2 # -*- coding: utf-8 -*-
3 # This is a port of the original in testprogs/ejs/ldap.js
9 sys
.path
.append("bin/python")
11 samba
.ensure_external_module("testtools", "testtools")
12 samba
.ensure_external_module("subunit", "subunit/python")
14 import samba
.getopt
as options
16 from samba
.auth
import system_session
17 from ldb
import SCOPE_BASE
, LdbError
18 from ldb
import ERR_NO_SUCH_OBJECT
, ERR_ATTRIBUTE_OR_VALUE_EXISTS
19 from ldb
import ERR_ENTRY_ALREADY_EXISTS
, ERR_UNWILLING_TO_PERFORM
20 from ldb
import ERR_OTHER
, ERR_NO_SUCH_ATTRIBUTE
21 from ldb
import ERR_OBJECT_CLASS_VIOLATION
22 from ldb
import ERR_CONSTRAINT_VIOLATION
23 from ldb
import ERR_UNDEFINED_ATTRIBUTE_TYPE
24 from ldb
import Message
, MessageElement
, Dn
25 from ldb
import FLAG_MOD_ADD
, FLAG_MOD_REPLACE
, FLAG_MOD_DELETE
26 from samba
.samdb
import SamDB
27 from samba
.dsdb
import (UF_NORMAL_ACCOUNT
,
28 UF_WORKSTATION_TRUST_ACCOUNT
, UF_SERVER_TRUST_ACCOUNT
,
29 UF_PARTIAL_SECRETS_ACCOUNT
, UF_TEMP_DUPLICATE_ACCOUNT
,
30 UF_PASSWD_NOTREQD
, ATYPE_NORMAL_ACCOUNT
,
31 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP
,
32 GTYPE_SECURITY_GLOBAL_GROUP
, GTYPE_SECURITY_UNIVERSAL_GROUP
,
33 GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP
, GTYPE_DISTRIBUTION_GLOBAL_GROUP
,
34 GTYPE_DISTRIBUTION_UNIVERSAL_GROUP
,
35 ATYPE_SECURITY_GLOBAL_GROUP
, ATYPE_SECURITY_UNIVERSAL_GROUP
,
36 ATYPE_SECURITY_LOCAL_GROUP
, ATYPE_DISTRIBUTION_GLOBAL_GROUP
,
37 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP
, ATYPE_DISTRIBUTION_LOCAL_GROUP
,
38 ATYPE_WORKSTATION_TRUST
)
39 from samba
.dcerpc
.security
import (DOMAIN_RID_USERS
, DOMAIN_RID_DOMAIN_MEMBERS
,
40 DOMAIN_RID_DCS
, DOMAIN_RID_READONLY_DCS
)
42 from subunit
.run
import SubunitTestRunner
45 from samba
.ndr
import ndr_unpack
46 from samba
.dcerpc
import security
47 from samba
.tests
import delete_force
49 parser
= optparse
.OptionParser("sam.py [options] <host>")
50 sambaopts
= options
.SambaOptions(parser
)
51 parser
.add_option_group(sambaopts
)
52 parser
.add_option_group(options
.VersionOptions(parser
))
53 # use command line creds if available
54 credopts
= options
.CredentialsOptions(parser
)
55 parser
.add_option_group(credopts
)
56 opts
, args
= parser
.parse_args()
64 lp
= sambaopts
.get_loadparm()
65 creds
= credopts
.get_credentials(lp
)
67 class SamTests(unittest
.TestCase
):
70 super(SamTests
, self
).setUp()
72 self
.base_dn
= ldb
.domain_dn()
74 print "baseDN: %s\n" % self
.base_dn
76 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
77 delete_force(self
.ldb
, "cn=ldaptestuser2,cn=users," + self
.base_dn
)
78 delete_force(self
.ldb
, "cn=ldaptest\,specialuser,cn=users," + self
.base_dn
)
79 delete_force(self
.ldb
, "cn=ldaptestcomputer,cn=computers," + self
.base_dn
)
80 delete_force(self
.ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
81 delete_force(self
.ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
83 def test_users_groups(self
):
84 """This tests the SAM users and groups behaviour"""
85 print "Testing users and groups behaviour\n"
88 "dn": "cn=ldaptestgroup,cn=users," + self
.base_dn
,
89 "objectclass": "group"})
92 "dn": "cn=ldaptestgroup2,cn=users," + self
.base_dn
,
93 "objectclass": "group"})
95 res1
= ldb
.search("cn=ldaptestgroup,cn=users," + self
.base_dn
,
96 scope
=SCOPE_BASE
, attrs
=["objectSID"])
97 self
.assertTrue(len(res1
) == 1)
98 group_rid_1
= security
.dom_sid(ldb
.schema_format_value("objectSID",
99 res1
[0]["objectSID"][0])).split()[1]
101 res1
= ldb
.search("cn=ldaptestgroup2,cn=users," + self
.base_dn
,
102 scope
=SCOPE_BASE
, attrs
=["objectSID"])
103 self
.assertTrue(len(res1
) == 1)
104 group_rid_2
= security
.dom_sid(ldb
.schema_format_value("objectSID",
105 res1
[0]["objectSID"][0])).split()[1]
107 # Try to create a user with an invalid account name
110 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
111 "objectclass": "user",
112 "sAMAccountName": "administrator"})
114 except LdbError
, (num
, _
):
115 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
116 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
118 # Try to create a user with an invalid account name
121 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
122 "objectclass": "user",
123 "sAMAccountName": []})
125 except LdbError
, (num
, _
):
126 self
.assertEquals(num
, ERR_CONSTRAINT_VIOLATION
)
127 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
129 # Try to create a user with an invalid primary group
132 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
133 "objectclass": "user",
134 "primaryGroupID": "0"})
136 except LdbError
, (num
, _
):
137 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
138 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
140 # Try to Create a user with a valid primary group
143 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
144 "objectclass": "user",
145 "primaryGroupID": str(group_rid_1
)})
147 except LdbError
, (num
, _
):
148 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
149 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
151 # Test to see how we should behave when the user account doesn't
154 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
155 m
["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE
,
160 except LdbError
, (num
, _
):
161 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
163 # Test to see how we should behave when the account isn't a user
165 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
166 m
["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE
,
171 except LdbError
, (num
, _
):
172 self
.assertEquals(num
, ERR_OBJECT_CLASS_VIOLATION
)
174 # Test default primary groups on add operations
177 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
178 "objectclass": "user"})
180 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
181 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
182 self
.assertTrue(len(res1
) == 1)
183 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
185 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
188 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
189 "objectclass": "user",
190 "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD
) })
192 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
193 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
194 self
.assertTrue(len(res1
) == 1)
195 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
197 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
199 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
200 # since such accounts aren't directly creatable (ACCESS_DENIED)
203 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
204 "objectclass": "computer",
205 "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
) })
207 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
208 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
209 self
.assertTrue(len(res1
) == 1)
210 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS
))
212 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
215 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
216 "objectclass": "computer",
217 "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
) })
219 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
220 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
221 self
.assertTrue(len(res1
) == 1)
222 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS
))
224 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
226 # Read-only DC accounts are only creatable by
227 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
228 # we have a fallback in the assertion)
230 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
231 "objectclass": "computer",
232 "userAccountControl": str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
) })
234 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
235 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
236 self
.assertTrue(len(res1
) == 1)
237 self
.assertTrue(res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS
) or
238 res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS
))
240 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
242 # Test default primary groups on modify operations
245 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
246 "objectclass": "user"})
249 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
250 m
["userAccountControl"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
251 "userAccountControl")
254 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
255 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
256 self
.assertTrue(len(res1
) == 1)
257 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
259 # unfortunately the INTERDOMAIN_TRUST_ACCOUNT case cannot be tested
260 # since such accounts aren't directly creatable (ACCESS_DENIED)
262 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
265 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
266 "objectclass": "computer"})
268 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
269 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
270 self
.assertTrue(len(res1
) == 1)
271 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_USERS
))
274 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
275 m
["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
276 "userAccountControl")
279 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
280 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
281 self
.assertTrue(len(res1
) == 1)
282 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DOMAIN_MEMBERS
))
285 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
286 m
["userAccountControl"] = MessageElement(str(UF_SERVER_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
287 "userAccountControl")
290 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
291 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
292 self
.assertTrue(len(res1
) == 1)
293 self
.assertEquals(res1
[0]["primaryGroupID"][0], str(DOMAIN_RID_DCS
))
295 # Read-only DC accounts are only creatable by
296 # UF_WORKSTATION_TRUST_ACCOUNT and work only on DCs >= 2008 (therefore
297 # we have a fallback in the assertion)
299 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
300 m
["userAccountControl"] = MessageElement(str(UF_PARTIAL_SECRETS_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD
), FLAG_MOD_REPLACE
,
301 "userAccountControl")
304 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
305 scope
=SCOPE_BASE
, attrs
=["primaryGroupID"])
306 self
.assertTrue(len(res1
) == 1)
307 self
.assertTrue(res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_READONLY_DCS
) or
308 res1
[0]["primaryGroupID"][0] == str(DOMAIN_RID_DOMAIN_MEMBERS
))
310 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
312 # Recreate account for further tests
315 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
316 "objectclass": "user"})
318 # Try to set an invalid account name
320 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
321 m
["sAMAccountName"] = MessageElement("administrator", FLAG_MOD_REPLACE
,
326 except LdbError
, (num
, _
):
327 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
329 # But to reset the actual "sAMAccountName" should still be possible
330 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
331 scope
=SCOPE_BASE
, attrs
=["sAMAccountName"])
332 self
.assertTrue(len(res1
) == 1)
334 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
335 m
["sAMAccountName"] = MessageElement(res1
[0]["sAMAccountName"][0], FLAG_MOD_REPLACE
,
339 # And another (free) name should be possible as well
341 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
342 m
["sAMAccountName"] = MessageElement("xxx_ldaptestuser_xxx", FLAG_MOD_REPLACE
,
346 # We should be able to reset our actual primary group
348 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
349 m
["primaryGroupID"] = MessageElement(str(DOMAIN_RID_USERS
), FLAG_MOD_REPLACE
,
353 # Try to add invalid primary group
355 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
356 m
["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE
,
361 except LdbError
, (num
, _
):
362 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
364 # Try to make group 1 primary - should be denied since it is not yet
367 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
368 m
["primaryGroupID"] = MessageElement(str(group_rid_1
),
369 FLAG_MOD_REPLACE
, "primaryGroupID")
373 except LdbError
, (num
, _
):
374 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
376 # Make group 1 secondary
378 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
379 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
380 FLAG_MOD_REPLACE
, "member")
383 # Make group 1 primary
385 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
386 m
["primaryGroupID"] = MessageElement(str(group_rid_1
),
387 FLAG_MOD_REPLACE
, "primaryGroupID")
390 # Try to delete group 1 - should be denied
392 ldb
.delete("cn=ldaptestgroup,cn=users," + self
.base_dn
)
394 except LdbError
, (num
, _
):
395 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
397 # Try to add group 1 also as secondary - should be denied
399 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
400 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
401 FLAG_MOD_ADD
, "member")
405 except LdbError
, (num
, _
):
406 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
408 # Try to add invalid member to group 1 - should be denied
410 m
.dn
= Dn(ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
411 m
["member"] = MessageElement(
412 "cn=ldaptestuser3,cn=users," + self
.base_dn
,
413 FLAG_MOD_ADD
, "member")
417 except LdbError
, (num
, _
):
418 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
420 # Make group 2 secondary
422 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
423 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
424 FLAG_MOD_ADD
, "member")
429 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
430 m
["primaryGroupID"] = MessageElement(str(group_rid_2
),
431 FLAG_MOD_REPLACE
, "primaryGroupID")
434 # Swap the groups (does not really make sense but does the same)
436 m
.dn
= Dn(ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
437 m
["primaryGroupID"] = MessageElement(str(group_rid_1
),
438 FLAG_MOD_REPLACE
, "primaryGroupID")
439 m
["primaryGroupID"] = MessageElement(str(group_rid_2
),
440 FLAG_MOD_REPLACE
, "primaryGroupID")
443 # Old primary group should contain a "member" attribute for the user,
444 # the new shouldn't contain anymore one
445 res1
= ldb
.search("cn=ldaptestgroup, cn=users," + self
.base_dn
,
446 scope
=SCOPE_BASE
, attrs
=["member"])
447 self
.assertTrue(len(res1
) == 1)
448 self
.assertTrue(len(res1
[0]["member"]) == 1)
449 self
.assertEquals(res1
[0]["member"][0].lower(),
450 ("cn=ldaptestuser,cn=users," + self
.base_dn
).lower())
452 res1
= ldb
.search("cn=ldaptestgroup2, cn=users," + self
.base_dn
,
453 scope
=SCOPE_BASE
, attrs
=["member"])
454 self
.assertTrue(len(res1
) == 1)
455 self
.assertFalse("member" in res1
[0])
457 # Primary group member
459 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
460 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
461 FLAG_MOD_DELETE
, "member")
465 except LdbError
, (num
, _
):
466 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
468 # Delete invalid group member
470 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
471 m
["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self
.base_dn
,
472 FLAG_MOD_DELETE
, "member")
476 except LdbError
, (num
, _
):
477 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
479 # Also this should be denied
482 "dn": "cn=ldaptestuser2,cn=users," + self
.base_dn
,
483 "objectclass": "user",
484 "primaryGroupID": "0"})
486 except LdbError
, (num
, _
):
487 self
.assertEquals(num
, ERR_UNWILLING_TO_PERFORM
)
489 # Recreate user accounts
491 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
494 "dn": "cn=ldaptestuser,cn=users," + self
.base_dn
,
495 "objectclass": "user"})
498 "dn": "cn=ldaptestuser2,cn=users," + self
.base_dn
,
499 "objectclass": "user"})
502 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
503 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
504 FLAG_MOD_ADD
, "member")
509 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
510 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
511 FLAG_MOD_ADD
, "member")
515 except LdbError
, (num
, _
):
516 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
518 # Already added, but as <SID=...>
519 res1
= ldb
.search("cn=ldaptestuser,cn=users," + self
.base_dn
,
520 scope
=SCOPE_BASE
, attrs
=["objectSid"])
521 self
.assertTrue(len(res1
) == 1)
522 sid_bin
= res1
[0]["objectSid"][0]
523 sid_str
= ("<SID=" + ldb
.schema_format_value("objectSid", sid_bin
) + ">").upper()
526 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
527 m
["member"] = MessageElement(sid_str
, FLAG_MOD_ADD
, "member")
531 except LdbError
, (num
, _
):
532 self
.assertEquals(num
, ERR_ENTRY_ALREADY_EXISTS
)
536 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
537 m
["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self
.base_dn
,
538 FLAG_MOD_REPLACE
, "member")
542 except LdbError
, (num
, _
):
543 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
547 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
548 m
["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self
.base_dn
,
549 "cn=ldaptestuser1,cn=users," + self
.base_dn
],
550 FLAG_MOD_REPLACE
, "member")
554 except LdbError
, (num
, _
):
555 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
559 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
560 m
["member"] = MessageElement("cn=ldaptestuser,cn=users," + self
.base_dn
,
561 FLAG_MOD_REPLACE
, "member")
562 m
["member"] = MessageElement("cn=ldaptestuser1,cn=users," + self
.base_dn
,
563 FLAG_MOD_ADD
, "member")
567 except LdbError
, (num
, _
):
568 self
.assertEquals(num
, ERR_NO_SUCH_OBJECT
)
571 m
.dn
= Dn(ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
572 m
["member"] = MessageElement(["cn=ldaptestuser,cn=users," + self
.base_dn
,
573 "cn=ldaptestuser2,cn=users," + self
.base_dn
],
574 FLAG_MOD_REPLACE
, "member")
577 delete_force(self
.ldb
, "cn=ldaptestuser,cn=users," + self
.base_dn
)
578 delete_force(self
.ldb
, "cn=ldaptestuser2,cn=users," + self
.base_dn
)
579 delete_force(self
.ldb
, "cn=ldaptestgroup,cn=users," + self
.base_dn
)
580 delete_force(self
.ldb
, "cn=ldaptestgroup2,cn=users," + self
.base_dn
)
582 # Make also a small test for accounts with special DNs ("," in this case)
584 "dn": "cn=ldaptest\,specialuser,cn=users," + self
.base_dn
,
585 "objectclass": "user"})
586 delete_force(self
.ldb
, "cn=ldaptest\,specialuser,cn=users," + self
.base_dn
)
588 def test_sam_attributes(self
):
589 """Test the behaviour of special attributes of SAM objects"""
590 print "Testing the behaviour of special attributes of SAM objects\n"""
593 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
594 "objectclass
": "user
"})
596 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
597 "objectclass
": "group
"})
600 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
601 m["groupType
"] = MessageElement(str(GTYPE_SECURITY_GLOBAL_GROUP), FLAG_MOD_ADD,
606 except LdbError, (num, _):
607 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
609 # Delete protection tests
611 for attr in ["nTSecurityDescriptor
", "objectSid
", "sAMAccountType
",
612 "sAMAccountName
", "groupType
"]:
615 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
616 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
620 except LdbError, (num, _):
621 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
624 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
625 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
629 except LdbError, (num, _):
630 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
633 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
634 m["primaryGroupID
"] = MessageElement("513", FLAG_MOD_ADD,
639 except LdbError, (num, _):
640 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
643 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
644 m["userAccountControl
"] = MessageElement(str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD), FLAG_MOD_ADD,
645 "userAccountControl
")
649 except LdbError, (num, _):
650 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
653 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
654 m["objectSid
"] = MessageElement("xxxxxxxxxxxxxxxx
", FLAG_MOD_ADD,
659 except LdbError, (num, _):
660 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
663 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
664 m["sAMAccountType
"] = MessageElement("0", FLAG_MOD_ADD,
669 except LdbError, (num, _):
670 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
673 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
674 m["sAMAccountName
"] = MessageElement("test
", FLAG_MOD_ADD,
679 except LdbError, (num, _):
680 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
682 # Delete protection tests
684 for attr in ["nTSecurityDescriptor
", "objectSid
", "sAMAccountType
",
685 "sAMAccountName
", "primaryGroupID
", "userAccountControl
",
686 "accountExpires
", "badPasswordTime
", "badPwdCount
",
687 "codePage
", "countryCode
", "lastLogoff
", "lastLogon
",
688 "logonCount
", "pwdLastSet
"]:
691 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
692 m[attr] = MessageElement([], FLAG_MOD_REPLACE, attr)
696 except LdbError, (num, _):
697 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
700 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
701 m[attr] = MessageElement([], FLAG_MOD_DELETE, attr)
705 except LdbError, (num, _):
706 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
708 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
709 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
711 def test_primary_group_token_constructed(self):
712 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups) and some other constructed attributes"""
713 print "Testing primary group token behaviour
and other constructed attributes
\n"
717 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
718 "objectclass
": "group
",
719 "primaryGroupToken
": "100"})
721 except LdbError, (num, _):
722 self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
723 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
726 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
727 "objectclass
": "user
"})
730 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
731 "objectclass
": "group
"})
733 # Testing for one invalid, and one valid operational attribute, but also the things they are built from
734 res1 = ldb.search(self.base_dn,
735 scope=SCOPE_BASE, attrs=["primaryGroupToken
", "canonicalName
", "objectClass
", "objectSid
"])
736 self.assertTrue(len(res1) == 1)
737 self.assertFalse("primaryGroupToken
" in res1[0])
738 self.assertTrue("canonicalName
" in res1[0])
739 self.assertTrue("objectClass
" in res1[0])
740 self.assertTrue("objectSid
" in res1[0])
742 res1 = ldb.search(self.base_dn,
743 scope=SCOPE_BASE, attrs=["primaryGroupToken
", "canonicalName
"])
744 self.assertTrue(len(res1) == 1)
745 self.assertFalse("primaryGroupToken
" in res1[0])
746 self.assertFalse("objectSid
" in res1[0])
747 self.assertFalse("objectClass
" in res1[0])
748 self.assertTrue("canonicalName
" in res1[0])
750 res1 = ldb.search("cn
=users
," + self.base_dn,
751 scope=SCOPE_BASE, attrs=["primaryGroupToken
"])
752 self.assertTrue(len(res1) == 1)
753 self.assertFalse("primaryGroupToken
" in res1[0])
755 res1 = ldb.search("cn
=ldaptestuser
, cn
=users
," + self.base_dn,
756 scope=SCOPE_BASE, attrs=["primaryGroupToken
"])
757 self.assertTrue(len(res1) == 1)
758 self.assertFalse("primaryGroupToken
" in res1[0])
760 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
762 self.assertTrue(len(res1) == 1)
763 self.assertFalse("primaryGroupToken
" in res1[0])
765 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
766 scope=SCOPE_BASE, attrs=["primaryGroupToken
", "objectSID
"])
767 self.assertTrue(len(res1) == 1)
768 primary_group_token = int(res1[0]["primaryGroupToken
"][0])
770 rid = security.dom_sid(ldb.schema_format_value("objectSID
", res1[0]["objectSID
"][0])).split()[1]
771 self.assertEquals(primary_group_token, rid)
774 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
775 m["primaryGroupToken
"] = "100"
779 except LdbError, (num, _):
780 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
782 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
783 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
785 def test_tokenGroups(self):
786 """Test the tokenGroups behaviour (hidden-generated-readonly attribute on SAM objects)"""
787 print "Testing tokenGroups behaviour
\n"
789 # The domain object shouldn't contain any "tokenGroups
" entry
790 res = ldb.search(self.base_dn, scope=SCOPE_BASE, attrs=["tokenGroups
"])
791 self.assertTrue(len(res) == 1)
792 self.assertFalse("tokenGroups
" in res[0])
794 # The domain administrator should contain "tokenGroups
" entries
795 # (the exact number depends on the domain/forest function level and the
796 # DC software versions)
797 res = ldb.search("cn
=Administrator
,cn
=Users
," + self.base_dn,
798 scope=SCOPE_BASE, attrs=["tokenGroups
"])
799 self.assertTrue(len(res) == 1)
800 self.assertTrue("tokenGroups
" in res[0])
803 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
804 "objectclass
": "user
"})
806 # This testuser should contain at least two "tokenGroups
" entries
807 # (exactly two on an unmodified "Domain Users
" and "Users
" group)
808 res = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
809 scope=SCOPE_BASE, attrs=["tokenGroups
"])
810 self.assertTrue(len(res) == 1)
811 self.assertTrue(len(res[0]["tokenGroups
"]) >= 2)
813 # one entry which we need to find should point to domains "Domain Users
"
814 # group and another entry should point to the builtin "Users
"group
815 domain_users_group_found = False
816 users_group_found = False
817 for sid in res[0]["tokenGroups
"]:
818 rid = security.dom_sid(ldb.schema_format_value("objectSID
", sid)).split()[1]
820 domain_users_group_found = True
822 users_group_found = True
824 self.assertTrue(domain_users_group_found)
825 self.assertTrue(users_group_found)
827 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
829 def test_groupType(self):
830 """Test the groupType behaviour"""
831 print "Testing groupType behaviour
\n"
833 # You can never create or change to a
834 # "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP
"
841 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
842 "objectclass
": "group
",
845 except LdbError, (num, _):
846 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
847 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
851 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
852 "objectclass
": "group
",
853 "groupType
": str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP)})
855 except LdbError, (num, _):
856 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
857 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
860 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
861 "objectclass
": "group
",
862 "groupType
": str(GTYPE_SECURITY_GLOBAL_GROUP)})
864 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
865 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
866 self.assertTrue(len(res1) == 1)
867 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
868 ATYPE_SECURITY_GLOBAL_GROUP)
869 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
872 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
873 "objectclass
": "group
",
874 "groupType
": str(GTYPE_SECURITY_UNIVERSAL_GROUP)})
876 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
877 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
878 self.assertTrue(len(res1) == 1)
879 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
880 ATYPE_SECURITY_UNIVERSAL_GROUP)
881 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
884 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
885 "objectclass
": "group
",
886 "groupType
": str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP)})
888 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
889 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
890 self.assertTrue(len(res1) == 1)
891 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
892 ATYPE_SECURITY_LOCAL_GROUP)
893 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
896 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
897 "objectclass
": "group
",
898 "groupType
": str(GTYPE_DISTRIBUTION_GLOBAL_GROUP)})
900 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
901 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
902 self.assertTrue(len(res1) == 1)
903 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
904 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
905 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
908 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
909 "objectclass
": "group
",
910 "groupType
": str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP)})
912 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
913 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
914 self.assertTrue(len(res1) == 1)
915 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
916 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
917 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
920 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
921 "objectclass
": "group
",
922 "groupType
": str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)})
924 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
925 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
926 self.assertTrue(len(res1) == 1)
927 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
928 ATYPE_DISTRIBUTION_LOCAL_GROUP)
929 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
934 "dn
": "cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
935 "objectclass
": "group
"})
937 # We can change in this direction: global <-> universal <-> local
938 # On each step also the group type itself (security/distribution) is
941 # After creation we should have a "security
global group
"
942 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
943 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
944 self.assertTrue(len(res1) == 1)
945 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
946 ATYPE_SECURITY_GLOBAL_GROUP)
951 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
952 m["groupType
"] = MessageElement("0",
953 FLAG_MOD_REPLACE, "groupType
")
956 except LdbError, (num, _):
957 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
961 # Default is "global group
"
964 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
965 m["groupType
"] = MessageElement(
966 str(GTYPE_SECURITY_GLOBAL_GROUP),
967 FLAG_MOD_REPLACE, "groupType
")
970 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
971 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
972 self.assertTrue(len(res1) == 1)
973 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
974 ATYPE_SECURITY_GLOBAL_GROUP)
976 # Change to "local
" (shouldn't work)
980 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
981 m["groupType
"] = MessageElement(
982 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
983 FLAG_MOD_REPLACE, "groupType
")
986 except LdbError, (num, _):
987 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
989 # Change to "universal
"
992 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
993 m["groupType
"] = MessageElement(
994 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
995 FLAG_MOD_REPLACE, "groupType
")
998 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
999 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1000 self.assertTrue(len(res1) == 1)
1001 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1002 ATYPE_SECURITY_UNIVERSAL_GROUP)
1004 # Change back to "global"
1007 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1008 m["groupType
"] = MessageElement(
1009 str(GTYPE_SECURITY_GLOBAL_GROUP),
1010 FLAG_MOD_REPLACE, "groupType
")
1013 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1014 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1015 self.assertTrue(len(res1) == 1)
1016 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1017 ATYPE_SECURITY_GLOBAL_GROUP)
1019 # Change back to "universal
"
1022 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1023 m["groupType
"] = MessageElement(
1024 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1025 FLAG_MOD_REPLACE, "groupType
")
1028 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1029 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1030 self.assertTrue(len(res1) == 1)
1031 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1032 ATYPE_SECURITY_UNIVERSAL_GROUP)
1037 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1038 m["groupType
"] = MessageElement(
1039 str(GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
1040 FLAG_MOD_REPLACE, "groupType
")
1043 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1044 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1045 self.assertTrue(len(res1) == 1)
1046 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1047 ATYPE_SECURITY_LOCAL_GROUP)
1049 # Change to "global" (shouldn't work)
1053 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1054 m["groupType
"] = MessageElement(
1055 str(GTYPE_SECURITY_GLOBAL_GROUP),
1056 FLAG_MOD_REPLACE, "groupType
")
1059 except LdbError, (num, _):
1060 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1062 # Change to "builtin local
" (shouldn't work)
1066 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1067 m["groupType
"] = MessageElement(
1068 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1069 FLAG_MOD_REPLACE, "groupType
")
1072 except LdbError, (num, _):
1073 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1076 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1078 # Change back to "universal
"
1081 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1082 m["groupType
"] = MessageElement(
1083 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1084 FLAG_MOD_REPLACE, "groupType
")
1087 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1088 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1089 self.assertTrue(len(res1) == 1)
1090 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1091 ATYPE_SECURITY_UNIVERSAL_GROUP)
1093 # Change to "builtin local
" (shouldn't work)
1097 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1098 m["groupType
"] = MessageElement(
1099 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1100 FLAG_MOD_REPLACE, "groupType
")
1103 except LdbError, (num, _):
1104 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1106 # Change back to "global"
1109 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1110 m["groupType
"] = MessageElement(
1111 str(GTYPE_SECURITY_GLOBAL_GROUP),
1112 FLAG_MOD_REPLACE, "groupType
")
1115 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1116 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1117 self.assertTrue(len(res1) == 1)
1118 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1119 ATYPE_SECURITY_GLOBAL_GROUP)
1121 # Change to "builtin local
" (shouldn't work)
1125 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1126 m["groupType
"] = MessageElement(
1127 str(GTYPE_SECURITY_BUILTIN_LOCAL_GROUP),
1128 FLAG_MOD_REPLACE, "groupType
")
1131 except LdbError, (num, _):
1132 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1134 # Distribution groups
1136 # Default is "global group
"
1139 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1140 m["groupType
"] = MessageElement(
1141 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1142 FLAG_MOD_REPLACE, "groupType
")
1145 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1146 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1147 self.assertTrue(len(res1) == 1)
1148 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1149 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1151 # Change to local (shouldn't work)
1155 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1156 m["groupType
"] = MessageElement(
1157 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1158 FLAG_MOD_REPLACE, "groupType
")
1161 except LdbError, (num, _):
1162 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1164 # Change to "universal
"
1167 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1168 m["groupType
"] = MessageElement(
1169 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1170 FLAG_MOD_REPLACE, "groupType
")
1173 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1174 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1175 self.assertTrue(len(res1) == 1)
1176 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1177 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1179 # Change back to "global"
1182 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1183 m["groupType
"] = MessageElement(
1184 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1185 FLAG_MOD_REPLACE, "groupType
")
1188 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1189 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1190 self.assertTrue(len(res1) == 1)
1191 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1192 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1194 # Change back to "universal
"
1197 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1198 m["groupType
"] = MessageElement(
1199 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1200 FLAG_MOD_REPLACE, "groupType
")
1203 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1204 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1205 self.assertTrue(len(res1) == 1)
1206 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1207 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1212 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1213 m["groupType
"] = MessageElement(
1214 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1215 FLAG_MOD_REPLACE, "groupType
")
1218 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1219 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1220 self.assertTrue(len(res1) == 1)
1221 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1222 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1224 # Change to "global" (shouldn't work)
1228 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1229 m["groupType
"] = MessageElement(
1230 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1231 FLAG_MOD_REPLACE, "groupType
")
1234 except LdbError, (num, _):
1235 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1237 # Change back to "universal
"
1239 # Try to add invalid member to group 1 - should be denied
1241 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1242 m["member
"] = MessageElement(
1243 "cn
=ldaptestuser3
,cn
=users
," + self.base_dn,
1244 FLAG_MOD_ADD, "member
")
1248 except LdbError, (num, _):
1249 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
1251 # Make group 2 secondary
1253 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1254 m["groupType
"] = MessageElement(
1255 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1256 FLAG_MOD_REPLACE, "groupType
")
1259 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1260 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1261 self.assertTrue(len(res1) == 1)
1262 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1263 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1265 # Change back to "global"
1268 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1269 m["groupType
"] = MessageElement(
1270 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1271 FLAG_MOD_REPLACE, "groupType
")
1274 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1275 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1276 self.assertTrue(len(res1) == 1)
1277 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1278 ATYPE_DISTRIBUTION_GLOBAL_GROUP)
1280 # Both group types: this performs only random checks - all possibilities
1281 # would require too much code.
1283 # Default is "global group
"
1286 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1287 m["groupType
"] = MessageElement(
1288 str(GTYPE_SECURITY_GLOBAL_GROUP),
1289 FLAG_MOD_REPLACE, "groupType
")
1292 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1293 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1294 self.assertTrue(len(res1) == 1)
1295 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1296 ATYPE_SECURITY_GLOBAL_GROUP)
1298 # Change to "local
" (shouldn't work)
1302 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1303 m["groupType
"] = MessageElement(
1304 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1305 FLAG_MOD_REPLACE, "groupType
")
1308 except LdbError, (num, _):
1309 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1311 # Change to "universal
"
1314 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1315 m["groupType
"] = MessageElement(
1316 str(GTYPE_DISTRIBUTION_UNIVERSAL_GROUP),
1317 FLAG_MOD_REPLACE, "groupType
")
1320 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1321 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1322 self.assertTrue(len(res1) == 1)
1323 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1324 ATYPE_DISTRIBUTION_UNIVERSAL_GROUP)
1326 # Change back to "global"
1329 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1330 m["groupType
"] = MessageElement(
1331 str(GTYPE_SECURITY_GLOBAL_GROUP),
1332 FLAG_MOD_REPLACE, "groupType
")
1335 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1336 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1337 self.assertTrue(len(res1) == 1)
1338 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1339 ATYPE_SECURITY_GLOBAL_GROUP)
1341 # Change back to "universal
"
1344 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1345 m["groupType
"] = MessageElement(
1346 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1347 FLAG_MOD_REPLACE, "groupType
")
1350 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1351 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1352 self.assertTrue(len(res1) == 1)
1353 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1354 ATYPE_SECURITY_UNIVERSAL_GROUP)
1359 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1360 m["groupType
"] = MessageElement(
1361 str(GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP),
1362 FLAG_MOD_REPLACE, "groupType
")
1365 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1366 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1367 self.assertTrue(len(res1) == 1)
1368 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1369 ATYPE_DISTRIBUTION_LOCAL_GROUP)
1371 # Change to "global" (shouldn't work)
1375 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1376 m["groupType
"] = MessageElement(
1377 str(GTYPE_DISTRIBUTION_GLOBAL_GROUP),
1378 FLAG_MOD_REPLACE, "groupType
")
1381 except LdbError, (num, _):
1382 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1384 # Change back to "universal
"
1387 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1388 m["groupType
"] = MessageElement(
1389 str(GTYPE_SECURITY_UNIVERSAL_GROUP),
1390 FLAG_MOD_REPLACE, "groupType
")
1393 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1394 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1395 self.assertTrue(len(res1) == 1)
1396 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1397 ATYPE_SECURITY_UNIVERSAL_GROUP)
1399 # Change back to "global"
1402 m.dn = Dn(ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1403 m["groupType
"] = MessageElement(
1404 str(GTYPE_SECURITY_GLOBAL_GROUP),
1405 FLAG_MOD_REPLACE, "groupType
")
1408 res1 = ldb.search("cn
=ldaptestgroup
,cn
=users
," + self.base_dn,
1409 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1410 self.assertTrue(len(res1) == 1)
1411 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1412 ATYPE_SECURITY_GLOBAL_GROUP)
1414 delete_force(self.ldb, "cn
=ldaptestgroup
,cn
=users
," + self.base_dn)
1416 def test_userAccountControl(self):
1417 """Test the userAccountControl behaviour"""
1418 print "Testing userAccountControl behaviour
\n"
1420 # With a user object
1424 # As user you can only set a normal account.
1425 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1427 # With SYSTEM rights you can set a interdomain trust account.
1432 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1433 "objectclass
": "user
",
1434 "userAccountControl
": "0"})
1436 except LdbError, (num, _):
1437 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1438 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1440 # This has to wait until s4 supports it (needs a password module change)
1443 # "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1444 # "objectclass
": "user
",
1445 # "userAccountControl
": str(UF_NORMAL_ACCOUNT)})
1447 # except LdbError, (num, _):
1448 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1449 # delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1452 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1453 "objectclass
": "user
",
1454 "userAccountControl
": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1456 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1457 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1458 self.assertTrue(len(res1) == 1)
1459 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1460 ATYPE_NORMAL_ACCOUNT)
1461 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1465 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1466 "objectclass
": "user
",
1467 "userAccountControl
": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1469 except LdbError, (num, _):
1470 self.assertEquals(num, ERR_OTHER)
1471 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1473 # This isn't supported yet in s4
1476 # "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1477 # "objectclass
": "user
",
1478 # "userAccountControl
": str(UF_SERVER_TRUST_ACCOUNT)})
1480 # except LdbError, (num, _):
1481 # self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1482 # delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1486 # "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1487 # "objectclass
": "user
",
1488 # "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1489 # except LdbError, (num, _):
1490 # self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1491 # delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1493 # This isn't supported yet in s4 - needs ACL module adaption
1496 # "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1497 # "objectclass
": "user
",
1498 # "userAccountControl
": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1500 # except LdbError, (num, _):
1501 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1502 # delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1507 "dn
": "cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1508 "objectclass
": "user
"})
1510 # After creation we should have a normal account
1511 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1512 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1513 self.assertTrue(len(res1) == 1)
1514 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1515 ATYPE_NORMAL_ACCOUNT)
1517 # As user you can only switch from a normal account to a workstation
1518 # trust account and back.
1519 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1521 # With SYSTEM rights you can switch to a interdomain trust account.
1526 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1527 m["userAccountControl
"] = MessageElement("0",
1528 FLAG_MOD_REPLACE, "userAccountControl
")
1530 except LdbError, (num, _):
1531 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1533 # This has to wait until s4 supports it (needs a password module change)
1536 # m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1537 # m["userAccountControl
"] = MessageElement(
1538 # str(UF_NORMAL_ACCOUNT),
1539 # FLAG_MOD_REPLACE, "userAccountControl
")
1541 # except LdbError, (num, _):
1542 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1545 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1546 m["userAccountControl
"] = MessageElement(
1547 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1548 FLAG_MOD_REPLACE, "userAccountControl
")
1551 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1552 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1553 self.assertTrue(len(res1) == 1)
1554 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1555 ATYPE_NORMAL_ACCOUNT)
1559 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1560 m["userAccountControl
"] = MessageElement(
1561 str(UF_TEMP_DUPLICATE_ACCOUNT),
1562 FLAG_MOD_REPLACE, "userAccountControl
")
1565 except LdbError, (num, _):
1566 self.assertEquals(num, ERR_OTHER)
1568 # This isn't supported yet in s4
1571 # m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1572 # m["userAccountControl
"] = MessageElement(
1573 # str(UF_SERVER_TRUST_ACCOUNT),
1574 # FLAG_MOD_REPLACE, "userAccountControl
")
1577 # except LdbError, (num, _):
1578 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1581 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1582 m["userAccountControl
"] = MessageElement(
1583 str(UF_WORKSTATION_TRUST_ACCOUNT),
1584 FLAG_MOD_REPLACE, "userAccountControl
")
1587 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1588 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1589 self.assertTrue(len(res1) == 1)
1590 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1591 ATYPE_WORKSTATION_TRUST)
1594 m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1595 m["userAccountControl
"] = MessageElement(
1596 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1597 FLAG_MOD_REPLACE, "userAccountControl
")
1600 res1 = ldb.search("cn
=ldaptestuser
,cn
=users
," + self.base_dn,
1601 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1602 self.assertTrue(len(res1) == 1)
1603 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1604 ATYPE_NORMAL_ACCOUNT)
1606 # This isn't supported yet in s4 - needs ACL module adaption
1609 # m.dn = Dn(ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1610 # m["userAccountControl
"] = MessageElement(
1611 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1612 # FLAG_MOD_REPLACE, "userAccountControl
")
1615 # except LdbError, (num, _):
1616 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1618 # With a computer object
1622 # As computer you can set a normal account and a server trust account.
1623 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1625 # With SYSTEM rights you can set a interdomain trust account.
1630 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1631 "objectclass
": "computer
",
1632 "userAccountControl
": "0"})
1634 except LdbError, (num, _):
1635 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1636 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1638 # This has to wait until s4 supports it (needs a password module change)
1641 # "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1642 # "objectclass
": "computer
",
1643 # "userAccountControl
": str(UF_NORMAL_ACCOUNT)})
1645 # except LdbError, (num, _):
1646 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1647 # delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1650 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1651 "objectclass
": "computer
",
1652 "userAccountControl
": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD)})
1654 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1655 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1656 self.assertTrue(len(res1) == 1)
1657 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1658 ATYPE_NORMAL_ACCOUNT)
1659 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1663 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1664 "objectclass
": "computer
",
1665 "userAccountControl
": str(UF_TEMP_DUPLICATE_ACCOUNT)})
1667 except LdbError, (num, _):
1668 self.assertEquals(num, ERR_OTHER)
1669 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1672 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1673 "objectclass
": "computer
",
1674 "userAccountControl
": str(UF_SERVER_TRUST_ACCOUNT)})
1676 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1677 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1678 self.assertTrue(len(res1) == 1)
1679 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1680 ATYPE_WORKSTATION_TRUST)
1681 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1685 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1686 "objectclass
": "computer
",
1687 "userAccountControl
": str(UF_WORKSTATION_TRUST_ACCOUNT)})
1688 except LdbError, (num, _):
1689 self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION)
1690 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1692 # This isn't supported yet in s4 - needs ACL module adaption
1695 # "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1696 # "objectclass
": "computer
",
1697 # "userAccountControl
": str(UF_INTERDOMAIN_TRUST_ACCOUNT)})
1699 # except LdbError, (num, _):
1700 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1701 # delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1706 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1707 "objectclass
": "computer
"})
1709 # After creation we should have a normal account
1710 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1711 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1712 self.assertTrue(len(res1) == 1)
1713 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1714 ATYPE_NORMAL_ACCOUNT)
1716 # As computer you can switch from a normal account to a workstation
1717 # or server trust account and back (also swapping between trust
1718 # accounts is allowed).
1719 # The UF_PASSWD_NOTREQD flag is needed since we haven't requested a
1721 # With SYSTEM rights you can switch to a interdomain trust account.
1726 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1727 m["userAccountControl
"] = MessageElement("0",
1728 FLAG_MOD_REPLACE, "userAccountControl
")
1730 except LdbError, (num, _):
1731 self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1733 # This has to wait until s4 supports it (needs a password module change)
1736 # m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1737 # m["userAccountControl
"] = MessageElement(
1738 # str(UF_NORMAL_ACCOUNT),
1739 # FLAG_MOD_REPLACE, "userAccountControl
")
1741 # except LdbError, (num, _):
1742 # self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
1745 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1746 m["userAccountControl
"] = MessageElement(
1747 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1748 FLAG_MOD_REPLACE, "userAccountControl
")
1751 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1752 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1753 self.assertTrue(len(res1) == 1)
1754 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1755 ATYPE_NORMAL_ACCOUNT)
1759 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1760 m["userAccountControl
"] = MessageElement(
1761 str(UF_TEMP_DUPLICATE_ACCOUNT),
1762 FLAG_MOD_REPLACE, "userAccountControl
")
1765 except LdbError, (num, _):
1766 self.assertEquals(num, ERR_OTHER)
1769 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1770 m["userAccountControl
"] = MessageElement(
1771 str(UF_SERVER_TRUST_ACCOUNT),
1772 FLAG_MOD_REPLACE, "userAccountControl
")
1775 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1776 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1777 self.assertTrue(len(res1) == 1)
1778 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1779 ATYPE_WORKSTATION_TRUST)
1782 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1783 m["userAccountControl
"] = MessageElement(
1784 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1785 FLAG_MOD_REPLACE, "userAccountControl
")
1788 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1789 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1790 self.assertTrue(len(res1) == 1)
1791 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1792 ATYPE_NORMAL_ACCOUNT)
1795 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1796 m["userAccountControl
"] = MessageElement(
1797 str(UF_WORKSTATION_TRUST_ACCOUNT),
1798 FLAG_MOD_REPLACE, "userAccountControl
")
1801 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1802 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1803 self.assertTrue(len(res1) == 1)
1804 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1805 ATYPE_WORKSTATION_TRUST)
1808 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1809 m["userAccountControl
"] = MessageElement(
1810 str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD),
1811 FLAG_MOD_REPLACE, "userAccountControl
")
1814 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1815 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1816 self.assertTrue(len(res1) == 1)
1817 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1818 ATYPE_NORMAL_ACCOUNT)
1821 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1822 m["userAccountControl
"] = MessageElement(
1823 str(UF_SERVER_TRUST_ACCOUNT),
1824 FLAG_MOD_REPLACE, "userAccountControl
")
1827 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1828 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1829 self.assertTrue(len(res1) == 1)
1830 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1831 ATYPE_WORKSTATION_TRUST)
1834 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1835 m["userAccountControl
"] = MessageElement(
1836 str(UF_WORKSTATION_TRUST_ACCOUNT),
1837 FLAG_MOD_REPLACE, "userAccountControl
")
1840 res1 = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1841 scope=SCOPE_BASE, attrs=["sAMAccountType
"])
1842 self.assertTrue(len(res1) == 1)
1843 self.assertEquals(int(res1[0]["sAMAccountType
"][0]),
1844 ATYPE_WORKSTATION_TRUST)
1846 # This isn't supported yet in s4 - needs ACL module adaption
1849 # m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1850 # m["userAccountControl
"] = MessageElement(
1851 # str(UF_INTERDOMAIN_TRUST_ACCOUNT),
1852 # FLAG_MOD_REPLACE, "userAccountControl
")
1855 # except LdbError, (num, _):
1856 # self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
1858 delete_force(self.ldb, "cn
=ldaptestuser
,cn
=users
," + self.base_dn)
1859 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1861 def test_service_principal_name_updates(self):
1862 """Test the servicePrincipalNames update behaviour"""
1863 print "Testing servicePrincipalNames update behaviour
\n"
1866 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1867 "objectclass
": "computer
",
1868 "dNSHostName
": "testname
.testdom
"})
1870 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1871 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
1872 self.assertTrue(len(res) == 1)
1873 self.assertFalse("servicePrincipalName
" in res[0])
1875 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1878 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1879 "objectclass
": "computer
",
1880 "servicePrincipalName
": "HOST
/testname
.testdom
"})
1882 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1883 scope=SCOPE_BASE, attrs=["dNSHostName
"])
1884 self.assertTrue(len(res) == 1)
1885 self.assertFalse("dNSHostName
" in res[0])
1887 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1890 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1891 "objectclass
": "computer
",
1892 "dNSHostName
": "testname2
.testdom
",
1893 "servicePrincipalName
": "HOST
/testname
.testdom
"})
1895 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1896 scope=SCOPE_BASE, attrs=["dNSHostName
"])
1897 self.assertTrue(len(res) == 1)
1898 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
1900 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1901 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
1902 self.assertTrue(len(res) == 1)
1903 self.assertEquals(res[0]["servicePrincipalName
"][0],
1904 "HOST
/testname
.testdom
")
1907 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1908 m["dNSHostName
"] = MessageElement("testname
.testdoM
",
1909 FLAG_MOD_REPLACE, "dNSHostName
")
1912 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1913 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
1914 self.assertTrue(len(res) == 1)
1915 self.assertEquals(res[0]["servicePrincipalName
"][0],
1916 "HOST
/testname
.testdom
")
1919 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1920 m["dNSHostName
"] = MessageElement("testname2
.testdom2
",
1921 FLAG_MOD_REPLACE, "dNSHostName
")
1924 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1925 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
1926 self.assertTrue(len(res) == 1)
1927 self.assertEquals(res[0]["servicePrincipalName
"][0],
1928 "HOST
/testname2
.testdom2
")
1931 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1932 m["dNSHostName
"] = MessageElement([],
1933 FLAG_MOD_DELETE, "dNSHostName
")
1936 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1937 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
1938 self.assertTrue(len(res) == 1)
1939 self.assertEquals(res[0]["servicePrincipalName
"][0],
1940 "HOST
/testname2
.testdom2
")
1943 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1944 m["dNSHostName
"] = MessageElement("testname
.testdom3
",
1945 FLAG_MOD_REPLACE, "dNSHostName
")
1948 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1949 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
1950 self.assertTrue(len(res) == 1)
1951 self.assertEquals(res[0]["servicePrincipalName
"][0],
1952 "HOST
/testname2
.testdom2
")
1955 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1956 m["dNSHostName
"] = MessageElement("testname2
.testdom2
",
1957 FLAG_MOD_REPLACE, "dNSHostName
")
1961 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1962 m["dNSHostName
"] = MessageElement("testname3
.testdom3
",
1963 FLAG_MOD_REPLACE, "dNSHostName
")
1964 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
.testdom2
",
1966 "servicePrincipalName
")
1969 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1970 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
1971 self.assertTrue(len(res) == 1)
1972 self.assertEquals(res[0]["servicePrincipalName
"][0],
1973 "HOST
/testname3
.testdom3
")
1976 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1977 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
.testdom2
",
1979 "servicePrincipalName
")
1980 m["dNSHostName
"] = MessageElement("testname4
.testdom4
",
1981 FLAG_MOD_REPLACE, "dNSHostName
")
1984 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
1985 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
1986 self.assertTrue(len(res) == 1)
1987 self.assertEquals(res[0]["servicePrincipalName
"][0],
1988 "HOST
/testname2
.testdom2
")
1991 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1992 m["servicePrincipalName
"] = MessageElement([],
1994 "servicePrincipalName
")
1998 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
1999 m["dNSHostName
"] = MessageElement("testname2
.testdom2
",
2000 FLAG_MOD_REPLACE, "dNSHostName
")
2003 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2004 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2005 self.assertTrue(len(res) == 1)
2006 self.assertFalse("servicePrincipalName
" in res[0])
2008 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2011 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2012 "objectclass
": "computer
",
2013 "sAMAccountName
": "testname$
"})
2015 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2016 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2017 self.assertTrue(len(res) == 1)
2018 self.assertFalse("servicePrincipalName
" in res[0])
2020 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2023 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2024 "objectclass
": "computer
",
2025 "servicePrincipalName
": "HOST
/testname
"})
2027 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2028 scope=SCOPE_BASE, attrs=["sAMAccountName
"])
2029 self.assertTrue(len(res) == 1)
2030 self.assertTrue("sAMAccountName
" in res[0])
2032 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2035 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2036 "objectclass
": "computer
",
2037 "sAMAccountName
": "testname$
",
2038 "servicePrincipalName
": "HOST
/testname
"})
2040 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2041 scope=SCOPE_BASE, attrs=["sAMAccountName
"])
2042 self.assertTrue(len(res) == 1)
2043 self.assertEquals(res[0]["sAMAccountName
"][0], "testname$
")
2045 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2046 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2047 self.assertTrue(len(res) == 1)
2048 self.assertEquals(res[0]["servicePrincipalName
"][0],
2052 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2053 m["sAMAccountName
"] = MessageElement("testnamE$
",
2054 FLAG_MOD_REPLACE, "sAMAccountName
")
2057 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2058 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2059 self.assertTrue(len(res) == 1)
2060 self.assertEquals(res[0]["servicePrincipalName
"][0],
2064 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2065 m["sAMAccountName
"] = MessageElement("testname
",
2066 FLAG_MOD_REPLACE, "sAMAccountName
")
2069 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2070 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2071 self.assertTrue(len(res) == 1)
2072 self.assertEquals(res[0]["servicePrincipalName
"][0],
2076 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2077 m["sAMAccountName
"] = MessageElement("test$name$
",
2078 FLAG_MOD_REPLACE, "sAMAccountName
")
2081 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2082 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2083 self.assertTrue(len(res) == 1)
2084 self.assertEquals(res[0]["servicePrincipalName
"][0],
2088 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2089 m["sAMAccountName
"] = MessageElement("testname2
",
2090 FLAG_MOD_REPLACE, "sAMAccountName
")
2093 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2094 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2095 self.assertTrue(len(res) == 1)
2096 self.assertEquals(res[0]["servicePrincipalName
"][0],
2100 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2101 m["sAMAccountName
"] = MessageElement("testname3
",
2102 FLAG_MOD_REPLACE, "sAMAccountName
")
2103 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
",
2105 "servicePrincipalName
")
2108 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2109 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2110 self.assertTrue(len(res) == 1)
2111 self.assertEquals(res[0]["servicePrincipalName
"][0],
2115 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2116 m["servicePrincipalName
"] = MessageElement("HOST
/testname2
",
2118 "servicePrincipalName
")
2119 m["sAMAccountName
"] = MessageElement("testname4
",
2120 FLAG_MOD_REPLACE, "sAMAccountName
")
2123 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2124 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2125 self.assertTrue(len(res) == 1)
2126 self.assertEquals(res[0]["servicePrincipalName
"][0],
2130 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2131 m["servicePrincipalName
"] = MessageElement([],
2133 "servicePrincipalName
")
2137 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2138 m["sAMAccountName
"] = MessageElement("testname2
",
2139 FLAG_MOD_REPLACE, "sAMAccountName
")
2142 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2143 scope=SCOPE_BASE, attrs=["servicePrincipalName
"])
2144 self.assertTrue(len(res) == 1)
2145 self.assertFalse("servicePrincipalName
" in res[0])
2147 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2150 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2151 "objectclass
": "computer
",
2152 "dNSHostName
": "testname
.testdom
",
2153 "sAMAccountName
": "testname$
",
2154 "servicePrincipalName
": [ "HOST
/testname
.testdom
", "HOST
/testname
" ]
2158 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2159 m["dNSHostName
"] = MessageElement("testname2
.testdom
",
2160 FLAG_MOD_REPLACE, "dNSHostName
")
2161 m["sAMAccountName
"] = MessageElement("testname2$
",
2162 FLAG_MOD_REPLACE, "sAMAccountName
")
2165 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2166 scope=SCOPE_BASE, attrs=["dNSHostName
", "sAMAccountName
", "servicePrincipalName
"])
2167 self.assertTrue(len(res) == 1)
2168 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
2169 self.assertEquals(res[0]["sAMAccountName
"][0], "testname2$
")
2170 self.assertTrue(res[0]["servicePrincipalName
"][0] == "HOST
/testname2
" or
2171 res[0]["servicePrincipalName
"][1] == "HOST
/testname2
")
2172 self.assertTrue(res[0]["servicePrincipalName
"][0] == "HOST
/testname2
.testdom
" or
2173 res[0]["servicePrincipalName
"][1] == "HOST
/testname2
.testdom
")
2175 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2178 "dn
": "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2179 "objectclass
": "computer
",
2180 "dNSHostName
": "testname
.testdom
",
2181 "sAMAccountName
": "testname$
",
2182 "servicePrincipalName
": [ "HOST
/testname
.testdom
", "HOST
/testname
" ]
2186 m.dn = Dn(ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2187 m["sAMAccountName
"] = MessageElement("testname2$
",
2188 FLAG_MOD_REPLACE, "sAMAccountName
")
2189 m["dNSHostName
"] = MessageElement("testname2
.testdom
",
2190 FLAG_MOD_REPLACE, "dNSHostName
")
2193 res = ldb.search("cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn,
2194 scope=SCOPE_BASE, attrs=["dNSHostName
", "sAMAccountName
", "servicePrincipalName
"])
2195 self.assertTrue(len(res) == 1)
2196 self.assertEquals(res[0]["dNSHostName
"][0], "testname2
.testdom
")
2197 self.assertEquals(res[0]["sAMAccountName
"][0], "testname2$
")
2198 self.assertTrue(res[0]["servicePrincipalName
"][0] == "HOST
/testname2
" or
2199 res[0]["servicePrincipalName
"][1] == "HOST
/testname2
")
2200 self.assertTrue(res[0]["servicePrincipalName
"][0] == "HOST
/testname2
.testdom
" or
2201 res[0]["servicePrincipalName
"][1] == "HOST
/testname2
.testdom
")
2203 delete_force(self.ldb, "cn
=ldaptestcomputer
,cn
=computers
," + self.base_dn)
2205 def test_sam_description_attribute(self):
2206 """Test SAM description attribute"""
2207 print "Test SAM description attribute
"""
2210 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2211 "description": "desc2",
2212 "objectclass": "group",
2213 "description": "desc1"})
2215 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2216 scope=SCOPE_BASE, attrs=["description"])
2217 self.assertTrue(len(res) == 1)
2218 self.assertTrue("description" in res[0])
2219 self.assertTrue(len(res[0]["description"]) == 1)
2220 self.assertEquals(res[0]["description"][0], "desc1")
2222 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2225 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2226 "objectclass": "group",
2227 "description": ["desc1", "desc2"]})
2229 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2230 scope=SCOPE_BASE, attrs=["description"])
2231 self.assertTrue(len(res) == 1)
2232 self.assertTrue("description" in res[0])
2233 self.assertTrue(len(res[0]["description"]) == 2)
2234 self.assertTrue(res[0]["description"][0] == "desc1" or
2235 res[0]["description"][1] == "desc1")
2236 self.assertTrue(res[0]["description"][0] == "desc2" or
2237 res[0]["description"][1] == "desc2")
2240 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2241 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2246 except LdbError, (num, _):
2247 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2250 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2251 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2255 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2258 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2259 "objectclass": "group" })
2262 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2263 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2267 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2268 scope=SCOPE_BASE, attrs=["description"])
2269 self.assertTrue(len(res) == 1)
2270 self.assertTrue("description" in res[0])
2271 self.assertTrue(len(res[0]["description"]) == 1)
2272 self.assertEquals(res[0]["description"][0], "desc1")
2274 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2277 "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
2278 "objectclass": "group",
2279 "description": ["desc1", "desc2"]})
2282 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2283 m["description"] = MessageElement("desc1", FLAG_MOD_REPLACE,
2287 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2288 scope=SCOPE_BASE, attrs=["description"])
2289 self.assertTrue(len(res) == 1)
2290 self.assertTrue("description" in res[0])
2291 self.assertTrue(len(res[0]["description"]) == 1)
2292 self.assertEquals(res[0]["description"][0], "desc1")
2295 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2296 m["description"] = MessageElement("desc3", FLAG_MOD_ADD,
2301 except LdbError, (num, _):
2302 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2305 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2306 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_DELETE,
2311 except LdbError, (num, _):
2312 self.assertEquals(num, ERR_NO_SUCH_ATTRIBUTE)
2315 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2316 m["description"] = MessageElement("desc1", FLAG_MOD_DELETE,
2319 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2320 scope=SCOPE_BASE, attrs=["description"])
2321 self.assertTrue(len(res) == 1)
2322 self.assertFalse("description" in res[0])
2325 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2326 m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
2331 except LdbError, (num, _):
2332 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2335 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2336 m["description"] = MessageElement(["desc3", "desc4"], FLAG_MOD_ADD,
2341 except LdbError, (num, _):
2342 self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
2345 m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2346 m["description"] = MessageElement("desc1", FLAG_MOD_ADD,
2350 res = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn,
2351 scope=SCOPE_BASE, attrs=["description"])
2352 self.assertTrue(len(res) == 1)
2353 self.assertTrue("description" in res[0])
2354 self.assertTrue(len(res[0]["description"]) == 1)
2355 self.assertEquals(res[0]["description"][0], "desc1")
2357 delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
2360 if not "://" in host:
2361 if os.path.isfile(host):
2362 host = "tdb://%s" % host
2364 host = "ldap://%s" % host
2366 ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp)
2368 runner = SubunitTestRunner()
2370 if not runner.run(unittest.makeSuite(SamTests)).wasSuccessful():