2 # -*- coding: utf-8 -*-
3 # This is a port of the original in testprogs/ejs/ldap.js
9 sys
.path
.insert(0, "bin/python")
11 samba
.ensure_external_module("testtools", "testtools")
12 samba
.ensure_external_module("subunit", "subunit/python")
14 import samba
.getopt
as options
16 from samba
.auth
import system_session
17 from ldb
import SCOPE_BASE
, LdbError
18 from ldb
import ERR_NO_SUCH_OBJECT
, ERR_ATTRIBUTE_OR_VALUE_EXISTS
19 from ldb
import ERR_ENTRY_ALREADY_EXISTS
, ERR_UNWILLING_TO_PERFORM
20 from ldb
import ERR_OTHER
, ERR_NO_SUCH_ATTRIBUTE
21 from ldb
import ERR_OBJECT_CLASS_VIOLATION
22 from ldb
import ERR_CONSTRAINT_VIOLATION
23 from ldb
import ERR_UNDEFINED_ATTRIBUTE_TYPE
24 from ldb
import Message
, MessageElement
, Dn
25 from ldb
import FLAG_MOD_ADD
, FLAG_MOD_REPLACE
, FLAG_MOD_DELETE
26 from samba
.samdb
import SamDB
27 from samba
.dsdb
import (UF_NORMAL_ACCOUNT
, UF_ACCOUNTDISABLE
,
28 UF_WORKSTATION_TRUST_ACCOUNT
, UF_SERVER_TRUST_ACCOUNT
,
29 UF_PARTIAL_SECRETS_ACCOUNT
, UF_TEMP_DUPLICATE_ACCOUNT
,
30 UF_PASSWD_NOTREQD
, ATYPE_NORMAL_ACCOUNT
,
31 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP
,
32 GTYPE_SECURITY_GLOBAL_GROUP
, GTYPE_SECURITY_UNIVERSAL_GROUP
,
33 GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP
, GTYPE_DISTRIBUTION_GLOBAL_GROUP
,
34 GTYPE_DISTRIBUTION_UNIVERSAL_GROUP
,
35 ATYPE_SECURITY_GLOBAL_GROUP
, ATYPE_SECURITY_UNIVERSAL_GROUP
,
36 ATYPE_SECURITY_LOCAL_GROUP
, ATYPE_DISTRIBUTION_GLOBAL_GROUP
,
37 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP
, ATYPE_DISTRIBUTION_LOCAL_GROUP
,
38 ATYPE_WORKSTATION_TRUST
)
39 from samba
.dcerpc
.security
import (DOMAIN_RID_USERS
, DOMAIN_RID_ADMINS
,
40 DOMAIN_RID_DOMAIN_MEMBERS
, DOMAIN_RID_DCS
, DOMAIN_RID_READONLY_DCS
)
42 from subunit
.run
import SubunitTestRunner
45 from samba
.dcerpc
import security
46 from samba
.tests
import delete_force
48 parser
= optparse
.OptionParser("sam.py [options] <host>")
49 sambaopts
= options
.SambaOptions(parser
)
50 parser
.add_option_group(sambaopts
)
51 parser
.add_option_group(options
.VersionOptions(parser
))
52 # use command line creds if available
53 credopts
= options
.CredentialsOptions(parser
)
54 parser
.add_option_group(credopts
)
55 opts
, args
= parser
.parse_args()
63 lp
= sambaopts
.get_loadparm()
64 creds
= credopts
.get_credentials(lp
)
66 class SamTests(samba
.tests
.TestCase
):
69 super(SamTests
, self
).setUp()
71 self
.base_dn
= ldb
.domain_dn()
73 print "baseDN: %s\n" % self
.base_dn
75 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
76 delete_force(self
.ldb
, "cn=ldaptestuser2,cn=users," + self
.base_dn
)
77 delete_force(self
.ldb
, "cn=ldaptest\,specialuser,cn=users," + self
.base_dn
)
78 delete_force(self
.ldb
, "cn=ldaptestcomputer,cn=computers," + self
.base_dn
)
79 delete_force(self
.ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
80 delete_force(self
.ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
82 def test_users_groups(self
):
83 """This tests the SAM users and groups behaviour"""
84 print "Testing users and groups behaviour\n"
87 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
88 "objectclass": "group"})
91 "dn": "cn=ldaptestgroup2,cn=users," + self
.base_dn
,
92 "objectclass": "group"})
94 res1
= ldb
.search("cn=ldaptestgroup,cn=users," + self
.base_dn
,
95 scope
=SCOPE_BASE
, attrs
=["objectSID"])
96 self
.assertTrue(len(res1
) == 1)
97 group_rid_1
= security
.dom_sid(ldb
.schema_format_value("objectSID",
98 res1
[0]["objectSID"][0])).split()[1]
100 res1
= ldb
.search("cn=ldaptestgroup2,cn=users," + self
.base_dn
,
101 scope
=SCOPE_BASE
, attrs
=["objectSID"])
102 self
.assertTrue(len(res1
) == 1)
103 group_rid_2
= security
.dom_sid(ldb
.schema_format_value("objectSID",
104 res1
[0]["objectSID"][0])).split()[1]
106 # Try to create a user with an invalid account name
109 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
110 "objectclass": "user",
111 "sAMAccountName": "administrator"})
113 except LdbError
, (num
, _
):
114 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
115 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
117 # Try to create a user with an invalid account name
120 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
121 "objectclass": "user",
122 "sAMAccountName": []})
124 except LdbError
, (num
, _
):
125 self
.assertEquals(num
, ERR_CONSTRAINT_VIOLATION
)
126 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
128 # Try to create a user with an invalid primary group
131 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
132 "objectclass": "user",
133 "primaryGroupID": "0"})
135 except LdbError
, (num
, _
):
136 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
137 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
139 # Try to Create a user with a valid primary group
142 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
143 "objectclass": "user",
144 "primaryGroupID": str(group_rid_1
)})
146 except LdbError
, (num
, _
):
147 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
148 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
150 # Test to see how we should behave when the user account doesn't
153 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
154 m
["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE
,
159 except LdbError
, (num
, _
):
160 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
162 # Test to see how we should behave when the account isn't a user
164 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
165 m
["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE
,
170 except LdbError
, (num
, _
):
171 self
.assertEquals(num
, ERR_OBJECT_CLASS_VIOLATION
)
173 # Test default primary groups on add operations
176 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
177 "objectclass": "user"})
179 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
180 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
181 self
.assertTrue(len(res1
) == 1)
182 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
184 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
187 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
188 "objectclass": "user",
189 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD
) })
191 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
192 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
193 self
.assertTrue(len(res1
) == 1)
194 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
196 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
198 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
199 # since such accounts aren't directly creatable (ACCESS_DENIED)
202 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
203 "objectclass": "computer",
204 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
) })
206 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
207 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
208 self
.assertTrue(len(res1
) == 1)
209 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS
))
211 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
214 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
215 "objectclass": "computer",
216 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
) })
218 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
219 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
220 self
.assertTrue(len(res1
) == 1)
221 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS
))
223 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
225 # Read-only DC accounts are only creatable by
226 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
227 # we have a fallback in the assertion)
229 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
230 "objectclass": "computer",
231 "userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
) })
233 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
234 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
235 self
.assertTrue(len(res1
) == 1)
236 self
.assertTrue(res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS
) or
237 res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS
))
239 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
241 # Test default primary groups on modify operations
244 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
245 "objectclass": "user"})
248 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
249 m
["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
250 "userAccountControl")
253 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
254 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
255 self
.assertTrue(len(res1
) == 1)
256 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
258 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
259 # since such accounts aren't directly creatable (ACCESS_DENIED)
261 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
264 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
265 "objectclass": "computer"})
267 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
268 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
269 self
.assertTrue(len(res1
) == 1)
270 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
273 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
274 m
["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
275 "userAccountControl")
278 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
279 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
280 self
.assertTrue(len(res1
) == 1)
281 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS
))
284 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
285 m
["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
286 "userAccountControl")
289 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
290 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
291 self
.assertTrue(len(res1
) == 1)
292 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS
))
294 # Read-only DC accounts are only creatable by
295 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
296 # we have a fallback in the assertion)
298 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
299 m
["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
300 "userAccountControl")
303 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
304 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
305 self
.assertTrue(len(res1
) == 1)
306 self
.assertTrue(res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS
) or
307 res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS
))
309 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
311 # Recreate account for further tests
314 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
315 "objectclass": "user"})
317 # Try to set an invalid account name
319 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
320 m
["sAMAccountName"] = MessageElement("administrator", FLAG_MOD_REPLACE
,
325 except LdbError
, (num
, _
):
326 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
328 # But to reset the actual "sAMAccountName" should still be possible
329 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
330 scope
=SCOPE_BASE
, attrs
=["sAMAccountName"])
331 self
.assertTrue(len(res1
) == 1)
333 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
334 m
["sAMAccountName"] = MessageElement(res1
[0]["sAMAccountName"][0], FLAG_MOD_REPLACE
,
338 # And another (free) name should be possible as well
340 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
341 m
["sAMAccountName"] = MessageElement("xxx_ldaptestuser_xxx", FLAG_MOD_REPLACE
,
345 # We should be able to reset our actual primary group
347 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
348 m
["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS
), FLAG_MOD_REPLACE
,
352 # Try to add invalid primary group
354 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
355 m
["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE
,
360 except LdbError
, (num
, _
):
361 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
363 # Try to make group 1 primary - should be denied since it is not yet
366 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
367 m
["primaryGroupID"] = MessageElement(str(group_rid_1
),
368 FLAG_MOD_REPLACE
, "primaryGroupID")
372 except LdbError
, (num
, _
):
373 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
375 # Make group 1 secondary
377 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
378 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
379 FLAG_MOD_REPLACE
, "member")
382 # Make group 1 primary
384 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
385 m
["primaryGroupID"] = MessageElement(str(group_rid_1
),
386 FLAG_MOD_REPLACE
, "primaryGroupID")
389 # Try to delete group 1 - should be denied
391 ldb
.delete("cn=ldaptestgroup,cn=users," + self
.base_dn
)
393 except LdbError
, (num
, _
):
394 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
396 # Try to add group 1 also as secondary - should be denied
398 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
399 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
400 FLAG_MOD_ADD
, "member")
404 except LdbError
, (num
, _
):
405 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
407 # Try to add invalid member to group 1 - should be denied
409 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
410 m
["member"] = MessageElement(
411 "cn=ldaptestuser3,cn=users," + self
.base_dn
,
412 FLAG_MOD_ADD
, "member")
416 except LdbError
, (num
, _
):
417 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
419 # Make group 2 secondary
421 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
422 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
423 FLAG_MOD_ADD
, "member")
428 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
429 m
["primaryGroupID"] = MessageElement(str(group_rid_2
),
430 FLAG_MOD_REPLACE
, "primaryGroupID")
433 # Swap the groups (does not really make sense but does the same)
435 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
436 m
["primaryGroupID"] = MessageElement(str(group_rid_1
),
437 FLAG_MOD_REPLACE
, "primaryGroupID")
438 m
["primaryGroupID"] = MessageElement(str(group_rid_2
),
439 FLAG_MOD_REPLACE
, "primaryGroupID")
442 # Old primary group should contain a "member" attribute for the user,
443 # the new shouldn't contain anymore one
444 res1
= ldb
.search("cn=ldaptestgroup, cn=users," + self
.base_dn
,
445 scope
=SCOPE_BASE
, attrs
=["member"])
446 self
.assertTrue(len(res1
) == 1)
447 self
.assertTrue(len(res1
[0]["member"]) == 1)
448 self
.assertEquals(res1
[0]["member"][0].lower(),
449 ("cn=ldaptestuser,cn=users," + self
.base_dn
).lower())
451 res1
= ldb
.search("cn=ldaptestgroup2, cn=users," + self
.base_dn
,
452 scope
=SCOPE_BASE
, attrs
=["member"])
453 self
.assertTrue(len(res1
) == 1)
454 self
.assertFalse("member" in res1
[0])
456 # Primary group member
458 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
459 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
460 FLAG_MOD_DELETE
, "member")
464 except LdbError
, (num
, _
):
465 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
467 # Delete invalid group member
469 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
470 m
["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self
.base_dn
,
471 FLAG_MOD_DELETE
, "member")
475 except LdbError
, (num
, _
):
476 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
478 # Also this should be denied
481 "dn": "cn=ldaptestuser2,cn=users," + self
.base_dn
,
482 "objectclass": "user",
483 "primaryGroupID": "0"})
485 except LdbError
, (num
, _
):
486 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
488 # Recreate user accounts
490 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
493 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
494 "objectclass": "user"})
497 "dn": "cn=ldaptestuser2,cn=users," + self
.base_dn
,
498 "objectclass": "user"})
501 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
502 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
503 FLAG_MOD_ADD
, "member")
508 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
509 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
510 FLAG_MOD_ADD
, "member")
514 except LdbError
, (num
, _
):
515 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
517 # Already added, but as <SID=...>
518 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
519 scope
=SCOPE_BASE
, attrs
=["objectSid"])
520 self
.assertTrue(len(res1
) == 1)
521 sid_bin
= res1
[0]["objectSid"][0]
522 sid_str
= ("<SID=" + ldb
.schema_format_value("objectSid", sid_bin
) + ">").upper()
525 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
526 m
["member"] = MessageElement(sid_str
, FLAG_MOD_ADD
, "member")
530 except LdbError
, (num
, _
):
531 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
535 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
536 m
["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self
.base_dn
,
537 FLAG_MOD_REPLACE
, "member")
541 except LdbError
, (num
, _
):
542 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
546 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
547 m
["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self
.base_dn
,
548 "cn=ldaptestuser1,cn=users," + self
.base_dn
],
549 FLAG_MOD_REPLACE
, "member")
553 except LdbError
, (num
, _
):
554 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
558 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
559 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
560 FLAG_MOD_REPLACE
, "member")
561 m
["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self
.base_dn
,
562 FLAG_MOD_ADD
, "member")
566 except LdbError
, (num
, _
):
567 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
570 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
571 m
["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self
.base_dn
,
572 "cn=ldaptestuser2,cn=users," + self
.base_dn
],
573 FLAG_MOD_REPLACE
, "member")
576 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
577 delete_force(self
.ldb
, "cn=ldaptestuser2,cn=users," + self
.base_dn
)
578 delete_force(self
.ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
579 delete_force(self
.ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
581 # Make also a small test for accounts with special DNs ("," in this case)
583 "dn": "cn=ldaptest\,specialuser,cn=users," + self
.base_dn
,
584 "objectclass": "user"})
585 delete_force(self
.ldb
, "cn=ldaptest\,specialuser,cn=users," + self
.base_dn
)
587 def test_sam_attributes(self
):
588 """Test the behaviour of special attributes of SAM objects"""
589 print "Testing the behaviour of special attributes of SAM objects\n"""
592 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
593 "objectclass
": "user
"})
595 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
596 "objectclass
": "group
"})
599 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
600 m["groupType
"] = MessageElement(str(GTYPE_SECURITY_GLOBAL_GROUP), FLAG_MOD_ADD,
605 except LdbError, (num, _):
606 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
608 # Delete protection tests
610 for attr in ["nTSecurityDescriptor
", "objectSid
", "sAMAccountType
",
611 "sAMAccountName
", "groupType
"]:
614 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
615 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
619 except LdbError, (num, _):
620 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
623 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
624 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
628 except LdbError, (num, _):
629 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
632 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
633 m["primaryGroupID
"] = MessageElement("513", FLAG_MOD_ADD,
638 except LdbError, (num, _):
639 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
642 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
643 m["userAccountControl
"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_ADD,
644 "userAccountControl
")
648 except LdbError, (num, _):
649 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
652 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
653 m["objectSid
"] = MessageElement("xxxxxxxxxxxxxxxx
", FLAG_MOD_ADD,
658 except LdbError, (num, _):
659 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
662 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
663 m["sAMAccountType
"] = MessageElement("0", FLAG_MOD_ADD,
668 except LdbError, (num, _):
669 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
672 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
673 m["sAMAccountName
"] = MessageElement("test
", FLAG_MOD_ADD,
678 except LdbError, (num, _):
679 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
681 # Delete protection tests
683 for attr in ["nTSecurityDescriptor
", "objectSid
", "sAMAccountType
",
684 "sAMAccountName
", "primaryGroupID
", "userAccountControl
",
685 "accountExpires
", "badPasswordTime
", "badPwdCount
",
686 "codePage
", "countryCode
", "lastLogoff
", "lastLogon
",
687 "logonCount
", "pwdLastSet
"]:
690 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
691 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
695 except LdbError, (num, _):
696 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
699 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
700 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
704 except LdbError, (num, _):
705 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
707 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
708 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
710 def test_primary_group_token_constructed(self):
711 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
712 print "Testing primary group token behaviour
and other constructed attributes
\n"
716 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
717 "objectclass
": "group
",
718 "primaryGroupToken
": "100"})
720 except LdbError, (num, _):
721 self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
722 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
725 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
726 "objectclass
": "user
"})
729 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
730 "objectclass
": "group
"})
732 # Testing for one invalid, and one valid operational attribute, but also the things they are built from
733 res1 = ldb.search(self.base_dn,
734 scope=SCOPE_BASE, attrs=["primaryGroupToken
", "canonicalName
", "objectClass
", "objectSid
"])
735 self.assertTrue(len(res1) == 1)
736 self.assertFalse("primaryGroupToken
" in res1[0])
737 self.assertTrue("canonicalName
" in res1[0])
738 self.assertTrue("objectClass
" in res1[0])
739 self.assertTrue("objectSid
" in res1[0])
741 res1 = ldb.search(self.base_dn,
742 scope=SCOPE_BASE, attrs=["primaryGroupToken
", "canonicalName
"])
743 self.assertTrue(len(res1) == 1)
744 self.assertFalse("primaryGroupToken
" in res1[0])
745 self.assertFalse("objectSid
" in res1[0])
746 self.assertFalse("objectClass
" in res1[0])
747 self.assertTrue("canonicalName
" in res1[0])
749 res1 = ldb.search("cn
=users
," + self.base_dn,
750 scope=SCOPE_BASE, attrs=["primaryGroupToken
"])
751 self.assertTrue(len(res1) == 1)
752 self.assertFalse("primaryGroupToken
" in res1[0])
754 res1 = ldb.search("cn
=ldaptestuser
, cn
=users
," + self.base_dn,
755 scope=SCOPE_BASE, attrs=["primaryGroupToken
"])
756 self.assertTrue(len(res1) == 1)
757 self.assertFalse("primaryGroupToken
" in res1[0])
759 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
761 self.assertTrue(len(res1) == 1)
762 self.assertFalse("primaryGroupToken
" in res1[0])
764 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
765 scope=SCOPE_BASE, attrs=["primaryGroupToken
", "objectSID
"])
766 self.assertTrue(len(res1) == 1)
767 primary_group_token = int(res1[0]["primaryGroupToken
"][0])
769 rid = security.dom_sid(ldb.schema_format_value("objectSID
", res1[0]["objectSID
"][0])).split()[1]
770 self.assertEquals(primary_group_token, rid)
773 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
774 m["primaryGroupToken
"] = "100"
778 except LdbError, (num, _):
779 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
781 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
782 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
784 def test_tokenGroups(self):
785 """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
786 print "Testing tokenGroups behaviour
\n"
788 # The domain object shouldn't contain any "tokenGroups
" entry
789 res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups
"])
790 self.assertTrue(len(res) == 1)
791 self.assertFalse("tokenGroups
" in res[0])
793 # The domain administrator should contain "tokenGroups
" entries
794 # (the exact number depends on the domain/forest function level and the
795 # DC software versions)
796 res = ldb.search("cn
=Administrator
,cn
=Users
," + self.base_dn,
797 scope=SCOPE_BASE, attrs=["tokenGroups
"])
798 self.assertTrue(len(res) == 1)
799 self.assertTrue("tokenGroups
" in res[0])
802 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
803 "objectclass
": "user
"})
805 # This testuser should contain at least two "tokenGroups
" entries
806 # (exactly two on an unmodified "Domain Users
" and "Users
" group)
807 res = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
808 scope=SCOPE_BASE, attrs=["tokenGroups
"])
809 self.assertTrue(len(res) == 1)
810 self.assertTrue(len(res[0]["tokenGroups
"]) >= 2)
812 # one entry which we need to find should point to domains "Domain Users
"
813 # group and another entry should point to the builtin "Users
"group
814 domain_users_group_found = False
815 users_group_found = False
816 for sid in res[0]["tokenGroups
"]:
817 rid = security.dom_sid(ldb.schema_format_value("objectSID
", sid)).split()[1]
819 domain_users_group_found = True
821 users_group_found = True
823 self.assertTrue(domain_users_group_found)
824 self.assertTrue(users_group_found)
826 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
828 def test_groupType(self):
829 """Test the groupType behaviour"""
830 print "Testing groupType behaviour
\n"
832 # You can never create or change to a
833 # "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
"
840 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
841 "objectclass
": "group
",
844 except LdbError, (num, _):
845 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
846 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
850 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
851 "objectclass
": "group
",
852 "groupType
": str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP)})
854 except LdbError, (num, _):
855 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
856 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
859 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
860 "objectclass
": "group
",
861 "groupType
": str(GTYPE_SECURITY_GLOBAL_GROUP)})
863 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
864 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
865 self.assertTrue(len(res1) == 1)
866 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
867 ATYPE_SECURITY_GLOBAL_GROUP)
868 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
871 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
872 "objectclass
": "group
",
873 "groupType
": str(GTYPE_SECURITY_UNIVERSAL_GROUP)})
875 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
876 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
877 self.assertTrue(len(res1) == 1)
878 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
879 ATYPE_SECURITY_UNIVERSAL_GROUP)
880 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
883 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
884 "objectclass
": "group
",
885 "groupType
": str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)})
887 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
888 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
889 self.assertTrue(len(res1) == 1)
890 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
891 ATYPE_SECURITY_LOCAL_GROUP)
892 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
895 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
896 "objectclass
": "group
",
897 "groupType
": str(GTYPE_DISTRIBUTION_GLOBAL_GROUP)})
899 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
900 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
901 self.assertTrue(len(res1) == 1)
902 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
903 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
904 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
907 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
908 "objectclass
": "group
",
909 "groupType
": str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP)})
911 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
912 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
913 self.assertTrue(len(res1) == 1)
914 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
915 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
916 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
919 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
920 "objectclass
": "group
",
921 "groupType
": str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)})
923 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
924 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
925 self.assertTrue(len(res1) == 1)
926 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
927 ATYPE_DISTRIBUTION_LOCAL_GROUP)
928 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
933 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
934 "objectclass
": "group
"})
936 # We can change in this direction: global <-> universal <-> local
937 # On each step also the group type itself (security/distribution) is
940 # After creation we should have a "security
global group
"
941 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
942 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
943 self.assertTrue(len(res1) == 1)
944 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
945 ATYPE_SECURITY_GLOBAL_GROUP)
950 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
951 m["groupType
"] = MessageElement("0",
952 FLAG_MOD_REPLACE, "groupType
")
955 except LdbError, (num, _):
956 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
960 # Default is "global group
"
963 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
964 m["groupType
"] = MessageElement(
965 str(GTYPE_SECURITY_GLOBAL_GROUP),
966 FLAG_MOD_REPLACE, "groupType
")
969 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
970 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
971 self.assertTrue(len(res1) == 1)
972 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
973 ATYPE_SECURITY_GLOBAL_GROUP)
975 # Change to "local
" (shouldn't work)
979 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
980 m["groupType
"] = MessageElement(
981 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
982 FLAG_MOD_REPLACE, "groupType
")
985 except LdbError, (num, _):
986 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
988 # Change to "universal
"
991 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
992 m["groupType
"] = MessageElement(
993 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
994 FLAG_MOD_REPLACE, "groupType
")
997 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
998 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
999 self.assertTrue(len(res1) == 1)
1000 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1001 ATYPE_SECURITY_UNIVERSAL_GROUP)
1003 # Change back to "global"
1006 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1007 m["groupType
"] = MessageElement(
1008 str(GTYPE_SECURITY_GLOBAL_GROUP),
1009 FLAG_MOD_REPLACE, "groupType
")
1012 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1013 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1014 self.assertTrue(len(res1) == 1)
1015 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1016 ATYPE_SECURITY_GLOBAL_GROUP)
1018 # Change back to "universal
"
1021 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1022 m["groupType
"] = MessageElement(
1023 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1024 FLAG_MOD_REPLACE, "groupType
")
1027 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1028 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1029 self.assertTrue(len(res1) == 1)
1030 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1031 ATYPE_SECURITY_UNIVERSAL_GROUP)
1036 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1037 m["groupType
"] = MessageElement(
1038 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1039 FLAG_MOD_REPLACE, "groupType
")
1042 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1043 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1044 self.assertTrue(len(res1) == 1)
1045 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1046 ATYPE_SECURITY_LOCAL_GROUP)
1048 # Change to "global" (shouldn't work)
1052 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1053 m["groupType
"] = MessageElement(
1054 str(GTYPE_SECURITY_GLOBAL_GROUP),
1055 FLAG_MOD_REPLACE, "groupType
")
1058 except LdbError, (num, _):
1059 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1061 # Change to "builtin local
" (shouldn't work)
1065 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1066 m["groupType
"] = MessageElement(
1067 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1068 FLAG_MOD_REPLACE, "groupType
")
1071 except LdbError, (num, _):
1072 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1075 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1077 # Change back to "universal
"
1080 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1081 m["groupType
"] = MessageElement(
1082 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1083 FLAG_MOD_REPLACE, "groupType
")
1086 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1087 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1088 self.assertTrue(len(res1) == 1)
1089 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1090 ATYPE_SECURITY_UNIVERSAL_GROUP)
1092 # Change to "builtin local
" (shouldn't work)
1096 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1097 m["groupType
"] = MessageElement(
1098 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1099 FLAG_MOD_REPLACE, "groupType
")
1102 except LdbError, (num, _):
1103 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1105 # Change back to "global"
1108 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1109 m["groupType
"] = MessageElement(
1110 str(GTYPE_SECURITY_GLOBAL_GROUP),
1111 FLAG_MOD_REPLACE, "groupType
")
1114 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1115 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1116 self.assertTrue(len(res1) == 1)
1117 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1118 ATYPE_SECURITY_GLOBAL_GROUP)
1120 # Change to "builtin local
" (shouldn't work)
1124 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1125 m["groupType
"] = MessageElement(
1126 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1127 FLAG_MOD_REPLACE, "groupType
")
1130 except LdbError, (num, _):
1131 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1133 # Distribution groups
1135 # Default is "global group
"
1138 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1139 m["groupType
"] = MessageElement(
1140 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1141 FLAG_MOD_REPLACE, "groupType
")
1144 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1145 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1146 self.assertTrue(len(res1) == 1)
1147 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1148 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1150 # Change to local (shouldn't work)
1154 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1155 m["groupType
"] = MessageElement(
1156 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1157 FLAG_MOD_REPLACE, "groupType
")
1160 except LdbError, (num, _):
1161 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1163 # Change to "universal
"
1166 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1167 m["groupType
"] = MessageElement(
1168 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1169 FLAG_MOD_REPLACE, "groupType
")
1172 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1173 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1174 self.assertTrue(len(res1) == 1)
1175 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1176 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1178 # Change back to "global"
1181 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1182 m["groupType
"] = MessageElement(
1183 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1184 FLAG_MOD_REPLACE, "groupType
")
1187 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1188 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1189 self.assertTrue(len(res1) == 1)
1190 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1191 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1193 # Change back to "universal
"
1196 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1197 m["groupType
"] = MessageElement(
1198 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1199 FLAG_MOD_REPLACE, "groupType
")
1202 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1203 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1204 self.assertTrue(len(res1) == 1)
1205 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1206 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1211 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1212 m["groupType
"] = MessageElement(
1213 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1214 FLAG_MOD_REPLACE, "groupType
")
1217 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1218 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1219 self.assertTrue(len(res1) == 1)
1220 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1221 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1223 # Change to "global" (shouldn't work)
1227 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1228 m["groupType
"] = MessageElement(
1229 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1230 FLAG_MOD_REPLACE, "groupType
")
1233 except LdbError, (num, _):
1234 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1236 # Change back to "universal
"
1238 # Try to add invalid member to group 1 - should be denied
1240 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1241 m["member
"] = MessageElement(
1242 "cn
=ldaptestuser3
,cn
=users
," + self.base_dn,
1243 FLAG_MOD_ADD, "member
")
1247 except LdbError, (num, _):
1248 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1250 # Make group 2 secondary
1252 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1253 m["groupType
"] = MessageElement(
1254 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1255 FLAG_MOD_REPLACE, "groupType
")
1258 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1259 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1260 self.assertTrue(len(res1) == 1)
1261 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1262 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1264 # Change back to "global"
1267 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1268 m["groupType
"] = MessageElement(
1269 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1270 FLAG_MOD_REPLACE, "groupType
")
1273 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1274 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1275 self.assertTrue(len(res1) == 1)
1276 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1277 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1279 # Both group types: this performs only random checks - all possibilities
1280 # would require too much code.
1282 # Default is "global group
"
1285 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1286 m["groupType
"] = MessageElement(
1287 str(GTYPE_SECURITY_GLOBAL_GROUP),
1288 FLAG_MOD_REPLACE, "groupType
")
1291 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1292 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1293 self.assertTrue(len(res1) == 1)
1294 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1295 ATYPE_SECURITY_GLOBAL_GROUP)
1297 # Change to "local
" (shouldn't work)
1301 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1302 m["groupType
"] = MessageElement(
1303 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1304 FLAG_MOD_REPLACE, "groupType
")
1307 except LdbError, (num, _):
1308 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1310 # Change to "universal
"
1313 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1314 m["groupType
"] = MessageElement(
1315 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1316 FLAG_MOD_REPLACE, "groupType
")
1319 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1320 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1321 self.assertTrue(len(res1) == 1)
1322 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1323 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1325 # Change back to "global"
1328 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1329 m["groupType
"] = MessageElement(
1330 str(GTYPE_SECURITY_GLOBAL_GROUP),
1331 FLAG_MOD_REPLACE, "groupType
")
1334 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1335 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1336 self.assertTrue(len(res1) == 1)
1337 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1338 ATYPE_SECURITY_GLOBAL_GROUP)
1340 # Change back to "universal
"
1343 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1344 m["groupType
"] = MessageElement(
1345 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1346 FLAG_MOD_REPLACE, "groupType
")
1349 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1350 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1351 self.assertTrue(len(res1) == 1)
1352 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1353 ATYPE_SECURITY_UNIVERSAL_GROUP)
1358 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1359 m["groupType
"] = MessageElement(
1360 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1361 FLAG_MOD_REPLACE, "groupType
")
1364 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1365 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1366 self.assertTrue(len(res1) == 1)
1367 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1368 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1370 # Change to "global" (shouldn't work)
1374 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1375 m["groupType
"] = MessageElement(
1376 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1377 FLAG_MOD_REPLACE, "groupType
")
1380 except LdbError, (num, _):
1381 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1383 # Change back to "universal
"
1386 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1387 m["groupType
"] = MessageElement(
1388 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1389 FLAG_MOD_REPLACE, "groupType
")
1392 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1393 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1394 self.assertTrue(len(res1) == 1)
1395 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1396 ATYPE_SECURITY_UNIVERSAL_GROUP)
1398 # Change back to "global"
1401 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1402 m["groupType
"] = MessageElement(
1403 str(GTYPE_SECURITY_GLOBAL_GROUP),
1404 FLAG_MOD_REPLACE, "groupType
")
1407 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1408 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1409 self.assertTrue(len(res1) == 1)
1410 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1411 ATYPE_SECURITY_GLOBAL_GROUP)
1413 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1415 def test_userAccountControl(self):
1416 """Test the userAccountControl behaviour"""
1417 print "Testing userAccountControl behaviour
\n"
1419 # With a user object
1423 # As user you can only set a normal account.
1424 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1426 # With SYSTEM rights you can set a interdomain trust account.
1429 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1430 "objectclass
": "user
",
1431 "userAccountControl
": "0"})
1433 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1435 attrs=["sAMAccountType
", "userAccountControl
"])
1436 self.assertTrue(len(res1) == 1)
1437 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1438 ATYPE_NORMAL_ACCOUNT)
1439 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1440 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_PASSWD_NOTREQD == 0)
1441 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1443 # This has to wait until s4 supports it (needs a password module change)
1446 # "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1447 # "objectclass
": "user
",
1448 # "userAccountControl
": str(UF_NORMAL_ACCOUNT)})
1450 # except LdbError, (num, _):
1451 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1452 # delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1455 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1456 "objectclass
": "user
",
1457 "userAccountControl
": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1459 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1461 attrs=["sAMAccountType
", "userAccountControl
"])
1462 self.assertTrue(len(res1) == 1)
1463 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1464 ATYPE_NORMAL_ACCOUNT)
1465 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1466 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1470 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1471 "objectclass
": "user
",
1472 "userAccountControl
": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1474 except LdbError, (num, _):
1475 self.assertEquals(num, ERR_OTHER)
1476 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1480 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1481 "objectclass
": "user
",
1482 "userAccountControl
": str(UF_SERVER_TRUST_ACCOUNT)})
1484 except LdbError, (num, _):
1485 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1486 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1490 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1491 "objectclass
": "user
",
1492 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1493 except LdbError, (num, _):
1494 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1495 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1499 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1500 "objectclass
": "user
",
1501 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)})
1502 except LdbError, (num, _):
1503 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1504 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1506 # This isn't supported yet in s4 - needs ACL module adaption
1509 # "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1510 # "objectclass
": "user
",
1511 # "userAccountControl
": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1513 # except LdbError, (num, _):
1514 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1515 # delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1520 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1521 "objectclass
": "user
"})
1523 # After creation we should have a normal account
1524 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1526 attrs=["sAMAccountType
", "userAccountControl
"])
1527 self.assertTrue(len(res1) == 1)
1528 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1529 ATYPE_NORMAL_ACCOUNT)
1530 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE != 0)
1532 # As user you can only switch from a normal account to a workstation
1533 # trust account and back.
1534 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1536 # With SYSTEM rights you can switch to a interdomain trust account.
1541 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1542 m["userAccountControl
"] = MessageElement("0",
1543 FLAG_MOD_REPLACE, "userAccountControl
")
1545 except LdbError, (num, _):
1546 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1548 # This has to wait until s4 supports it (needs a password module change)
1551 # m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1552 # m["userAccountControl
"] = MessageElement(
1553 # str(UF_NORMAL_ACCOUNT),
1554 # FLAG_MOD_REPLACE, "userAccountControl
")
1556 # except LdbError, (num, _):
1557 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1560 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1561 m["userAccountControl
"] = MessageElement(
1562 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1563 FLAG_MOD_REPLACE, "userAccountControl
")
1566 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1568 attrs=["sAMAccountType
", "userAccountControl
"])
1569 self.assertTrue(len(res1) == 1)
1570 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1571 ATYPE_NORMAL_ACCOUNT)
1572 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1576 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1577 m["userAccountControl
"] = MessageElement(
1578 str(UF_TEMP_DUPLICATE_ACCOUNT),
1579 FLAG_MOD_REPLACE, "userAccountControl
")
1582 except LdbError, (num, _):
1583 self.assertEquals(num, ERR_OTHER)
1587 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1588 m["userAccountControl
"] = MessageElement(
1589 str(UF_SERVER_TRUST_ACCOUNT),
1590 FLAG_MOD_REPLACE, "userAccountControl
")
1593 except LdbError, (num, _):
1594 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1597 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1598 m["userAccountControl
"] = MessageElement(
1599 str(UF_WORKSTATION_TRUST_ACCOUNT),
1600 FLAG_MOD_REPLACE, "userAccountControl
")
1605 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1606 m["userAccountControl
"] = MessageElement(
1607 str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT),
1608 FLAG_MOD_REPLACE, "userAccountControl
")
1611 except LdbError, (num, _):
1612 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1614 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1615 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1616 self.assertTrue(len(res1) == 1)
1617 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1618 ATYPE_WORKSTATION_TRUST)
1621 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1622 m["userAccountControl
"] = MessageElement(
1623 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1624 FLAG_MOD_REPLACE, "userAccountControl
")
1627 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1628 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1629 self.assertTrue(len(res1) == 1)
1630 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1631 ATYPE_NORMAL_ACCOUNT)
1633 # This isn't supported yet in s4 - needs ACL module adaption
1636 # m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1637 # m["userAccountControl
"] = MessageElement(
1638 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1639 # FLAG_MOD_REPLACE, "userAccountControl
")
1642 # except LdbError, (num, _):
1643 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1645 # With a computer object
1649 # As computer you can set a normal account and a server trust account.
1650 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1652 # With SYSTEM rights you can set a interdomain trust account.
1655 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1656 "objectclass
": "computer
",
1657 "userAccountControl
": "0"})
1659 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1661 attrs=["sAMAccountType
", "userAccountControl
"])
1662 self.assertTrue(len(res1) == 1)
1663 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1664 ATYPE_NORMAL_ACCOUNT)
1665 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1666 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_PASSWD_NOTREQD == 0)
1667 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1669 # This has to wait until s4 supports it (needs a password module change)
1672 # "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1673 # "objectclass
": "computer
",
1674 # "userAccountControl
": str(UF_NORMAL_ACCOUNT)})
1676 # except LdbError, (num, _):
1677 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1678 # delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1681 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1682 "objectclass
": "computer
",
1683 "userAccountControl
": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1685 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1687 attrs=["sAMAccountType
", "userAccountControl
"])
1688 self.assertTrue(len(res1) == 1)
1689 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1690 ATYPE_NORMAL_ACCOUNT)
1691 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1692 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1696 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1697 "objectclass
": "computer
",
1698 "userAccountControl
": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1700 except LdbError, (num, _):
1701 self.assertEquals(num, ERR_OTHER)
1702 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1705 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1706 "objectclass
": "computer
",
1707 "userAccountControl
": str(UF_SERVER_TRUST_ACCOUNT)})
1709 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1710 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1711 self.assertTrue(len(res1) == 1)
1712 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1713 ATYPE_WORKSTATION_TRUST)
1714 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1718 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1719 "objectclass
": "computer
",
1720 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1721 except LdbError, (num, _):
1722 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1723 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1725 # This isn't supported yet in s4 - needs ACL module adaption
1728 # "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1729 # "objectclass
": "computer
",
1730 # "userAccountControl
": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1732 # except LdbError, (num, _):
1733 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1734 # delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1739 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1740 "objectclass
": "computer
"})
1742 # After creation we should have a normal account
1743 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1745 attrs=["sAMAccountType
", "userAccountControl
"])
1746 self.assertTrue(len(res1) == 1)
1747 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1748 ATYPE_NORMAL_ACCOUNT)
1749 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE != 0)
1751 # As computer you can switch from a normal account to a workstation
1752 # or server trust account and back (also swapping between trust
1753 # accounts is allowed).
1754 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1756 # With SYSTEM rights you can switch to a interdomain trust account.
1761 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1762 m["userAccountControl
"] = MessageElement("0",
1763 FLAG_MOD_REPLACE, "userAccountControl
")
1765 except LdbError, (num, _):
1766 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1768 # This has to wait until s4 supports it (needs a password module change)
1771 # m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1772 # m["userAccountControl
"] = MessageElement(
1773 # str(UF_NORMAL_ACCOUNT),
1774 # FLAG_MOD_REPLACE, "userAccountControl
")
1776 # except LdbError, (num, _):
1777 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1780 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1781 m["userAccountControl
"] = MessageElement(
1782 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1783 FLAG_MOD_REPLACE, "userAccountControl
")
1786 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1788 attrs=["sAMAccountType
", "userAccountControl
"])
1789 self.assertTrue(len(res1) == 1)
1790 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1791 ATYPE_NORMAL_ACCOUNT)
1792 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1796 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1797 m["userAccountControl
"] = MessageElement(
1798 str(UF_TEMP_DUPLICATE_ACCOUNT),
1799 FLAG_MOD_REPLACE, "userAccountControl
")
1802 except LdbError, (num, _):
1803 self.assertEquals(num, ERR_OTHER)
1806 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1807 m["userAccountControl
"] = MessageElement(
1808 str(UF_SERVER_TRUST_ACCOUNT),
1809 FLAG_MOD_REPLACE, "userAccountControl
")
1812 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1813 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1814 self.assertTrue(len(res1) == 1)
1815 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1816 ATYPE_WORKSTATION_TRUST)
1819 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1820 m["userAccountControl
"] = MessageElement(
1821 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1822 FLAG_MOD_REPLACE, "userAccountControl
")
1825 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1826 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1827 self.assertTrue(len(res1) == 1)
1828 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1829 ATYPE_NORMAL_ACCOUNT)
1832 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1833 m["userAccountControl
"] = MessageElement(
1834 str(UF_WORKSTATION_TRUST_ACCOUNT),
1835 FLAG_MOD_REPLACE, "userAccountControl
")
1838 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1839 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1840 self.assertTrue(len(res1) == 1)
1841 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1842 ATYPE_WORKSTATION_TRUST)
1845 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1846 m["userAccountControl
"] = MessageElement(
1847 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1848 FLAG_MOD_REPLACE, "userAccountControl
")
1851 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1852 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1853 self.assertTrue(len(res1) == 1)
1854 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1855 ATYPE_NORMAL_ACCOUNT)
1858 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1859 m["userAccountControl
"] = MessageElement(
1860 str(UF_SERVER_TRUST_ACCOUNT),
1861 FLAG_MOD_REPLACE, "userAccountControl
")
1864 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1865 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1866 self.assertTrue(len(res1) == 1)
1867 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1868 ATYPE_WORKSTATION_TRUST)
1871 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1872 m["userAccountControl
"] = MessageElement(
1873 str(UF_WORKSTATION_TRUST_ACCOUNT),
1874 FLAG_MOD_REPLACE, "userAccountControl
")
1877 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1878 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1879 self.assertTrue(len(res1) == 1)
1880 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1881 ATYPE_WORKSTATION_TRUST)
1883 # This isn't supported yet in s4 - needs ACL module adaption
1886 # m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1887 # m["userAccountControl
"] = MessageElement(
1888 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1889 # FLAG_MOD_REPLACE, "userAccountControl
")
1892 # except LdbError, (num, _):
1893 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1895 # "primaryGroupID
" does not change if account type remains the same
1897 # For a user account
1900 "dn
": "cn
=ldaptestuser2
,cn
=users
," + self.base_dn,
1901 "objectclass
": "user
",
1902 "userAccountControl
": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)})
1904 res1 = ldb.search("cn
=ldaptestuser2
,cn
=users
," + self.base_dn,
1906 attrs=["userAccountControl
"])
1907 self.assertTrue(len(res1) == 1)
1908 self.assertEquals(int(res1[0]["userAccountControl
"][0]),
1909 UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE)
1912 m.dn = Dn(ldb, "<SID
=" + ldb.get_domain_sid() + "-" + str(DOMAIN_RID_ADMINS) + ">")
1913 m["member
"] = MessageElement(
1914 "cn
=ldaptestuser2
,cn
=users
," + self.base_dn, FLAG_MOD_ADD, "member
")
1918 m.dn = Dn(ldb, "cn
=ldaptestuser2
,cn
=users
," + self.base_dn)
1919 m["primaryGroupID
"] = MessageElement(str(DOMAIN_RID_ADMINS),
1920 FLAG_MOD_REPLACE, "primaryGroupID
")
1924 m.dn = Dn(ldb, "cn
=ldaptestuser2
,cn
=users
," + self.base_dn)
1925 m["userAccountControl
"] = MessageElement(
1926 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1927 FLAG_MOD_REPLACE, "userAccountControl
")
1930 res1 = ldb.search("cn
=ldaptestuser2
,cn
=users
," + self.base_dn,
1932 attrs=["userAccountControl
", "primaryGroupID
"])
1933 self.assertTrue(len(res1) == 1)
1934 self.assertTrue(int(res1[0]["userAccountControl
"][0]) & UF_ACCOUNTDISABLE == 0)
1935 self.assertEquals(int(res1[0]["primaryGroupID
"][0]), DOMAIN_RID_ADMINS)
1937 # For a workstation account
1939 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1941 attrs=["primaryGroupID
"])
1942 self.assertTrue(len(res1) == 1)
1943 self.assertEquals(int(res1[0]["primaryGroupID
"][0]), DOMAIN_RID_DOMAIN_MEMBERS)
1946 m.dn = Dn(ldb, "<SID
=" + ldb.get_domain_sid() + "-" + str(DOMAIN_RID_USERS) + ">")
1947 m["member
"] = MessageElement(
1948 "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn, FLAG_MOD_ADD, "member
")
1952 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1953 m["primaryGroupID
"] = MessageElement(str(DOMAIN_RID_USERS),
1954 FLAG_MOD_REPLACE, "primaryGroupID
")
1958 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1959 m["userAccountControl
"] = MessageElement(
1960 str(UF_WORKSTATION_TRUST_ACCOUNT),
1961 FLAG_MOD_REPLACE, "userAccountControl
")
1964 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1966 attrs=["primaryGroupID
"])
1967 self.assertTrue(len(res1) == 1)
1968 self.assertEquals(int(res1[0]["primaryGroupID
"][0]), DOMAIN_RID_USERS)
1970 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1971 delete_force(self.ldb, "cn
=ldaptestuser2
,cn
=users
," + self.base_dn)
1972 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1974 def test_isCriticalSystemObject(self):
1975 """Test the isCriticalSystemObject behaviour"""
1976 print "Testing isCriticalSystemObject behaviour
\n"
1981 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1982 "objectclass
": "computer
"})
1984 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1986 attrs=["isCriticalSystemObject
"])
1987 self.assertTrue(len(res1) == 1)
1988 self.assertTrue("isCriticalSystemObject
" not in res1[0])
1990 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1993 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1994 "objectclass
": "computer
",
1995 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1997 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1999 attrs=["isCriticalSystemObject
"])
2000 self.assertTrue(len(res1) == 1)
2001 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "FALSE
")
2003 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2006 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2007 "objectclass
": "computer
",
2008 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)})
2010 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2012 attrs=["isCriticalSystemObject
"])
2013 self.assertTrue(len(res1) == 1)
2014 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2016 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2019 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2020 "objectclass
": "computer
",
2021 "userAccountControl
": str(UF_SERVER_TRUST_ACCOUNT)})
2023 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2025 attrs=["isCriticalSystemObject
"])
2026 self.assertTrue(len(res1) == 1)
2027 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2029 # Modification tests
2032 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2033 m["userAccountControl
"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
2034 FLAG_MOD_REPLACE, "userAccountControl
")
2037 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2039 attrs=["isCriticalSystemObject
"])
2040 self.assertTrue(len(res1) == 1)
2041 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2044 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2045 m["userAccountControl
"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT),
2046 FLAG_MOD_REPLACE, "userAccountControl
")
2049 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2051 attrs=["isCriticalSystemObject
"])
2052 self.assertTrue(len(res1) == 1)
2053 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "FALSE
")
2056 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2057 m["userAccountControl
"] = MessageElement(
2058 str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT),
2059 FLAG_MOD_REPLACE, "userAccountControl
")
2062 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2064 attrs=["isCriticalSystemObject
"])
2065 self.assertTrue(len(res1) == 1)
2066 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2069 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2070 m["userAccountControl
"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
2071 FLAG_MOD_REPLACE, "userAccountControl
")
2074 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2076 attrs=["isCriticalSystemObject
"])
2077 self.assertTrue(len(res1) == 1)
2078 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2081 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2082 m["userAccountControl
"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT),
2083 FLAG_MOD_REPLACE, "userAccountControl
")
2086 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2088 attrs=["isCriticalSystemObject
"])
2089 self.assertTrue(len(res1) == 1)
2090 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "TRUE
")
2093 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2094 m["userAccountControl
"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT),
2095 FLAG_MOD_REPLACE, "userAccountControl
")
2098 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2100 attrs=["isCriticalSystemObject
"])
2101 self.assertTrue(len(res1) == 1)
2102 self.assertEquals(res1[0]["isCriticalSystemObject
"][0], "FALSE
")
2104 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2106 def test_service_principal_name_updates(self):
2107 """Test the servicePrincipalNames update behaviour"""
2108 print "Testing servicePrincipalNames update behaviour
\n"
2111 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2112 "objectclass
": "computer
",
2113 "dNSHostName
": "testname
.testdom
"})
2115 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2116 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2117 self.assertTrue(len(res) == 1)
2118 self.assertFalse("servicePrincipalName
" in res[0])
2120 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2123 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2124 "objectclass
": "computer
",
2125 "servicePrincipalName
": "HOST
/testname
.testdom
"})
2127 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2128 scope=SCOPE_BASE, attrs=["dNSHostName
"])
2129 self.assertTrue(len(res) == 1)
2130 self.assertFalse("dNSHostName
" in res[0])
2132 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2135 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2136 "objectclass
": "computer
",
2137 "dNSHostName
": "testname2
.testdom
",
2138 "servicePrincipalName
": "HOST
/testname
.testdom
"})
2140 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2141 scope=SCOPE_BASE, attrs=["dNSHostName
"])
2142 self.assertTrue(len(res) == 1)
2143 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
2145 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2146 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2147 self.assertTrue(len(res) == 1)
2148 self.assertEquals(res[0]["servicePrincipalName
"][0],
2149 "HOST
/testname
.testdom
")
2152 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2153 m["dNSHostName
"] = MessageElement("testname
.testdoM
",
2154 FLAG_MOD_REPLACE, "dNSHostName
")
2157 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2158 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2159 self.assertTrue(len(res) == 1)
2160 self.assertEquals(res[0]["servicePrincipalName
"][0],
2161 "HOST
/testname
.testdom
")
2164 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2165 m["dNSHostName
"] = MessageElement("testname2
.testdom2
",
2166 FLAG_MOD_REPLACE, "dNSHostName
")
2169 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2170 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2171 self.assertTrue(len(res) == 1)
2172 self.assertEquals(res[0]["servicePrincipalName
"][0],
2173 "HOST
/testname2
.testdom2
")
2176 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2177 m["dNSHostName
"] = MessageElement([],
2178 FLAG_MOD_DELETE, "dNSHostName
")
2181 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2182 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2183 self.assertTrue(len(res) == 1)
2184 self.assertEquals(res[0]["servicePrincipalName
"][0],
2185 "HOST
/testname2
.testdom2
")
2188 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2189 m["dNSHostName
"] = MessageElement("testname
.testdom3
",
2190 FLAG_MOD_REPLACE, "dNSHostName
")
2193 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2194 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2195 self.assertTrue(len(res) == 1)
2196 self.assertEquals(res[0]["servicePrincipalName
"][0],
2197 "HOST
/testname2
.testdom2
")
2200 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2201 m["dNSHostName
"] = MessageElement("testname2
.testdom2
",
2202 FLAG_MOD_REPLACE, "dNSHostName
")
2206 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2207 m["dNSHostName
"] = MessageElement("testname3
.testdom3
",
2208 FLAG_MOD_REPLACE, "dNSHostName
")
2209 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
.testdom2
",
2211 "servicePrincipalName
")
2214 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2215 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2216 self.assertTrue(len(res) == 1)
2217 self.assertEquals(res[0]["servicePrincipalName
"][0],
2218 "HOST
/testname3
.testdom3
")
2221 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2222 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
.testdom2
",
2224 "servicePrincipalName
")
2225 m["dNSHostName
"] = MessageElement("testname4
.testdom4
",
2226 FLAG_MOD_REPLACE, "dNSHostName
")
2229 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2230 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2231 self.assertTrue(len(res) == 1)
2232 self.assertEquals(res[0]["servicePrincipalName
"][0],
2233 "HOST
/testname2
.testdom2
")
2236 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2237 m["servicePrincipalName
"] = MessageElement([],
2239 "servicePrincipalName
")
2243 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2244 m["dNSHostName
"] = MessageElement("testname2
.testdom2
",
2245 FLAG_MOD_REPLACE, "dNSHostName
")
2248 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2249 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2250 self.assertTrue(len(res) == 1)
2251 self.assertFalse("servicePrincipalName
" in res[0])
2253 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2256 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2257 "objectclass
": "computer
",
2258 "sAMAccountName
": "testname$
"})
2260 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2261 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2262 self.assertTrue(len(res) == 1)
2263 self.assertFalse("servicePrincipalName
" in res[0])
2265 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2268 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2269 "objectclass
": "computer
",
2270 "servicePrincipalName
": "HOST
/testname
"})
2272 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2273 scope=SCOPE_BASE, attrs=["sAMAccountName
"])
2274 self.assertTrue(len(res) == 1)
2275 self.assertTrue("sAMAccountName
" in res[0])
2277 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2280 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2281 "objectclass
": "computer
",
2282 "sAMAccountName
": "testname$
",
2283 "servicePrincipalName
": "HOST
/testname
"})
2285 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2286 scope=SCOPE_BASE, attrs=["sAMAccountName
"])
2287 self.assertTrue(len(res) == 1)
2288 self.assertEquals(res[0]["sAMAccountName
"][0], "testname$
")
2290 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2291 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2292 self.assertTrue(len(res) == 1)
2293 self.assertEquals(res[0]["servicePrincipalName
"][0],
2297 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2298 m["sAMAccountName
"] = MessageElement("testnamE$
",
2299 FLAG_MOD_REPLACE, "sAMAccountName
")
2302 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2303 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2304 self.assertTrue(len(res) == 1)
2305 self.assertEquals(res[0]["servicePrincipalName
"][0],
2309 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2310 m["sAMAccountName
"] = MessageElement("testname
",
2311 FLAG_MOD_REPLACE, "sAMAccountName
")
2314 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2315 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2316 self.assertTrue(len(res) == 1)
2317 self.assertEquals(res[0]["servicePrincipalName
"][0],
2321 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2322 m["sAMAccountName
"] = MessageElement("test$name$
",
2323 FLAG_MOD_REPLACE, "sAMAccountName
")
2326 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2327 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2328 self.assertTrue(len(res) == 1)
2329 self.assertEquals(res[0]["servicePrincipalName
"][0],
2333 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2334 m["sAMAccountName
"] = MessageElement("testname2
",
2335 FLAG_MOD_REPLACE, "sAMAccountName
")
2338 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2339 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2340 self.assertTrue(len(res) == 1)
2341 self.assertEquals(res[0]["servicePrincipalName
"][0],
2345 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2346 m["sAMAccountName
"] = MessageElement("testname3
",
2347 FLAG_MOD_REPLACE, "sAMAccountName
")
2348 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
",
2350 "servicePrincipalName
")
2353 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2354 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2355 self.assertTrue(len(res) == 1)
2356 self.assertEquals(res[0]["servicePrincipalName
"][0],
2360 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2361 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
",
2363 "servicePrincipalName
")
2364 m["sAMAccountName
"] = MessageElement("testname4
",
2365 FLAG_MOD_REPLACE, "sAMAccountName
")
2368 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2369 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2370 self.assertTrue(len(res) == 1)
2371 self.assertEquals(res[0]["servicePrincipalName
"][0],
2375 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2376 m["servicePrincipalName
"] = MessageElement([],
2378 "servicePrincipalName
")
2382 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2383 m["sAMAccountName
"] = MessageElement("testname2
",
2384 FLAG_MOD_REPLACE, "sAMAccountName
")
2387 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2388 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2389 self.assertTrue(len(res) == 1)
2390 self.assertFalse("servicePrincipalName
" in res[0])
2392 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2395 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2396 "objectclass
": "computer
",
2397 "dNSHostName
": "testname
.testdom
",
2398 "sAMAccountName
": "testname$
",
2399 "servicePrincipalName
": [ "HOST
/testname
.testdom
", "HOST
/testname
" ]
2403 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2404 m["dNSHostName
"] = MessageElement("testname2
.testdom
",
2405 FLAG_MOD_REPLACE, "dNSHostName
")
2406 m["sAMAccountName
"] = MessageElement("testname2$
",
2407 FLAG_MOD_REPLACE, "sAMAccountName
")
2410 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2411 scope=SCOPE_BASE, attrs=["dNSHostName
", "sAMAccountName
", "servicePrincipalName
"])
2412 self.assertTrue(len(res) == 1)
2413 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
2414 self.assertEquals(res[0]["sAMAccountName
"][0], "testname2$
")
2415 self.assertTrue(res[0]["servicePrincipalName
"][0] == "HOST
/testname2
" or
2416 res[0]["servicePrincipalName
"][1] == "HOST
/testname2
")
2417 self.assertTrue(res[0]["servicePrincipalName
"][0] == "HOST
/testname2
.testdom
" or
2418 res[0]["servicePrincipalName
"][1] == "HOST
/testname2
.testdom
")
2420 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2423 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2424 "objectclass
": "computer
",
2425 "dNSHostName
": "testname
.testdom
",
2426 "sAMAccountName
": "testname$
",
2427 "servicePrincipalName
": [ "HOST
/testname
.testdom
", "HOST
/testname
" ]
2431 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2432 m["sAMAccountName
"] = MessageElement("testname2$
",
2433 FLAG_MOD_REPLACE, "sAMAccountName
")
2434 m["dNSHostName
"] = MessageElement("testname2
.testdom
",
2435 FLAG_MOD_REPLACE, "dNSHostName
")
2438 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2439 scope=SCOPE_BASE, attrs=["dNSHostName
", "sAMAccountName
", "servicePrincipalName
"])
2440 self.assertTrue(len(res) == 1)
2441 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
2442 self.assertEquals(res[0]["sAMAccountName
"][0], "testname2$
")
2443 self.assertTrue(len(res[0]["servicePrincipalName
"]) == 2)
2444 self.assertTrue("HOST
/testname2
" in res[0]["servicePrincipalName
"])
2445 self.assertTrue("HOST
/testname2
.testdom
" in res[0]["servicePrincipalName
"])
2448 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2449 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
.testdom
",
2450 FLAG_MOD_ADD, "servicePrincipalName
")
2454 except LdbError, (num, _):
2455 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2458 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2459 m["servicePrincipalName
"] = MessageElement("HOST
/testname3
",
2460 FLAG_MOD_ADD, "servicePrincipalName
")
2463 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2464 scope=SCOPE_BASE, attrs=["dNSHostName
", "sAMAccountName
", "servicePrincipalName
"])
2465 self.assertTrue(len(res) == 1)
2466 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
2467 self.assertEquals(res[0]["sAMAccountName
"][0], "testname2$
")
2468 self.assertTrue(len(res[0]["servicePrincipalName
"]) == 3)
2469 self.assertTrue("HOST
/testname2
" in res[0]["servicePrincipalName
"])
2470 self.assertTrue("HOST
/testname3
" in res[0]["servicePrincipalName
"])
2471 self.assertTrue("HOST
/testname2
.testdom
" in res[0]["servicePrincipalName
"])
2474 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2475 m["dNSHostName
"] = MessageElement("testname3
.testdom
",
2476 FLAG_MOD_REPLACE, "dNSHostName
")
2477 m["servicePrincipalName
"] = MessageElement("HOST
/testname3
.testdom
",
2478 FLAG_MOD_ADD, "servicePrincipalName
")
2481 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2482 scope=SCOPE_BASE, attrs=["dNSHostName
", "sAMAccountName
", "servicePrincipalName
"])
2483 self.assertTrue(len(res) == 1)
2484 self.assertEquals(res[0]["dNSHostName
"][0], "testname3
.testdom
")
2485 self.assertEquals(res[0]["sAMAccountName
"][0], "testname2$
")
2486 self.assertTrue(len(res[0]["servicePrincipalName
"]) == 3)
2487 self.assertTrue("HOST
/testname2
" in res[0]["servicePrincipalName
"])
2488 self.assertTrue("HOST
/testname3
" in res[0]["servicePrincipalName
"])
2489 self.assertTrue("HOST
/testname3
.testdom
" in res[0]["servicePrincipalName
"])
2491 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2493 def test_sam_description_attribute(self):
2494 """Test SAM description attribute"""
2495 print "Test SAM description attribute
"""
2498 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2499 "description": "desc2",
2500 "objectclass": "group",
2501 "description": "desc1"})
2503 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2504 scope=SCOPE_BASE, attrs=["description"])
2505 self.assertTrue(len(res) == 1)
2506 self.assertTrue("description" in res[0])
2507 self.assertTrue(len(res[0]["description"]) == 1)
2508 self.assertEquals(res[0]["description"][0], "desc1")
2510 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2513 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2514 "objectclass": "group",
2515 "description": ["desc1", "desc2"]})
2517 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2518 scope=SCOPE_BASE, attrs=["description"])
2519 self.assertTrue(len(res) == 1)
2520 self.assertTrue("description" in res[0])
2521 self.assertTrue(len(res[0]["description"]) == 2)
2522 self.assertTrue(res[0]["description"][0] == "desc1" or
2523 res[0]["description"][1] == "desc1")
2524 self.assertTrue(res[0]["description"][0] == "desc2" or
2525 res[0]["description"][1] == "desc2")
2528 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2529 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2534 except LdbError, (num, _):
2535 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2538 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2539 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2543 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2546 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2547 "objectclass": "group" })
2550 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2551 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2555 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2556 scope=SCOPE_BASE, attrs=["description"])
2557 self.assertTrue(len(res) == 1)
2558 self.assertTrue("description" in res[0])
2559 self.assertTrue(len(res[0]["description"]) == 1)
2560 self.assertEquals(res[0]["description"][0], "desc1")
2562 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2565 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2566 "objectclass": "group",
2567 "description": ["desc1", "desc2"]})
2570 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2571 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2575 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2576 scope=SCOPE_BASE, attrs=["description"])
2577 self.assertTrue(len(res) == 1)
2578 self.assertTrue("description" in res[0])
2579 self.assertTrue(len(res[0]["description"]) == 1)
2580 self.assertEquals(res[0]["description"][0], "desc1")
2583 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2584 m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
2589 except LdbError, (num, _):
2590 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2593 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2594 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2599 except LdbError, (num, _):
2600 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
2603 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2604 m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
2607 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2608 scope=SCOPE_BASE, attrs=["description"])
2609 self.assertTrue(len(res) == 1)
2610 self.assertFalse("description" in res[0])
2613 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2614 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2619 except LdbError, (num, _):
2620 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2623 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2624 m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
2629 except LdbError, (num, _):
2630 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2633 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2634 m["description"] = MessageElement("desc1", FLAG_MOD_ADD,
2638 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2639 scope=SCOPE_BASE, attrs=["description"])
2640 self.assertTrue(len(res) == 1)
2641 self.assertTrue("description" in res[0])
2642 self.assertTrue(len(res[0]["description"]) == 1)
2643 self.assertEquals(res[0]["description"][0], "desc1")
2646 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2647 m.add(MessageElement("desc1", FLAG_MOD_DELETE, "description"))
2648 m.add(MessageElement("desc2", FLAG_MOD_ADD, "description"))
2651 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2652 scope=SCOPE_BASE, attrs=["description"])
2653 self.assertTrue(len(res) == 1)
2654 self.assertTrue("description" in res[0])
2655 self.assertTrue(len(res[0]["description"]) == 1)
2656 self.assertEquals(res[0]["description"][0], "desc2")
2658 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2661 def test_fSMORoleOwner_attribute(self):
2662 """Test fSMORoleOwner attribute
"""
2663 print "Test fSMORoleOwner attribute"""
2665 ds_service_name
= self
.ldb
.get_dsServiceName()
2667 # The "fSMORoleOwner" attribute can only be set to "nTDSDSA" entries,
2668 # invalid DNs return ERR_UNWILLING_TO_PERFORM
2672 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
2673 "objectclass": "group",
2674 "fSMORoleOwner": self
.base_dn
})
2676 except LdbError
, (num
, _
):
2677 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
2681 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
2682 "objectclass": "group",
2683 "fSMORoleOwner": [] })
2685 except LdbError
, (num
, _
):
2686 self
.assertEquals(num
, ERR_CONSTRAINT_VIOLATION
)
2688 # We are able to set it to a valid "nTDSDSA" entry if the server is
2689 # capable of handling the role
2692 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
2693 "objectclass": "group",
2694 "fSMORoleOwner": ds_service_name
})
2696 delete_force(self
.ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2699 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
2700 "objectclass": "group" })
2703 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2704 m
.add(MessageElement(self
.base_dn
, FLAG_MOD_REPLACE
, "fSMORoleOwner"))
2708 except LdbError
, (num
, _
):
2709 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
2712 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2713 m
.add(MessageElement([], FLAG_MOD_REPLACE
, "fSMORoleOwner"))
2717 except LdbError
, (num
, _
):
2718 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
2720 # We are able to set it to a valid "nTDSDSA" entry if the server is
2721 # capable of handling the role
2724 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2725 m
.add(MessageElement(ds_service_name
, FLAG_MOD_REPLACE
, "fSMORoleOwner"))
2728 # A clean-out works on plain entries, not master (schema, PDC...) DNs
2731 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2732 m
.add(MessageElement([], FLAG_MOD_DELETE
, "fSMORoleOwner"))
2735 delete_force(self
.ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
2738 if not "://" in host
:
2739 if os
.path
.isfile(host
):
2740 host
= "tdb://%s" % host
2742 host
= "ldap://%s" % host
2744 ldb
= SamDB(host
, credentials
=creds
, session_info
=system_session(lp
), lp
=lp
)
2746 runner
= SubunitTestRunner()
2748 if not runner
.run(unittest
.makeSuite(SamTests
)).wasSuccessful():