2 # -*- coding: utf-8 -*-
12 sys
.path
.append("bin/python")
13 sys
.path
.append("../lib/subunit/python")
15 import samba
.getopt
as options
17 # Some error messages that are being tested
18 from ldb
import SCOPE_SUBTREE
, SCOPE_ONELEVEL
, SCOPE_BASE
, LdbError
19 from ldb
import ERR_NO_SUCH_OBJECT
, ERR_INVALID_DN_SYNTAX
, ERR_UNWILLING_TO_PERFORM
20 from ldb
import ERR_INSUFFICIENT_ACCESS_RIGHTS
22 # For running the test unit
23 from samba
.ndr
import ndr_pack
, ndr_unpack
24 from samba
.dcerpc
import security
26 from samba
.auth
import system_session
27 from samba
import Ldb
, DS_BEHAVIOR_WIN2008
28 from subunit
import SubunitTestRunner
31 parser
= optparse
.OptionParser("ldap [options] <host>")
32 sambaopts
= options
.SambaOptions(parser
)
33 parser
.add_option_group(sambaopts
)
34 parser
.add_option_group(options
.VersionOptions(parser
))
36 # use command line creds if available
37 credopts
= options
.CredentialsOptions(parser
)
38 parser
.add_option_group(credopts
)
39 opts
, args
= parser
.parse_args()
47 lp
= sambaopts
.get_loadparm()
48 creds
= credopts
.get_credentials(lp
)
54 class DescriptorTests(unittest
.TestCase
):
56 def delete_force(self
, ldb
, dn
):
59 except LdbError
, (num
, _
):
60 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
62 def find_basedn(self
, ldb
):
63 res
= ldb
.search(base
="", expression
="", scope
=SCOPE_BASE
,
64 attrs
=["defaultNamingContext"])
65 self
.assertEquals(len(res
), 1)
66 return res
[0]["defaultNamingContext"][0]
68 def find_configurationdn(self
, ldb
):
69 res
= ldb
.search(base
="", expression
="", scope
=SCOPE_BASE
, attrs
=["configurationNamingContext"])
70 self
.assertEquals(len(res
), 1)
71 return res
[0]["configurationNamingContext"][0]
73 def find_schemadn(self
, ldb
):
74 res
= ldb
.search(base
="", expression
="", scope
=SCOPE_BASE
, attrs
=["schemaNamingContext"])
75 self
.assertEquals(len(res
), 1)
76 return res
[0]["schemaNamingContext"][0]
78 def find_domain_sid(self
, ldb
):
79 res
= ldb
.search(base
=self
.base_dn
, expression
="(objectClass=*)", scope
=SCOPE_BASE
)
80 return ndr_unpack( security
.dom_sid
,res
[0]["objectSid"][0])
82 def get_users_domain_dn(self
, name
):
83 return "CN=%s,CN=Users,%s" % (name
, self
.base_dn
)
85 def modify_desc(self
, object_dn
, desc
):
86 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
88 dn: """ + object_dn
+ """
90 replace: nTSecurityDescriptor
92 if isinstance(desc
, str):
93 mod
+= "nTSecurityDescriptor: %s" % desc
94 elif isinstance(desc
, security
.descriptor
):
95 mod
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
96 self
.ldb_admin
.modify_ldif(mod
)
98 def create_domain_ou(self
, _ldb
, ou_dn
, desc
=None):
100 dn: """ + ou_dn
+ """
101 ou: """ + ou_dn
.split(",")[0][3:] + """
102 objectClass: organizationalUnit
106 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
107 if isinstance(desc
, str):
108 ldif
+= "nTSecurityDescriptor: %s" % desc
109 elif isinstance(desc
, security
.descriptor
):
110 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
113 def create_domain_user(self
, _ldb
, user_dn
, desc
=None):
115 dn: """ + user_dn
+ """
116 sAMAccountName: """ + user_dn
.split(",")[0][3:] + """
118 userPassword: samba123@
122 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
123 if isinstance(desc
, str):
124 ldif
+= "nTSecurityDescriptor: %s" % desc
125 elif isinstance(desc
, security
.descriptor
):
126 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
129 def create_domain_group(self
, _ldb
, group_dn
, desc
=None):
131 dn: """ + group_dn
+ """
133 sAMAccountName: """ + group_dn
.split(",")[0][3:] + """
138 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
139 if isinstance(desc
, str):
140 ldif
+= "nTSecurityDescriptor: %s" % desc
141 elif isinstance(desc
, security
.descriptor
):
142 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
145 def get_unique_schema_class_name(self
):
147 class_name
= "test-class%s" % random
.randint(1,100000)
148 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
150 self
.ldb_admin
.search(base
=class_dn
, attrs
=["*"])
151 except LdbError
, (num
, _
):
152 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
155 def create_schema_class(self
, _ldb
, object_dn
, desc
=None):
157 dn: """ + object_dn
+ """
158 objectClass: classSchema
159 objectCategory: CN=Class-Schema,""" + self
.schema_dn
+ """
160 defaultObjectCategory: """ + object_dn
+ """
161 distinguishedName: """ + object_dn
+ """
162 governsID: 1.2.840.""" + str(random
.randint(1,100000)) + """.1.5.9939
164 objectClassCategory: 1
165 subClassOf: organizationalPerson
168 systemMustContain: cn
172 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
173 if isinstance(desc
, str):
174 ldif
+= "nTSecurityDescriptor: %s" % desc
175 elif isinstance(desc
, security
.descriptor
):
176 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
179 def create_configuration_container(self
, _ldb
, object_dn
, desc
=None):
181 dn: """ + object_dn
+ """
182 objectClass: container
183 objectCategory: CN=Container,""" + self
.schema_dn
+ """
184 showInAdvancedViewOnly: TRUE
188 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
189 if isinstance(desc
, str):
190 ldif
+= "nTSecurityDescriptor: %s" % desc
191 elif isinstance(desc
, security
.descriptor
):
192 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
195 def create_configuration_specifier(self
, _ldb
, object_dn
, desc
=None):
197 dn: """ + object_dn
+ """
198 objectClass: displaySpecifier
199 showInAdvancedViewOnly: TRUE
202 assert(isinstance(desc
, str) or isinstance(desc
, security
.descriptor
))
203 if isinstance(desc
, str):
204 ldif
+= "nTSecurityDescriptor: %s" % desc
205 elif isinstance(desc
, security
.descriptor
):
206 ldif
+= "nTSecurityDescriptor:: %s" % base64
.b64encode(ndr_pack(desc
))
209 def read_desc(self
, object_dn
):
210 res
= self
.ldb_admin
.search(base
=object_dn
, attrs
=["nTSecurityDescriptor"])
211 desc
= res
[0]["nTSecurityDescriptor"][0]
212 return ndr_unpack( security
.descriptor
, desc
)
214 def enable_account(self
, user_dn
):
215 """Enable an account.
216 :param user_dn: Dn of the account to enable.
218 res
= self
.ldb_admin
.search(user_dn
, SCOPE_BASE
, None, ["userAccountControl"])
220 userAccountControl
= res
[0]["userAccountControl"][0]
221 userAccountControl
= int(userAccountControl
)
222 if (userAccountControl
& 0x2):
223 userAccountControl
= userAccountControl
& ~
0x2 # remove disabled bit
224 if (userAccountControl
& 0x20):
225 userAccountControl
= userAccountControl
& ~
0x20 # remove 'no password required' bit
227 dn: """ + user_dn
+ """
229 replace: userAccountControl
230 userAccountControl: %s""" % userAccountControl
232 mod
= re
.sub("userAccountControl: \d.*", "userAccountControl: 544", mod
)
233 self
.ldb_admin
.modify_ldif(mod
)
235 def get_ldb_connection(self
, target_username
, target_password
):
236 username_save
= creds
.get_username(); password_save
= creds
.get_password()
237 creds
.set_username(target_username
)
238 creds
.set_password(target_password
)
239 ldb_target
= Ldb(host
, credentials
=creds
, session_info
=system_session(), lp
=lp
)
240 creds
.set_username(username_save
); creds
.set_password(password_save
)
243 def get_object_sid(self
, object_dn
):
244 res
= self
.ldb_admin
.search(object_dn
)
245 return ndr_unpack( security
.dom_sid
, res
[0]["objectSid"][0] )
247 def dacl_add_ace(self
, object_dn
, ace
):
248 desc
= self
.read_desc( object_dn
)
249 desc_sddl
= desc
.as_sddl( self
.domain_sid
)
252 desc_sddl
= desc_sddl
[0:desc_sddl
.index("(")] + ace
+ desc_sddl
[desc_sddl
.index("("):]
253 self
.modify_desc(object_dn
, desc_sddl
)
255 def get_desc_sddl(self
, object_dn
):
256 """ Return object nTSecutiryDescriptor in SDDL format
258 desc
= self
.read_desc(object_dn
)
259 return desc
.as_sddl(self
.domain_sid
)
263 self
.base_dn
= self
.find_basedn(self
.ldb_admin
)
264 self
.configuration_dn
= self
.find_configurationdn(self
.ldb_admin
)
265 self
.schema_dn
= self
.find_schemadn(self
.ldb_admin
)
266 self
.domain_sid
= self
.find_domain_sid(self
.ldb_admin
)
267 print "baseDN: %s" % self
.base_dn
268 self
.SAMBA
= False; self
.WIN2003
= False
269 res
= self
.ldb_admin
.search(base
="", expression
="", scope
=SCOPE_BASE
, attrs
=["vendorName"])
270 if "vendorName" in res
[0].keys() and "Samba Team" in res
[0]["vendorName"][0]:
274 #print "self.SAMBA:", self.SAMBA
275 #print "self.WIN2003:", self.WIN2003
277 ################################################################################################
281 # Default descriptor tests #####################################################################
283 class OwnerGroupDescriptorTests(DescriptorTests
):
286 DescriptorTests
.setUp(self
)
290 user_dn
= self
.get_users_domain_dn("testuser1")
291 self
.create_domain_user(self
.ldb_admin
, user_dn
)
292 self
.enable_account(user_dn
)
294 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
296 member: """ + user_dn
297 self
.ldb_admin
.modify_ldif(ldif
)
299 user_dn
= self
.get_users_domain_dn("testuser2")
300 self
.create_domain_user(self
.ldb_admin
, user_dn
)
301 self
.enable_account(user_dn
)
303 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
305 member: """ + user_dn
306 self
.ldb_admin
.modify_ldif(ldif
)
308 user_dn
= self
.get_users_domain_dn("testuser3")
309 self
.create_domain_user(self
.ldb_admin
, user_dn
)
310 self
.enable_account(user_dn
)
312 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
314 member: """ + user_dn
315 self
.ldb_admin
.modify_ldif(ldif
)
317 user_dn
= self
.get_users_domain_dn("testuser4")
318 self
.create_domain_user(self
.ldb_admin
, user_dn
)
319 self
.enable_account(user_dn
)
321 user_dn
= self
.get_users_domain_dn("testuser5")
322 self
.create_domain_user(self
.ldb_admin
, user_dn
)
323 self
.enable_account(user_dn
)
325 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
327 member: """ + user_dn
+ """
329 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
331 member: """ + user_dn
332 self
.ldb_admin
.modify_ldif(ldif
)
334 user_dn
= self
.get_users_domain_dn("testuser6")
335 self
.create_domain_user(self
.ldb_admin
, user_dn
)
336 self
.enable_account(user_dn
)
338 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
340 member: """ + user_dn
+ """
342 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
344 member: """ + user_dn
+ """
346 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
348 member: """ + user_dn
349 self
.ldb_admin
.modify_ldif(ldif
)
351 user_dn
= self
.get_users_domain_dn("testuser7")
352 self
.create_domain_user(self
.ldb_admin
, user_dn
)
353 self
.enable_account(user_dn
)
355 dn: CN=Domain Admins,CN=Users,""" + self
.base_dn
+ """
357 member: """ + user_dn
+ """
359 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
361 member: """ + user_dn
362 self
.ldb_admin
.modify_ldif(ldif
)
364 user_dn
= self
.get_users_domain_dn("testuser8")
365 self
.create_domain_user(self
.ldb_admin
, user_dn
)
366 self
.enable_account(user_dn
)
368 dn: CN=Enterprise Admins,CN=Users,""" + self
.base_dn
+ """
370 member: """ + user_dn
+ """
372 dn: CN=Schema Admins,CN=Users,""" + self
.base_dn
+ """
374 member: """ + user_dn
375 self
.ldb_admin
.modify_ldif(ldif
)
377 # msDS-Behavior-Version < DS_BEHAVIOR_WIN2008
378 "ds_behavior_win2003" : {
428 # msDS-Behavior-Version >= 3
429 "ds_behavior_win2008" : {
480 # Discover 'msDS-Behavior-Version'
481 res
= self
.ldb_admin
.search(base
=self
.base_dn
, expression
="distinguishedName=%s" % self
.base_dn
, \
482 attrs
=['msDS-Behavior-Version'])
483 res
= int(res
[0]['msDS-Behavior-Version'][0])
484 if res
< DS_BEHAVIOR_WIN2008
:
485 self
.DS_BEHAVIOR
= "ds_behavior_win2003"
487 self
.DS_BEHAVIOR
= "ds_behavior_win2008"
491 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser1"))
492 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser2"))
493 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser3"))
494 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser4"))
495 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser5"))
496 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser6"))
497 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser7"))
498 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("testuser8"))
500 self
.delete_force(self
.ldb_admin
, self
.get_users_domain_dn("test_domain_group1"))
501 self
.delete_force(self
.ldb_admin
, "CN=test_domain_user1,OU=test_domain_ou1," + self
.base_dn
)
502 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou2,OU=test_domain_ou1," + self
.base_dn
)
503 self
.delete_force(self
.ldb_admin
, "OU=test_domain_ou1," + self
.base_dn
)
506 self
.delete_force(self
.ldb_admin
, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
507 + self
.configuration_dn
)
508 self
.delete_force(self
.ldb_admin
, "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
)
510 def check_user_belongs(self
, user_dn
, groups
=[]):
511 """ Test wether user is member of the expected group(s) """
513 # User is member of at least one additional group
514 res
= self
.ldb_admin
.search(user_dn
, attrs
=["memberOf"])
515 res
= [x
.upper() for x
in sorted(list(res
[0]["memberOf"]))]
518 expected
.append(self
.get_users_domain_dn(x
))
519 expected
= [x
.upper() for x
in sorted(expected
)]
520 self
.assertEqual(expected
, res
)
522 # User is not a member of any additional groups but default
523 res
= self
.ldb_admin
.search(user_dn
, attrs
=["*"])
524 res
= [x
.upper() for x
in res
[0].keys()]
525 self
.assertFalse( "MEMBEROF" in res
)
528 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
530 user_name
= "testuser1"
531 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
532 # Open Ldb connection with the tested user
533 _ldb
= self
.get_ldb_connection("testuser1", "samba123@")
534 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
535 self
.delete_force(self
.ldb_admin
, group_dn
)
536 self
.create_domain_group(_ldb
, group_dn
)
537 desc_sddl
= self
.get_desc_sddl(group_dn
)
538 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
539 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["100"], res
)
542 """ Dmain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
544 user_name
= "testuser2"
545 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
546 # Open Ldb connection with the tested user
547 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
548 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
549 self
.delete_force(self
.ldb_admin
, group_dn
)
550 self
.create_domain_group(_ldb
, group_dn
)
551 desc_sddl
= self
.get_desc_sddl(group_dn
)
552 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
553 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["101"], res
)
556 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
558 user_name
= "testuser3"
559 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
560 # Open Ldb connection with the tested user
561 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
562 object_dn
= "OU=test_domain_ou1," + self
.base_dn
563 self
.delete_force(self
.ldb_admin
, object_dn
)
564 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
565 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
566 mod
= "(A;;CC;;;%s)" % str(user_sid
)
567 self
.dacl_add_ace(object_dn
, mod
)
568 # Create additional object into the first one
569 object_dn
= "CN=test_domain_user1," + object_dn
570 self
.delete_force(self
.ldb_admin
, object_dn
)
571 self
.create_domain_user(_ldb
, object_dn
)
572 desc_sddl
= self
.get_desc_sddl(object_dn
)
573 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
574 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["102"] % str(user_sid
), res
)
577 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
579 user_name
= "testuser4"
580 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
581 # Open Ldb connection with the tested user
582 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
583 object_dn
= "OU=test_domain_ou1," + self
.base_dn
584 self
.delete_force(self
.ldb_admin
, object_dn
)
585 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
586 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
587 mod
= "(A;;CC;;;%s)" % str(user_sid
)
588 self
.dacl_add_ace(object_dn
, mod
)
589 # Create additional object into the first one
590 object_dn
= "CN=test_domain_user1," + object_dn
591 self
.delete_force(self
.ldb_admin
, object_dn
)
592 self
.create_domain_user(_ldb
, object_dn
)
593 desc_sddl
= self
.get_desc_sddl(object_dn
)
594 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
595 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["103"] % str(user_sid
), res
)
598 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
600 user_name
= "testuser5"
601 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
602 # Open Ldb connection with the tested user
603 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
604 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
605 self
.delete_force(self
.ldb_admin
, group_dn
)
606 self
.create_domain_group(_ldb
, group_dn
)
607 desc_sddl
= self
.get_desc_sddl(group_dn
)
608 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
609 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["104"], res
)
612 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
614 user_name
= "testuser6"
615 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
616 # Open Ldb connection with the tested user
617 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
618 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
619 self
.delete_force(self
.ldb_admin
, group_dn
)
620 self
.create_domain_group(_ldb
, group_dn
)
621 desc_sddl
= self
.get_desc_sddl(group_dn
)
622 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
623 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["105"], res
)
626 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
628 user_name
= "testuser7"
629 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
630 # Open Ldb connection with the tested user
631 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
632 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
633 self
.delete_force(self
.ldb_admin
, group_dn
)
634 self
.create_domain_group(_ldb
, group_dn
)
635 desc_sddl
= self
.get_desc_sddl(group_dn
)
636 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
637 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["106"], res
)
640 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
642 user_name
= "testuser8"
643 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
644 # Open Ldb connection with the tested user
645 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
646 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
647 self
.delete_force(self
.ldb_admin
, group_dn
)
648 self
.create_domain_group(_ldb
, group_dn
)
649 desc_sddl
= self
.get_desc_sddl(group_dn
)
650 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
651 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["107"], res
)
653 # Control descriptor tests #####################################################################
656 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
658 user_name
= "testuser1"
659 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
660 # Open Ldb connection with the tested user
661 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
662 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
663 self
.delete_force(self
.ldb_admin
, group_dn
)
664 # Create a custom security descriptor
665 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
666 self
.create_domain_group(_ldb
, group_dn
, desc_sddl
)
667 desc_sddl
= self
.get_desc_sddl(group_dn
)
668 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
669 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["108"], res
)
672 """ Domain admin group member creates object (custom descriptor) in DOMAIN
674 user_name
= "testuser2"
675 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
676 # Open Ldb connection with the tested user
677 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
678 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
679 self
.delete_force(self
.ldb_admin
, group_dn
)
680 # Create a custom security descriptor
681 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
682 self
.create_domain_group(_ldb
, group_dn
, desc_sddl
)
683 desc_sddl
= self
.get_desc_sddl(group_dn
)
684 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
685 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["109"], res
)
688 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
690 user_name
= "testuser3"
691 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
692 # Open Ldb connection with the tested user
693 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
694 object_dn
= "OU=test_domain_ou1," + self
.base_dn
695 self
.delete_force(self
.ldb_admin
, object_dn
)
696 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
697 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
698 mod
= "(A;;CC;;;%s)" % str(user_sid
)
699 self
.dacl_add_ace(object_dn
, mod
)
700 # Create a custom security descriptor
701 # NB! Problematic owner part won't accept DA only <User Sid> !!!
702 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
703 # Create additional object into the first one
704 object_dn
= "CN=test_domain_user1," + object_dn
705 self
.delete_force(self
.ldb_admin
, object_dn
)
706 self
.create_domain_user(_ldb
, object_dn
, desc_sddl
)
707 desc
= self
.read_desc(object_dn
)
708 desc_sddl
= self
.get_desc_sddl(object_dn
)
709 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
710 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["110"] % str(user_sid
), res
)
713 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
715 user_name
= "testuser4"
716 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
717 # Open Ldb connection with the tested user
718 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
719 object_dn
= "OU=test_domain_ou1," + self
.base_dn
720 self
.delete_force(self
.ldb_admin
, object_dn
)
721 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
722 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
723 mod
= "(A;;CC;;;%s)" % str(user_sid
)
724 self
.dacl_add_ace(object_dn
, mod
)
725 # Create a custom security descriptor
726 # NB! Problematic owner part won't accept DA only <User Sid> !!!
727 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
728 # Create additional object into the first one
729 object_dn
= "CN=test_domain_user1," + object_dn
730 self
.delete_force(self
.ldb_admin
, object_dn
)
731 self
.create_domain_user(_ldb
, object_dn
, desc_sddl
)
732 desc
= self
.read_desc(object_dn
)
733 desc_sddl
= self
.get_desc_sddl(object_dn
)
734 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
735 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["111"] % str(user_sid
), res
)
738 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
740 user_name
= "testuser5"
741 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
742 # Open Ldb connection with the tested user
743 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
744 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
745 self
.delete_force(self
.ldb_admin
, group_dn
)
746 # Create a custom security descriptor
747 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
748 self
.create_domain_group(_ldb
, group_dn
, desc_sddl
)
749 desc_sddl
= self
.get_desc_sddl(group_dn
)
750 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
751 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["112"], res
)
754 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
756 user_name
= "testuser6"
757 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
758 # Open Ldb connection with the tested user
759 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
760 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
761 self
.delete_force(self
.ldb_admin
, group_dn
)
762 # Create a custom security descriptor
763 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
764 self
.create_domain_group(_ldb
, group_dn
, desc_sddl
)
765 desc_sddl
= self
.get_desc_sddl(group_dn
)
766 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
767 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["113"], res
)
770 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
772 user_name
= "testuser7"
773 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
774 # Open Ldb connection with the tested user
775 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
776 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
777 self
.delete_force(self
.ldb_admin
, group_dn
)
778 # Create a custom security descriptor
779 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
780 self
.create_domain_group(_ldb
, group_dn
, desc_sddl
)
781 desc_sddl
= self
.get_desc_sddl(group_dn
)
782 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
783 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["114"], res
)
786 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
788 user_name
= "testuser8"
789 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
790 # Open Ldb connection with the tested user
791 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
792 group_dn
= "CN=test_domain_group1,CN=Users," + self
.base_dn
793 self
.delete_force(self
.ldb_admin
, group_dn
)
794 # Create a custom security descriptor
795 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
796 self
.create_domain_group(_ldb
, group_dn
, desc_sddl
)
797 desc_sddl
= self
.get_desc_sddl(group_dn
)
798 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
799 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["115"], res
)
803 user_name
= "Administrator"
804 object_dn
= "OU=test_domain_ou1," + self
.base_dn
805 self
.delete_force(self
.ldb_admin
, object_dn
)
806 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
807 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
808 mod
= "(D;CI;WP;;;S-1-3-0)"
810 self
.dacl_add_ace(object_dn
, mod
)
811 desc_sddl
= self
.get_desc_sddl(object_dn
)
813 # Create additional object into the first one
814 object_dn
= "OU=test_domain_ou2," + object_dn
815 self
.delete_force(self
.ldb_admin
, object_dn
)
816 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
817 desc_sddl
= self
.get_desc_sddl(object_dn
)
822 # Defalt descriptor tests ##################################################################
825 user_name
= "testuser1"
826 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
827 # Open Ldb connection with the tested user
828 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
829 # Change Schema partition descriptor
830 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
832 self
.dacl_add_ace(self
.schema_dn
, mod
)
833 # Create example Schema class
834 class_name
= self
.get_unique_schema_class_name()
835 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
836 self
.create_schema_class(_ldb
, class_dn
)
837 desc_sddl
= self
.get_desc_sddl(class_dn
)
838 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
839 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["130"], res
)
842 user_name
= "testuser2"
843 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
844 # Open Ldb connection with the tested user
845 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
846 # Change Schema partition descriptor
848 self
.dacl_add_ace(self
.schema_dn
, mod
)
849 # Create example Schema class
850 class_name
= self
.get_unique_schema_class_name()
851 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
852 self
.create_schema_class(_ldb
, class_dn
)
853 desc_sddl
= self
.get_desc_sddl(class_dn
)
854 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
855 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["131"], res
)
858 user_name
= "testuser3"
859 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
860 # Open Ldb connection with the tested user
861 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
862 # Change Schema partition descriptor
864 self
.dacl_add_ace(self
.schema_dn
, mod
)
865 # Create example Schema class
866 class_name
= self
.get_unique_schema_class_name()
867 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
868 self
.create_schema_class(_ldb
, class_dn
)
869 desc_sddl
= self
.get_desc_sddl(class_dn
)
870 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
871 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["132"], res
)
874 user_name
= "testuser4"
875 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
876 # Open Ldb connection with the tested user
877 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
878 #Change Schema partition descriptor
879 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
881 self
.dacl_add_ace(self
.schema_dn
, mod
)
882 # Create example Schema class
883 class_name
= self
.get_unique_schema_class_name()
884 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
885 self
.create_schema_class(_ldb
, class_dn
)
886 desc_sddl
= self
.get_desc_sddl(class_dn
)
887 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
888 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["133"] % str(user_sid
), res
)
891 user_name
= "testuser5"
892 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
893 # Open Ldb connection with the tested user
894 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
895 #Change Schema partition descriptor
897 self
.dacl_add_ace(self
.schema_dn
, mod
)
898 # Create example Schema class
899 class_name
= self
.get_unique_schema_class_name()
900 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
901 self
.create_schema_class(_ldb
, class_dn
)
902 desc_sddl
= self
.get_desc_sddl(class_dn
)
903 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
904 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["134"], res
)
907 user_name
= "testuser6"
908 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
909 # Open Ldb connection with the tested user
910 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
911 # Change Schema partition descriptor
913 self
.dacl_add_ace(self
.schema_dn
, mod
)
914 # Create example Schema class
915 class_name
= self
.get_unique_schema_class_name()
916 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
917 self
.create_schema_class(_ldb
, class_dn
)
918 desc_sddl
= self
.get_desc_sddl(class_dn
)
919 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
920 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["135"], res
)
923 user_name
= "testuser7"
924 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
925 # Open Ldb connection with the tested user
926 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
927 # Change Schema partition descriptor
929 self
.dacl_add_ace(self
.schema_dn
, mod
)
930 # Create example Schema class
931 class_name
= self
.get_unique_schema_class_name()
932 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
933 self
.create_schema_class(_ldb
, class_dn
)
934 desc_sddl
= self
.get_desc_sddl(class_dn
)
935 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
936 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["136"], res
)
939 user_name
= "testuser8"
940 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
941 # Open Ldb connection with the tested user
942 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
943 # Change Schema partition descriptor
945 self
.dacl_add_ace(self
.schema_dn
, mod
)
946 # Create example Schema class
947 class_name
= self
.get_unique_schema_class_name()
948 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
949 self
.create_schema_class(_ldb
, class_dn
)
950 desc_sddl
= self
.get_desc_sddl(class_dn
)
951 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
952 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["137"], res
)
954 # Custom descriptor tests ##################################################################
957 user_name
= "testuser1"
958 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
959 # Open Ldb connection with the tested user
960 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
961 # Change Schema partition descriptor
963 self
.dacl_add_ace(self
.schema_dn
, mod
)
964 # Create a custom security descriptor
965 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
966 # Create example Schema class
967 class_name
= self
.get_unique_schema_class_name()
968 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
969 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
970 desc_sddl
= self
.get_desc_sddl(class_dn
)
971 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
972 self
.assertEqual("O:DAG:DA", res
)
975 user_name
= "testuser2"
976 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
977 # Open Ldb connection with the tested user
978 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
979 # Change Schema partition descriptor
981 self
.dacl_add_ace(self
.schema_dn
, mod
)
982 # Create a custom security descriptor
983 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
984 # Create example Schema class
985 class_name
= self
.get_unique_schema_class_name()
986 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
987 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
988 desc_sddl
= self
.get_desc_sddl(class_dn
)
989 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
990 self
.assertEqual("O:DAG:DA", res
)
993 user_name
= "testuser3"
994 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
995 # Open Ldb connection with the tested user
996 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
997 # Create a custom security descriptor
998 # NB! Problematic owner part won't accept DA only <User Sid> !!!
999 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1000 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1001 # Create example Schema class
1002 class_name
= self
.get_unique_schema_class_name()
1003 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1004 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1005 desc_sddl
= self
.get_desc_sddl(class_dn
)
1006 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1007 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["140"] % str(user_sid
), res
)
1010 user_name
= "testuser4"
1011 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1012 # Open Ldb connection with the tested user
1013 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1014 # Create a custom security descriptor
1015 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1016 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1017 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1018 # Create example Schema class
1019 class_name
= self
.get_unique_schema_class_name()
1020 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1021 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1022 desc_sddl
= self
.get_desc_sddl(class_dn
)
1023 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1024 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["141"] % str(user_sid
), res
)
1027 user_name
= "testuser5"
1028 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1029 # Open Ldb connection with the tested user
1030 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1031 # Change Schema partition descriptor
1032 mod
= "(A;;CC;;;AU)"
1033 self
.dacl_add_ace(self
.schema_dn
, mod
)
1034 # Create a custom security descriptor
1035 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1036 # Create example Schema class
1037 class_name
= self
.get_unique_schema_class_name()
1038 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1039 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1040 desc_sddl
= self
.get_desc_sddl(class_dn
)
1041 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1042 self
.assertEqual("O:DAG:DA", res
)
1045 user_name
= "testuser6"
1046 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1047 # Open Ldb connection with the tested user
1048 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1049 # Change Schema partition descriptor
1050 mod
= "(A;;CC;;;AU)"
1051 self
.dacl_add_ace(self
.schema_dn
, mod
)
1052 # Create a custom security descriptor
1053 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1054 # Create example Schema class
1055 class_name
= self
.get_unique_schema_class_name()
1056 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1057 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1058 desc_sddl
= self
.get_desc_sddl(class_dn
)
1059 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1060 self
.assertEqual("O:DAG:DA", res
)
1063 user_name
= "testuser7"
1064 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1065 # Open Ldb connection with the tested user
1066 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1067 # Change Schema partition descriptor
1068 mod
= "(A;;CC;;;AU)"
1069 self
.dacl_add_ace(self
.schema_dn
, mod
)
1070 # Create a custom security descriptor
1071 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1072 # Create example Schema class
1073 class_name
= self
.get_unique_schema_class_name()
1074 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1075 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1076 desc_sddl
= self
.get_desc_sddl(class_dn
)
1077 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1078 self
.assertEqual("O:DAG:DA", res
)
1081 user_name
= "testuser8"
1082 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1083 # Open Ldb connection with the tested user
1084 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1085 # Change Schema partition descriptor
1086 mod
= "(A;;CC;;;AU)"
1087 self
.dacl_add_ace(self
.schema_dn
, mod
)
1088 # Create a custom security descriptor
1089 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1090 # Create example Schema class
1091 class_name
= self
.get_unique_schema_class_name()
1092 class_dn
= "CN=%s,%s" % (class_name
, self
.schema_dn
)
1093 self
.create_schema_class(_ldb
, class_dn
, desc_sddl
)
1094 desc_sddl
= self
.get_desc_sddl(class_dn
)
1095 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1096 self
.assertEqual("O:DAG:DA", res
)
1098 ## Tests for CONFIGURATION
1100 # Defalt descriptor tests ##################################################################
1103 user_name
= "testuser1"
1104 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1105 # Open Ldb connection with the tested user
1106 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1107 # Create example Configuration container
1108 container_name
= "test-container1"
1109 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1110 self
.delete_force(self
.ldb_admin
, object_dn
)
1111 self
.create_configuration_container(_ldb
, object_dn
, )
1112 desc_sddl
= self
.get_desc_sddl(object_dn
)
1113 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1114 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["160"], res
)
1117 user_name
= "testuser2"
1118 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1119 # Open Ldb connection with the tested user
1120 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1121 # Create example Configuration container
1122 container_name
= "test-container1"
1123 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1124 self
.delete_force(self
.ldb_admin
, object_dn
)
1125 self
.create_configuration_container(_ldb
, object_dn
, )
1126 desc_sddl
= self
.get_desc_sddl(object_dn
)
1127 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1128 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["161"], res
)
1131 user_name
= "testuser3"
1132 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1133 # Open Ldb connection with the tested user
1134 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1135 # Create example Configuration container
1136 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1137 self
.delete_force(self
.ldb_admin
, object_dn
)
1138 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1139 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1140 mod
= "(A;;CC;;;AU)"
1141 self
.dacl_add_ace(object_dn
, mod
)
1142 # Create child object with user's credentials
1143 object_dn
= "CN=test-specifier1," + object_dn
1144 self
.delete_force(self
.ldb_admin
, object_dn
)
1145 self
.create_configuration_specifier(_ldb
, object_dn
)
1146 desc_sddl
= self
.get_desc_sddl(object_dn
)
1147 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1148 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["162"] % str(user_sid
), res
)
1151 user_name
= "testuser4"
1152 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1153 # Open Ldb connection with the tested user
1154 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1155 # Create example Configuration container
1156 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1157 self
.delete_force(self
.ldb_admin
, object_dn
)
1158 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1159 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1160 mod
= "(A;;CC;;;AU)"
1161 self
.dacl_add_ace(object_dn
, mod
)
1162 # Create child object with user's credentials
1163 object_dn
= "CN=test-specifier1," + object_dn
1164 self
.delete_force(self
.ldb_admin
, object_dn
)
1165 self
.create_configuration_specifier(_ldb
, object_dn
)
1166 desc_sddl
= self
.get_desc_sddl(object_dn
)
1167 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1168 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["163"] % str(user_sid
), res
)
1171 user_name
= "testuser5"
1172 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1173 # Open Ldb connection with the tested user
1174 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1175 # Create example Configuration container
1176 container_name
= "test-container1"
1177 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1178 self
.delete_force(self
.ldb_admin
, object_dn
)
1179 self
.create_configuration_container(_ldb
, object_dn
, )
1180 desc_sddl
= self
.get_desc_sddl(object_dn
)
1181 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1182 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["164"], res
)
1185 user_name
= "testuser6"
1186 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1187 # Open Ldb connection with the tested user
1188 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1189 # Create example Configuration container
1190 container_name
= "test-container1"
1191 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1192 self
.delete_force(self
.ldb_admin
, object_dn
)
1193 self
.create_configuration_container(_ldb
, object_dn
, )
1194 desc_sddl
= self
.get_desc_sddl(object_dn
)
1195 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1196 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["165"], res
)
1199 user_name
= "testuser7"
1200 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1201 # Open Ldb connection with the tested user
1202 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1203 # Create example Configuration container
1204 container_name
= "test-container1"
1205 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1206 self
.delete_force(self
.ldb_admin
, object_dn
)
1207 self
.create_configuration_container(_ldb
, object_dn
, )
1208 desc_sddl
= self
.get_desc_sddl(object_dn
)
1209 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1210 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["166"], res
)
1213 user_name
= "testuser8"
1214 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1215 # Open Ldb connection with the tested user
1216 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1217 # Create example Configuration container
1218 container_name
= "test-container1"
1219 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1220 self
.delete_force(self
.ldb_admin
, object_dn
)
1221 self
.create_configuration_container(_ldb
, object_dn
, )
1222 desc_sddl
= self
.get_desc_sddl(object_dn
)
1223 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1224 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["167"], res
)
1226 # Custom descriptor tests ##################################################################
1229 user_name
= "testuser1"
1230 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins"])
1231 # Open Ldb connection with the tested user
1232 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1233 # Create example Configuration container
1234 container_name
= "test-container1"
1235 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1236 self
.delete_force(self
.ldb_admin
, object_dn
)
1237 # Create a custom security descriptor
1238 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1239 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1240 desc_sddl
= self
.get_desc_sddl(object_dn
)
1241 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1242 self
.assertEqual("O:DAG:DA", res
)
1245 user_name
= "testuser2"
1246 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins"])
1247 # Open Ldb connection with the tested user
1248 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1249 # Create example Configuration container
1250 container_name
= "test-container1"
1251 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1252 self
.delete_force(self
.ldb_admin
, object_dn
)
1253 # Create a custom security descriptor
1254 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1255 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1256 desc_sddl
= self
.get_desc_sddl(object_dn
)
1257 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1258 self
.assertEqual("O:DAG:DA", res
)
1261 user_name
= "testuser3"
1262 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Schema Admins"])
1263 # Open Ldb connection with the tested user
1264 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1265 # Create example Configuration container
1266 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1267 self
.delete_force(self
.ldb_admin
, object_dn
)
1268 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1269 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1270 mod
= "(A;;CC;;;AU)"
1271 self
.dacl_add_ace(object_dn
, mod
)
1272 # Create child object with user's credentials
1273 object_dn
= "CN=test-specifier1," + object_dn
1274 self
.delete_force(self
.ldb_admin
, object_dn
)
1275 # Create a custom security descriptor
1276 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1277 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1278 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1279 desc_sddl
= self
.get_desc_sddl(object_dn
)
1280 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1281 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["170"] % str(user_sid
), res
)
1284 user_name
= "testuser4"
1285 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), [])
1286 # Open Ldb connection with the tested user
1287 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1288 # Create example Configuration container
1289 object_dn
= "CN=test-container1,CN=DisplaySpecifiers," + self
.configuration_dn
1290 self
.delete_force(self
.ldb_admin
, object_dn
)
1291 self
.create_configuration_container(self
.ldb_admin
, object_dn
, )
1292 user_sid
= self
.get_object_sid( self
.get_users_domain_dn(user_name
) )
1293 mod
= "(A;;CC;;;AU)"
1294 self
.dacl_add_ace(object_dn
, mod
)
1295 # Create child object with user's credentials
1296 object_dn
= "CN=test-specifier1," + object_dn
1297 self
.delete_force(self
.ldb_admin
, object_dn
)
1298 # Create a custom security descriptor
1299 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1300 desc_sddl
= "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid
)
1301 self
.create_configuration_specifier(_ldb
, object_dn
, desc_sddl
)
1302 desc_sddl
= self
.get_desc_sddl(object_dn
)
1303 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1304 self
.assertEqual(self
.results
[self
.DS_BEHAVIOR
]["171"] % str(user_sid
), res
)
1307 user_name
= "testuser5"
1308 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins"])
1309 # Open Ldb connection with the tested user
1310 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1311 # Create example Configuration container
1312 container_name
= "test-container1"
1313 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1314 self
.delete_force(self
.ldb_admin
, object_dn
)
1315 # Create a custom security descriptor
1316 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1317 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1318 desc_sddl
= self
.get_desc_sddl(object_dn
)
1319 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1320 self
.assertEqual("O:DAG:DA", res
)
1323 user_name
= "testuser6"
1324 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1325 # Open Ldb connection with the tested user
1326 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1327 # Create example Configuration container
1328 container_name
= "test-container1"
1329 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1330 self
.delete_force(self
.ldb_admin
, object_dn
)
1331 # Create a custom security descriptor
1332 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1333 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1334 desc_sddl
= self
.get_desc_sddl(object_dn
)
1335 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1336 self
.assertEqual("O:DAG:DA", res
)
1339 user_name
= "testuser7"
1340 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Domain Admins", "Schema Admins"])
1341 # Open Ldb connection with the tested user
1342 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1343 # Create example Configuration container
1344 container_name
= "test-container1"
1345 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1346 self
.delete_force(self
.ldb_admin
, object_dn
)
1347 # Create a custom security descriptor
1348 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1349 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1350 desc_sddl
= self
.get_desc_sddl(object_dn
)
1351 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1352 self
.assertEqual("O:DAG:DA", res
)
1355 user_name
= "testuser8"
1356 self
.check_user_belongs(self
.get_users_domain_dn(user_name
), ["Enterprise Admins", "Schema Admins"])
1357 # Open Ldb connection with the tested user
1358 _ldb
= self
.get_ldb_connection(user_name
, "samba123@")
1359 # Create example Configuration container
1360 container_name
= "test-container1"
1361 object_dn
= "CN=%s,CN=DisplaySpecifiers,%s" % (container_name
, self
.configuration_dn
)
1362 self
.delete_force(self
.ldb_admin
, object_dn
)
1363 # Create a custom security descriptor
1364 desc_sddl
= "O:DAG:DAD:(A;;RP;;;DU)"
1365 self
.create_configuration_container(_ldb
, object_dn
, desc_sddl
)
1366 desc_sddl
= self
.get_desc_sddl(object_dn
)
1367 res
= re
.search("(O:.*G:.*?)D:", desc_sddl
).group(1)
1368 self
.assertEqual("O:DAG:DA", res
)
1370 ########################################################################################
1371 # Inharitance tests for DACL
1373 class DaclDescriptorTests(DescriptorTests
):
1376 DescriptorTests
.setUp(self
)
1379 self
.delete_force(self
.ldb_admin
, "CN=test_inherit_group,OU=test_inherit_ou," + self
.base_dn
)
1380 self
.delete_force(self
.ldb_admin
, "OU=test_inherit_ou," + self
.base_dn
)
1382 def create_clean_ou(self
, object_dn
):
1383 """ Base repeating setup for unittests to follow """
1384 res
= self
.ldb_admin
.search(base
=self
.base_dn
, scope
=SCOPE_SUBTREE
, \
1385 expression
="distinguishedName=%s" % object_dn
)
1386 # Make sure top testing OU has been deleted before starting the test
1387 self
.assertEqual(res
, [])
1388 self
.create_domain_ou(self
.ldb_admin
, object_dn
)
1389 desc_sddl
= self
.get_desc_sddl(object_dn
)
1390 # Make sutre there are inheritable ACEs initially
1391 self
.assertTrue("CI" in desc_sddl
or "OI" in desc_sddl
)
1392 # Find and remove all inherit ACEs
1393 res
= re
.findall("\(.*?\)", desc_sddl
)
1394 res
= [x
for x
in res
if ("CI" in x
) or ("OI" in x
)]
1396 desc_sddl
= desc_sddl
.replace(x
, "")
1397 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1398 # can propagate from above
1399 desc_sddl
= desc_sddl
.replace(":AI", ":AIP")
1400 self
.modify_desc(object_dn
, desc_sddl
)
1401 # Verify all inheritable ACEs are gone
1402 desc_sddl
= self
.get_desc_sddl(object_dn
)
1403 self
.assertFalse("CI" in desc_sddl
)
1404 self
.assertFalse("OI" in desc_sddl
)
1407 """ OU with protected flag and child group. See if the group has inherit ACEs.
1409 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1410 group_dn
= "CN=test_inherit_group," + ou_dn
1411 # Create inheritable-free OU
1412 self
.create_clean_ou(ou_dn
)
1413 # Create group child object
1414 self
.create_domain_group(self
.ldb_admin
, group_dn
)
1415 # Make sure created group object contains NO inherit ACEs
1416 desc_sddl
= self
.get_desc_sddl(group_dn
)
1417 self
.assertFalse("ID" in desc_sddl
)
1420 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1421 Verify group has custom and default ACEs only.
1423 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1424 group_dn
= "CN=test_inherit_group," + ou_dn
1425 # Create inheritable-free OU
1426 self
.create_clean_ou(ou_dn
)
1427 # Create group child object using custom security descriptor
1428 sddl
= "O:AUG:AUD:AI(D;;WP;;;DU)"
1429 self
.create_domain_group(self
.ldb_admin
, group_dn
, sddl
)
1430 # Make sure created group descriptor has NO additional ACEs
1431 desc_sddl
= self
.get_desc_sddl(group_dn
)
1432 self
.assertEqual(desc_sddl
, sddl
)
1435 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1436 See if the group has any of the added ACEs.
1438 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1439 group_dn
= "CN=test_inherit_group," + ou_dn
1440 # Create inheritable-free OU
1441 self
.create_clean_ou(ou_dn
)
1442 # Add some custom non-inheritable ACEs
1443 mod
= "(D;;WP;;;DU)(A;;RP;;;DU)"
1444 self
.dacl_add_ace(ou_dn
, mod
)
1445 # Verify all inheritable ACEs are gone
1446 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1447 # Create group child object
1448 self
.create_domain_group(self
.ldb_admin
, group_dn
)
1449 # Make sure created group object contains NO inherit ACEs
1450 # also make sure the added above non-inheritable ACEs are absant too
1451 desc_sddl
= self
.get_desc_sddl(group_dn
)
1452 self
.assertFalse("ID" in desc_sddl
)
1453 for x
in re
.findall("\(.*?\)", mod
):
1454 self
.assertFalse(x
in desc_sddl
)
1457 """ OU with protected flag and add 'CI' ACE, child group.
1458 See if the group has the added inherited ACE.
1460 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1461 group_dn
= "CN=test_inherit_group," + ou_dn
1462 # Create inheritable-free OU
1463 self
.create_clean_ou(ou_dn
)
1464 # Add some custom 'CI' ACE
1465 mod
= "(D;CI;WP;;;DU)"
1466 self
.dacl_add_ace(ou_dn
, mod
)
1467 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1468 # Create group child object
1469 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1470 # Make sure created group object contains only the above inherited ACE
1471 # that we've added manually
1472 desc_sddl
= self
.get_desc_sddl(group_dn
)
1473 mod
= mod
.replace(";CI;", ";CIID;")
1474 self
.assertTrue(mod
in desc_sddl
)
1477 """ OU with protected flag and add 'OI' ACE, child group.
1478 See if the group has the added inherited ACE.
1480 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1481 group_dn
= "CN=test_inherit_group," + ou_dn
1482 # Create inheritable-free OU
1483 self
.create_clean_ou(ou_dn
)
1484 # Add some custom 'CI' ACE
1485 mod
= "(D;OI;WP;;;DU)"
1486 self
.dacl_add_ace(ou_dn
, mod
)
1487 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1488 # Create group child object
1489 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1490 # Make sure created group object contains only the above inherited ACE
1491 # that we've added manually
1492 desc_sddl
= self
.get_desc_sddl(group_dn
)
1493 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1494 self
.assertTrue(mod
in desc_sddl
)
1497 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1498 See if the group has the added inherited ACE.
1500 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1501 group_dn
= "CN=test_inherit_group," + ou_dn
1502 # Create inheritable-free OU
1503 self
.create_clean_ou(ou_dn
)
1504 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1505 mod
= "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1506 self
.dacl_add_ace(ou_dn
, mod
)
1507 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1508 # Create group child object
1509 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1510 # Make sure created group object contains only the above inherited ACE
1511 # that we've added manually
1512 desc_sddl
= self
.get_desc_sddl(group_dn
)
1513 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1514 self
.assertTrue(mod
in desc_sddl
)
1517 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1518 See if the group has the added inherited ACE.
1520 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1521 group_dn
= "CN=test_inherit_group," + ou_dn
1522 # Create inheritable-free OU
1523 self
.create_clean_ou(ou_dn
)
1524 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1525 mod
= "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1526 self
.dacl_add_ace(ou_dn
, mod
)
1527 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1528 # Create group child object
1529 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1530 # Make sure created group object contains only the above inherited ACE
1531 # that we've added manually
1532 desc_sddl
= self
.get_desc_sddl(group_dn
)
1533 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1534 self
.assertTrue(mod
in desc_sddl
)
1537 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1538 See if the group has the added inherited ACE.
1540 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1541 group_dn
= "CN=test_inherit_group," + ou_dn
1542 # Create inheritable-free OU
1543 self
.create_clean_ou(ou_dn
)
1544 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1545 mod
= "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1546 self
.dacl_add_ace(ou_dn
, mod
)
1547 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1548 # Create group child object
1549 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1550 # Make sure created group object contains only the above inherited ACE
1551 # that we've added manually
1552 desc_sddl
= self
.get_desc_sddl(group_dn
)
1553 mod
= mod
.replace(";CI;", ";CIID;") # change it how it's gonna look like
1554 self
.assertTrue(mod
in desc_sddl
)
1557 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1558 See if the group has the added inherited ACE.
1560 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1561 group_dn
= "CN=test_inherit_group," + ou_dn
1562 # Create inheritable-free OU
1563 self
.create_clean_ou(ou_dn
)
1564 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1565 mod
= "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1566 self
.dacl_add_ace(ou_dn
, mod
)
1567 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1568 # Create group child object
1569 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1570 # Make sure created group object contains only the above inherited ACE
1571 # that we've added manually
1572 desc_sddl
= self
.get_desc_sddl(group_dn
)
1573 mod
= mod
.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1574 self
.assertTrue(mod
in desc_sddl
)
1577 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1578 See if the group has the added inherited ACE.
1580 ou_dn
= "OU=test_inherit_ou," + self
.base_dn
1581 group_dn
= "CN=test_inherit_group," + ou_dn
1582 # Create inheritable-free OU
1583 self
.create_clean_ou(ou_dn
)
1584 # Add some custom 'CI' ACE
1585 mod
= "(D;CI;WP;;;CO)"
1586 self
.dacl_add_ace(ou_dn
, mod
)
1587 desc_sddl
= self
.get_desc_sddl(ou_dn
)
1588 # Create group child object
1589 self
.create_domain_group(self
.ldb_admin
, group_dn
, "O:AUG:AUD:AI(A;;CC;;;AU)")
1590 # Make sure created group object contains only the above inherited ACE(s)
1591 # that we've added manually
1592 desc_sddl
= self
.get_desc_sddl(group_dn
)
1594 self
.assertTrue("(D;ID;WP;;;AU)" in desc_sddl
)
1595 self
.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl
)
1597 ########################################################################################
1599 if not "://" in host
:
1600 host
= "ldap://%s" % host
1601 ldb
= Ldb(host
, credentials
=creds
, session_info
=system_session(), lp
=lp
, options
=["modules:paged_searches"])
1603 runner
= SubunitTestRunner()
1605 if not runner
.run(unittest
.makeSuite(OwnerGroupDescriptorTests
)).wasSuccessful():
1607 if not runner
.run(unittest
.makeSuite(DaclDescriptorTests
)).wasSuccessful():