diff options
Diffstat (limited to 'source4/lib/ldb/tests/python/ldap.py')
| -rwxr-xr-x | source4/lib/ldb/tests/python/ldap.py | 606 |
1 files changed, 544 insertions, 62 deletions
diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py index a30273fc66..5b2d380f11 100755 --- a/source4/lib/ldb/tests/python/ldap.py +++ b/source4/lib/ldb/tests/python/ldap.py @@ -6,6 +6,8 @@ import getopt import optparse import sys import time +import random +import base64 sys.path.append("bin/python") sys.path.append("../lib/subunit/python") @@ -17,11 +19,14 @@ from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS from ldb import ERR_ENTRY_ALREADY_EXISTS, ERR_UNWILLING_TO_PERFORM from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX -from samba import Ldb +from ldb import Message, MessageElement, Dn, FLAG_MOD_REPLACE +from samba import Ldb, param, dom_sid_to_rid from subunit import SubunitTestRunner -from samba import param import unittest +from samba.ndr import ndr_pack, ndr_unpack +from samba.dcerpc import security + parser = optparse.OptionParser("ldap [options] <host>") sambaopts = options.SambaOptions(parser) parser.add_option_group(sambaopts) @@ -44,11 +49,11 @@ class BasicTests(unittest.TestCase): def delete_force(self, ldb, dn): try: ldb.delete(dn) - except LdbError, (num, _): + except LdbError, (num, _): self.assertEquals(num, ERR_NO_SUCH_OBJECT) def find_basedn(self, ldb): - res = ldb.search(base="", expression="", scope=SCOPE_BASE, + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["defaultNamingContext"]) self.assertEquals(len(res), 1) return res[0]["defaultNamingContext"][0] @@ -63,12 +68,17 @@ class BasicTests(unittest.TestCase): self.assertEquals(len(res), 1) return res[0]["schemaNamingContext"][0] + def find_domain_sid(self): + res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) + return ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) + def setUp(self): self.ldb = ldb self.gc_ldb = gc_ldb self.base_dn = self.find_basedn(ldb) self.configuration_dn = self.find_configurationdn(ldb) self.schema_dn = self.find_schemadn(ldb) + self.domain_sid = self.find_domain_sid() print "baseDN: %s\n" % self.base_dn @@ -78,7 +88,10 @@ class BasicTests(unittest.TestCase): self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà ,cn=users," + self.base_dn) self.delete_force(self.ldb, "cn=ldaptestutf8user2 èùéìòà ,cn=users," + self.base_dn) - + self.delete_force(self.ldb, "cn=parentguidtest,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=parentguidtest,cn=testotherusers," + self.base_dn) + self.delete_force(self.ldb, "cn=testotherusers," + self.base_dn) + def test_group_add_invalid_member(self): """Testing group add with invalid member""" try: @@ -87,21 +100,235 @@ class BasicTests(unittest.TestCase): "objectclass": "group", "member": "cn=ldaptestuser,cn=useRs," + self.base_dn}) self.fail() - except LdbError, (num, _): + except LdbError, (num, _): self.assertEquals(num, ERR_NO_SUCH_OBJECT) + def test_parentGUID(self): + """Test parentGUID behaviour""" + print "Testing parentGUID behaviour\n" + + self.ldb.add({ + "dn": "cn=parentguidtest,cn=users," + self.base_dn, + "objectclass":"user", + "samaccountname":"parentguidtest"}); + res1 = ldb.search(base="cn=parentguidtest,cn=users," + self.base_dn, scope=SCOPE_BASE, + attrs=["parentGUID"]); + res2 = ldb.search(base="cn=users," + self.base_dn,scope=SCOPE_BASE, + attrs=["objectGUID"]); + self.assertEquals(res1[0]["parentGUID"], res2[0]["objectGUID"]); + + """Test parentGUID behaviour""" + print "Testing parentGUID behaviour on rename\n" + + self.ldb.add({ + "dn": "cn=testotherusers," + self.base_dn, + "objectclass":"container"}); + res1 = ldb.search(base="cn=testotherusers," + self.base_dn,scope=SCOPE_BASE, + attrs=["objectGUID"]); + ldb.rename("cn=parentguidtest,cn=users," + self.base_dn, + "cn=parentguidtest,cn=testotherusers," + self.base_dn); + res2 = ldb.search(base="cn=parentguidtest,cn=testotherusers," + self.base_dn, + scope=SCOPE_BASE, + attrs=["parentGUID"]); + self.assertEquals(res1[0]["objectGUID"], res2[0]["parentGUID"]); + ldb.delete("cn=parentguidtest,cn=testotherusers," + self.base_dn) + ldb.delete("cn=testotherusers," + self.base_dn) + + def test_groupType(self): + """Test groupType behaviour (should appear to be casted to a 32 bit signed integer before comparsion)""" + print "Testing groupType behaviour\n" + + res1 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE, + attrs=["groupType"], expression="groupType=2147483653"); + + res2 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE, + attrs=["groupType"], expression="groupType=-2147483643"); + + self.assertEquals(len(res1), len(res2)) + + self.assertTrue(res1.count > 0) + + self.assertEquals(res1[0]["groupType"][0], "-2147483643") + + def test_primary_group(self): + """This tests the primary group behaviour (setting, changing) of a user account""" + print "Testing primary group behaviour\n" + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"]}) + + ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group"}) + + ldb.add({ + "dn": "cn=ldaptestgroup2,cn=users," + self.base_dn, + "objectclass": "group"}) + + res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["objectSID"]) + self.assertTrue(len(res1) == 1) + group_rid_1 = dom_sid_to_rid(ldb.schema_format_value("objectSID", + res1[0]["objectSID"][0])) + + res1 = ldb.search("cn=ldaptestgroup2,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["objectSID"]) + self.assertTrue(len(res1) == 1) + group_rid_2 = dom_sid_to_rid(ldb.schema_format_value("objectSID", + res1[0]["objectSID"][0])) + + # Try to add invalid primary group + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement("0", FLAG_MOD_REPLACE, + "primaryGroupID") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + # Try to make group 1 primary - should be denied since it is not yet + # secondary + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement(str(group_rid_1), + FLAG_MOD_REPLACE, "primaryGroupID") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + # Make group 1 secondary + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["member"] = "cn=ldaptestuser,cn=users," + self.base_dn + ldb.modify(m) + + # Make group 1 primary + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement(str(group_rid_1), + FLAG_MOD_REPLACE, "primaryGroupID") + ldb.modify(m) + + # Try to delete group 1 - should be denied + try: + ldb.delete("cn=ldaptestgroup,cn=users," + self.base_dn) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS) + + # Try to add group 1 also as secondary - should be denied + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m["member"] = "cn=ldaptestuser,cn=users," + self.base_dn + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ENTRY_ALREADY_EXISTS) + + # Make group 2 secondary + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) + m["member"] = "cn=ldaptestuser,cn=users," + self.base_dn + ldb.modify(m) + + # Swap the groups + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["primaryGroupID"] = MessageElement(str(group_rid_2), + FLAG_MOD_REPLACE, "primaryGroupID") + ldb.modify(m) + + # Old primary group should contain a "member" attribute for the user, + # the new shouldn't contain anymore one + res1 = ldb.search("cn=ldaptestgroup, cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["member"]) + self.assertTrue(len(res1) == 1) + self.assertTrue(len(res1[0]["member"]) == 1) + self.assertEquals(res1[0]["member"][0].lower(), + ("cn=ldaptestuser,cn=users," + self.base_dn).lower()) + + res1 = ldb.search("cn=ldaptestgroup2, cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["member"]) + self.assertTrue(len(res1) == 1) + self.assertFalse("member" in res1[0]) + + # Also this should be denied + try: + ldb.add({ + "dn": "cn=ldaptestuser1,cn=users," + self.base_dn, + "objectclass": ["user", "person"], + "primaryGroupID": "0"}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn) + + def test_primary_group_token(self): + """Test the primary group token behaviour (hidden-generated-readonly attribute on groups)""" + print "Testing primary group token behaviour\n" + + ldb.add({ + "dn": "cn=ldaptestuser,cn=users," + self.base_dn, + "objectclass": ["user", "person"]}) + + ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group"}) + + res1 = ldb.search("cn=ldaptestuser, cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupToken"]) + self.assertTrue(len(res1) == 1) + self.assertFalse("primaryGroupToken" in res1[0]) + + res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, + scope=SCOPE_BASE) + self.assertTrue(len(res1) == 1) + self.assertFalse("primaryGroupToken" in res1[0]) + + res1 = ldb.search("cn=ldaptestgroup,cn=users," + self.base_dn, + scope=SCOPE_BASE, attrs=["primaryGroupToken", "objectSID"]) + self.assertTrue(len(res1) == 1) + primary_group_token = int(res1[0]["primaryGroupToken"][0]) + + rid = dom_sid_to_rid(ldb.schema_format_value("objectSID", res1[0]["objectSID"][0])) + self.assertEquals(primary_group_token, rid) + +# Has to wait until we support read-only generated attributes correctly +# m = Message() +# m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) +# m["primaryGroupToken"] = "100" +# try: +# ldb.modify(m) +# self.fail() +# except LdbError, (num, msg): + + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + def test_all(self): """Basic tests""" + print "Testing user add" + self.delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn) - print "Testing user add" ldb.add({ - "dn": "cn=ldaptestuser,cn=uSers," + self.base_dn, - "objectclass": ["user", "person"], - "cN": "LDAPtestUSER", - "givenname": "ldap", - "sn": "testy"}) + "dn": "cn=ldaptestuser,cn=uSers," + self.base_dn, + "objectclass": ["user", "person"], + "cN": "LDAPtestUSER", + "givenname": "ldap", + "sn": "testy"}) + + self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) ldb.add({ "dn": "cn=ldaptestgroup,cn=uSers," + self.base_dn, @@ -128,9 +355,9 @@ class BasicTests(unittest.TestCase): "cn": "LDAPtest2COMPUTER" }) self.fail() - except LdbError, (num, _): + except LdbError, (num, _): self.assertEquals(num, ERR_INVALID_DN_SYNTAX) - + self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn) try: ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn, @@ -139,9 +366,9 @@ class BasicTests(unittest.TestCase): "sAMAccountType": "805306368" }) self.fail() - except LdbError, (num, _): + except LdbError, (num, _): self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - + self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn) try: ldb.add({"dn": "cn=ldaptestcomputer3,cn=computers," + self.base_dn, @@ -150,9 +377,9 @@ class BasicTests(unittest.TestCase): "userAccountControl": "0" }) self.fail() - except LdbError, (num, _): + except LdbError, (num, _): self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - + self.delete_force(self.ldb, "cn=ldaptestuser7,cn=users," + self.base_dn) try: ldb.add({"dn": "cn=ldaptestuser7,cn=users," + self.base_dn, @@ -161,9 +388,9 @@ class BasicTests(unittest.TestCase): "userAccountControl": "0" }) self.fail() - except LdbError, (num, _): + except LdbError, (num, _): self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) - + self.delete_force(self.ldb, "cn=ldaptestuser7,cn=users," + self.base_dn) ldb.add({"dn": "cn=ldaptestuser7,cn=users," + self.base_dn, @@ -171,7 +398,7 @@ class BasicTests(unittest.TestCase): "cn": "LDAPtestuser7", "userAccountControl": "2" }) - + self.delete_force(self.ldb, "cn=ldaptestuser7,cn=users," + self.base_dn) self.delete_force(self.ldb, "cn=ldaptestcomputer3,cn=computers," + self.base_dn) @@ -179,7 +406,7 @@ class BasicTests(unittest.TestCase): "objectClass": "computer", "cn": "LDAPtestCOMPUTER3" }) - + print "Testing ldb.search for (&(cn=ldaptestcomputer3)(objectClass=user))"; res = ldb.search(self.base_dn, expression="(&(cn=ldaptestcomputer3)(objectClass=user))"); self.assertEquals(len(res), 1, "Found only %d for (&(cn=ldaptestcomputer3)(objectClass=user))" % len(res)) @@ -239,7 +466,7 @@ dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ changetype: modify replace: servicePrincipalName """) - + ldb.modify_ldif(""" dn: cn=ldaptest2computer,cn=computers,""" + self.base_dn + """ changetype: modify @@ -276,7 +503,7 @@ servicePrincipalName: host/ldaptest2computer28 servicePrincipalName: host/ldaptest2computer29 """) - res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-*"]) self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") #print len(res[0]["servicePrincipalName;range=0-*"]) @@ -287,7 +514,7 @@ servicePrincipalName: host/ldaptest2computer29 # print res[0]["servicePrincipalName;range=0-19"].length self.assertEquals(len(res[0]["servicePrincipalName;range=0-19"]), 20) - + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=0-30"]) self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") self.assertEquals(len(res[0]["servicePrincipalName;range=0-*"]), 30) @@ -300,7 +527,7 @@ servicePrincipalName: host/ldaptest2computer29 self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") self.assertEquals(len(res[0]["servicePrincipalName;range=30-*"]), 0) - + res = ldb.search(self.base_dn, expression="(cn=ldaptest2computer))", scope=SCOPE_SUBTREE, attrs=["servicePrincipalName;range=10-40"]) self.assertEquals(len(res), 1, "Could not find (cn=ldaptest2computer)") self.assertEquals(len(res[0]["servicePrincipalName;range=10-*"]), 20) @@ -445,7 +672,7 @@ member: cn=ldaptestuser3,cn=users,""" + self.base_dn + """ res_user = ldb.search(self.base_dn, expression="(&(cn=ldaptestUSer2)(objectClass=user))", scope=SCOPE_SUBTREE, attrs=attrs) self.assertEquals(len(res_user), 1, "Could not find (&(cn=ldaptestUSer2)(objectClass=user))") - #Check rename works with extended/alternate DN forms + #Check rename works with extended/alternate DN forms ldb.rename("<SID=" + ldb.schema_format_value("objectSID", res_user[0]["objectSID"][0]) + ">" , "cn=ldaptestuser3,cn=users," + self.base_dn) ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn) @@ -512,17 +739,17 @@ member: cn=ldaptestuser3,cn=users,""" + self.base_dn + """ # ensure we cannnot rename it twice try: - ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, + ldb.rename("cn=ldaptestuser3,cn=users," + self.base_dn, "cn=ldaptestuser2,cn=users," + self.base_dn) self.fail() - except LdbError, (num, _): + except LdbError, (num, _): self.assertEquals(num, ERR_NO_SUCH_OBJECT) # ensure can now use that name ldb.add({"dn": "cn=ldaptestuser3,cn=users," + self.base_dn, "objectClass": ["person", "user"], "cn": "LDAPtestUSER3"}) - + # ensure we now cannnot rename try: ldb.rename("cn=ldaptestuser2,cn=users," + self.base_dn, "cn=ldaptestuser3,cn=users," + self.base_dn) @@ -545,11 +772,11 @@ member: cn=ldaptestuser3,cn=users,""" + self.base_dn + """ print "Testing subtree Renames" - ldb.add({"dn": "cn=ldaptestcontainer," + self.base_dn, + ldb.add({"dn": "cn=ldaptestcontainer," + self.base_dn, "objectClass": "container"}) - + self.delete_force(self.ldb, "cn=ldaptestuser4,cn=ldaptestcontainer," + self.base_dn) - ldb.add({"dn": "CN=ldaptestuser4,CN=ldaptestcontainer," + self.base_dn, + ldb.add({"dn": "CN=ldaptestuser4,CN=ldaptestcontainer," + self.base_dn, "objectClass": ["person", "user"], "cn": "LDAPtestUSER4"}) @@ -559,7 +786,7 @@ changetype: modify add: member member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """ """) - + print "Testing ldb.rename of cn=ldaptestcontainer," + self.base_dn + " to cn=ldaptestcontainer2," + self.base_dn ldb.rename("CN=ldaptestcontainer," + self.base_dn, "CN=ldaptestcontainer2," + self.base_dn) @@ -569,8 +796,8 @@ member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """ print "Testing subtree ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn try: - res = ldb.search("cn=ldaptestcontainer," + self.base_dn, - expression="(&(cn=ldaptestuser4)(objectClass=user))", + res = ldb.search("cn=ldaptestcontainer," + self.base_dn, + expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_SUBTREE) self.fail(res) except LdbError, (num, _): @@ -578,7 +805,7 @@ member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """ print "Testing one-level ldb.search for (&(cn=ldaptestuser4)(objectClass=user)) in (just renamed from) cn=ldaptestcontainer," + self.base_dn try: - res = ldb.search("cn=ldaptestcontainer," + self.base_dn, + res = ldb.search("cn=ldaptestcontainer," + self.base_dn, expression="(&(cn=ldaptestuser4)(objectClass=user))", scope=SCOPE_ONELEVEL) self.fail() except LdbError, (num, _): @@ -636,7 +863,7 @@ member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """ ldb.delete(("CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn)) print "Testing delete of renamed cn=ldaptestcontainer2," + self.base_dn ldb.delete("cn=ldaptestcontainer2," + self.base_dn) - + self.delete_force(self.ldb, "cn=ldaptestutf8user èùéìòà ,cn=users," + self.base_dn) ldb.add({"dn": "cn=ldaptestutf8user èùéìòà ,cn=users," + self.base_dn, "objectClass": "user"}) @@ -658,7 +885,7 @@ member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """ self.assertEquals(int(res[0]["userAccountControl"][0]), 546) self.assertEquals(res[0]["memberOf"][0].upper(), ("CN=ldaptestgroup2,CN=Users," + self.base_dn).upper()) self.assertEquals(len(res[0]["memberOf"]), 1) - + print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))" res2 = ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))") self.assertEquals(len(res2), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=cn=person,cn=schema,cn=configuration," + self.base_dn + "))") @@ -675,14 +902,14 @@ member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """ print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog" res3gc = gc_ldb.search(expression="(&(cn=ldaptestuser)(objectCategory=PerSon))") self.assertEquals(len(res3gc), 1) - + self.assertEquals(res[0].dn, res3gc[0].dn) print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in with 'phantom root' control" - + res3control = gc_ldb.search(self.base_dn, expression="(&(cn=ldaptestuser)(objectCategory=PerSon))", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"]) self.assertEquals(len(res3control), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog") - + self.assertEquals(res[0].dn, res3control[0].dn) ldb.delete(res[0].dn) @@ -747,7 +974,7 @@ member: cn=ldaptestuser4,cn=ldaptestcontainer,""" + self.base_dn + """ self.assertEquals(len(res6), 1, "Could not find (&(cn=*daptestcomputer)(objectCategory=compuTER))") self.assertEquals(res[0].dn, res6[0].dn) - + ldb.delete("<GUID=" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + ">") print "Testing ldb.search for (&(cn=ldaptest2computer)(objectClass=user))" @@ -825,14 +1052,14 @@ replace: member member: CN=ldaptestuser2,CN=Users,""" + self.base_dn + """ member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ """) - + ldb.modify_ldif(""" dn: <GUID=""" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + """> changetype: modify replace: member member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ """) - + ldb.modify_ldif(""" dn: <SID=""" + ldb.schema_format_value("objectSid", res[0]["objectSid"][0]) + """> changetype: modify @@ -846,13 +1073,13 @@ add: member member: <GUID=""" + ldb.schema_format_value("objectGUID", res[0]["objectGUID"][0]) + """> member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ """) - + ldb.modify_ldif(""" dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ changetype: modify replace: member """) - + ldb.modify_ldif(""" dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ changetype: modify @@ -860,14 +1087,14 @@ add: member member: <SID=""" + ldb.schema_format_value("objectSid", res_user[0]["objectSid"][0]) + """> member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ """) - + ldb.modify_ldif(""" dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """ changetype: modify delete: member member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ """) - + res = ldb.search(self.base_dn, expression="(&(cn=ldaptestgroup2)(objectClass=group))", scope=SCOPE_SUBTREE, attrs=attrs) self.assertEquals(len(res), 1, "Could not find (&(cn=ldaptestgroup2)(objectClass=group))") @@ -923,14 +1150,14 @@ member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ if gc_ldb is not None: print "Testing that we can get at the configuration DN from the main search base on the GC port with the search_options control == 0" - + res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:0"]) self.assertTrue(len(res) > 0) print "Testing that we do find configuration elements in the global catlog" res = gc_ldb.search(self.base_dn, expression="objectClass=crossRef", scope=SCOPE_SUBTREE, attrs=["cn"]) self.assertTrue(len(res) > 0) - + print "Testing that we do find configuration elements and user elements at the same time" res = gc_ldb.search(self.base_dn, expression="(|(objectClass=crossRef)(objectClass=person))", scope=SCOPE_SUBTREE, attrs=["cn"]) self.assertTrue(len(res) > 0) @@ -947,13 +1174,13 @@ member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ res = ldb.search(self.configuration_dn, expression="objectCategory=ntDsDSA", scope=SCOPE_SUBTREE, attrs=["cn"]) self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=ntDsDSA") self.assertTrue(len(res) != 0) - + res = ldb.search(self.configuration_dn, expression="objectCategory=CN=ntDs-DSA," + self.schema_dn, scope=SCOPE_SUBTREE, attrs=["cn"]) self.assertTrue(len(res) > 0, "Didn't find any records with objectCategory=CN=ntDs-DSA," + self.schema_dn) self.assertTrue(len(res) != 0) - + print "Testing objectClass attribute order on "+ self.base_dn - res = ldb.search(expression="objectClass=domain", base=self.base_dn, + res = ldb.search(expression="objectClass=domain", base=self.base_dn, scope=SCOPE_BASE, attrs=["objectClass"]) self.assertEquals(len(res), 1) @@ -968,15 +1195,15 @@ member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ print "Testing ldb.search for objectCategory=person with domain scope control" res = ldb.search(self.base_dn, expression="objectCategory=person", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"]) self.assertTrue(len(res) > 0) - + print "Testing ldb.search for objectCategory=user" res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"]) self.assertTrue(len(res) > 0) - + print "Testing ldb.search for objectCategory=user with domain scope control" res = ldb.search(self.base_dn, expression="objectCategory=user", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"]) self.assertTrue(len(res) > 0) - + print "Testing ldb.search for objectCategory=group" res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"]) self.assertTrue(len(res) > 0) @@ -985,6 +1212,189 @@ member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """ res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"]) self.assertTrue(len(res) > 0) + def test_security_descriptor_add(self): + """ Testing ldb.add_ldif() for nTSecurityDescriptor """ + user_name = "testdescriptoruser1" + user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) + # + # Test add_ldif() with SDDL security descriptor input + # + self.delete_force(self.ldb, user_dn) + try: + sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name + """ +nTSecurityDescriptor: """ + sddl) + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack( security.descriptor, desc ) + desc_sddl = desc.as_sddl( self.domain_sid ) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + # + # Test add_ldif() with BASE64 security descriptor + # + try: + sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" + desc = security.descriptor.from_sddl(sddl, self.domain_sid) + desc_binary = ndr_pack(desc) + desc_base64 = base64.b64encode(desc_binary) + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name + """ +nTSecurityDescriptor:: """ + desc_base64) + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + + def test_security_descriptor_add_neg(self): + """Test add_ldif() with BASE64 security descriptor input using WRONG domain SID + Negative test + """ + user_name = "testdescriptoruser1" + user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) + self.delete_force(self.ldb, user_dn) + try: + sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" + desc = security.descriptor.from_sddl(sddl, security.dom_sid('S-1-5-21')) + desc_base64 = base64.b64encode( ndr_pack(desc) ) + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name + """ +nTSecurityDescriptor:: """ + desc_base64) + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + print res + self.assertRaises(KeyError, lambda: res[0]["nTSecurityDescriptor"]) + finally: + self.delete_force(self.ldb, user_dn) + + def test_security_descriptor_modify(self): + """ Testing ldb.modify_ldif() for nTSecurityDescriptor """ + user_name = "testdescriptoruser2" + user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn) + # + # Delete user object and test modify_ldif() with SDDL security descriptor input + # Add ACE to the original descriptor test + # + try: + self.delete_force(self.ldb, user_dn) + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name) + # Modify descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):] + mod = """ +dn: """ + user_dn + """ +changetype: modify +replace: nTSecurityDescriptor +nTSecurityDescriptor: """ + sddl + self.ldb.modify_ldif(mod) + # Read modified descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + # + # Test modify_ldif() with SDDL security descriptor input + # New desctiptor test + # + try: + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name) + # Modify descriptor + sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" + mod = """ +dn: """ + user_dn + """ +changetype: modify +replace: nTSecurityDescriptor +nTSecurityDescriptor: """ + sddl + self.ldb.modify_ldif(mod) + # Read modified descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + # + # Test modify_ldif() with BASE64 security descriptor input + # Add ACE to the original descriptor test + # + try: + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name) + # Modify descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):] + desc = security.descriptor.from_sddl(sddl, self.domain_sid) + desc_base64 = base64.b64encode(ndr_pack(desc)) + mod = """ +dn: """ + user_dn + """ +changetype: modify +replace: nTSecurityDescriptor +nTSecurityDescriptor:: """ + desc_base64 + self.ldb.modify_ldif(mod) + # Read modified descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) + # + # Test modify_ldif() with BASE64 security descriptor input + # New descriptor test + # + try: + self.delete_force(self.ldb, user_dn) + self.ldb.add_ldif(""" +dn: """ + user_dn + """ +objectclass: user +sAMAccountName: """ + user_name) + # Modify descriptor + sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" + desc = security.descriptor.from_sddl(sddl, self.domain_sid) + desc_base64 = base64.b64encode(ndr_pack(desc)) + mod = """ +dn: """ + user_dn + """ +changetype: modify +replace: nTSecurityDescriptor +nTSecurityDescriptor:: """ + desc_base64 + self.ldb.modify_ldif(mod) + # Read modified descriptor + res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + desc = ndr_unpack(security.descriptor, desc) + desc_sddl = desc.as_sddl(self.domain_sid) + self.assertEqual(desc_sddl, sddl) + finally: + self.delete_force(self.ldb, user_dn) class BaseDnTests(unittest.TestCase): def setUp(self): @@ -1008,23 +1418,36 @@ class BaseDnTests(unittest.TestCase): def test_netlogon_highestcommitted_usn(self): """Testing for netlogon and highestCommittedUSN via LDAP""" - res = self.ldb.search("", scope=SCOPE_BASE, + res = self.ldb.search("", scope=SCOPE_BASE, attrs=["netlogon", "highestCommittedUSN"]) self.assertEquals(len(res), 0) class SchemaTests(unittest.TestCase): + def delete_force(self, ldb, dn): + try: + ldb.delete(dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + def find_schemadn(self, ldb): res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"]) self.assertEquals(len(res), 1) return res[0]["schemaNamingContext"][0] + def find_basedn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, + attrs=["defaultNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["defaultNamingContext"][0] + def setUp(self): self.ldb = ldb self.schema_dn = self.find_schemadn(ldb) + self.base_dn = self.find_basedn(ldb) def test_generated_schema(self): """Testing we can read the generated schema via LDAP""" - res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE, + res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE, attrs=["objectClasses", "attributeTypes", "dITContentRules"]) self.assertEquals(len(res), 1) self.assertTrue("dITContentRules" in res[0]) @@ -1033,18 +1456,77 @@ class SchemaTests(unittest.TestCase): def test_generated_schema_is_operational(self): """Testing we don't get the generated schema via LDAP by default""" - res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE, + res = self.ldb.search("cn=aggregate,"+self.schema_dn, scope=SCOPE_BASE, attrs=["*"]) self.assertEquals(len(res), 1) self.assertFalse("dITContentRules" in res[0]) self.assertFalse("objectClasses" in res[0]) self.assertFalse("attributeTypes" in res[0]) - + + def test_schemaUpdateNow(self): + """Testing schemaUpdateNow""" + class_name = "test-class" + time.strftime("%s", time.gmtime()) + class_ldap_display_name = class_name.replace("-", "") + object_name = "obj" + time.strftime("%s", time.gmtime()) + + ldif = """ +dn: CN=%s,%s""" % (class_name, self.schema_dn) + """ +lDAPDisplayName: """ + class_ldap_display_name + """ +objectClass: top +objectClass: classSchema +adminDescription: """ + class_name + """ +adminDisplayName: """ + class_name + """ +cn: """ + class_name + """ +objectCategory: CN=Class-Schema,""" + self.schema_dn + """ +defaultObjectCategory: CN=%s,%s""" % (class_name, self.schema_dn) + """ +distinguishedName: CN=%s,%s""" % (class_name, self.schema_dn) + """ +governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 +instanceType: 4 +name: """ + class_name + """ +objectClassCategory: 1 +subClassOf: organizationalPerson +systemFlags: 16 +rDNAttID: cn +systemMustContain: cn +systemOnly: FALSE +""" + self.ldb.add_ldif(ldif) + ldif = """ +dn: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +""" + self.ldb.modify_ldif(ldif) + ldif = """ +dn: CN=%s,CN=Users,%s"""% (object_name, self.base_dn) + """ +objectClass: organizationalPerson +objectClass: person +objectClass: """ + class_ldap_display_name + """ +objectClass: top +cn: """ + object_name + """ +instanceType: 4 +objectCategory: CN=%s,%s"""% (class_name, self.schema_dn) + """ +distinguishedName: CN=%s,CN=Users,%s"""% (object_name, self.base_dn) + """ +name: """ + object_name + """ +""" + self.ldb.add_ldif(ldif) + # Search for created objectClass + res = [] + res = self.ldb.search("cn=%s,%s" % (class_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"]) + self.assertNotEqual(res, []) + + res = [] + res = self.ldb.search("cn=%s,cn=Users,%s" % (object_name, self.base_dn), scope=SCOPE_BASE, attrs=["*"]) + self.assertNotEqual(res, []) + # Delete the object + self.delete_force(self.ldb, "cn=%s,cn=Users,%s" % (object_name, self.base_dn)) + if not "://" in host: host = "ldap://%s" % host ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp) -gc_ldb = Ldb("%s:3268" % host, credentials=creds, +gc_ldb = Ldb("%s:3268" % host, credentials=creds, session_info=system_session(), lp=lp) runner = SubunitTestRunner() |