self
.get_desc_sddl(class_dn
)
933 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
934 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
935 self
.check_modify_inheritance(_ldb
, class_dn
)
938 user_name
= "testuser6"
939 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
940 # Open Ldb connection with the tested user
941 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
942 # Change Schema partition descriptor
943 mod
= "(A;CI;WDCC;;;AU)"
944 self
.dacl_add_ace(self
.schema_dn
, mod
)
945 # Create example Schema class
946 class_name
= self
.get_unique_schema_class_name()
947 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
948 self
.create_schema_class(_ldb
, class_dn
)
949 desc_sddl
= self
.get_desc_sddl(class_dn
)
950 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
951 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
952 self
.check_modify_inheritance(_ldb
, class_dn
)
955 user_name
= "testuser7"
956 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
957 # Open Ldb connection with the tested user
958 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
959 # Change Schema partition descriptor
960 mod
= "(A;CI;WDCC;;;AU)"
961 self
.dacl_add_ace(self
.schema_dn
, mod
)
962 # Create example Schema class
963 class_name
= self
.get_unique_schema_class_name()
964 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
965 self
.create_schema_class(_ldb
, class_dn
)
966 desc_sddl
= self
.get_desc_sddl(class_dn
)
967 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
968 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
969 self
.check_modify_inheritance(_ldb
, class_dn
)
972 user_name
= "testuser8"
973 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
974 # Open Ldb connection with the tested user
975 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
976 # Change Schema partition descriptor
977 mod
= "(A;CI;WDCC;;;AU)"
978 self
.dacl_add_ace(self
.schema_dn
, mod
)
979 # Create example Schema class
980 class_name
= self
.get_unique_schema_class_name()
981 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
982 self
.create_schema_class(_ldb
, class_dn
)
983 desc_sddl
= self
.get_desc_sddl(class_dn
)
984 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
985 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
986 self
.check_modify_inheritance(_ldb
, class_dn
)
988 # Custom descriptor tests ##################################################################
991 user_name
= "testuser1"
992 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
993 # Open Ldb connection with the tested user
994 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
995 # Change Schema partition descriptor
997 self
.dacl_add_ace(self
.schema_dn
, mod
)
998 # Create a custom security descriptor
999 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1000 # Create example Schema class
1001 class_name
= self
.get_unique_schema_class_name()
1002 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1003 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1004 desc_sddl
= self
.get_desc_sddl(class_dn
)
1005 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1006 self
.assertEqual("O:DAG:DA", res
)
1009 user_name
= "testuser2"
1010 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1011 # Open Ldb connection with the tested user
1012 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1013 # Change Schema partition descriptor
1014 mod
= "(A;;CC;;;AU)"
1015 self
.dacl_add_ace(self
.schema_dn
, mod
)
1016 # Create a custom security descriptor
1017 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1018 # Create example Schema class
1019 class_name
= self
.get_unique_schema_class_name()
1020 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1021 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1022 desc_sddl
= self
.get_desc_sddl(class_dn
)
1023 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1024 self
.assertEqual("O:DAG:DA", res
)
1027 user_name
= "testuser3"
1028 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1029 # Open Ldb connection with the tested user
1030 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1031 # Create a custom security descriptor
1032 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1033 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1034 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1035 # Create example Schema class
1036 class_name
= self
.get_unique_schema_class_name()
1037 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1038 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1039 desc_sddl
= self
.get_desc_sddl(class_dn
)
1040 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1041 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1044 user_name
= "testuser4"
1045 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1046 # Open Ldb connection with the tested user
1047 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1048 # Create a custom security descriptor
1049 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1050 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1051 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1052 # Create example Schema class
1053 class_name
= self
.get_unique_schema_class_name()
1054 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1055 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1056 desc_sddl
= self
.get_desc_sddl(class_dn
)
1057 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1058 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1061 user_name
= "testuser5"
1062 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1063 # Open Ldb connection with the tested user
1064 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1065 # Change Schema partition descriptor
1066 mod
= "(A;;CC;;;AU)"
1067 self
.dacl_add_ace(self
.schema_dn
, mod
)
1068 # Create a custom security descriptor
1069 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1070 # Create example Schema class
1071 class_name
= self
.get_unique_schema_class_name()
1072 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1073 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1074 desc_sddl
= self
.get_desc_sddl(class_dn
)
1075 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1076 self
.assertEqual("O:DAG:DA", res
)
1079 user_name
= "testuser6"
1080 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1081 # Open Ldb connection with the tested user
1082 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1083 # Change Schema partition descriptor
1084 mod
= "(A;;CC;;;AU)"
1085 self
.dacl_add_ace(self
.schema_dn
, mod
)
1086 # Create a custom security descriptor
1087 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1088 # Create example Schema class
1089 class_name
= self
.get_unique_schema_class_name()
1090 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1091 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1092 desc_sddl
= self
.get_desc_sddl(class_dn
)
1093 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1094 self
.assertEqual("O:DAG:DA", res
)
1097 user_name
= "testuser7"
1098 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1099 # Open Ldb connection with the tested user
1100 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1101 # Change Schema partition descriptor
1102 mod
= "(A;;CC;;;AU)"
1103 self
.dacl_add_ace(self
.schema_dn
, mod
)
1104 # Create a custom security descriptor
1105 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1106 # Create example Schema class
1107 class_name
= self
.get_unique_schema_class_name()
1108 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1109 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1110 desc_sddl
= self
.get_desc_sddl(class_dn
)
1111 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1112 self
.assertEqual("O:DAG:DA", res
)
1115 user_name
= "testuser8"
1116 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1117 # Open Ldb connection with the tested user
1118 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1119 # Change Schema partition descriptor
1120 mod
= "(A;;CC;;;AU)"
1121 self
.dacl_add_ace(self
.schema_dn
, mod
)
1122 # Create a custom security descriptor
1123 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1124 # Create example Schema class
1125 class_name
= self
.get_unique_schema_class_name()
1126 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1127 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1128 desc_sddl
= self
.get_desc_sddl(class_dn
)
1129 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1130 self
.assertEqual("O:DAG:DA", res
)
1132 ## Tests for CONFIGURATION
1134 # Defalt descriptor tests ##################################################################
1137 user_name
= "testuser1"
1138 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1139 # Open Ldb connection with the tested user
1140 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1141 # Create example Configuration container
1142 container_name
= "test-container1"
1143 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1144 self
.delete_force(self
.ldb_admin
, object_dn
)
1145 self
.create_configuration_container(_ldb
, object_dn
, )
1146 desc_sddl
= self
.get_desc_sddl(object_dn
)
1147 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1148 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1149 self
.check_modify_inheritance(_ldb
, object_dn
)
1152 user_name
= "testuser2"
1153 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1154 # Open Ldb connection with the tested user
1155 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1156 # Create example Configuration container
1157 container_name
= "test-container1"
1158 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1159 self
.delete_force(self
.ldb_admin
, object_dn
)
1160 self
.create_configuration_container(_ldb
, object_dn
, )
1161 desc_sddl
= self
.get_desc_sddl(object_dn
)
1162 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1163 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1164 self
.check_modify_inheritance(_ldb
, object_dn
)
1167 user_name
= "testuser3"
1168 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1169 # Open Ldb connection with the tested user
1170 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1171 # Create example Configuration container
1172 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1173 self
.delete_force(self
.ldb_admin
, object_dn
)
1174 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1175 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1176 mod
= "(A;;WDCC;;;AU)"
1177 self
.dacl_add_ace(object_dn
, mod
)
1178 # Create child object with user's credentials
1179 object_dn
= "CN=test-specifier1," + object_dn
1180 self
.delete_force(self
.ldb_admin
, object_dn
)
1181 self
.create_configuration_specifier(_ldb
, object_dn
)
1182 desc_sddl
= self
.get_desc_sddl(object_dn
)
1183 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1184 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1185 #self.check_modify_inheritance(_ldb, object_dn)
1188 user_name
= "testuser4"
1189 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1190 # Open Ldb connection with the tested user
1191 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1192 # Create example Configuration container
1193 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1194 self
.delete_force(self
.ldb_admin
, object_dn
)
1195 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1196 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1197 mod
= "(A;CI;WDCC;;;AU)"
1198 self
.dacl_add_ace(object_dn
, mod
)
1199 # Create child object with user's credentials
1200 object_dn
= "CN=test-specifier1," + object_dn
1201 self
.delete_force(self
.ldb_admin
, object_dn
)
1202 self
.create_configuration_specifier(_ldb
, object_dn
)
1203 desc_sddl
= self
.get_desc_sddl(object_dn
)
1204 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1205 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1206 #self.check_modify_inheritance(_ldb, object_dn)
1209 user_name
= "testuser5"
1210 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1211 # Open Ldb connection with the tested user
1212 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1213 # Create example Configuration container
1214 container_name
= "test-container1"
1215 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1216 self
.delete_force(self
.ldb_admin
, object_dn
)
1217 self
.create_configuration_container(_ldb
, object_dn
, )
1218 desc_sddl
= self
.get_desc_sddl(object_dn
)
1219 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1220 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1221 self
.check_modify_inheritance(_ldb
, object_dn
)
1224 user_name
= "testuser6"
1225 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1226 # Open Ldb connection with the tested user
1227 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1228 # Create example Configuration container
1229 container_name
= "test-container1"
1230 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1231 self
.delete_force(self
.ldb_admin
, object_dn
)
1232 self
.create_configuration_container(_ldb
, object_dn
, )
1233 desc_sddl
= self
.get_desc_sddl(object_dn
)
1234 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1235 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1236 self
.check_modify_inheritance(_ldb
, object_dn
)
1239 user_name
= "testuser7"
1240 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1241 # Open Ldb connection with the tested user
1242 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1243 # Create example Configuration container
1244 container_name
= "test-container1"
1245 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1246 self
.delete_force(self
.ldb_admin
, object_dn
)
1247 self
.create_configuration_container(_ldb
, object_dn
, )
1248 desc_sddl
= self
.get_desc_sddl(object_dn
)
1249 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1250 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1251 self
.check_modify_inheritance(_ldb
, object_dn
)
1254 user_name
= "testuser8"
1255 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1256 # Open Ldb connection with the tested user
1257 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1258 # Create example Configuration container
1259 container_name
= "test-container1"
1260 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1261 self
.delete_force(self
.ldb_admin
, object_dn
)
1262 self
.create_configuration_container(_ldb
, object_dn
, )
1263 desc_sddl
= self
.get_desc_sddl(object_dn
)
1264 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1265 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]], res
)
1266 self
.check_modify_inheritance(_ldb
, object_dn
)
1268 # Custom descriptor tests ##################################################################
1271 user_name
= "testuser1"
1272 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1273 # Open Ldb connection with the tested user
1274 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1275 # Create example Configuration container
1276 container_name
= "test-container1"
1277 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1278 self
.delete_force(self
.ldb_admin
, object_dn
)
1279 # Create a custom security descriptor
1280 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1281 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1282 desc_sddl
= self
.get_desc_sddl(object_dn
)
1283 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1284 self
.assertEqual("O:DAG:DA", res
)
1287 user_name
= "testuser2"
1288 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1289 # Open Ldb connection with the tested user
1290 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1291 # Create example Configuration container
1292 container_name
= "test-container1"
1293 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1294 self
.delete_force(self
.ldb_admin
, object_dn
)
1295 # Create a custom security descriptor
1296 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1297 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1298 desc_sddl
= self
.get_desc_sddl(object_dn
)
1299 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1300 self
.assertEqual("O:DAG:DA", res
)
1303 user_name
= "testuser3"
1304 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1305 # Open Ldb connection with the tested user
1306 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1307 # Create example Configuration container
1308 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1309 self
.delete_force(self
.ldb_admin
, object_dn
)
1310 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1311 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1312 mod
= "(A;;CC;;;AU)"
1313 self
.dacl_add_ace(object_dn
, mod
)
1314 # Create child object with user's credentials
1315 object_dn
= "CN=test-specifier1," + object_dn
1316 self
.delete_force(self
.ldb_admin
, object_dn
)
1317 # Create a custom security descriptor
1318 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1319 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1320 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1321 desc_sddl
= self
.get_desc_sddl(object_dn
)
1322 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1323 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1326 user_name
= "testuser4"
1327 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1328 # Open Ldb connection with the tested user
1329 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1330 # Create example Configuration container
1331 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1332 self
.delete_force(self
.ldb_admin
, object_dn
)
1333 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1334 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1335 mod
= "(A;;CC;;;AU)"
1336 self
.dacl_add_ace(object_dn
, mod
)
1337 # Create child object with user's credentials
1338 object_dn
= "CN=test-specifier1," + object_dn
1339 self
.delete_force(self
.ldb_admin
, object_dn
)
1340 # Create a custom security descriptor
1341 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1342 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1343 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1344 desc_sddl
= self
.get_desc_sddl(object_dn
)
1345 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1346 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
][self
._testMethodName
[5:]] % str(user_sid
), res
)
1349 user_name
= "testuser5"
1350 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1351 # Open Ldb connection with the tested user
1352 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1353 # Create example Configuration container
1354 container_name
= "test-container1"
1355 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1356 self
.delete_force(self
.ldb_admin
, object_dn
)
1357 # Create a custom security descriptor
1358 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1359 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1360 desc_sddl
= self
.get_desc_sddl(object_dn
)
1361 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1362 self
.assertEqual("O:DAG:DA", res
)
1365 user_name
= "testuser6"
1366 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1367 # Open Ldb connection with the tested user
1368 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1369 # Create example Configuration container
1370 container_name
= "test-container1"
1371 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1372 self
.delete_force(self
.ldb_admin
, object_dn
)
1373 # Create a custom security descriptor
1374 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1375 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1376 desc_sddl
= self
.get_desc_sddl(object_dn
)
1377 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1378 self
.assertEqual("O:DAG:DA", res
)
1381 user_name
= "testuser7"
1382 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1383 # Open Ldb connection with the tested user
1384 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1385 # Create example Configuration container
1386 container_name
= "test-container1"
1387 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1388 self
.delete_force(self
.ldb_admin
, object_dn
)
1389 # Create a custom security descriptor
1390 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1391 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1392 desc_sddl
= self
.get_desc_sddl(object_dn
)
1393 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1394 self
.assertEqual("O:DAG:DA", res
)
1397 user_name
= "testuser8"
1398 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1399 # Open Ldb connection with the tested user
1400 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1401 # Create example Configuration container
1402 container_name
= "test-container1"
1403 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1404 self
.delete_force(self
.ldb_admin
, object_dn
)
1405 # Create a custom security descriptor
1406 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1407 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1408 desc_sddl
= self
.get_desc_sddl(object_dn
)
1409 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1410 self
.assertEqual("O:DAG:DA", res
)
1412 ########################################################################################
1413 # Inharitance tests for DACL
1415 class DaclDescriptorTests(DescriptorTests
):
1418 DescriptorTests
.setUp(self
)
1421 self
.delete_force(self
.ldb_admin
, "CN=test_inherit_group,OU=test_inherit_ou," + self
.base_dn
)
1422 self
.delete_force(self
.ldb_admin
, "OU=test_inherit_ou," + self
.base_dn
)
1424 def create_clean_ou(self
, object_dn
):
1425 """ Base repeating setup for unittests to follow """
1426 res
= self
.ldb_admin
.search(base
=self
.base_dn
, scope
=SCOPE_SUBTREE
, \
1427 expression
="distinguishedName=%s" % object_dn
)
1428 # Make sure top testing OU has been deleted before starting the test
1429 self
.assertEqual(res
, [])
1430 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
1431 desc_sddl
= self
.get_desc_sddl(object_dn
)
1432 # Make sure there are inheritable ACEs initially
1433 self
.assertTrue("CI" in desc_sddl
or "OI" in desc_sddl
)
1434 # Find and remove all inherit ACEs
1435 res
= re
.findall("\(.*?\)", desc_sddl
)
1436 res
= [x
for x
in res
if ("CI" in x
) or ("OI" in x
)]
1438 desc_sddl
= desc_sddl
.replace(x
, "")
1439 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1440 # can propagate from above
1441 # remove SACL, we are not interested
1442 desc_sddl
= desc_sddl
.replace(":AI", ":AIP")
1443 self
.modify_desc(self
.ldb_admin
, object_dn
, desc_sddl
)
1444 # Verify all inheritable ACEs are gone
1445 desc_sddl
= self
.get_desc_sddl(object_dn
)
1446 self
.assertFalse("CI" in desc_sddl
)
1447 self
.assertFalse("OI" in desc_sddl
)
1450 """ OU with protected flag and child group. See if the group has inherit ACEs.
1452 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1453 group_dn
= "CN=test_inherit_group," + ou_dn
1454 # Create inheritable-free OU
1455 self
.create_clean_ou(ou_dn
)
1456 # Create group child object
1457 self
.create_domain_group(self
.ldb_admin
, group_dn
)
1458 # Make sure created group object contains NO inherit ACEs
1459 desc_sddl
= self
.get_desc_sddl(group_dn
)
1460 self
.assertFalse("ID" in desc_sddl
)
1463 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1464 Verify group has custom and default ACEs only.
1466 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1467 group_dn
= "CN=test_inherit_group," + ou_dn
1468 # Create inheritable-free OU
1469 self
.create_clean_ou(ou_dn
)
1470 # Create group child object using custom security descriptor
1471 sddl
= "O:AUG:AUD:AI(D;;WP;;;DU)"
1472 self
.create_domain_group(self
.ldb_admin
, group_dn
, sddl
)
1473 # Make sure created group descriptor has NO additional ACEs
1474 desc_sddl
= self
.get_desc_sddl(group_dn
)
1475 self
.assertEqual(desc_sddl
, sddl
)
1476 sddl
= "O:AUG:AUD:AI(D;;CC;;;LG)"
1477 self
.modify_desc(self
.ldb_admin
, group_dn
, sddl
)
1478 desc_sddl
= self
.get_desc_sddl(group_dn
)
1479 self
.assertEqual(desc_sddl
, sddl
)
1482 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1483 See if the group has any of the added ACEs.
1485 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1486 group_dn
= "CN=test_inherit_group," + ou_dn
1487 # Create inheritable-free OU
1488 self
.create_clean_ou(ou_dn
)
1489 # Add some custom non-inheritable ACEs
1490 mod
= "(D;;WP;;;DU)(A;;RP;;;DU)"
1491 moded
= "(D;;CC;;;LG)"
1492 self
.dacl_add_ace(ou_dn
, mod
)
1493 # Verify all inheritable ACEs are gone
1494 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1495 # Create group child object
1496 self
.create_domain_group(self
.ldb_admin
, group_dn
)
1497 # Make sure created group object contains NO inherit ACEs
1498 # also make sure the added above non-inheritable ACEs are absent too
1499 desc_sddl
= self
.get_desc_sddl(group_dn
)
1500 self
.assertFalse("ID" in desc_sddl
)
1501 for x
in re
.findall("\(.*?\)", mod
):
1502 self
.assertFalse(x
in desc_sddl
)
1503 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1504 desc_sddl
= self
.get_desc_sddl(group_dn
)
1505 self
.assertFalse("ID" in desc_sddl
)
1506 for x
in re
.findall("\(.*?\)", mod
):
1507 self
.assertFalse(x
in desc_sddl
)
1510 """ OU with protected flag and add 'CI' ACE, child group.
1511 See if the group has the added inherited ACE.
1513 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1514 group_dn
= "CN=test_inherit_group," + ou_dn
1515 # Create inheritable-free OU
1516 self
.create_clean_ou(ou_dn
)
1517 # Add some custom 'CI' ACE
1518 mod
= "(D;CI;WP;;;DU)"
1519 moded
= "(D;;CC;;;LG)"
1520 self
.dacl_add_ace(ou_dn
, mod
)
1521 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1522 # Create group child object
1523 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1524 # Make sure created group object contains only the above inherited ACE
1525 # that we've added manually
1526 desc_sddl
= self
.get_desc_sddl(group_dn
)
1527 mod
= mod
.replace(";CI;", ";CIID;")
1528 self
.assertTrue(mod
in desc_sddl
)
1529 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1530 desc_sddl
= self
.get_desc_sddl(group_dn
)
1531 self
.assertTrue(moded
in desc_sddl
)
1532 self
.assertTrue(mod
in desc_sddl
)
1535 """ OU with protected flag and add 'OI' ACE, child group.
1536 See if the group has the added inherited ACE.
1538 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1539 group_dn
= "CN=test_inherit_group," + ou_dn
1540 # Create inheritable-free OU
1541 self
.create_clean_ou(ou_dn
)
1542 # Add some custom 'CI' ACE
1543 mod
= "(D;OI;WP;;;DU)"
1544 moded
= "(D;;CC;;;LG)"
1545 self
.dacl_add_ace(ou_dn
, mod
)
1546 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1547 # Create group child object
1548 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1549 # Make sure created group object contains only the above inherited ACE
1550 # that we've added manually
1551 desc_sddl
= self
.get_desc_sddl(group_dn
)
1552 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1553 self
.assertTrue(mod
in desc_sddl
)
1554 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" +moded
)
1555 desc_sddl
= self
.get_desc_sddl(group_dn
)
1556 self
.assertTrue(moded
in desc_sddl
)
1557 self
.assertTrue(mod
in desc_sddl
)
1560 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1561 See if the group has the added inherited ACE.
1563 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1564 group_dn
= "CN=test_inherit_group," + ou_dn
1565 # Create inheritable-free OU
1566 self
.create_clean_ou(ou_dn
)
1567 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1568 mod
= "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1569 moded
= "(D;;CC;;;LG)"
1570 self
.dacl_add_ace(ou_dn
, mod
)
1571 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1572 # Create group child object
1573 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1574 # Make sure created group object contains only the above inherited ACE
1575 # that we've added manually
1576 desc_sddl
= self
.get_desc_sddl(group_dn
)
1577 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1578 self
.assertTrue(mod
in desc_sddl
)
1579 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1580 desc_sddl
= self
.get_desc_sddl(group_dn
)
1581 self
.assertTrue(moded
in desc_sddl
)
1582 self
.assertTrue(mod
in desc_sddl
)
1585 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1586 See if the group has the added inherited ACE.
1588 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1589 group_dn
= "CN=test_inherit_group," + ou_dn
1590 # Create inheritable-free OU
1591 self
.create_clean_ou(ou_dn
)
1592 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1593 mod
= "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1594 moded
= "(D;;CC;;;LG)"
1595 self
.dacl_add_ace(ou_dn
, mod
)
1596 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1597 # Create group child object
1598 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1599 # Make sure created group object contains only the above inherited ACE
1600 # that we've added manually
1601 desc_sddl
= self
.get_desc_sddl(group_dn
)
1602 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1603 self
.assertTrue(mod
in desc_sddl
)
1604 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1605 desc_sddl
= self
.get_desc_sddl(group_dn
)
1606 self
.assertTrue(moded
in desc_sddl
)
1607 self
.assertTrue(mod
in desc_sddl
)
1610 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1611 See if the group has the added inherited ACE.
1613 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1614 group_dn
= "CN=test_inherit_group," + ou_dn
1615 # Create inheritable-free OU
1616 self
.create_clean_ou(ou_dn
)
1617 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1618 mod
= "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1619 moded
= "(D;;CC;;;LG)"
1620 self
.dacl_add_ace(ou_dn
, mod
)
1621 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1622 # Create group child object
1623 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1624 # Make sure created group object contains only the above inherited ACE
1625 # that we've added manually
1626 desc_sddl
= self
.get_desc_sddl(group_dn
)
1627 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1628 self
.assertTrue(mod
in desc_sddl
)
1629 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1630 desc_sddl
= self
.get_desc_sddl(group_dn
)
1631 self
.assertTrue(moded
in desc_sddl
)
1632 self
.assertTrue(mod
in desc_sddl
)
1635 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1636 See if the group has the added inherited ACE.
1638 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1639 group_dn
= "CN=test_inherit_group," + ou_dn
1640 # Create inheritable-free OU
1641 self
.create_clean_ou(ou_dn
)
1642 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1643 mod
= "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1644 moded
= "(D;;CC;;;LG)"
1645 self
.dacl_add_ace(ou_dn
, mod
)
1646 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1647 # Create group child object
1648 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1649 # Make sure created group object contains only the above inherited ACE
1650 # that we've added manually
1651 desc_sddl
= self
.get_desc_sddl(group_dn
)
1652 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1653 self
.assertTrue(mod
in desc_sddl
)
1654 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded
)
1655 desc_sddl
= self
.get_desc_sddl(group_dn
)
1656 self
.assertTrue(moded
in desc_sddl
)
1657 self
.assertTrue(mod
in desc_sddl
)
1660 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1661 See if the group has the added inherited ACE.
1663 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1664 group_dn
= "CN=test_inherit_group," + ou_dn
1665 # Create inheritable-free OU
1666 self
.create_clean_ou(ou_dn
)
1667 # Add some custom 'CI' ACE
1668 mod
= "(D;CI;WP;;;CO)"
1669 moded
= "(D;;CC;;;LG)"
1670 self
.dacl_add_ace(ou_dn
, mod
)
1671 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1672 # Create group child object
1673 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1674 # Make sure created group object contains only the above inherited ACE(s)
1675 # that we've added manually
1676 desc_sddl
= self
.get_desc_sddl(group_dn
)
1677 self
.assertTrue("(D;ID;WP;;;AU)" in desc_sddl
)
1678 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1679 self
.modify_desc(self
.ldb_admin
, group_dn
, "D:" + moded
)
1680 desc_sddl
= self
.get_desc_sddl(group_dn
)
1681 self
.assertTrue(moded
in desc_sddl
)
1682 self
.assertTrue("(D;ID;WP;;;DA)" in desc_sddl
)
1683 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1685 ########################################################################################
1688 class SdFlagsDescriptorTests(DescriptorTests
):
1690 DescriptorTests
.setUp(self
)
1691 self
.test_descr
= "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1694 self
.delete_force(self
.ldb_admin
, "OU=test_sdflags_ou," + self
.base_dn
)
1697 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1698 See that only the owner has been changed.
1700 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1701 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1702 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1703 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1704 # make sure we have modified the owner
1705 self
.assertTrue("O:AU" in desc_sddl
)
1706 # make sure nothing else has been modified
1707 self
.assertFalse("G:AU" in desc_sddl
)
1708 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1709 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1712 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1713 See that only the owner has been changed.
1715 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1716 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1717 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1718 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1719 # make sure we have modified the group
1720 self
.assertTrue("G:AU" in desc_sddl
)
1721 # make sure nothing else has been modified
1722 self
.assertFalse("O:AU" in desc_sddl
)
1723 self
.assertFalse("D:(D;;CC;;;LG)" in desc_sddl
)
1724 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1727 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1728 See that only the owner has been changed.
1730 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1731 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1732 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1733 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1734 # make sure we have modified the DACL
1735 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1736 # make sure nothing else has been modified
1737 self
.assertFalse("O:AU" in desc_sddl
)
1738 self
.assertFalse("G:AU" in desc_sddl
)
1739 self
.assertFalse("(OU;;WP;;;AU)" in desc_sddl
)
1742 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1743 See that only the owner has been changed.
1745 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1746 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1747 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1748 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1749 # make sure we have modified the DACL
1750 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1751 # make sure nothing else has been modified
1752 self
.assertFalse("O:AU" in desc_sddl
)
1753 self
.assertFalse("G:AU" in desc_sddl
)
1754 self
.assertFalse("(D;;CC;;;LG)" in desc_sddl
)
1757 """ Modify a descriptor with 0x0 set.
1758 Contrary to logic this is interpreted as no control,
1759 which is the same as 0xF
1761 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1762 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1763 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:0"])
1764 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1765 # make sure we have modified the DACL
1766 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1767 # make sure nothing else has been modified
1768 self
.assertTrue("O:AU" in desc_sddl
)
1769 self
.assertTrue("G:AU" in desc_sddl
)
1770 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1773 """ Modify a descriptor with 0xF set.
1775 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1776 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1777 self
.modify_desc(self
.ldb_admin
, ou_dn
, self
.test_descr
, controls
=["sd_flags:1:15"])
1778 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1779 # make sure we have modified the DACL
1780 self
.assertTrue("(OU;;WP;;;AU)" in desc_sddl
)
1781 # make sure nothing else has been modified
1782 self
.assertTrue("O:AU" in desc_sddl
)
1783 self
.assertTrue("G:AU" in desc_sddl
)
1784 self
.assertTrue("(D;;CC;;;LG)" in desc_sddl
)
1787 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1788 Only the owner part should be returned.
1790 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1791 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1792 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_OWNER
)])
1793 # make sure we have read the owner
1794 self
.assertTrue("O:" in desc_sddl
)
1795 # make sure we have read nothing else
1796 self
.assertFalse("G:" in desc_sddl
)
1797 self
.assertFalse("D:" in desc_sddl
)
1798 self
.assertFalse("S:" in desc_sddl
)
1801 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1802 Only the group part should be returned.
1804 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1805 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1806 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_GROUP
)])
1807 # make sure we have read the owner
1808 self
.assertTrue("G:" in desc_sddl
)
1809 # make sure we have read nothing else
1810 self
.assertFalse("O:" in desc_sddl
)
1811 self
.assertFalse("D:" in desc_sddl
)
1812 self
.assertFalse("S:" in desc_sddl
)
1815 """ Read a descriptor with SACL_SECURITY_INFORMATION
1816 Only the sacl part should be returned.
1818 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1819 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1820 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_SACL
)])
1821 # make sure we have read the owner
1822 self
.assertTrue("S:" in desc_sddl
)
1823 # make sure we have read nothing else
1824 self
.assertFalse("O:" in desc_sddl
)
1825 self
.assertFalse("D:" in desc_sddl
)
1826 self
.assertFalse("G:" in desc_sddl
)
1829 """ Read a descriptor with DACL_SECURITY_INFORMATION
1830 Only the dacl part should be returned.
1832 ou_dn
= "OU=test_sdflags_ou," + self
.base_dn
1833 self
.create_domain_ou(self
.ldb_admin
, ou_dn
)
1834 desc_sddl
= self
.get_desc_sddl(ou_dn
, controls
=["sd_flags:1:%d" % (SECINFO_DACL
)])
1835 # make sure we have read the owner
1836 self
.assertTrue("D:" in desc_sddl
)
1837 # make sure we have read nothing else
1838 self
.assertFalse("O:" in desc_sddl
)
1839 self
.assertFalse("S:" in desc_sddl
)
1840 self
.assertFalse("G:" in desc_sddl
)
1842 class RightsAttributesTests(DescriptorTests
):
1845 DescriptorTests
.setUp(self
)
1849 user_dn
= self
.get_users_domain_dn("testuser_attr")
1850 self
.create_domain_user(self
.ldb_admin
, user_dn
)
1851 self
.enable_account(user_dn
)
1852 # User 2, Domain Admins
1853 user_dn
= self
.get_users_domain_dn("testuser_attr2")
1854 self
.create_domain_user(self
.ldb_admin
, user_dn
)
1855 self
.enable_account(user_dn
)
1857 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
1859 member: """ + user_dn
1860 self
.ldb_admin
.modify_ldif(ldif
)
1865 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr"))
1866 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser_attr2"))
1868 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
1870 def test_sDRightsEffective(self
):
1871 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1872 self
.delete_force(self
.ldb_admin
, object_dn
)
1873 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
1874 print self
.get_users_domain_dn("testuser_attr")
1875 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1876 #give testuser1 read access so attributes can be retrieved
1877 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1878 self
.dacl_add_ace(object_dn
, mod
)
1879 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1880 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1881 attrs
=["sDRightsEffective"])
1882 #user whould have no rights at all
1883 self
.assertEquals(len(res
), 1)
1884 self
.assertEquals(res
[0]["sDRightsEffective"][0], "0")
1885 #give the user Write DACL and see what happens
1886 mod
= "(A;CI;WD;;;%s)" % str(user_sid
)
1887 self
.dacl_add_ace(object_dn
, mod
)
1888 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1889 attrs
=["sDRightsEffective"])
1890 #user whould have DACL_SECURITY_INFORMATION
1891 self
.assertEquals(len(res
), 1)
1892 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL
)
1893 #give the user Write Owners and see what happens
1894 mod
= "(A;CI;WO;;;%s)" % str(user_sid
)
1895 self
.dacl_add_ace(object_dn
, mod
)
1896 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1897 attrs
=["sDRightsEffective"])
1898 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1899 self
.assertEquals(len(res
), 1)
1900 self
.assertEquals(res
[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER
))
1901 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1902 _ldb
= self
.get_ldb_connection("testuser_attr2", "samba123@")
1903 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1904 attrs
=["sDRightsEffective"])
1905 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1906 self
.assertEquals(len(res
), 1)
1907 self
.assertEquals(res
[0]["sDRightsEffective"][0], \
1908 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL
))
1910 def test_allowedChildClassesEffective(self
):
1911 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1912 self
.delete_force(self
.ldb_admin
, object_dn
)
1913 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
1914 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1915 #give testuser1 read access so attributes can be retrieved
1916 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1917 self
.dacl_add_ace(object_dn
, mod
)
1918 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1919 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1920 attrs
=["allowedChildClassesEffective"])
1921 #there should be no allowed child classes
1922 self
.assertEquals(len(res
), 1)
1923 self
.assertFalse("allowedChildClassesEffective" in res
[0].keys())
1924 #give the user the right to create children of type user
1925 mod
= "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1926 self
.dacl_add_ace(object_dn
, mod
)
1927 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1928 attrs
=["allowedChildClassesEffective"])
1929 # allowedChildClassesEffective should only have one value, user
1930 self
.assertEquals(len(res
), 1)
1931 self
.assertEquals(len(res
[0]["allowedChildClassesEffective"]), 1)
1932 self
.assertEquals(res
[0]["allowedChildClassesEffective"][0], "user")
1934 def test_allowedAttributesEffective(self
):
1935 object_dn
= "OU=test_domain_ou1," + self
.base_dn
1936 self
.delete_force(self
.ldb_admin
, object_dn
)
1937 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
1938 user_sid
= self
.get_object_sid(self
.get_users_domain_dn("testuser_attr"))
1939 #give testuser1 read access so attributes can be retrieved
1940 mod
= "(A;CI;RP;;;%s)" % str(user_sid
)
1941 self
.dacl_add_ace(object_dn
, mod
)
1942 _ldb
= self
.get_ldb_connection("testuser_attr", "samba123@")
1943 #res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1944 # attrs=["allowedAttributes"])
1946 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1947 attrs
=["allowedAttributesEffective"])
1948 #there should be no allowed attributes
1949 self
.assertEquals(len(res
), 1)
1950 self
.assertFalse("allowedAttributesEffective" in res
[0].keys())
1951 #give the user the right to write displayName and managedBy
1952 mod2
= "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid
)
1953 mod
= "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid
)
1954 # also rights to modify an read only attribute, fromEntry
1955 mod3
= "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid
)
1956 self
.dacl_add_ace(object_dn
, mod
+ mod2
+ mod3
)
1957 res
= _ldb
.search(base
=object_dn
, expression
="", scope
=SCOPE_BASE
,
1958 attrs
=["allowedAttributesEffective"])
1959 # value should only contain user and managedBy
1961 self
.assertEquals(len(res
), 1)
1962 self
.assertEquals(len(res
[0]["allowedAttributesEffective"]), 2)
1963 self
.assertTrue("displayName" in res
[0]["allowedAttributesEffective"])
1964 self
.assertTrue("managedBy" in res
[0]["allowedAttributesEffective"])
1966 if not "://" in host
:
1967 host
= "ldap://%s" % host
1968 ldb
= Ldb(host
, credentials
=creds
, session_info
=system_session(), lp
=lp
, options
=["modules:paged_searches"])
1970 runner
= SubunitTestRunner()
1972 if not runner
.run(unittest
.makeSuite(OwnerGroupDescriptorTests
)).wasSuccessful():
1974 if not runner
.run(unittest
.makeSuite(DaclDescriptorTests
)).wasSuccessful():
1976 if not runner
.run(unittest
.makeSuite(SdFlagsDescriptorTests
)).wasSuccessful():
1978 if not runner
.run(unittest
.makeSuite(RightsAttributesTests
)).wasSuccessful():