Пример #1
0
    def test_last_admin_preservation(self, admin2):
        """ Create a second admin, disable it. Then try to disable and
        remove the original one and receive LastMemberError. Last trial
        are these ops with second admin removed. """
        admin2.ensure_exists()
        admin2.make_admin()
        admin2.disable()
        tracker = Tracker()

        with raises_exact(
                errors.LastMemberError(key=admin1,
                                       label=u'group',
                                       container=admin_group)):
            tracker.run_command('user_disable', admin1)
        with raises_exact(
                errors.LastMemberError(key=admin1,
                                       label=u'group',
                                       container=admin_group)):
            tracker.run_command('user_del', admin1)
        admin2.delete()

        with raises_exact(
                errors.LastMemberError(key=admin1,
                                       label=u'group',
                                       container=admin_group)):
            tracker.run_command('user_disable', admin1)
        with raises_exact(
                errors.LastMemberError(key=admin1,
                                       label=u'group',
                                       container=admin_group)):
            tracker.run_command('user_del', admin1)
Пример #2
0
 def test_remove_admin_from_admins(self, admins):
     """ Remove the original admin from admins group """
     command = admins.make_remove_member_command(dict(user=u'admin'))
     with raises_exact(
             errors.LastMemberError(key=u'admin',
                                    label=u'group',
                                    container=admins.cn)):
         command()
Пример #3
0
 def test_remove_all_admins_from_admins(self, admins, user):
     """ Try to remove both original and our admin from admins group """
     command = admins.make_remove_member_command(
         dict(user=[u'admin', user.uid])
     )
     with raises_exact(errors.LastMemberError(
             key=u'admin', label=u'group', container=admins.cn)):
         command()
Пример #4
0
    def test_disable_original_admin(self):
        """ Try to disable the only admin """
        tracker = Tracker()
        command = tracker.make_command('user_disable', admin1)

        with raises_exact(errors.LastMemberError(
                key=admin1, label=u'group', container=admin_group)):
            command()
Пример #5
0
    def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
        if keys[0] in PROTECTED_HOSTGROUPS and 'host' in options:
            result = api.Command.hostgroup_show(keys[0])
            hosts_left = set(result['result'].get('member_host', []))
            hosts_deleted = set(options['host'])
            if hosts_left.issubset(hosts_deleted):
                raise errors.LastMemberError(key=sorted(hosts_deleted)[0],
                                             label=_(u'hostgroup'),
                                             container=keys[0])

        return dn
Пример #6
0
 def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
     assert isinstance(dn, DN)
     if keys[0] in PROTECTED_GROUPS and 'user' in options:
         protected_group_name = keys[0]
         result = api.Command.group_show(protected_group_name)
         users_left = set(result['result'].get('member_user', []))
         users_deleted = set(options['user'])
         if users_left.issubset(users_deleted):
             raise errors.LastMemberError(key=sorted(users_deleted)[0],
                 label=_(u'group'), container=protected_group_name)
     return dn
Пример #7
0
def check_protected_member(user, protected_group_name=u'admins'):
    '''
    Ensure the last enabled member of a protected group cannot be deleted or
    disabled by raising LastMemberError.
    '''

    # Get all users in the protected group
    result = api.Command.user_find(in_group=protected_group_name)

    # Build list of users in the protected group who are enabled
    result = result['result']
    enabled_users = [entry['uid'][0] for entry in result if not entry['nsaccountlock']]

    # If the user is the last enabled user raise LastMemberError exception
    if enabled_users == [user]:
        raise errors.LastMemberError(key=user, label=_(u'group'),
            container=protected_group_name)
Пример #8
0
class test_group(Declarative):
    cleanup_commands = [
        ('group_del', [group1], {}),
        ('group_del', [group2], {}),
        ('group_del', [group3], {}),
        ('group_del', [renamedgroup1], {}),
        ('user_del', [user1], {}),
    ]

    tests = [

        ################
        # create group1:
        dict(
            desc='Try to retrieve non-existent %r' % group1,
            command=('group_show', [group1], {}),
            expected=errors.NotFound(reason=u'%s: group not found' % group1),
        ),
        dict(
            desc='Try to update non-existent %r' % group1,
            command=('group_mod', [group1], dict(description=u'Foo')),
            expected=errors.NotFound(reason=u'%s: group not found' % group1),
        ),
        dict(
            desc='Try to delete non-existent %r' % group1,
            command=('group_del', [group1], {}),
            expected=errors.NotFound(reason=u'%s: group not found' % group1),
        ),
        dict(
            desc='Try to rename non-existent %r' % group1,
            command=('group_mod', [group1],
                     dict(setattr=u'cn=%s' % renamedgroup1)),
            expected=errors.NotFound(reason=u'%s: group not found' % group1),
        ),
        dict(
            desc='Create non-POSIX %r' % group1,
            command=('group_add', [group1],
                     dict(description=u'Test desc 1', nonposix=True)),
            expected=dict(
                value=group1,
                summary=u'Added group "testgroup1"',
                result=dict(
                    cn=[group1],
                    description=[u'Test desc 1'],
                    objectclass=objectclasses.group,
                    ipauniqueid=[fuzzy_uuid],
                    dn=get_group_dn('testgroup1'),
                ),
            ),
        ),
        dict(
            desc='Try to create duplicate %r' % group1,
            command=('group_add', [group1], dict(description=u'Test desc 1')),
            expected=errors.DuplicateEntry(
                message=u'group with name "%s" already exists' % group1),
        ),
        dict(
            desc='Retrieve non-POSIX %r' % group1,
            command=('group_show', [group1], {}),
            expected=dict(
                value=group1,
                summary=None,
                result=dict(
                    cn=[group1],
                    description=[u'Test desc 1'],
                    dn=get_group_dn('testgroup1'),
                ),
            ),
        ),
        dict(
            desc='Updated non-POSIX %r' % group1,
            command=('group_mod', [group1], dict(description=u'New desc 1')),
            expected=dict(
                result=dict(
                    cn=[group1],
                    description=[u'New desc 1'],
                ),
                summary=u'Modified group "testgroup1"',
                value=group1,
            ),
        ),
        dict(
            desc='Retrieve %r to verify update' % group1,
            command=('group_show', [group1], {}),
            expected=dict(
                value=group1,
                result=dict(
                    cn=[group1],
                    description=[u'New desc 1'],
                    dn=get_group_dn('testgroup1'),
                ),
                summary=None,
            ),
        ),

        # FIXME: The return value is totally different here than from the above
        # group_mod() test.  I think that for all *_mod() commands we should
        # just return the entry exactly as *_show() does.
        dict(
            desc='Updated %r to promote it to a POSIX group' % group1,
            command=('group_mod', [group1], dict(posix=True)),
            expected=dict(
                result=dict(
                    cn=[group1],
                    description=[u'New desc 1'],
                    gidnumber=[fuzzy_digits],
                ),
                value=group1,
                summary=u'Modified group "testgroup1"',
            ),
        ),
        dict(
            desc="Retrieve %r to verify it's a POSIX group" % group1,
            command=('group_show', [group1], {}),
            expected=dict(
                value=group1,
                result=dict(
                    cn=[group1],
                    description=(u'New desc 1', ),
                    dn=get_group_dn('testgroup1'),
                    gidnumber=[fuzzy_digits],
                ),
                summary=None,
            ),
        ),
        dict(
            desc='Search for %r' % group1,
            command=('group_find', [], dict(cn=group1)),
            expected=dict(
                count=1,
                truncated=False,
                result=[
                    dict(
                        dn=get_group_dn(group1),
                        cn=[group1],
                        description=[u'New desc 1'],
                        gidnumber=[fuzzy_digits],
                    ),
                ],
                summary=u'1 group matched',
            ),
        ),

        ################
        # create group2:
        dict(
            desc='Try to retrieve non-existent %r' % group2,
            command=('group_show', [group2], {}),
            expected=errors.NotFound(reason=u'%s: group not found' % group2),
        ),
        dict(
            desc='Try to update non-existent %r' % group2,
            command=('group_mod', [group2], dict(description=u'Foo')),
            expected=errors.NotFound(reason=u'%s: group not found' % group2),
        ),
        dict(
            desc='Try to delete non-existent %r' % group2,
            command=('group_del', [group2], {}),
            expected=errors.NotFound(reason=u'%s: group not found' % group2),
        ),
        dict(
            desc='Create %r' % group2,
            command=('group_add', [group2], dict(description=u'Test desc 2')),
            expected=dict(
                value=group2,
                summary=u'Added group "testgroup2"',
                result=dict(
                    cn=[group2],
                    description=[u'Test desc 2'],
                    gidnumber=[fuzzy_digits],
                    objectclass=objectclasses.group + [u'posixgroup'],
                    ipauniqueid=[fuzzy_uuid],
                    dn=get_group_dn('testgroup2'),
                ),
            ),
        ),
        dict(
            desc='Try to create duplicate %r' % group2,
            command=('group_add', [group2], dict(description=u'Test desc 2')),
            expected=errors.DuplicateEntry(
                message=u'group with name "%s" already exists' % group2),
        ),
        dict(
            desc='Retrieve %r' % group2,
            command=('group_show', [group2], {}),
            expected=dict(
                value=group2,
                summary=None,
                result=dict(
                    cn=[group2],
                    description=[u'Test desc 2'],
                    gidnumber=[fuzzy_digits],
                    dn=get_group_dn('testgroup2'),
                ),
            ),
        ),
        dict(
            desc='Updated %r' % group2,
            command=('group_mod', [group2], dict(description=u'New desc 2')),
            expected=dict(
                result=dict(
                    cn=[group2],
                    gidnumber=[fuzzy_digits],
                    description=[u'New desc 2'],
                ),
                summary=u'Modified group "testgroup2"',
                value=group2,
            ),
        ),
        dict(
            desc='Retrieve %r to verify update' % group2,
            command=('group_show', [group2], {}),
            expected=dict(
                value=group2,
                result=dict(
                    cn=[group2],
                    description=[u'New desc 2'],
                    gidnumber=[fuzzy_digits],
                    dn=get_group_dn('testgroup2'),
                ),
                summary=None,
            ),
        ),
        dict(
            desc='Search for %r' % group2,
            command=('group_find', [], dict(cn=group2)),
            expected=dict(
                count=1,
                truncated=False,
                result=[
                    dict(
                        dn=get_group_dn('testgroup2'),
                        cn=[group2],
                        description=[u'New desc 2'],
                        gidnumber=[fuzzy_digits],
                    ),
                ],
                summary=u'1 group matched',
            ),
        ),
        dict(
            desc='Search for all groups',
            command=('group_find', [], {}),
            expected=dict(
                summary=u'6 groups matched',
                count=6,
                truncated=False,
                result=[
                    {
                        'dn': get_group_dn('admins'),
                        'member_user': [u'admin'],
                        'gidnumber': [fuzzy_digits],
                        'cn': [u'admins'],
                        'description': [u'Account administrators group'],
                    },
                    {
                        'dn':
                        get_group_dn('editors'),
                        'gidnumber': [fuzzy_digits],
                        'cn': [u'editors'],
                        'description':
                        [u'Limited admins who can edit other users'],
                    },
                    {
                        'dn': get_group_dn('ipausers'),
                        'cn': [u'ipausers'],
                        'description': [u'Default group for all users'],
                    },
                    dict(
                        dn=get_group_dn(group1),
                        cn=[group1],
                        description=[u'New desc 1'],
                        gidnumber=[fuzzy_digits],
                    ),
                    dict(
                        dn=get_group_dn(group2),
                        cn=[group2],
                        description=[u'New desc 2'],
                        gidnumber=[fuzzy_digits],
                    ),
                    {
                        'dn': get_group_dn('trust admins'),
                        'member_user': [u'admin'],
                        'cn': [u'trust admins'],
                        'description': [u'Trusts administrators group'],
                    },
                ],
            ),
        ),

        ###############
        # test external SID members for group3:
        dict(
            desc='Create external %r' % group3,
            command=('group_add', [group3],
                     dict(description=u'Test desc 3', external=True)),
            expected=dict(
                value=group3,
                summary=u'Added group "testgroup3"',
                result=dict(
                    cn=[group3],
                    description=[u'Test desc 3'],
                    objectclass=objectclasses.externalgroup,
                    ipauniqueid=[fuzzy_uuid],
                    dn=get_group_dn(group3),
                ),
            ),
        ),
        dict(
            desc='Convert posix group %r to support external membership' %
            (group2),
            command=('group_mod', [group2], dict(external=True)),
            expected=errors.PosixGroupViolation(),
        ),
        dict(
            desc='Convert external members group %r to posix' % (group3),
            command=('group_mod', [group3], dict(posix=True)),
            expected=errors.ExternalGroupViolation(),
        ),
        dict(
            desc='Add external member %r to %r' % (external_sid1, group3),
            command=('group_add_member', [group3],
                     dict(ipaexternalmember=external_sid1)),
            expected=lambda x, output: type(x) == errors.ValidationError or
            type(x) == errors.NotFound,
        ),
        dict(
            desc='Remove group %r with external membership' % (group3),
            command=('group_del', [group3], {}),
            expected=dict(
                result=dict(failed=u''),
                value=group3,
                summary=u'Deleted group "testgroup3"',
            ),
        ),

        ###############
        # member stuff:
        dict(
            desc='Add member %r to %r' % (group2, group1),
            command=('group_add_member', [group1], dict(group=group2)),
            expected=dict(
                completed=1,
                failed=dict(member=dict(
                    group=tuple(),
                    user=tuple(),
                ), ),
                result={
                    'dn': get_group_dn(group1),
                    'member_group': (group2, ),
                    'gidnumber': [fuzzy_digits],
                    'cn': [group1],
                    'description': [u'New desc 1'],
                },
            ),
        ),
        dict(
            # FIXME: Shouldn't this raise a NotFound instead?
            desc='Try to add non-existent member to %r' % group1,
            command=('group_add_member', [group1], dict(group=u'notfound')),
            expected=dict(
                completed=0,
                failed=dict(member=dict(
                    group=[(u'notfound', u'no such entry')],
                    user=tuple(),
                ), ),
                result={
                    'dn': get_group_dn(group1),
                    'member_group': (group2, ),
                    'gidnumber': [fuzzy_digits],
                    'cn': [group1],
                    'description': [u'New desc 1'],
                },
            ),
        ),
        dict(
            desc='Remove member %r from %r' % (group2, group1),
            command=('group_remove_member', [group1], dict(group=group2)),
            expected=dict(
                completed=1,
                failed=dict(member=dict(
                    group=tuple(),
                    user=tuple(),
                ), ),
                result={
                    'dn': get_group_dn(group1),
                    'cn': [group1],
                    'gidnumber': [fuzzy_digits],
                    'description': [u'New desc 1'],
                },
            ),
        ),
        dict(
            # FIXME: Shouldn't this raise a NotFound instead?
            desc='Try to remove non-existent member from %r' % group1,
            command=('group_remove_member', [group1], dict(group=u'notfound')),
            expected=dict(
                completed=0,
                failed=dict(member=dict(
                    group=[(u'notfound', u'This entry is not a member')],
                    user=tuple(),
                ), ),
                result={
                    'dn': get_group_dn(group1),
                    'cn': [group1],
                    'gidnumber': [fuzzy_digits],
                    'description': [u'New desc 1'],
                },
            ),
        ),
        dict(desc='Rename %r' % group1,
             command=('group_mod', [group1],
                      dict(setattr=u'cn=%s' % renamedgroup1)),
             expected=dict(value=group1,
                           result=dict(
                               cn=[renamedgroup1],
                               description=[u'New desc 1'],
                               gidnumber=[fuzzy_digits],
                           ),
                           summary=u'Modified group "%s"' % group1)),
        dict(desc='Rename %r back' % renamedgroup1,
             command=('group_mod', [renamedgroup1],
                      dict(setattr=u'cn=%s' % group1)),
             expected=dict(value=renamedgroup1,
                           result=dict(
                               cn=[group1],
                               description=[u'New desc 1'],
                               gidnumber=[fuzzy_digits],
                           ),
                           summary=u'Modified group "%s"' % renamedgroup1)),

        ################
        # delete group1:
        dict(desc='Delete %r' % group1,
             command=('group_del', [group1], {}),
             expected=dict(
                 result=dict(failed=u''),
                 value=group1,
                 summary=u'Deleted group "testgroup1"',
             )),
        dict(
            desc='Try to delete non-existent %r' % group1,
            command=('group_del', [group1], {}),
            expected=errors.NotFound(reason=u'%s: group not found' % group1),
        ),
        dict(
            desc='Try to retrieve non-existent %r' % group1,
            command=('group_show', [group1], {}),
            expected=errors.NotFound(reason=u'%s: group not found' % group1),
        ),
        dict(
            desc='Try to update non-existent %r' % group1,
            command=('group_mod', [group1], dict(description=u'Foo')),
            expected=errors.NotFound(reason=u'%s: group not found' % group1),
        ),

        ################
        # delete group2:
        dict(desc='Delete %r' % group2,
             command=('group_del', [group2], {}),
             expected=dict(
                 result=dict(failed=u''),
                 value=group2,
                 summary=u'Deleted group "testgroup2"',
             )),
        dict(
            desc='Try to delete non-existent %r' % group2,
            command=('group_del', [group2], {}),
            expected=errors.NotFound(reason=u'%s: group not found' % group2),
        ),
        dict(
            desc='Try to retrieve non-existent %r' % group2,
            command=('group_show', [group2], {}),
            expected=errors.NotFound(reason=u'%s: group not found' % group2),
        ),
        dict(
            desc='Try to update non-existent %r' % group2,
            command=('group_mod', [group2], dict(description=u'Foo')),
            expected=errors.NotFound(reason=u'%s: group not found' % group2),
        ),
        dict(
            desc='Test an invalid group name %r' % invalidgroup1,
            command=('group_add', [invalidgroup1], dict(description=u'Test')),
            expected=errors.ValidationError(
                name='group_name',
                error=u'may only include letters, numbers, _, -, . and $'),
        ),

        # The assumption on these next 4 tests is that if we don't get a
        # validation error then the request was processed normally.
        dict(
            desc='Test that validation is disabled on mods',
            command=('group_mod', [invalidgroup1], {}),
            expected=errors.NotFound(reason=u'%s: group not found' %
                                     invalidgroup1),
        ),
        dict(
            desc='Test that validation is disabled on deletes',
            command=('group_del', [invalidgroup1], {}),
            expected=errors.NotFound(reason=u'%s: group not found' %
                                     invalidgroup1),
        ),
        dict(
            desc='Test that validation is disabled on show',
            command=('group_show', [invalidgroup1], {}),
            expected=errors.NotFound(reason=u'%s: group not found' %
                                     invalidgroup1),
        ),

        ##### managed entry tests
        dict(
            desc='Create %r' % user1,
            command=('user_add', [], dict(givenname=u'Test', sn=u'User1')),
            expected=dict(
                value=user1,
                summary=u'Added user "%s"' % user1,
                result=dict(
                    gecos=[u'Test User1'],
                    givenname=[u'Test'],
                    homedirectory=[u'/home/%s' % user1],
                    krbprincipalname=[u'%s@%s' % (user1, api.env.realm)],
                    loginshell=[u'/bin/sh'],
                    objectclass=objectclasses.user,
                    sn=[u'User1'],
                    uid=[user1],
                    uidnumber=[fuzzy_digits],
                    gidnumber=[fuzzy_digits],
                    mail=[u'%s@%s' % (user1, api.env.domain)],
                    displayname=[u'Test User1'],
                    cn=[u'Test User1'],
                    initials=[u'TU'],
                    ipauniqueid=[fuzzy_uuid],
                    krbpwdpolicyreference=[
                        DN(('cn', 'global_policy'), ('cn', api.env.realm),
                           ('cn', 'kerberos'), api.env.basedn)
                    ],
                    mepmanagedentry=[get_group_dn(user1)],
                    memberof_group=[u'ipausers'],
                    dn=DN(('uid', user1), ('cn', 'users'), ('cn', 'accounts'),
                          api.env.basedn),
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Verify the managed group %r was created' % user1,
            command=('group_show', [user1], {}),
            expected=dict(
                value=user1,
                summary=None,
                result=dict(
                    cn=[user1],
                    description=[u'User private group for %s' % user1],
                    gidnumber=[fuzzy_digits],
                    dn=get_group_dn(user1),
                ),
            ),
        ),
        dict(
            desc='Verify that managed group %r can be found' % user1,
            command=('group_find', [], {
                'cn': user1,
                'private': True
            }),
            expected=dict(
                count=1,
                truncated=False,
                result=[
                    dict(
                        dn=get_group_dn(user1),
                        cn=[user1],
                        description=[u'User private group for %s' % user1],
                        gidnumber=[fuzzy_digits],
                    ),
                ],
                summary=u'1 group matched',
            ),
        ),
        dict(
            desc='Try to delete a managed group %r' % user1,
            command=('group_del', [user1], {}),
            expected=errors.ManagedGroupError(),
        ),
        dict(
            desc='Detach managed group %r' % user1,
            command=('group_detach', [user1], {}),
            expected=dict(
                result=True,
                value=user1,
                summary=u'Detached group "%s" from user "%s"' % (user1, user1),
            ),
        ),
        dict(desc='Now delete the unmanaged group %r' % user1,
             command=('group_del', [user1], {}),
             expected=dict(
                 result=dict(failed=u''),
                 value=user1,
                 summary=u'Deleted group "%s"' % user1,
             )),
        dict(
            desc='Verify that %r is really gone' % user1,
            command=('group_show', [user1], {}),
            expected=errors.NotFound(reason=u'%s: group not found' % user1),
        ),
        dict(
            desc='Delete %r' % user1,
            command=('user_del', [user1], {}),
            expected=dict(
                result=dict(failed=u''),
                summary=u'Deleted user "tuser1"',
                value=user1,
            ),
        ),
        dict(
            desc='Create %r without User Private Group' % user1,
            command=('user_add', [user1],
                     dict(givenname=u'Test',
                          sn=u'User1',
                          noprivate=True,
                          gidnumber=1000)),
            expected=dict(
                value=user1,
                summary=u'Added user "tuser1"',
                result=dict(
                    gecos=[u'Test User1'],
                    givenname=[u'Test'],
                    description=[],
                    homedirectory=[u'/home/tuser1'],
                    krbprincipalname=[u'tuser1@' + api.env.realm],
                    loginshell=[u'/bin/sh'],
                    objectclass=objectclasses.user_base,
                    sn=[u'User1'],
                    uid=[user1],
                    uidnumber=[fuzzy_digits],
                    gidnumber=[u'1000'],
                    mail=[u'%s@%s' % (user1, api.env.domain)],
                    displayname=[u'Test User1'],
                    cn=[u'Test User1'],
                    initials=[u'TU'],
                    ipauniqueid=[fuzzy_uuid],
                    dn=DN(('uid', 'tuser1'), ('cn', 'users'),
                          ('cn', 'accounts'), api.env.basedn),
                    krbpwdpolicyreference=[
                        DN(('cn', 'global_policy'), ('cn', api.env.realm),
                           ('cn', 'kerberos'), api.env.basedn)
                    ],
                    memberof_group=[u'ipausers'],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Verify the managed group %r was not created' % user1,
            command=('group_show', [user1], {}),
            expected=errors.NotFound(reason=u'%s: group not found' % user1),
        ),
        dict(
            desc='Try to remove the admin user from the admins group',
            command=('group_remove_member', [u'admins'],
                     dict(user=[u'admin'])),
            expected=errors.LastMemberError(key=u'admin',
                                            label=u'group',
                                            container='admins'),
        ),
        dict(
            desc='Add %r to the admins group' % user1,
            command=('group_add_member', [u'admins'], dict(user=user1)),
            expected=dict(
                completed=1,
                failed=dict(member=dict(
                    group=tuple(),
                    user=tuple(),
                ), ),
                result={
                    'dn': get_group_dn('admins'),
                    'member_user': [u'admin', user1],
                    'gidnumber': [fuzzy_digits],
                    'cn': [u'admins'],
                    'description': [u'Account administrators group'],
                },
            ),
        ),
        dict(
            desc='Try to remove admin and %r from the admins group' % user1,
            command=('group_remove_member', [u'admins'],
                     dict(user=[u'admin', user1])),
            expected=errors.LastMemberError(key=u'admin',
                                            label=u'group',
                                            container='admins'),
        ),
        dict(
            desc='Try to delete the admins group',
            command=('group_del', [u'admins'], {}),
            expected=errors.ProtectedEntryError(label=u'group',
                                                key='admins',
                                                reason='privileged group'),
        ),
        dict(
            desc='Try to rename the admins group',
            command=('group_mod', [u'admins'], dict(rename=u'loosers')),
            expected=errors.ProtectedEntryError(label=u'group',
                                                key='admins',
                                                reason='Cannot be renamed'),
        ),
        dict(
            desc=
            'Try to modify the admins group to support external membership',
            command=('group_mod', [u'admins'], dict(external=True)),
            expected=errors.ProtectedEntryError(
                label=u'group',
                key='admins',
                reason='Cannot support external non-IPA members'),
        ),
        dict(
            desc='Try to delete the trust admins group',
            command=('group_del', [u'trust admins'], {}),
            expected=errors.ProtectedEntryError(label=u'group',
                                                key='trust admins',
                                                reason='privileged group'),
        ),
        dict(
            desc='Try to rename the trust admins group',
            command=('group_mod', [u'trust admins'], dict(rename=u'loosers')),
            expected=errors.ProtectedEntryError(label=u'group',
                                                key='trust admins',
                                                reason='Cannot be renamed'),
        ),
        dict(
            desc=
            'Try to modify the trust admins group to support external membership',
            command=('group_mod', [u'trust admins'], dict(external=True)),
            expected=errors.ProtectedEntryError(
                label=u'group',
                key='trust admins',
                reason='Cannot support external non-IPA members'),
        ),
        dict(
            desc='Delete %r' % user1,
            command=('user_del', [user1], {}),
            expected=dict(
                result=dict(failed=u''),
                summary=u'Deleted user "%s"' % user1,
                value=user1,
            ),
        ),
    ]