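def test_dirsync_send_delta(self):
    """Check that dirsync returns the correct delta when the last cookie is sent back.

    Every follow-up search is issued with the cookie the server returned on
    the previous response, so only objects changed since that point should
    be included.  The test creates an OU, adds and then removes a ``cn``
    value, renames the OU, and checks what each delta contains.
    """
    user_filter = "(&(samaccountname=test*)(!(isDeleted=*)))"
    ou_filter = "(&(objectClass=organizationalUnit)(!(isDeleted=*)))"

    def next_control(res):
        # Rebuild a dirsync control from the response control: the string
        # form is "dirsync:<crit>:<flags>:<max>:<cookie>", so fields 1-3 are
        # reset and everything after them (the cookie) is carried over.
        ctl = str(res.controls[0]).split(":")
        ctl[1] = "1"
        ctl[2] = "0"
        ctl[3] = "10000"
        return str(":".join(ctl))

    # Full sync of the test users, then replay its cookie: nothing changed
    # in between, so the delta must be empty.
    res = self.ldb_admin.search(self.base_dn, expression=user_filter,
                                controls=["dirsync:1:0:10000"])
    res = self.ldb_admin.search(self.base_dn, expression=user_filter,
                                controls=[next_control(res)])
    self.assertEqual(len(res), 0)

    # Baseline cookie for the OUs, taken before we create one.
    res = self.ldb_admin.search(self.base_dn, expression=ou_filter,
                                controls=["dirsync:1:0:100000"])
    control2 = next_control(res)

    # Let's create an OU
    ouname = "OU=testou2,%s" % self.base_dn
    self.ouname = ouname
    self.ldb_admin.create_ou(ouname)

    # The new OU is the only change since control2.
    res = self.ldb_admin.search(self.base_dn, expression=ou_filter,
                                controls=[control2])
    self.assertEqual(len(res), 1)
    control3 = next_control(res)

    # Add a cn value: the delta since control3 must report exactly
    # 3 attributes: instanceType, cn and objectGUID
    delta = Message()
    delta.dn = Dn(self.ldb_admin, str(ouname))
    delta["cn"] = MessageElement("test ou", FLAG_MOD_ADD, "cn")
    self.ldb_admin.modify(delta)

    res = self.ldb_admin.search(self.base_dn, expression=ou_filter,
                                controls=[control3])
    self.assertEqual(len(res.msgs), 1)
    self.assertEqual(len(res.msgs[0]), 3)

    # Remove the cn value again.  The removal is reported as an empty cn
    # next to instanceType and objectGUID, so the count stays at 3.
    delta = Message()
    delta.dn = Dn(self.ldb_admin, str(ouname))
    delta["cn"] = MessageElement([], FLAG_MOD_DELETE, "cn")
    self.ldb_admin.modify(delta)

    res = self.ldb_admin.search(self.base_dn, expression=ou_filter,
                                controls=[control3])
    self.assertEqual(len(res.msgs), 1)
    self.assertEqual(len(res.msgs[0]), 3)

    # Rename the OU.  NOTE(review): the original replayed control3 here
    # (a cookie from before the cn removal) rather than one taken from the
    # last response, so this delta covers the cn change and the rename
    # together; a rename must still surface name and parentGUID.  The
    # unused cookie that used to be rebuilt here (control4) was dropped.
    ouname = "OU=newouname,%s" % self.base_dn
    self.ldb_admin.rename(str(res[0].dn), str(Dn(self.ldb_admin, ouname)))
    self.ouname = ouname

    res = self.ldb_admin.search(self.base_dn, expression=ou_filter,
                                controls=[control3])
    self.assertIsNotNone(res[0].get("parentGUID"))
    self.assertIsNotNone(res[0].get("name"))
    delete_force(self.ldb_admin, ouname)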
def _link_user_and_group(self, u, g):
    """Make user ``cn=u<u>`` (under ``self.ou_users``) a member of group
    ``cn=g<g>`` (under ``self.ou_groups``) with a single ``member`` MOD_ADD."""
    group_dn = "CN=g%d,%s" % (g, self.ou_groups)
    member_dn = "cn=u%d,%s" % (u, self.ou_users)
    link = Message()
    link.dn = Dn(self.ldb, group_dn)
    link["member"] = MessageElement(member_dn, FLAG_MOD_ADD, "member")
    self.ldb.modify(link)
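class SchemaTests_msDS_IntId(samba.tests.TestCase):
    """Schema tests for the server-assigned ``msDS-IntId`` attribute (MS-ADTS 3.1.1)."""

    def setUp(self):
        super(SchemaTests_msDS_IntId, self).setUp()
        self.ldb = ldb
        # Read the naming contexts and the forest level from the rootDSE.
        res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
        self.assertEqual(len(res), 1)
        self.schema_dn = res[0]["schemaNamingContext"][0]
        self.base_dn = res[0]["defaultNamingContext"][0]
        self.forest_level = int(res[0]["forestFunctionality"][0])

    def _ldap_schemaUpdateNow(self):
        """Ask the server to reload its schema cache (rootDSE ``schemaUpdateNow``)."""
        ldif = """
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
"""
        self.ldb.modify_ldif(ldif)

    def _make_obj_names(self, prefix):
        """Return ``(cn, lDAPDisplayName, dn)`` for a fresh schema object.

        The cn gets a seconds-since-epoch suffix so that re-runs do not
        collide.  ``time.time()`` is used instead of ``strftime("%s")``,
        which is a glibc-only extension.
        """
        class_name = prefix + str(int(time.time()))
        class_ldap_name = class_name.replace("-", "")
        class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
        return (class_name, class_ldap_name, class_dn)

    def _is_schema_base_object(self, ldb_msg):
        """Test systemFlags for SYSTEM_FLAG_SCHEMA_BASE_OBJECT (16)"""
        systemFlags = 0
        if "systemFlags" in ldb_msg:
            systemFlags = int(ldb_msg["systemFlags"][0])
        return (systemFlags & 16) != 0

    def _make_attr_ldif(self, attr_name, attr_dn):
        """Build the LDIF for a new single-valued, non-system-only attribute.

        The attributeId gets a random arc so repeated runs are unlikely to
        clash.  Nothing here sets msDS-IntId: that is the server's job.
        """
        ldif = """
dn: """ + attr_dn + """
objectClass: top
objectClass: attributeSchema
adminDescription: """ + attr_name + """
adminDisplayName: """ + attr_name + """
cn: """ + attr_name + """
attributeId: 1.2.840.""" + str(random.randint(1, 100000)) + """.1.5.9940
attributeSyntax: 2.5.5.12
omSyntax: 64
instanceType: 4
isSingleValued: TRUE
systemOnly: FALSE
"""
        return ldif

    def test_msDS_IntId_on_attr(self):
        """Testing msDs-IntId creation for Attributes.
        See MS-ADTS - 3.1.1.Attributes

        This test should verify that:
         - Creating attribute with 'msDS-IntId' fails with ERR_UNWILLING_TO_PERFORM
         - Adding 'msDS-IntId' on existing attribute fails with ERR_CONSTRAINT_VIOLATION
         - Creating attribute with 'msDS-IntId' set and FLAG_SCHEMA_BASE_OBJECT flag
           set fails with ERR_UNWILLING_TO_PERFORM
         - Attributes created with FLAG_SCHEMA_BASE_OBJECT not set have
           'msDS-IntId' attribute added internally
        """
        # 1. Create attribute without systemFlags
        # msDS-IntId should be created if forest functional
        # level is >= DS_DOMAIN_FUNCTION_2003
        # and missing otherwise
        (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("msDS-IntId-Attr-1-")
        ldif = self._make_attr_ldif(attr_name, attr_dn)

        # A client-supplied msDS-IntId must be refused outright: the value
        # is server-assigned, so a client must not be able to pick it.
        ldif_fail = ldif + "msDS-IntId: -1993108831\n"
        try:
            self.ldb.add_ldif(ldif_fail)
            self.fail("Adding attribute with preset msDS-IntId should fail")
        except LdbError as e:
            # "except X as e" works on both Python 2 and 3 and matches the
            # style used by the other tests in this file.
            (num, _) = e.args
            self.assertEqual(num, ERR_UNWILLING_TO_PERFORM)

        # add the new attribute and update schema
        self.ldb.add_ldif(ldif)
        self._ldap_schemaUpdateNow()

        # Search for created attribute
        res = self.ldb.search(attr_dn, scope=SCOPE_BASE, attrs=["*"])
        self.assertEqual(len(res), 1)
        self.assertEqual(res[0]["lDAPDisplayName"][0], attr_ldap_name)
        if self.forest_level >= DS_DOMAIN_FUNCTION_2003:
            if self._is_schema_base_object(res[0]):
                self.assertNotIn("msDS-IntId", res[0])
            else:
                self.assertIn("msDS-IntId", res[0])
        else:
            self.assertNotIn("msDS-IntId", res[0])

        # Once the object exists, msDS-IntId cannot be (re)written either.
        msg = Message()
        msg.dn = Dn(self.ldb, attr_dn)
        msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId")
        try:
            self.ldb.modify(msg)
            self.fail("Modifying msDS-IntId should return error")
        except LdbError as e:
            (num, _) = e.args
            self.assertEqual(num, ERR_CONSTRAINT_VIOLATION)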
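def test_dirsync_attributes(self):
    """Check which attributes a cookie-less dirsync search returns.

    dirsync returns replicated attributes (including nTSecurityDescriptor)
    but not non-replicated ones or backlinks; asking for certain attributes
    implicitly adds objectGUID / parentGUID / instanceType, while asking
    only for an RDN attribute or parentGUID yields no entry at all.
    """
    def dirsync(expression, attrs=None):
        # Every search here is a fresh dirsync request without a cookie.
        return self.ldb_admin.search(self.base_dn, expression=expression,
                                     attrs=attrs, controls=["dirsync:1:0:1"])

    res = dirsync("samaccountname=*")
    # nTSecurityDescriptor is returned, as is the case when doing dirsync
    self.assertIsNotNone(res.msgs[0].get("ntsecuritydescriptor"))
    # Non replicated attributes are not returned
    self.assertIsNone(res.msgs[0].get("badPwdCount"))
    # Non forward links (memberOf is a backlink) are not returned
    self.assertIsNone(res.msgs[0].get("memberof"))

    # Asking for instanceType will return also objectGUID
    res = dirsync("samaccountname=Administrator", attrs=["instanceType"])
    self.assertIsNotNone(res.msgs[0].get("objectGUID"))
    self.assertIsNotNone(res.msgs[0].get("instanceType"))

    # We don't return an entry if asked for objectGUID
    nc_filter = "(distinguishedName=%s)" % str(self.base_dn)
    res = dirsync(nc_filter, attrs=["objectGUID"])
    self.assertEqual(len(res.msgs), 0)

    # A request on the root of a NC doesn't return parentGUID, but name
    # still brings objectGUID and instanceType with it.
    res = dirsync(nc_filter, attrs=["name"])
    self.assertIsNotNone(res.msgs[0].get("objectGUID"))
    self.assertIsNotNone(res.msgs[0].get("name"))
    self.assertIsNone(res.msgs[0].get("parentGUID"))
    self.assertIsNotNone(res.msgs[0].get("instanceType"))

    # Below the NC root, asking for name returns objectGUID, parentGUID,
    # instanceType and of course name.
    res = dirsync("samaccountname=Administrator", attrs=["name"])
    self.assertIsNotNone(res.msgs[0].get("objectGUID"))
    self.assertIsNotNone(res.msgs[0].get("name"))
    self.assertIsNotNone(res.msgs[0].get("parentGUID"))
    self.assertIsNotNone(res.msgs[0].get("instanceType"))

    # Asking for dn behaves like attrs=*: the same number of attributes
    # comes back as with no attribute list at all.
    res = dirsync("samaccountname=Administrator", attrs=["dn"])
    res2 = dirsync("samaccountname=Administrator")
    self.assertEqual(len(res.msgs[0]), len(res2.msgs[0]))

    # Asking for cn will return nothing on objects that have CN as RDN
    res = dirsync("samaccountname=Administrator", attrs=["cn"])
    self.assertEqual(len(res.msgs), 0)

    # Asking for parentGUID will return nothing too
    res = dirsync("samaccountname=Administrator", attrs=["parentGUID"])
    self.assertEqual(len(res.msgs), 0)

    # On an OU cn is not the RDN: once a cn value is set, asking for it
    # returns the entry with 3 attributes (cn plus the instanceType and
    # objectGUID that dirsync adds, cf. test_dirsync_send_delta).
    ouname = "OU=testou,%s" % self.base_dn
    self.ouname = ouname
    self.ldb_admin.create_ou(ouname)
    delta = Message()
    delta.dn = Dn(self.ldb_admin, str(ouname))
    delta["cn"] = MessageElement("test ou", FLAG_MOD_ADD, "cn")
    self.ldb_admin.modify(delta)
    res = dirsync("name=testou", attrs=["cn"])
    self.assertEqual(len(res.msgs), 1)
    self.assertEqual(len(res.msgs[0]), 3)
    delete_force(self.ldb_admin, ouname)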
def add_attr(self, dn, attr, value):
    """MOD_ADD ``value`` to attribute ``attr`` of the object at ``dn``,
    using the admin connection."""
    change = Message()
    change.dn = Dn(self.ldb_admin, dn)
    element = MessageElement(value, FLAG_MOD_ADD, attr)
    change[attr] = element
    self.ldb_admin.modify(change)
# Search for created attribute res = [] res = self.ldb.search(attr_dn, scope=SCOPE_BASE, attrs=["*"]) self.assertEquals(len(res), 1) self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_name) if self.forest_level >= DS_DOMAIN_FUNCTION_2003: if self._is_schema_base_object(res[0]): self.assertTrue("msDS-IntId" not in res[0]) else: self.assertTrue("msDS-IntId" in res[0]) else: self.assertTrue("msDS-IntId" not in res[0]) msg = Message() msg.dn = Dn(self.ldb, attr_dn) msg["msDS-IntId"] = MessageElement("-1993108831", FLAG_MOD_REPLACE, "msDS-IntId") try: self.ldb.modify(msg) self.fail("Modifying msDS-IntId should return error") except LdbError, (num, _): self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) def _make_class_ldif(self, class_dn, class_name): ldif = """ dn: """ + class_dn + """ objectClass: top objectClass: classSchema adminDescription: """ + class_name + """ adminDisplayName: """ + class_name + """ cn: """ + class_name + """ governsId: 1.2.840.""" + str(random.randint(1, 100000)) + """.1.5.9939
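def test_modify_dsheuristics_userPassword(self):
    """Read userPassword back across connections while dSHeuristics is flipped.

    The 9th dSHeuristics character selects whether a userPassword write is
    treated as a password change ("000000001", the value restored at the
    end) or as an ordinary attribute.  Several connections are opened while
    the setting changes underneath them, and the test checks that:

    - the value written through ldb1 ("thatsAcomplPASS1") becomes the
      account's real password and is never readable as userPassword;
    - the value written through ldb2 ("thatsAcomplPASS2") is readable in
      clear text on a connection opened with password handling disabled
      (ldb3) and hidden again once it is re-enabled (ldb4).

    Security note: whenever userPassword is a plain attribute its value is
    served in clear text to any reader allowed to see the attribute.
    """
    print("Performs testing about reading userPassword between dsHeuristic modifies")

    user_dn = "cn=testuser,cn=users," + self.base_dn

    def open_system_connection():
        # Each connection is opened fresh; per the comments below a
        # connection keeps the dSHeuristics it saw at open time.
        return SamDB(url=host, session_info=system_session(lp),
                     credentials=creds, lp=lp)

    def write_userPassword(conn, value):
        m = Message()
        m.dn = Dn(conn, user_dn)
        m["userPassword"] = MessageElement(value, FLAG_MOD_REPLACE, "userPassword")
        conn.modify(m)

    def read_userPassword(conn):
        res = conn.search(user_dn, scope=SCOPE_BASE, attrs=["userPassword"])
        self.assertEqual(len(res), 1)
        return res[0]

    def assert_hidden(conn):
        self.assertNotIn("userPassword", read_userPassword(conn))

    # Start with the 9th character cleared (same value as
    # test_plain_userPassword uses to deactivate userPassword pwd changes).
    self.ldb.set_dsheuristics("000000000")

    # Open a new connection (with dsHeuristic=000000000)
    ldb1 = open_system_connection()

    # Switch to "000000001".
    # This setting only affects newer connections (ldb2)
    ldb1.set_dsheuristics("000000001")
    time.sleep(1)

    write_userPassword(ldb1, "thatsAcomplPASS1")
    # userPassword cannot be read, it wasn't set, instead the
    # password was
    assert_hidden(ldb1)

    # Open another new connection (with dsHeuristic=000000001)
    ldb2 = open_system_connection()
    # Check on the new connection that userPassword was not stored
    # from ldb1 or is not readable
    assert_hidden(ldb2)

    # Switch back to "000000000".
    # This setting does not affect this connection
    ldb2.set_dsheuristics("000000000")
    time.sleep(1)
    # Check that userPassword was not stored from ldb1
    assert_hidden(ldb2)

    write_userPassword(ldb2, "thatsAcomplPASS2")
    # Check despite setting it with userPassword support disabled
    # on this connection it should still not be readable
    assert_hidden(ldb2)

    # Only password from ldb1 is the user's password
    creds2 = Credentials()
    creds2.set_username("testuser")
    creds2.set_password("thatsAcomplPASS1")
    creds2.set_domain(creds.get_domain())
    creds2.set_realm(creds.get_realm())
    creds2.set_workstation(creds.get_workstation())
    creds2.set_gensec_features(creds2.get_gensec_features() | gensec.FEATURE_SEAL)
    try:
        SamDB(url=host, credentials=creds2, lp=lp)
    except Exception as e:
        # Not a bare except: a KeyboardInterrupt must not be reported as a
        # wrong password, and the real error is worth showing.
        self.fail("testuser used the wrong password: %s" % e)

    ldb3 = open_system_connection()
    # Check that userPassword was stored from ldb2 and can be read
    entry = read_userPassword(ldb3)
    self.assertIn("userPassword", entry)
    self.assertEqual(str(entry["userPassword"][0]), "thatsAcomplPASS2")

    # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
    self.ldb.set_dsheuristics("000000001")

    ldb4 = open_system_connection()
    # The value stored from ldb2 is no longer readable
    assert_hidden(ldb4)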
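def test_plain_userPassword(self):
    """Check the plain-attribute behaviour of userPassword.

    With dSHeuristics unset, or with its 9th character anything but "1"
    ("000000000", "000000002"), userPassword is an ordinary attribute:
    add / replace / delete succeed and the value reads back verbatim, i.e.
    in clear text.  The test restores "000000001" (password semantics) at
    the end.
    """
    print("Performs testing about the standard 'userPassword' behaviour")

    user_dn = "cn=testuser,cn=users," + self.base_dn

    def modify_userPassword(value, flags):
        m = Message()
        m.dn = Dn(self.ldb, user_dn)
        m["userPassword"] = MessageElement(value, flags, "userPassword")
        self.ldb.modify(m)

    def read_entry():
        res = self.ldb.search(user_dn, scope=SCOPE_BASE, attrs=["userPassword"])
        self.assertEqual(len(res), 1)
        return res[0]

    def assert_readable(expected):
        entry = read_entry()
        self.assertIn("userPassword", entry)
        self.assertEqual(str(entry["userPassword"][0]), expected)

    # Delete the "dSHeuristics"
    self.ldb.set_dsheuristics(None)
    time.sleep(1)  # This switching time is strictly needed!

    modify_userPassword("myPassword", FLAG_MOD_ADD)
    assert_readable("myPassword")

    modify_userPassword("myPassword2", FLAG_MOD_REPLACE)
    assert_readable("myPassword2")

    modify_userPassword([], FLAG_MOD_DELETE)
    self.assertNotIn("userPassword", read_entry())

    # Set the test "dSHeuristics" to deactivate "userPassword" pwd changes
    self.ldb.set_dsheuristics("000000000")
    modify_userPassword("myPassword3", FLAG_MOD_REPLACE)
    assert_readable("myPassword3")

    # A 9th character of "2" leaves them deactivated as well
    self.ldb.set_dsheuristics("000000002")
    modify_userPassword("myPassword4", FLAG_MOD_REPLACE)
    assert_readable("myPassword4")

    # Reset the test "dSHeuristics" (reactivate "userPassword" pwd changes)
    self.ldb.set_dsheuristics("000000001")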
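def test_empty_passwords(self):
    """Check that empty password values are rejected on add and on modify.

    An empty unicodePwd / dBCSPwd / userPassword / clearTextPassword must
    never be accepted, neither at object creation nor in a later ADD,
    REPLACE or DELETE — presumably so that an account can never end up
    with a blank credential.  The expected error depends on the operation
    (see the table below); clearTextPassword may additionally fail with
    ERR_NO_SUCH_ATTRIBUTE, which is what Windows returns.
    """
    print("Performs some empty passwords testing")

    user_dn = "cn=testuser,cn=users," + self.base_dn
    new_dn = "cn=testuser2,cn=users," + self.base_dn

    cv = (ERR_CONSTRAINT_VIOLATION,)
    utp = (ERR_UNWILLING_TO_PERFORM,)
    for_windows = (ERR_NO_SUCH_ATTRIBUTE,)

    def expect_ldb_error(operation, expected, what):
        # operation() must raise LdbError with one of the expected codes;
        # silently succeeding is a test failure.
        try:
            operation()
        except LdbError as e:
            (num, _) = e.args
            self.assertIn(num, expected, what)
        else:
            self.fail("%s should have been rejected" % what)

    def add_with_empty(attr):
        def op():
            self.ldb.add({
                "dn": new_dn,
                "objectclass": "user",
                attr: []})
        return op

    def modify_with_empty(attr, flags):
        def op():
            m = Message()
            m.dn = Dn(self.ldb, user_dn)
            m[attr] = MessageElement([], flags, attr)
            self.ldb.modify(m)
        return op

    # 1. Creating an account with an empty password attribute
    expect_ldb_error(add_with_empty("unicodePwd"), cv, "add with empty unicodePwd")
    expect_ldb_error(add_with_empty("dBCSPwd"), cv, "add with empty dBCSPwd")
    expect_ldb_error(add_with_empty("userPassword"), cv, "add with empty userPassword")
    expect_ldb_error(add_with_empty("clearTextPassword"), cv + for_windows,
                     "add with empty clearTextPassword")
    delete_force(self.ldb, new_dn)

    # 2. ADD / REPLACE / DELETE of an empty value on an existing account.
    #    Note the asymmetry on DELETE: unicodePwd and dBCSPwd answer
    #    unwilling-to-perform, userPassword a constraint violation.
    cases = [
        ("add", FLAG_MOD_ADD, "unicodePwd", cv),
        ("add", FLAG_MOD_ADD, "dBCSPwd", cv),
        ("add", FLAG_MOD_ADD, "userPassword", cv),
        ("add", FLAG_MOD_ADD, "clearTextPassword", cv + for_windows),
        ("replace", FLAG_MOD_REPLACE, "unicodePwd", utp),
        ("replace", FLAG_MOD_REPLACE, "dBCSPwd", utp),
        ("replace", FLAG_MOD_REPLACE, "userPassword", utp),
        ("replace", FLAG_MOD_REPLACE, "clearTextPassword", utp + for_windows),
        ("delete", FLAG_MOD_DELETE, "unicodePwd", utp),
        ("delete", FLAG_MOD_DELETE, "dBCSPwd", utp),
        ("delete", FLAG_MOD_DELETE, "userPassword", cv),
        ("delete", FLAG_MOD_DELETE, "clearTextPassword", cv + for_windows),
    ]
    for op_name, flags, attr, expected in cases:
        expect_ldb_error(modify_with_empty(attr, flags), expected,
                         "%s of empty %s" % (op_name, attr))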
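def setUp(self):
    """Build the OU / group / user / computer fixture the match-rule tests search.

    Everything is created under ``ou=matchrulestest,<domain>``:

    - an OU chain o1 > o2 > o3 > o4 linked by otherWellKnownObjects
      (BinaryDN syntax);
    - groups g1..g4 and users u1..u4, nested so that g4 > g3 > g2 > g1
      with u<n> a member of g<n>;
    - computers c1..c3 linked by msDS-RevealedUsers (Object(DN-Binary));
    - two msExchConfigurationContainer objects linked by addressBookRoots2
      (a forward link without backlink).
    """
    super(MatchRulesTests, self).setUp()
    self.lp = lp
    self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
    self.base_dn = self.ldb.domain_dn()
    self.ou = "ou=matchrulestest,%s" % self.base_dn
    self.ou_users = "ou=users,%s" % self.ou
    self.ou_groups = "ou=groups,%s" % self.ou
    self.ou_computers = "ou=computers,%s" % self.ou

    def add_ou(dn):
        self.ldb.add({
            "dn": dn,
            "objectclass": "organizationalUnit"})

    def modify(dn, attr, value, flags):
        # The Message key now names the attribute itself; the original
        # used a meaningless "e1" key that the element name overrode.
        m = Message()
        m.dn = Dn(self.ldb, dn)
        m[attr] = MessageElement(value, flags, attr)
        self.ldb.modify(m)

    def mod_add(dn, attr, value):
        modify(dn, attr, value, FLAG_MOD_ADD)

    # Add a organizational unit to create objects
    add_ou(self.ou)

    # Add the following OU hierarchy and set otherWellKnownObjects,
    # which has BinaryDN syntax:
    #
    # o1
    # |--> o2
    # |    |--> o3
    # |    |    |-->o4
    o1 = "OU=o1,%s" % self.ou
    o2 = "OU=o2,%s" % o1
    o3 = "OU=o3,%s" % o2
    o4 = "OU=o4,%s" % o3
    for dn in (o1, o2, o3, o4):
        add_ou(dn)
    # "B:32:<32 hex chars>:<DN>" — the binary part simply counts 1..4.
    for parent, n, child in ((self.ou, 1, o1), (o1, 2, o2), (o2, 3, o3), (o3, 4, o4)):
        mod_add(parent, "otherWellKnownObjects", "B:32:%032d:%s" % (n, child))

    # Create OU for users and groups
    add_ou(self.ou_users)
    add_ou(self.ou_groups)
    add_ou(self.ou_computers)

    # Add four groups
    for i in range(1, 5):
        self.ldb.add({
            "dn": "cn=g%d,%s" % (i, self.ou_groups),
            "objectclass": "group"})

    # Add four users
    for i in range(1, 5):
        self.ldb.add({
            "dn": "cn=u%d,%s" % (i, self.ou_users),
            "objectclass": "user"})

    # Add computers to test Object(DN-Binary) syntax.
    # userAccountControl "83890178" is reproduced verbatim from the
    # original fixture.
    realm = self.lp.get("realm").lower()
    for i in range(1, 4):
        name = "c%d" % i
        self.ldb.add({
            "dn": "cn=%s,%s" % (name, self.ou_computers),
            "objectclass": "computer",
            "dNSHostName": "%s.%s" % (name, realm),
            "servicePrincipalName": ["HOST/%s" % name],
            "sAMAccountName": "%s$" % name,
            "userAccountControl": "83890178"})

    # Create the following hierarchy:
    # g4
    # |--> u4
    # |--> g3
    # |    |--> u3
    # |    |--> g2
    # |    |    |--> u2
    # |    |    |--> g1
    # |    |    |    |--> u1
    for i in range(1, 5):
        # u<i> member of g<i>
        mod_add("cn=g%d,%s" % (i, self.ou_groups), "member",
                "cn=u%d,%s" % (i, self.ou_users))
    for child, parent in ((3, 4), (2, 3), (1, 2)):
        # g<child> member of g<parent>
        mod_add("cn=g%d,%s" % (parent, self.ou_groups), "member",
                "cn=g%d,%s" % (child, self.ou_groups))

    # The msDS-RevealedUsers is owned by system and cannot be modified
    # directly. Set the schemaUpgradeInProgress flag as workaround
    # and create this hierarchy:
    # ou=computers
    # |-> c1
    # |   |->c2
    # |   |   |->u1
    #
    # While appropriate for this test, this is NOT a good practice
    # in general. This is only done here because the alternative
    # is to make a schema modification.
    #
    # IF/WHEN Samba protects this attribute better, this
    # particular part of the test can be removed, as the same code
    # is covered by the addressBookRoots2 case well enough.
    #
    # The flag disables a protection on the rootDSE, so it is cleared in a
    # finally: block — a failed modify must not leave the bypass enabled.
    modify("", "schemaUpgradeInProgress", "1", FLAG_MOD_REPLACE)
    try:
        mod_add("cn=c2,%s" % self.ou_computers, "msDS-RevealedUsers",
                "B:8:01010101:cn=c3,%s" % self.ou_computers)
        mod_add("cn=c1,%s" % self.ou_computers, "msDS-RevealedUsers",
                "B:8:01010101:cn=c2,%s" % self.ou_computers)
    finally:
        modify("", "schemaUpgradeInProgress", "0", FLAG_MOD_REPLACE)

    # Add a couple of ms-Exch-Configuration-Container to test forward-link
    # attributes without backward link (addressBookRoots2)
    # e1
    # |--> e2
    # |    |--> c1
    self.ldb.add({
        "dn": "cn=e1,%s" % self.ou,
        "objectclass": "msExchConfigurationContainer"})
    self.ldb.add({
        "dn": "cn=e2,%s" % self.ou,
        "objectclass": "msExchConfigurationContainer"})
    mod_add("cn=e2,%s" % self.ou, "addressBookRoots2", "cn=c1,%s" % self.ou_computers)
    mod_add("cn=e1,%s" % self.ou, "addressBookRoots2", "cn=e2,%s" % self.ou)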
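def setUp(self):
    """Prepare the domain for lockout tests and register cleanups that undo it.

    Saves (and restores via addCleanup) dSHeuristics, the three lockout
    policy attributes and minPwdAge, then lowers the policy to a 2 second
    lockout duration, a 2 second observation window, a threshold of 3
    attempts and minPwdAge 0 so the tests can trigger lockouts quickly.
    Also opens a sealed SAMR connection and (re)creates the Kerberos and
    NTLM test users.  Cleanups run in reverse registration order.
    """
    super(BasePasswordTestCase, self).setUp()
    self.global_creds.set_gensec_features(self.global_creds.get_gensec_features() | gensec.FEATURE_SEAL)

    self.template_creds = Credentials()
    self.template_creds.set_username("testuser")
    self.template_creds.set_password("thatsAcomplPASS1")
    self.template_creds.set_domain(self.global_creds.get_domain())
    self.template_creds.set_realm(self.global_creds.get_realm())
    self.template_creds.set_workstation(self.global_creds.get_workstation())
    self.template_creds.set_gensec_features(self.global_creds.get_gensec_features())
    self.template_creds.set_kerberos_state(self.global_creds.get_kerberos_state())

    # Gets back the basedn
    base_dn = self.ldb.domain_dn()

    # Get the old "dSHeuristics" if it was set
    dsheuristics = self.ldb.get_dsheuristics()
    # Reset the "dSHeuristics" as they were before
    self.addCleanup(self.ldb.set_dsheuristics, dsheuristics)

    # Remember the current lockout policy so the cleanup can put it back.
    res = self.ldb.search(base_dn, scope=SCOPE_BASE,
                          attrs=["lockoutDuration", "lockOutObservationWindow", "lockoutThreshold"])

    def saved_or_zero(attr):
        # ldb message lookups are case-insensitive, so the spelling of the
        # attribute name does not have to match the one requested above.
        if attr in res[0]:
            return res[0][attr][0]
        return 0

    lockoutDuration = saved_or_zero("lockoutDuration")
    lockoutObservationWindow = saved_or_zero("lockoutObservationWindow")
    # The original assigned a misspelt `lockoutTreshold` in the fallback
    # branch, leaving `lockoutThreshold` unbound (NameError) whenever the
    # attribute was absent.
    lockoutThreshold = saved_or_zero("lockoutThreshold")

    self.addCleanup(self.ldb.modify_ldif, """
dn: """ + base_dn + """
changetype: modify
replace: lockoutDuration
lockoutDuration: """ + str(lockoutDuration) + """
replace: lockoutObservationWindow
lockoutObservationWindow: """ + str(lockoutObservationWindow) + """
replace: lockoutThreshold
lockoutThreshold: """ + str(lockoutThreshold) + """
""")

    # Durations are written as negative 100-ns intervals, hence -int(s * 1e7).
    m = Message()
    m.dn = Dn(self.ldb, base_dn)
    self.account_lockout_duration = 2
    account_lockout_duration_ticks = -int(self.account_lockout_duration * (1e7))
    m["lockoutDuration"] = MessageElement(str(account_lockout_duration_ticks),
                                          FLAG_MOD_REPLACE, "lockoutDuration")
    account_lockout_threshold = 3
    m["lockoutThreshold"] = MessageElement(str(account_lockout_threshold),
                                           FLAG_MOD_REPLACE, "lockoutThreshold")
    self.lockout_observation_window = 2
    lockout_observation_window_ticks = -int(self.lockout_observation_window * (1e7))
    m["lockOutObservationWindow"] = MessageElement(str(lockout_observation_window_ticks),
                                                   FLAG_MOD_REPLACE, "lockOutObservationWindow")
    self.ldb.modify(m)

    # Set the "dSHeuristics" to activate the correct "userPassword" behaviour
    self.ldb.set_dsheuristics("000000001")

    # Get the old "minPwdAge"
    minPwdAge = self.ldb.get_minPwdAge()
    # Reset the "minPwdAge" as it was before
    self.addCleanup(self.ldb.set_minPwdAge, minPwdAge)
    # Set it temporarily to "0"
    self.ldb.set_minPwdAge("0")

    self.base_dn = self.ldb.domain_dn()
    self.domain_sid = security.dom_sid(self.ldb.get_domain_sid())
    # SAMR over TCP with sealing, so the password operations are encrypted.
    self.samr = samr.samr("ncacn_ip_tcp:%s[seal]" % self.host, self.lp, self.global_creds)
    self.samr_handle = self.samr.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
    self.samr_domain = self.samr.OpenDomain(self.samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, self.domain_sid)

    self.addCleanup(self.delete_ldb_connections)

    # (Re)adds the test user accounts
    self.lockout1krb5_creds = self.insta_creds(self.template_creds,
                                               username="******",
                                               userpass="******",
                                               kerberos_state=MUST_USE_KERBEROS)
    self.lockout1krb5_ldb = self._readd_user(self.lockout1krb5_creds)
    self.lockout1ntlm_creds = self.insta_creds(self.template_creds,
                                               username="******",
                                               userpass="******",
                                               kerberos_state=DONT_USE_KERBEROS)
    self.lockout1ntlm_ldb = self._readd_user(self.lockout1ntlm_creds)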