def test_bind_noMatchingServicesFound_fallback_success(self):
server = self.createServer(
services=['svc1',
'svc2',
'svc3',
],
fallback=True,
responses=[
[ pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ],
[ pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ],
[ pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ],
[ pureldap.LDAPBindResponse(resultCode=ldaperrors.Success.resultCode) ],
])
server.dataReceived(str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(dn='cn=jack,dc=example,dc=com', auth='s3krit'), id=4)))
reactor.iterate() #TODO
client = server.client
client.assertSent(
pureldap.LDAPSearchRequest(baseObject='dc=example,dc=com',
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=ldapfilter.parseFilter('(&'
+'(objectClass=serviceSecurityObject)'
+'(owner=cn=jack,dc=example,dc=com)'
+'(cn=svc1)'
+('(|(!(validFrom=*))(validFrom<=%s))' % server.now)
+('(|(!(validUntil=*))(validUntil>=%s))' % server.now)
+')'),
attributes=('1.1',)),
pureldap.LDAPSearchRequest(baseObject='dc=example,dc=com',
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=ldapfilter.parseFilter('(&'
+'(objectClass=serviceSecurityObject)'
+'(owner=cn=jack,dc=example,dc=com)'
+'(cn=svc2)'
+('(|(!(validFrom=*))(validFrom<=%s))' % server.now)
+('(|(!(validUntil=*))(validUntil>=%s))' % server.now)
+')'),
attributes=('1.1',)),
pureldap.LDAPSearchRequest(baseObject='dc=example,dc=com',
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=ldapfilter.parseFilter('(&'
+'(objectClass=serviceSecurityObject)'
+'(owner=cn=jack,dc=example,dc=com)'
+'(cn=svc3)'
+('(|(!(validFrom=*))(validFrom<=%s))' % server.now)
+('(|(!(validUntil=*))(validUntil>=%s))' % server.now)
+')'),
attributes=('1.1',)),
pureldap.LDAPBindRequest(dn='cn=jack,dc=example,dc=com', auth='s3krit'))
self.assertEquals(server.transport.value(),
str(pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=ldaperrors.Success.resultCode), id=4)))
def test_unbind_clientUnbinds(self):
"""
The server disconnects from the client gracefully when the
client signals its intent to unbind.
"""
server = self.createServer(
[pureldap.LDAPBindResponse(resultCode=0)],
[],
)
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2)))
server.reactor.advance(1)
client = server.client
client.assertSent(pureldap.LDAPBindRequest())
self.assertEqual(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPUnbindRequest(), id=3)))
server.connectionLost(error.ConnectionDone)
server.reactor.advance(1)
client.assertSent(pureldap.LDAPBindRequest(),
pureldap.LDAPUnbindRequest())
self.assertEqual(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
def test_unbind_clientEOF(self):
"""
The server disconects correctly when the client terminates the
connection without sending an unbind request.
"""
server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)])
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2)))
server.reactor.advance(1)
client = server.client
client.assertSent(pureldap.LDAPBindRequest())
self.assertEqual(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
server.connectionLost(error.ConnectionDone)
server.reactor.advance(1)
client.assertSent(pureldap.LDAPBindRequest(),
'fake-unbind-by-LDAPClientTestDriver')
self.assertEqual(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
def test_unbind_clientEOF(self):
server = self.createServer(
[
pureldap.LDAPBindResponse(resultCode=0),
],
[],
)
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2)))
reactor.iterate() #TODO
client = server.client
client.assertSent(pureldap.LDAPBindRequest())
self.assertEquals(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
server.connectionLost(error.ConnectionDone)
reactor.iterate() #TODO
client.assertSent(pureldap.LDAPBindRequest(),
'fake-unbind-by-LDAPClientTestDriver')
self.assertEquals(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
def test_unbind_clientUnbinds(self):
server = self.createServer(
[
pureldap.LDAPBindResponse(resultCode=0),
],
[],
)
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire())
reactor.iterate() # TODO
client = server.client
client.assertSent(pureldap.LDAPBindRequest())
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2).toWire(),
)
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPUnbindRequest(), id=3).toWire())
server.connectionLost(error.ConnectionDone)
reactor.iterate() # TODO
client.assertSent(pureldap.LDAPBindRequest(),
pureldap.LDAPUnbindRequest())
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2).toWire(),
)
def perform_bind_ntlm(
client,
username,
password,
domain,
workstation,
ntlm_version,
peercert: X509 = None,
):
"""
Perform bind using custom NTLM mechanism. Will return different value
based on ntlm_version.
NTLMv2 using session key for future sign and seal.
We do not support NTLMv1 with sign and seal on purpose.
:returns
NTLMv1 : None
NTLMv2 : session key for sign and seal
"""
sign_seal_enable = client._ntlm_sign_seal_enable(ntlm_version)
ntlm_negotiate_msg = ntlm.create_negotiate_msg(
sign_seal=sign_seal_enable)
op = pureldap.LDAPBindRequest(auth=("GSS-SPNEGO", ntlm_negotiate_msg),
sasl=True)
response = yield client.send(op)
if response.resultCode != ldaperrors.LDAPSaslBindInProgress.resultCode:
raise ldaperrors.get(response.resultCode, response.errorMessage)
ntlm_challenge_msg = response.serverSaslCreds.value
ntlm_authenticate = ntlm.create_ntlm_auth(
ntlm_negotiate_msg,
ntlm_challenge_msg,
username,
password,
domain,
workstation,
ntlm_version,
sign_seal=sign_seal_enable,
peercert=peercert,
)
op = pureldap.LDAPBindRequest(
auth=("GSS-SPNEGO", ntlm_authenticate.get_encoded_msg()),
sasl=True)
response = yield client.send(op)
if response.resultCode != ldaperrors.Success.resultCode:
raise ldaperrors.get(response.resultCode, response.errorMessage)
if ntlm_version == 2 and isinstance(ntlm_authenticate,
ntlm.NTLMv2Auth):
defer.returnValue(ntlm_authenticate.session_key)
def test_reusing_connection_succeeds2(self):
# User Bind, User Bind
server, client = self.create_server_and_client(
[pureldap.LDAPBindResponse(resultCode=0)],
[pureldap.LDAPBindResponse(resultCode=0)])
yield client.bind('uid=hugo,cn=users,dc=test,dc=local', 'secret')
yield client.bind('uid=hugo,cn=users,dc=test,dc=local', 'secret')
server.client.assertSent(
pureldap.LDAPBindRequest(
dn='uid=service,cn=users,dc=test,dc=local',
auth='service-secret'),
pureldap.LDAPBindRequest(
dn='uid=service,cn=users,dc=test,dc=local',
auth='service-secret'),
)
def test_bind(self):
server = self.createServer([ pureldap.LDAPBindResponse(resultCode=0),
])
server.dataReceived(str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4)))
reactor.iterate() #TODO
self.assertEqual(server.transport.value(),
str(pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=4)))
def test_search(self):
"""
When performing an LDAP search against the server; the search results and
a single "search done" response is written to the transport.
"""
server = self.createServer(
[pureldap.LDAPBindResponse(resultCode=0)],
[
pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com',
[('a', ['b'])]),
pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com',
[('b', ['c'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode)
],
)
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire())
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3).toWire())
server.reactor.advance(1)
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=foo,dc=example,dc=com', [('a', ['b'])]),
id=3).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=bar,dc=example,dc=com', [('b', ['c'])]),
id=3).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultDone(
ldaperrors.Success.resultCode),
id=3).toWire())
def test_search(self):
server = self.createServer(
[
pureldap.LDAPBindResponse(resultCode=0),
],
[
pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com',
[('a', ['b'])]),
pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com',
[('b', ['c'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
],
)
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2)))
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3)))
reactor.iterate() #TODO
self.assertEquals(
server.transport.value(),
str(
pureldap.LDAPMessage(
pureldap.LDAPBindResponse(resultCode=0), id=2)) + str(
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=foo,dc=example,dc=com', [('a', ['b'])]),
id=3)) +
str(
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=bar,dc=example,dc=com', [('b', ['c'])]),
id=3)) +
str(
pureldap.LDAPMessage(pureldap.LDAPSearchResultDone(
ldaperrors.Success.resultCode),
id=3)))
def test_simple_bind(self):
dn = 'uid=thegreathugo,cn=users,dc=test,dc=local'
server, client = self.create_server_and_client()
service_account_client = self.inject_service_account_server(
[
pureldap.LDAPBindResponse(resultCode=0), # for service account
],
[
pureldap.LDAPSearchResultEntry(dn,
[('sAMAccountName', ['hugo'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
])
yield client.bind(dn, 'secret')
# Assert that Proxy<->Backend (the actual connection) did not send anything
server.client.assertNothingSent()
# Assert that Proxy<->Backend (the lookup connection) did send something
service_account_client.assertSent(
pureldap.LDAPBindRequest(
dn='uid=service,cn=users,dc=test,dc=local',
auth='service-secret'),
pureldap.LDAPSearchRequest(
baseObject='uid=thegreathugo,cn=users,dc=test,dc=local',
scope=0,
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=pureldap.LDAPFilter_present(value='objectClass'),
attributes=()), 'fake-unbind-by-LDAPClientTestDriver')
def test_simple_search(self):
dn = 'uid=hugo,cn=users,dc=test,dc=local'
server, client = self.create_server_and_client(
[
pureldap.LDAPBindResponse(resultCode=0), # for service account
],
[
pureldap.LDAPSearchResultEntry(dn,
[('someattr', ['somevalue'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
])
yield client.bind(dn, 'secret')
# Assert that Proxy<->Backend uses the correct credentials
server.client.assertSent(
pureldap.LDAPBindRequest(
dn='uid=service,cn=users,dc=test,dc=local',
auth='service-secret'), )
# Perform a simple search in the context of the service account
entry = LDAPEntry(client, dn)
results = yield entry.search('(objectClass=*)',
scope=pureldap.LDAP_SCOPE_baseObject)
self.assertEqual(len(results), 1)
self.assertEqual(len(results[0]['someattr']), 1)
(value, ) = results[0]['someattr']
self.assertEqual(value, 'somevalue')
def test_realm_mapping_fails_wrong_password(self):
marker = 'markerSecret'
realm = 'realmSecret'
password = '******' # this is the wrong password!
service_dn = 'uid=passthrough,cn=users,dc=test,dc=local'
dn = 'uid=hugo,cn=users,dc=test,dc=local'
server, client = self.create_server_and_client(
[
pureldap.LDAPBindResponse(resultCode=0), # for service account
],
[
pureldap.LDAPSearchResultEntry(dn,
[('someattr', ['somevalue'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
])
yield client.bind(service_dn, 'service-secret')
# Assert that Proxy<->Backend uses the correct credentials
server.client.assertSent(
pureldap.LDAPBindRequest(dn=service_dn, auth='service-secret'), )
# Perform a simple search in the context of the service account
entry = LDAPEntry(client, dn)
r = yield entry.search('(|(objectClass=*)(objectclass=App-%s))' %
marker,
scope=pureldap.LDAP_SCOPE_baseObject)
# sleep a second and then try to bind as hugo
time.sleep(0.5)
server2, client2 = self.create_server_and_client([
pureldap.LDAPBindResponse(
resultCode=0), # for service account (successful hugo bind)
])
d = client2.bind(dn, password)
yield self.assertFailure(d, ldaperrors.LDAPInvalidCredentials)
self.assertEqual(self.privacyidea.authentication_requests,
[('hugo', realm, password, False)])
time.sleep(1) # to clean the reactor
def test_realm_mapping_succeeds_case_sensitive(self):
marker = 'markerSecret'
password = '******'
service_dn = 'uid=passthrough,cn=users,dc=test,dc=local'
dn = 'uid=Hugo,cn=users,dc=test,DC=LOCAL'
server, client = self.create_server_and_client(
[
pureldap.LDAPBindResponse(resultCode=0), # for service account
],
[
pureldap.LDAPSearchResultEntry(dn,
[('someattr', ['somevalue'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
])
yield client.bind(service_dn, 'service-secret')
# Assert that Proxy<->Backend uses the correct credentials
server.client.assertSent(
pureldap.LDAPBindRequest(dn=service_dn, auth='service-secret'), )
# Perform a simple search in the context of the service account
entry = LDAPEntry(client, dn)
r = yield entry.search('(|(objectClass=*)(objectclass=App-%s))' %
marker,
scope=pureldap.LDAP_SCOPE_baseObject)
# sleep half a second and then try to bind as hugo
time.sleep(0.5)
server2, client2 = self.create_server_and_client([
pureldap.LDAPBindResponse(
resultCode=0), # for service account (successful hugo bind)
])
yield client2.bind(
dn.lower(),
password) # this will work even though the DN has differing case
self.assertEqual(self.privacyidea.authentication_requests,
[('hugo', 'realmSecret', password, True)])
time.sleep(1) # to clean the reactor
def test_search(self):
server = self.createServer(
[
pureldap.LDAPBindResponse(resultCode=0),
],
[
pureldap.LDAPSearchResultEntry("cn=foo,dc=example,dc=com",
[("a", ["b"])]),
pureldap.LDAPSearchResultEntry("cn=bar,dc=example,dc=com",
[("b", ["c"])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
],
)
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire())
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3).toWire())
reactor.iterate() # TODO
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2).toWire() +
pureldap.LDAPMessage(
pureldap.LDAPSearchResultEntry("cn=foo,dc=example,dc=com",
[("a", ["b"])]),
id=3,
).toWire() + pureldap.LDAPMessage(
pureldap.LDAPSearchResultEntry("cn=bar,dc=example,dc=com",
[("b", ["c"])]),
id=3,
).toWire() + pureldap.LDAPMessage(pureldap.LDAPSearchResultDone(
ldaperrors.Success.resultCode),
id=3).toWire(),
)
def test_intercepted_search_response(self):
"""
When performing an LDAP search against the server; the search results are
intercepted and modified by the proxy.
"""
server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)], [
pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com',
[('a', ['b'])]),
pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com',
[('b', ['c'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode)
],
protocol=ResponseInterceptingProxy)
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire())
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3).toWire())
server.reactor.advance(1)
server.reactor.advance(5)
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=foo,dc=example,dc=com', [('a', ['b']),
('frotz', ['xyzzy'])]),
id=3).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=bar,dc=example,dc=com', [('b', ['c']),
('frotz', ['xyzzy'])]),
id=3).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultDone(
ldaperrors.Success.resultCode),
id=3).toWire())
def test_bind(self):
self.server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4).toWire())
self.assertEqual(
self.server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=4).toWire())
def test_passthrough_bind_succeeds(self):
server, client = self.create_server_and_client(
[pureldap.LDAPBindResponse(resultCode=0)])
yield client.bind('uid=passthrough,cn=users,dc=test,dc=local',
'some-secret')
server.client.assertSent(
pureldap.LDAPBindRequest(
dn='uid=passthrough,cn=users,dc=test,dc=local',
auth='some-secret'), )
def _send_sspi_bind(self, dn, current_buffer):
# format request and send it
op = pureldap.LDAPBindRequest(
dn=dn,
auth=('GSS-SPNEGO', current_buffer[0].Buffer),
sasl='True',
)
response = yield self.send(op)
return response
def test_bind_invalidCredentials_nonExisting(self):
self.server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(
dn='cn=non-existing,dc=example,dc=com', auth=b'invalid'),
id=78).toWire())
self.assertEqual(
self.server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(
resultCode=ldaperrors.LDAPInvalidCredentials.resultCode),
id=78).toWire())
def test_bind_invalidCredentials_badPassword(self):
self.server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(
dn='cn=thingie,ou=stuff,dc=example,dc=com', auth=b'invalid'),
id=734).toWire())
self.assertEqual(
self.server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(
resultCode=ldaperrors.LDAPInvalidCredentials.resultCode),
id=734).toWire())
def test_bind(self):
"""
When binding to the server an `LDAPBindResponse` with a successful
result code.is written to the transport.
"""
server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)])
server.dataReceived(str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4)))
server.reactor.advance(1)
self.assertEqual(server.transport.value(),
str(pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=4)))
def test_bind_badVersion_4_anonymous(self):
self.server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(version=4),
id=32).toWire())
self.assertEqual(
self.server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(
resultCode=ldaperrors.LDAPProtocolError.resultCode,
errorMessage='Version 4 not supported'),
id=32).toWire())
def test_reusing_connection_fails1(self):
# Scenario 1: Passthrough Bind, User Bind
server, client = self.create_server_and_client(
[pureldap.LDAPBindResponse(resultCode=0)])
yield client.bind('uid=passthrough,cn=users,dc=test,dc=local',
'some-secret')
server.client.assertSent(
pureldap.LDAPBindRequest(
dn='uid=passthrough,cn=users,dc=test,dc=local',
auth='some-secret'), )
d = client.bind('uid=hugo,cn=users,dc=test,dc=local', 'secret')
yield self.assertFailure(d, ldaperrors.LDAPInvalidCredentials)
def test_passwordModify_someoneElse(self):
commits = observeCommits(self.thingie)
# first bind to some entry
userPassword = b"{SSHA}yVLLj62rFf3kDAbzwEU0zYAVvbWrze8=" # secret
self.thingie["userPassword"] = [userPassword]
self.server.dataReceived(
pureldap.LDAPMessage(
pureldap.LDAPBindRequest(
dn="cn=thingie,ou=stuff,dc=example,dc=com",
auth=b"secret"),
id=4,
).toWire())
self.assertEqual(
self.server.transport.value(),
pureldap.LDAPMessage(
pureldap.LDAPBindResponse(
resultCode=0,
matchedDN="cn=thingie,ou=stuff,dc=example,dc=com"),
id=4,
).toWire(),
)
self.server.transport.clear()
observer = testing.EventLoggingObserver.createWithCleanup(self, log)
self.server.dataReceived(
pureldap.LDAPMessage(
pureldap.LDAPPasswordModifyRequest(
userIdentity="cn=another,ou=stuff,dc=example,dc=com",
newPasswd="hushhush",
),
id=2,
).toWire())
self.assertEqual(
observer[0]["log_text"],
"User cn=thingie,ou=stuff,dc=example,dc=com "
"tried to change password of "
"b'cn=another,ou=stuff,dc=example,dc=com'",
)
self.assertListEqual(commits, [], "Server committed data.")
self.assertEqual(
self.server.transport.value(),
pureldap.LDAPMessage(
pureldap.LDAPExtendedResponse(
resultCode=ldaperrors.LDAPInsufficientAccessRights.
resultCode,
responseName=pureldap.LDAPPasswordModifyRequest.oid,
),
id=2,
).toWire(),
)
self.assertSequenceEqual(
self.thingie.get("userPassword", []),
[userPassword],
)
def test_control_unknown_critical(self):
self.server.dataReceived(pureldap.LDAPMessage(
pureldap.LDAPBindRequest(), id=2,
controls=[('42.42.42.42', True, None),
]).toWire())
self.assertEqual(
self.server.transport.value(),
pureldap.LDAPMessage(
pureldap.LDAPBindResponse(
resultCode=ldaperrors.LDAPUnavailableCriticalExtension.resultCode,
errorMessage='Unknown control 42.42.42.42'),
id=2).toWire())
def perform_bind_ntlm(self, dn, username, password, domain, workstation,
ntlm_version):
ntlm_negotiate_msg = ntlm.create_negotiate_msg()
op = pureldap.LDAPBindRequest(dn=dn,
auth=('GSS-SPNEGO', ntlm_negotiate_msg),
sasl=True)
response = yield self.send(op)
if response.resultCode != ldaperrors.LDAPSaslBindInProgress.resultCode:
raise ldaperrors.get(response.resultCode, response.errorMessage)
ntlm_challenge_msg = response.serverSaslCreds.value
ntlm_authenticate_msg = ntlm.create_authenticate_msg(
ntlm_negotiate_msg, ntlm_challenge_msg, username, password, domain,
workstation, ntlm_version)
op = pureldap.LDAPBindRequest(dn=dn,
auth=('GSS-SPNEGO',
ntlm_authenticate_msg),
sasl=True)
response = yield self.send(op)
if response.resultCode != ldaperrors.Success.resultCode:
raise ldaperrors.get(response.resultCode, response.errorMessage)
def test_bindBadPassword(self):
"""
When password don't match the BIND fails.
"""
self.server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(
dn='*****@*****.**', auth='invalid'),
id=734).toWire())
self.assertEqual(
self.server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(
resultCode=ldaperrors.LDAPInvalidCredentials.resultCode),
id=734).toWire())
def checkSuccessfulBIND(self, bind_dn, password):
"""
Do a BIND request and check that is succeeds.
"""
self.server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(dn=bind_dn,
auth=password),
id=4).toWire())
self.assertEqual(
self.server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(
resultCode=0, matchedDN='cn=bob,dc=example,dc=com'),
id=4).toWire())
def bind(self, dn='', auth=''):
"""
@depreciated: Use e.bind(auth).
@todo: Remove this method when there are no callers.
"""
if not self.connected:
raise LDAPClientConnectionLostException()
else:
r = pureldap.LDAPBindRequest(dn=dn, auth=auth)
d = self.send(r)
d.addCallback(self._handle_bind_msg)
return d
