2010-03-24 08:50:50 +03:00
#!/usr/bin/env python
2009-11-05 18:40:54 +03:00
# -*- coding: utf-8 -*-
2010-03-04 16:22:30 +03:00
# This is unit with tests for LDAP access checks
2009-11-05 18:40:54 +03:00
2018-03-09 16:57:01 +03:00
from __future__ import print_function
2009-11-05 18:40:54 +03:00
import optparse
import sys
import base64
import re
2011-02-01 06:43:34 +03:00
sys . path . insert ( 0 , " bin/python " )
2010-06-30 12:57:37 +04:00
import samba
2014-11-02 20:44:05 +03:00
from samba . tests . subunitrun import SubunitOptions , TestProgram
2009-11-05 18:40:54 +03:00
import samba . getopt as options
2018-06-25 08:21:00 +03:00
from samba . join import DCJoinContext
2009-11-05 18:40:54 +03:00
2010-04-08 23:01:17 +04:00
from ldb import (
2010-07-14 15:44:46 +04:00
SCOPE_BASE , SCOPE_SUBTREE , LdbError , ERR_NO_SUCH_OBJECT ,
2010-07-05 01:17:38 +04:00
ERR_UNWILLING_TO_PERFORM , ERR_INSUFFICIENT_ACCESS_RIGHTS )
2010-07-02 17:38:05 +04:00
from ldb import ERR_CONSTRAINT_VIOLATION
2010-07-14 15:44:46 +04:00
from ldb import ERR_OPERATIONS_ERROR
2010-07-02 17:38:05 +04:00
from ldb import Message , MessageElement , Dn
2014-11-04 21:08:58 +03:00
from ldb import FLAG_MOD_REPLACE , FLAG_MOD_ADD , FLAG_MOD_DELETE
2011-01-06 14:40:07 +03:00
from samba . dcerpc import security , drsuapi , misc
2009-11-05 18:40:54 +03:00
from samba . auth import system_session
2011-01-06 14:40:07 +03:00
from samba import gensec , sd_utils
2010-06-11 18:22:21 +04:00
from samba . samdb import SamDB
2012-02-19 14:24:59 +04:00
from samba . credentials import Credentials , DONT_USE_KERBEROS
2010-06-19 20:57:35 +04:00
import samba . tests
2010-11-24 18:48:56 +03:00
from samba . tests import delete_force
2011-08-05 08:03:58 +04:00
import samba . dsdb
2018-05-11 02:03:03 +03:00
from samba . tests . password_test import PasswordCommon
2009-11-05 18:40:54 +03:00
2010-11-10 15:35:30 +03:00
parser = optparse . OptionParser ( " acl.py [options] <host> " )
2009-11-05 18:40:54 +03:00
sambaopts = options . SambaOptions ( parser )
parser . add_option_group ( sambaopts )
parser . add_option_group ( options . VersionOptions ( parser ) )
# use command line creds if available
credopts = options . CredentialsOptions ( parser )
parser . add_option_group ( credopts )
2014-11-02 20:44:05 +03:00
subunitopts = SubunitOptions ( parser )
parser . add_option_group ( subunitopts )
2009-11-05 18:40:54 +03:00
opts , args = parser . parse_args ( )
if len ( args ) < 1 :
parser . print_usage ( )
sys . exit ( 1 )
host = args [ 0 ]
2010-12-22 13:27:50 +03:00
if not " :// " in host :
ldaphost = " ldap:// %s " % host
else :
ldaphost = host
start = host . rindex ( " :// " )
2018-07-30 09:18:25 +03:00
host = host . lstrip ( start + 3 )
2009-11-05 18:40:54 +03:00
lp = sambaopts . get_loadparm ( )
creds = credopts . get_credentials ( lp )
2010-06-11 18:22:21 +04:00
creds . set_gensec_features ( creds . get_gensec_features ( ) | gensec . FEATURE_SEAL )
2009-11-05 18:40:54 +03:00
#
# Tests start here
#
2018-07-30 09:20:39 +03:00
2010-06-19 20:57:35 +04:00
class AclTests ( samba . tests . TestCase ) :
2009-11-05 18:40:54 +03:00
def setUp ( self ) :
2010-06-19 20:57:35 +04:00
super ( AclTests , self ) . setUp ( )
2014-11-02 06:06:52 +03:00
self . ldb_admin = SamDB ( ldaphost , credentials = creds , session_info = system_session ( lp ) , lp = lp )
self . base_dn = self . ldb_admin . domain_dn ( )
self . domain_sid = security . dom_sid ( self . ldb_admin . get_domain_sid ( ) )
2010-03-04 16:22:30 +03:00
self . user_pass = " samba123@ "
2010-11-18 21:43:16 +03:00
self . configuration_dn = self . ldb_admin . get_config_basedn ( ) . get_linearized ( )
2014-11-02 06:06:52 +03:00
self . sd_utils = sd_utils . SDUtils ( self . ldb_admin )
2018-01-08 03:24:25 +03:00
self . addCleanup ( self . delete_admin_connection )
2018-07-30 09:19:49 +03:00
# used for anonymous login
2010-12-15 22:28:59 +03:00
self . creds_tmp = Credentials ( )
self . creds_tmp . set_username ( " " )
self . creds_tmp . set_password ( " " )
self . creds_tmp . set_domain ( creds . get_domain ( ) )
self . creds_tmp . set_realm ( creds . get_realm ( ) )
self . creds_tmp . set_workstation ( creds . get_workstation ( ) )
2018-03-09 16:57:01 +03:00
print ( " baseDN: %s " % self . base_dn )
2009-11-05 18:40:54 +03:00
def get_user_dn ( self , name ) :
return " CN= %s ,CN=Users, %s " % ( name , self . base_dn )
2010-06-11 18:22:21 +04:00
def get_ldb_connection ( self , target_username , target_password ) :
creds_tmp = Credentials ( )
creds_tmp . set_username ( target_username )
creds_tmp . set_password ( target_password )
creds_tmp . set_domain ( creds . get_domain ( ) )
creds_tmp . set_realm ( creds . get_realm ( ) )
creds_tmp . set_workstation ( creds . get_workstation ( ) )
creds_tmp . set_gensec_features ( creds_tmp . get_gensec_features ( )
| gensec . FEATURE_SEAL )
2018-07-30 09:19:33 +03:00
creds_tmp . set_kerberos_state ( DONT_USE_KERBEROS ) # kinit is too expensive to use in a tight loop
2010-12-22 13:27:50 +03:00
ldb_target = SamDB ( url = ldaphost , credentials = creds_tmp , lp = lp )
2009-11-05 18:40:54 +03:00
return ldb_target
2010-03-04 16:22:30 +03:00
# Test if we have any additional groups for users than default ones
def assert_user_no_group_member ( self , username ) :
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s ) " % self . get_user_dn ( username ) )
2010-03-04 16:22:30 +03:00
try :
2010-06-19 20:57:35 +04:00
self . assertEqual ( res [ 0 ] [ " memberOf " ] [ 0 ] , " " )
2010-03-04 16:22:30 +03:00
except KeyError :
pass
else :
self . fail ( )
2009-11-05 18:40:54 +03:00
2018-01-08 03:24:25 +03:00
def delete_admin_connection ( self ) :
del self . sd_utils
del self . ldb_admin
2018-07-30 09:19:49 +03:00
# tests on ldap add operations
2018-07-30 09:20:39 +03:00
2010-03-04 16:22:30 +03:00
class AclAddTests ( AclTests ) :
2010-06-19 20:57:35 +04:00
2010-03-04 16:22:30 +03:00
def setUp ( self ) :
2010-06-19 20:57:35 +04:00
super ( AclAddTests , self ) . setUp ( )
2010-03-04 16:22:30 +03:00
# Domain admin that will be creator of OU parent-child structure
self . usr_admin_owner = " acl_add_user1 "
# Second domain admin that will not be creator of OU parent-child structure
self . usr_admin_not_owner = " acl_add_user2 "
# Regular user
self . regular_user = " acl_add_user3 "
2010-11-23 18:51:40 +03:00
self . test_user1 = " test_add_user1 "
self . test_group1 = " test_add_group1 "
self . ou1 = " OU=test_add_ou1 "
self . ou2 = " OU=test_add_ou2, %s " % self . ou1
self . ldb_admin . newuser ( self . usr_admin_owner , self . user_pass )
self . ldb_admin . newuser ( self . usr_admin_not_owner , self . user_pass )
self . ldb_admin . newuser ( self . regular_user , self . user_pass )
2010-03-04 16:22:30 +03:00
# add admins to the Domain Admins group
2012-06-19 14:43:08 +04:00
self . ldb_admin . add_remove_group_members ( " Domain Admins " , [ self . usr_admin_owner ] ,
2018-07-30 09:16:12 +03:00
add_members_operation = True )
2012-06-19 14:43:08 +04:00
self . ldb_admin . add_remove_group_members ( " Domain Admins " , [ self . usr_admin_not_owner ] ,
2018-07-30 09:16:12 +03:00
add_members_operation = True )
2010-03-04 16:22:30 +03:00
2010-06-11 18:22:21 +04:00
self . ldb_owner = self . get_ldb_connection ( self . usr_admin_owner , self . user_pass )
self . ldb_notowner = self . get_ldb_connection ( self . usr_admin_not_owner , self . user_pass )
self . ldb_user = self . get_ldb_connection ( self . regular_user , self . user_pass )
2010-03-04 16:22:30 +03:00
def tearDown ( self ) :
2010-06-19 20:57:35 +04:00
super ( AclAddTests , self ) . tearDown ( )
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , " CN= %s , %s , %s " %
2018-07-30 09:15:34 +03:00
( self . test_user1 , self . ou2 , self . base_dn ) )
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , " CN= %s , %s , %s " %
2018-07-30 09:15:34 +03:00
( self . test_group1 , self . ou2 , self . base_dn ) )
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , " %s , %s " % ( self . ou2 , self . base_dn ) )
delete_force ( self . ldb_admin , " %s , %s " % ( self . ou1 , self . base_dn ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . usr_admin_owner ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . usr_admin_not_owner ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . regular_user ) )
2010-12-15 22:28:59 +03:00
delete_force ( self . ldb_admin , self . get_user_dn ( " test_add_anonymous " ) )
2010-03-04 16:22:30 +03:00
2018-01-08 03:24:25 +03:00
del self . ldb_notowner
del self . ldb_owner
del self . ldb_user
2010-03-04 16:22:30 +03:00
# Make sure top OU is deleted (and so everything under it)
def assert_top_ou_deleted ( self ) :
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s , %s ) " % (
2010-06-19 20:57:35 +04:00
" OU=test_add_ou1 " , self . base_dn ) )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2010-03-04 16:22:30 +03:00
def test_add_u1 ( self ) :
""" Testing OU with the rights of Doman Admin not creator of the OU """
self . assert_top_ou_deleted ( )
2009-11-05 18:40:54 +03:00
# Change descriptor for top level OU
2010-11-23 15:32:42 +03:00
self . ldb_owner . create_ou ( " OU=test_add_ou1, " + self . base_dn )
self . ldb_owner . create_ou ( " OU=test_add_ou2,OU=test_add_ou1, " + self . base_dn )
2010-12-10 11:31:19 +03:00
user_sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . usr_admin_not_owner ) )
2009-11-05 18:40:54 +03:00
mod = " (D;CI;WPCC;;; %s ) " % str ( user_sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=test_add_ou1, " + self . base_dn , mod )
2009-11-05 18:40:54 +03:00
# Test user and group creation with another domain admin's credentials
2010-11-23 18:51:40 +03:00
self . ldb_notowner . newuser ( self . test_user1 , self . user_pass , userou = self . ou2 )
2010-11-23 22:59:39 +03:00
self . ldb_notowner . newgroup ( " test_add_group1 " , groupou = " OU=test_add_ou2,OU=test_add_ou1 " ,
2011-08-05 08:03:58 +04:00
grouptype = samba . dsdb . GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP )
2009-11-05 18:40:54 +03:00
# Make sure we HAVE created the two objects -- user and group
# !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE
# !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s , %s ) " % ( " CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1 " , self . base_dn ) )
self . assertTrue ( len ( res ) > 0 )
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s , %s ) " % ( " CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1 " , self . base_dn ) )
self . assertTrue ( len ( res ) > 0 )
2009-11-05 18:40:54 +03:00
2010-03-04 16:22:30 +03:00
def test_add_u2 ( self ) :
""" Testing OU with the regular user that has no rights granted over the OU """
self . assert_top_ou_deleted ( )
2009-11-05 18:40:54 +03:00
# Create a parent-child OU structure with domain admin credentials
2010-11-23 15:32:42 +03:00
self . ldb_owner . create_ou ( " OU=test_add_ou1, " + self . base_dn )
self . ldb_owner . create_ou ( " OU=test_add_ou2,OU=test_add_ou1, " + self . base_dn )
2009-11-05 18:40:54 +03:00
# Test user and group creation with regular user credentials
try :
2010-11-23 18:51:40 +03:00
self . ldb_user . newuser ( self . test_user1 , self . user_pass , userou = self . ou2 )
2010-11-23 22:59:39 +03:00
self . ldb_user . newgroup ( " test_add_group1 " , groupou = " OU=test_add_ou2,OU=test_add_ou1 " ,
2011-08-05 08:03:58 +04:00
grouptype = samba . dsdb . GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP )
2018-02-23 17:34:23 +03:00
except LdbError as e :
( num , _ ) = e . args
2009-11-05 18:40:54 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
# Make sure we HAVEN'T created any of two objects -- user or group
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s , %s ) " % ( " CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1 " , self . base_dn ) )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s , %s ) " % ( " CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1 " , self . base_dn ) )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2009-11-05 18:40:54 +03:00
2010-03-04 16:22:30 +03:00
def test_add_u3 ( self ) :
""" Testing OU with the rights of regular user granted the right ' Create User child objects ' """
self . assert_top_ou_deleted ( )
2009-11-05 18:40:54 +03:00
# Change descriptor for top level OU
2010-11-23 15:32:42 +03:00
self . ldb_owner . create_ou ( " OU=test_add_ou1, " + self . base_dn )
2010-12-10 11:31:19 +03:00
user_sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . regular_user ) )
2009-11-05 18:40:54 +03:00
mod = " (OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( user_sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=test_add_ou1, " + self . base_dn , mod )
2010-11-23 15:32:42 +03:00
self . ldb_owner . create_ou ( " OU=test_add_ou2,OU=test_add_ou1, " + self . base_dn )
2009-11-05 18:40:54 +03:00
# Test user and group creation with granted user only to one of the objects
2010-11-23 18:51:40 +03:00
self . ldb_user . newuser ( self . test_user1 , self . user_pass , userou = self . ou2 , setpassword = False )
2009-11-05 18:40:54 +03:00
try :
2010-11-23 22:59:39 +03:00
self . ldb_user . newgroup ( " test_add_group1 " , groupou = " OU=test_add_ou2,OU=test_add_ou1 " ,
2011-08-05 08:03:58 +04:00
grouptype = samba . dsdb . GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP )
2018-02-23 17:34:23 +03:00
except LdbError as e1 :
( num , _ ) = e1 . args
2009-11-05 18:40:54 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
# Make sure we HAVE created the one of two objects -- user
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s , %s ) " %
( " CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1 " ,
self . base_dn ) )
2010-06-19 20:57:35 +04:00
self . assertNotEqual ( len ( res ) , 0 )
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s , %s ) " %
( " CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1 " ,
2018-07-30 09:17:02 +03:00
self . base_dn ) )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2009-11-05 18:40:54 +03:00
2010-03-04 16:22:30 +03:00
def test_add_u4 ( self ) :
2009-11-05 18:40:54 +03:00
""" 4 Testing OU with the rights of Doman Admin creator of the OU """
2010-03-04 16:22:30 +03:00
self . assert_top_ou_deleted ( )
2010-11-23 15:32:42 +03:00
self . ldb_owner . create_ou ( " OU=test_add_ou1, " + self . base_dn )
self . ldb_owner . create_ou ( " OU=test_add_ou2,OU=test_add_ou1, " + self . base_dn )
2010-11-23 18:51:40 +03:00
self . ldb_owner . newuser ( self . test_user1 , self . user_pass , userou = self . ou2 )
2010-11-23 22:59:39 +03:00
self . ldb_owner . newgroup ( " test_add_group1 " , groupou = " OU=test_add_ou2,OU=test_add_ou1 " ,
2018-07-30 09:15:34 +03:00
grouptype = samba . dsdb . GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP )
2009-11-05 18:40:54 +03:00
# Make sure we have successfully created the two objects -- user and group
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s , %s ) " % ( " CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1 " , self . base_dn ) )
self . assertTrue ( len ( res ) > 0 )
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s , %s ) " % ( " CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1 " , self . base_dn ) )
2010-06-19 20:57:35 +04:00
self . assertTrue ( len ( res ) > 0 )
2009-11-05 18:40:54 +03:00
2010-12-15 22:28:59 +03:00
def test_add_anonymous ( self ) :
""" Test add operation with anonymous user """
2010-12-22 13:27:50 +03:00
anonymous = SamDB ( url = ldaphost , credentials = self . creds_tmp , lp = lp )
2010-12-15 22:28:59 +03:00
try :
anonymous . newuser ( " test_add_anonymous " , self . user_pass )
2018-02-23 17:34:23 +03:00
except LdbError as e2 :
( num , _ ) = e2 . args
2010-12-15 22:28:59 +03:00
self . assertEquals ( num , ERR_OPERATIONS_ERROR )
else :
self . fail ( )
2018-07-30 09:19:49 +03:00
# tests on ldap modify operations
2018-07-30 09:20:39 +03:00
2010-03-04 16:22:30 +03:00
class AclModifyTests ( AclTests ) :
def setUp ( self ) :
2010-06-19 20:57:35 +04:00
super ( AclModifyTests , self ) . setUp ( )
2010-03-04 16:22:30 +03:00
self . user_with_wp = " acl_mod_user1 "
2010-06-28 11:34:14 +04:00
self . user_with_sm = " acl_mod_user2 "
self . user_with_group_sm = " acl_mod_user3 "
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . user_with_wp , self . user_pass )
self . ldb_admin . newuser ( self . user_with_sm , self . user_pass )
self . ldb_admin . newuser ( self . user_with_group_sm , self . user_pass )
2010-06-11 18:22:21 +04:00
self . ldb_user = self . get_ldb_connection ( self . user_with_wp , self . user_pass )
2010-06-28 11:34:14 +04:00
self . ldb_user2 = self . get_ldb_connection ( self . user_with_sm , self . user_pass )
self . ldb_user3 = self . get_ldb_connection ( self . user_with_group_sm , self . user_pass )
2018-07-30 09:16:43 +03:00
self . user_sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . user_with_wp ) )
2011-08-05 08:03:58 +04:00
self . ldb_admin . newgroup ( " test_modify_group2 " , grouptype = samba . dsdb . GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP )
self . ldb_admin . newgroup ( " test_modify_group3 " , grouptype = samba . dsdb . GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP )
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( " test_modify_user2 " , self . user_pass )
2010-03-04 16:22:30 +03:00
def tearDown ( self ) :
2010-06-19 20:57:35 +04:00
super ( AclModifyTests , self ) . tearDown ( )
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , self . get_user_dn ( " test_modify_user1 " ) )
delete_force ( self . ldb_admin , " CN=test_modify_group1,CN=Users, " + self . base_dn )
delete_force ( self . ldb_admin , " CN=test_modify_group2,CN=Users, " + self . base_dn )
delete_force ( self . ldb_admin , " CN=test_modify_group3,CN=Users, " + self . base_dn )
delete_force ( self . ldb_admin , " OU=test_modify_ou1, " + self . base_dn )
delete_force ( self . ldb_admin , self . get_user_dn ( self . user_with_wp ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . user_with_sm ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . user_with_group_sm ) )
delete_force ( self . ldb_admin , self . get_user_dn ( " test_modify_user2 " ) )
2010-12-15 22:28:59 +03:00
delete_force ( self . ldb_admin , self . get_user_dn ( " test_anonymous " ) )
2010-03-04 16:22:30 +03:00
2018-01-08 03:24:25 +03:00
del self . ldb_user
del self . ldb_user2
del self . ldb_user3
2010-03-04 16:22:30 +03:00
def test_modify_u1 ( self ) :
""" 5 Modify one attribute if you have DS_WRITE_PROPERTY for it """
mod = " (OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( self . user_sid )
2009-11-05 18:40:54 +03:00
# First test object -- User
2018-03-09 16:57:01 +03:00
print ( " Testing modify on User object " )
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( " test_modify_user1 " , self . user_pass )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( " test_modify_user1 " ) , mod )
2009-11-05 18:40:54 +03:00
ldif = """
dn : """ + self.get_user_dn( " test_modify_user1 " ) + """
changetype : modify
replace : displayName
displayName : test_changed """
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % self . get_user_dn ( " test_modify_user1 " ) )
2009-11-05 18:40:54 +03:00
self . assertEqual ( res [ 0 ] [ " displayName " ] [ 0 ] , " test_changed " )
# Second test object -- Group
2018-03-09 16:57:01 +03:00
print ( " Testing modify on Group object " )
2011-08-05 08:03:58 +04:00
self . ldb_admin . newgroup ( " test_modify_group1 " ,
grouptype = samba . dsdb . GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " CN=test_modify_group1,CN=Users, " + self . base_dn , mod )
2009-11-05 18:40:54 +03:00
ldif = """
dn : CN = test_modify_group1 , CN = Users , """ + self.base_dn + """
changetype : modify
replace : displayName
displayName : test_changed """
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s ) " % str ( " CN=test_modify_group1,CN=Users, " + self . base_dn ) )
2009-11-05 18:40:54 +03:00
self . assertEqual ( res [ 0 ] [ " displayName " ] [ 0 ] , " test_changed " )
2010-03-04 16:22:30 +03:00
# Third test object -- Organizational Unit
2018-03-09 16:57:01 +03:00
print ( " Testing modify on OU object " )
2010-11-24 18:48:56 +03:00
#delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( " OU=test_modify_ou1, " + self . base_dn )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=test_modify_ou1, " + self . base_dn , mod )
2009-11-05 18:40:54 +03:00
ldif = """
dn : OU = test_modify_ou1 , """ + self.base_dn + """
changetype : modify
replace : displayName
displayName : test_changed """
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s ) " % str ( " OU=test_modify_ou1, " + self . base_dn ) )
2009-11-05 18:40:54 +03:00
self . assertEqual ( res [ 0 ] [ " displayName " ] [ 0 ] , " test_changed " )
2010-07-02 17:38:05 +04:00
def test_modify_u2 ( self ) :
2009-11-05 18:40:54 +03:00
""" 6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them """
2010-03-04 16:22:30 +03:00
mod = " (OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( self . user_sid )
2009-11-05 18:40:54 +03:00
# First test object -- User
2018-03-09 16:57:01 +03:00
print ( " Testing modify on User object " )
2010-11-24 18:48:56 +03:00
#delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( " test_modify_user1 " , self . user_pass )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( " test_modify_user1 " ) , mod )
2009-11-05 18:40:54 +03:00
# Modify on attribute you have rights for
ldif = """
dn : """ + self.get_user_dn( " test_modify_user1 " ) + """
changetype : modify
replace : displayName
displayName : test_changed """
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " %
self . get_user_dn ( " test_modify_user1 " ) )
2009-11-05 18:40:54 +03:00
self . assertEqual ( res [ 0 ] [ " displayName " ] [ 0 ] , " test_changed " )
# Modify on attribute you do not have rights for granted
ldif = """
dn : """ + self.get_user_dn( " test_modify_user1 " ) + """
changetype : modify
replace : url
url : www . samba . org """
try :
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e3 :
( num , _ ) = e3 . args
2009-11-05 18:40:54 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self . fail ( )
# Second test object -- Group
2018-03-09 16:57:01 +03:00
print ( " Testing modify on Group object " )
2011-08-05 08:03:58 +04:00
self . ldb_admin . newgroup ( " test_modify_group1 " ,
grouptype = samba . dsdb . GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " CN=test_modify_group1,CN=Users, " + self . base_dn , mod )
2009-11-05 18:40:54 +03:00
ldif = """
dn : CN = test_modify_group1 , CN = Users , """ + self.base_dn + """
changetype : modify
replace : displayName
displayName : test_changed """
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " %
str ( " CN=test_modify_group1,CN=Users, " + self . base_dn ) )
2009-11-05 18:40:54 +03:00
self . assertEqual ( res [ 0 ] [ " displayName " ] [ 0 ] , " test_changed " )
# Modify on attribute you do not have rights for granted
ldif = """
dn : CN = test_modify_group1 , CN = Users , """ + self.base_dn + """
changetype : modify
replace : url
url : www . samba . org """
try :
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e4 :
( num , _ ) = e4 . args
2013-01-10 02:30:38 +04:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self . fail ( )
# Modify on attribute you do not have rights for granted while also modifying something you do have rights for
ldif = """
dn : CN = test_modify_group1 , CN = Users , """ + self.base_dn + """
changetype : modify
replace : url
url : www . samba . org
replace : displayName
displayName : test_changed """
try :
self . ldb_user . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e5 :
( num , _ ) = e5 . args
2009-11-05 18:40:54 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self . fail ( )
# Second test object -- Organizational Unit
2018-03-09 16:57:01 +03:00
print ( " Testing modify on OU object " )
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( " OU=test_modify_ou1, " + self . base_dn )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=test_modify_ou1, " + self . base_dn , mod )
2009-11-05 18:40:54 +03:00
ldif = """
dn : OU = test_modify_ou1 , """ + self.base_dn + """
changetype : modify
replace : displayName
displayName : test_changed """
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % str ( " OU=test_modify_ou1, "
+ self . base_dn ) )
2009-11-05 18:40:54 +03:00
self . assertEqual ( res [ 0 ] [ " displayName " ] [ 0 ] , " test_changed " )
# Modify on attribute you do not have rights for granted
ldif = """
dn : OU = test_modify_ou1 , """ + self.base_dn + """
changetype : modify
replace : url
url : www . samba . org """
try :
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e6 :
( num , _ ) = e6 . args
2009-11-05 18:40:54 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self . fail ( )
def test_modify_u3 ( self ) :
""" 7 Modify one attribute as you have no what so ever rights granted """
# First test object -- User
2018-03-09 16:57:01 +03:00
print ( " Testing modify on User object " )
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( " test_modify_user1 " , self . user_pass )
2009-11-05 18:40:54 +03:00
# Modify on attribute you do not have rights for granted
ldif = """
dn : """ + self.get_user_dn( " test_modify_user1 " ) + """
changetype : modify
replace : url
url : www . samba . org """
try :
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e7 :
( num , _ ) = e7 . args
2009-11-05 18:40:54 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self . fail ( )
# Second test object -- Group
2018-03-09 16:57:01 +03:00
print ( " Testing modify on Group object " )
2011-08-05 08:03:58 +04:00
self . ldb_admin . newgroup ( " test_modify_group1 " ,
grouptype = samba . dsdb . GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP )
2009-11-05 18:40:54 +03:00
# Modify on attribute you do not have rights for granted
ldif = """
dn : CN = test_modify_group1 , CN = Users , """ + self.base_dn + """
changetype : modify
replace : url
url : www . samba . org """
try :
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e8 :
( num , _ ) = e8 . args
2009-11-05 18:40:54 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self . fail ( )
# Second test object -- Organizational Unit
2018-03-09 16:57:01 +03:00
print ( " Testing modify on OU object " )
2010-11-24 18:48:56 +03:00
#delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( " OU=test_modify_ou1, " + self . base_dn )
2009-11-05 18:40:54 +03:00
# Modify on attribute you do not have rights for granted
ldif = """
dn : OU = test_modify_ou1 , """ + self.base_dn + """
changetype : modify
replace : url
url : www . samba . org """
try :
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e9 :
( num , _ ) = e9 . args
2009-11-05 18:40:54 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self . fail ( )
2009-12-17 18:25:11 +03:00
def test_modify_u4 ( self ) :
""" 11 Grant WP to PRINCIPAL_SELF and test modify """
ldif = """
2010-03-04 16:22:30 +03:00
dn : """ + self.get_user_dn(self.user_with_wp) + """
2009-12-17 18:25:11 +03:00
changetype : modify
add : adminDescription
adminDescription : blah blah blah """
try :
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e10 :
( num , _ ) = e10 . args
2009-12-17 18:25:11 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self . fail ( )
mod = " (OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
2009-12-17 18:25:11 +03:00
# Modify on attribute you have rights for
2010-03-04 16:22:30 +03:00
self . ldb_user . modify_ldif ( ldif )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s ) " \
2018-07-30 09:17:02 +03:00
% self . get_user_dn ( self . user_with_wp ) , attrs = [ " adminDescription " ] )
2009-12-17 18:25:11 +03:00
self . assertEqual ( res [ 0 ] [ " adminDescription " ] [ 0 ] , " blah blah blah " )
2010-06-28 11:34:14 +04:00
def test_modify_u5 ( self ) :
""" 12 test self membership """
ldif = """
dn : CN = test_modify_group2 , CN = Users , """ + self.base_dn + """
changetype : modify
add : Member
2018-07-30 09:17:44 +03:00
Member : """ + self.get_user_dn(self.user_with_sm)
2018-07-30 09:19:49 +03:00
# the user has no rights granted, this should fail
2010-06-28 11:34:14 +04:00
try :
self . ldb_user2 . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e11 :
( num , _ ) = e11 . args
2010-06-28 11:34:14 +04:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self . fail ( )
2018-07-30 09:19:49 +03:00
# grant self-membership, should be able to add himself
2010-12-10 11:31:19 +03:00
user_sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . user_with_sm ) )
2010-06-28 11:34:14 +04:00
mod = " (OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( user_sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " CN=test_modify_group2,CN=Users, " + self . base_dn , mod )
2010-06-28 11:34:14 +04:00
self . ldb_user2 . modify_ldif ( ldif )
2018-07-30 09:16:43 +03:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s ) " \
2018-07-30 09:16:12 +03:00
% ( " CN=test_modify_group2,CN=Users, " + self . base_dn ) , attrs = [ " Member " ] )
2010-06-28 11:34:14 +04:00
self . assertEqual ( res [ 0 ] [ " Member " ] [ 0 ] , self . get_user_dn ( self . user_with_sm ) )
2018-07-30 09:19:49 +03:00
# but not other users
2010-06-28 11:34:14 +04:00
ldif = """
dn : CN = test_modify_group2 , CN = Users , """ + self.base_dn + """
changetype : modify
add : Member
Member : CN = test_modify_user2 , CN = Users , """ + self.base_dn
try :
self . ldb_user2 . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e12 :
( num , _ ) = e12 . args
2010-06-28 11:34:14 +04:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
def test_modify_u6 ( self ) :
""" 13 test self membership """
ldif = """
dn : CN = test_modify_group2 , CN = Users , """ + self.base_dn + """
changetype : modify
add : Member
2018-07-30 09:17:44 +03:00
Member : """ + self.get_user_dn(self.user_with_sm) + """
2010-06-28 11:34:14 +04:00
Member : CN = test_modify_user2 , CN = Users , """ + self.base_dn
2018-07-30 09:19:49 +03:00
# grant self-membership, should be able to add himself but not others at the same time
2010-12-10 11:31:19 +03:00
user_sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . user_with_sm ) )
2010-06-28 11:34:14 +04:00
mod = " (OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( user_sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " CN=test_modify_group2,CN=Users, " + self . base_dn , mod )
2010-06-28 11:34:14 +04:00
try :
self . ldb_user2 . modify_ldif ( ldif )
2018-02-23 17:34:23 +03:00
except LdbError as e13 :
( num , _ ) = e13 . args
2010-06-28 11:34:14 +04:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
def test_modify_u7 ( self ) :
""" 13 User with WP modifying Member """
2018-07-30 09:19:49 +03:00
# a second user is given write property permission
2010-12-10 11:31:19 +03:00
user_sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . user_with_wp ) )
2010-07-02 17:38:05 +04:00
mod = " (A;;WP;;; %s ) " % str ( user_sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " CN=test_modify_group2,CN=Users, " + self . base_dn , mod )
2010-06-28 11:34:14 +04:00
ldif = """
dn : CN = test_modify_group2 , CN = Users , """ + self.base_dn + """
changetype : modify
add : Member
2018-07-30 09:17:44 +03:00
Member : """ + self.get_user_dn(self.user_with_wp)
2010-06-28 11:34:14 +04:00
self . ldb_user . modify_ldif ( ldif )
2018-07-30 09:16:43 +03:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s ) " \
2018-07-30 09:16:12 +03:00
% ( " CN=test_modify_group2,CN=Users, " + self . base_dn ) , attrs = [ " Member " ] )
2010-06-28 11:34:14 +04:00
self . assertEqual ( res [ 0 ] [ " Member " ] [ 0 ] , self . get_user_dn ( self . user_with_wp ) )
ldif = """
dn : CN = test_modify_group2 , CN = Users , """ + self.base_dn + """
changetype : modify
delete : Member """
self . ldb_user . modify_ldif ( ldif )
ldif = """
dn : CN = test_modify_group2 , CN = Users , """ + self.base_dn + """
changetype : modify
add : Member
Member : CN = test_modify_user2 , CN = Users , """ + self.base_dn
self . ldb_user . modify_ldif ( ldif )
2018-07-30 09:16:43 +03:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s ) " \
2018-07-30 09:16:12 +03:00
% ( " CN=test_modify_group2,CN=Users, " + self . base_dn ) , attrs = [ " Member " ] )
2010-06-28 11:34:14 +04:00
self . assertEqual ( res [ 0 ] [ " Member " ] [ 0 ] , " CN=test_modify_user2,CN=Users, " + self . base_dn )
2010-03-04 16:22:30 +03:00
2010-12-15 22:28:59 +03:00
def test_modify_anonymous ( self ) :
""" Test add operation with anonymous user """
2010-12-22 13:27:50 +03:00
anonymous = SamDB ( url = ldaphost , credentials = self . creds_tmp , lp = lp )
2010-12-15 22:28:59 +03:00
self . ldb_admin . newuser ( " test_anonymous " , " samba123@ " )
m = Message ( )
m . dn = Dn ( anonymous , self . get_user_dn ( " test_anonymous " ) )
m [ " description " ] = MessageElement ( " sambauser2 " ,
FLAG_MOD_ADD ,
" description " )
try :
anonymous . modify ( m )
2018-02-23 17:34:23 +03:00
except LdbError as e14 :
( num , _ ) = e14 . args
2010-12-15 22:28:59 +03:00
self . assertEquals ( num , ERR_OPERATIONS_ERROR )
else :
self . fail ( )
2018-07-30 09:19:49 +03:00
# enable these when we have search implemented
2018-07-30 09:20:39 +03:00
2010-03-04 16:22:30 +03:00
class AclSearchTests ( AclTests ) :
def setUp ( self ) :
2010-07-14 15:44:46 +04:00
super ( AclSearchTests , self ) . setUp ( )
2018-05-11 02:03:03 +03:00
# permit password changes during this test
PasswordCommon . allow_password_changes ( self , self . ldb_admin )
2014-11-02 06:06:52 +03:00
2010-08-17 18:05:42 +04:00
self . u1 = " search_u1 "
self . u2 = " search_u2 "
self . u3 = " search_u3 "
self . group1 = " group1 "
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . u1 , self . user_pass )
self . ldb_admin . newuser ( self . u2 , self . user_pass )
self . ldb_admin . newuser ( self . u3 , self . user_pass )
2011-08-05 08:03:58 +04:00
self . ldb_admin . newgroup ( self . group1 , grouptype = samba . dsdb . GTYPE_SECURITY_GLOBAL_GROUP )
2012-06-19 14:43:08 +04:00
self . ldb_admin . add_remove_group_members ( self . group1 , [ self . u2 ] ,
2010-11-18 20:12:36 +03:00
add_members_operation = True )
2010-08-17 18:05:42 +04:00
self . ldb_user = self . get_ldb_connection ( self . u1 , self . user_pass )
self . ldb_user2 = self . get_ldb_connection ( self . u2 , self . user_pass )
self . ldb_user3 = self . get_ldb_connection ( self . u3 , self . user_pass )
2018-07-30 09:19:11 +03:00
self . full_list = [ Dn ( self . ldb_admin , " OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou3,OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou4,OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou5,OU=ou3,OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou6,OU=ou4,OU=ou2,OU=ou1, " + self . base_dn ) ]
2010-12-10 11:31:19 +03:00
self . user_sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . u1 ) )
self . group_sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . group1 ) )
2010-08-17 18:05:42 +04:00
def create_clean_ou ( self , object_dn ) :
""" Base repeating setup for unittests to follow """
res = self . ldb_admin . search ( base = self . base_dn , scope = SCOPE_SUBTREE , \
2018-07-30 09:16:12 +03:00
expression = " distinguishedName= %s " % object_dn )
2010-08-17 18:05:42 +04:00
# Make sure top testing OU has been deleted before starting the test
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( object_dn )
2010-12-10 11:31:19 +03:00
desc_sddl = self . sd_utils . get_sd_as_sddl ( object_dn )
2010-08-17 18:05:42 +04:00
# Make sure there are inheritable ACEs initially
self . assertTrue ( " CI " in desc_sddl or " OI " in desc_sddl )
# Find and remove all inherit ACEs
res = re . findall ( " \ (.*? \ ) " , desc_sddl )
res = [ x for x in res if ( " CI " in x ) or ( " OI " in x ) ]
for x in res :
desc_sddl = desc_sddl . replace ( x , " " )
# Add flag 'protected' in both DACL and SACL so no inherit ACEs
# can propagate from above
# remove SACL, we are not interested
desc_sddl = desc_sddl . replace ( " :AI " , " :AIP " )
2010-12-10 11:31:19 +03:00
self . sd_utils . modify_sd_on_dn ( object_dn , desc_sddl )
2010-08-17 18:05:42 +04:00
# Verify all inheritable ACEs are gone
2010-12-10 11:31:19 +03:00
desc_sddl = self . sd_utils . get_sd_as_sddl ( object_dn )
2010-08-17 18:05:42 +04:00
self . assertFalse ( " CI " in desc_sddl )
self . assertFalse ( " OI " in desc_sddl )
2010-03-04 16:22:30 +03:00
def tearDown ( self ) :
2010-06-19 20:57:35 +04:00
super ( AclSearchTests , self ) . tearDown ( )
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , " OU=test_search_ou2,OU=test_search_ou1, " + self . base_dn )
delete_force ( self . ldb_admin , " OU=test_search_ou1, " + self . base_dn )
delete_force ( self . ldb_admin , " OU=ou6,OU=ou4,OU=ou2,OU=ou1, " + self . base_dn )
delete_force ( self . ldb_admin , " OU=ou5,OU=ou3,OU=ou2,OU=ou1, " + self . base_dn )
delete_force ( self . ldb_admin , " OU=ou4,OU=ou2,OU=ou1, " + self . base_dn )
delete_force ( self . ldb_admin , " OU=ou3,OU=ou2,OU=ou1, " + self . base_dn )
delete_force ( self . ldb_admin , " OU=ou2,OU=ou1, " + self . base_dn )
delete_force ( self . ldb_admin , " OU=ou1, " + self . base_dn )
delete_force ( self . ldb_admin , self . get_user_dn ( " search_u1 " ) )
delete_force ( self . ldb_admin , self . get_user_dn ( " search_u2 " ) )
delete_force ( self . ldb_admin , self . get_user_dn ( " search_u3 " ) )
delete_force ( self . ldb_admin , self . get_user_dn ( " group1 " ) )
2010-03-04 16:22:30 +03:00
2018-01-08 03:24:25 +03:00
del self . ldb_user
del self . ldb_user2
del self . ldb_user3
2010-07-14 15:44:46 +04:00
def test_search_anonymous1 ( self ) :
""" Verify access of rootDSE with the correct request """
2010-12-22 13:27:50 +03:00
anonymous = SamDB ( url = ldaphost , credentials = self . creds_tmp , lp = lp )
2010-11-25 22:01:05 +03:00
res = anonymous . search ( " " , expression = " (objectClass=*) " , scope = SCOPE_BASE )
2010-07-14 15:44:46 +04:00
self . assertEquals ( len ( res ) , 1 )
2018-07-30 09:19:49 +03:00
# verify some of the attributes
# don't care about values
2010-07-14 15:44:46 +04:00
self . assertTrue ( " ldapServiceName " in res [ 0 ] )
self . assertTrue ( " namingContexts " in res [ 0 ] )
self . assertTrue ( " isSynchronized " in res [ 0 ] )
self . assertTrue ( " dsServiceName " in res [ 0 ] )
self . assertTrue ( " supportedSASLMechanisms " in res [ 0 ] )
self . assertTrue ( " isGlobalCatalogReady " in res [ 0 ] )
self . assertTrue ( " domainControllerFunctionality " in res [ 0 ] )
self . assertTrue ( " serverName " in res [ 0 ] )
def test_search_anonymous2 ( self ) :
""" Make sure we cannot access anything else """
2010-12-22 13:27:50 +03:00
anonymous = SamDB ( url = ldaphost , credentials = self . creds_tmp , lp = lp )
2010-07-14 15:44:46 +04:00
try :
2010-11-25 22:01:05 +03:00
res = anonymous . search ( " " , expression = " (objectClass=*) " , scope = SCOPE_SUBTREE )
2018-02-23 17:34:23 +03:00
except LdbError as e15 :
( num , _ ) = e15 . args
2010-07-14 15:44:46 +04:00
self . assertEquals ( num , ERR_OPERATIONS_ERROR )
else :
self . fail ( )
try :
2010-11-25 22:01:05 +03:00
res = anonymous . search ( self . base_dn , expression = " (objectClass=*) " , scope = SCOPE_SUBTREE )
2018-02-23 17:34:23 +03:00
except LdbError as e16 :
( num , _ ) = e16 . args
2010-07-14 15:44:46 +04:00
self . assertEquals ( num , ERR_OPERATIONS_ERROR )
else :
self . fail ( )
try :
2011-09-16 05:14:12 +04:00
res = anonymous . search ( anonymous . get_config_basedn ( ) , expression = " (objectClass=*) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_SUBTREE )
2018-02-23 17:34:23 +03:00
except LdbError as e17 :
( num , _ ) = e17 . args
2010-07-14 15:44:46 +04:00
self . assertEquals ( num , ERR_OPERATIONS_ERROR )
else :
self . fail ( )
2009-11-05 18:40:54 +03:00
2010-07-14 15:44:46 +04:00
def test_search_anonymous3 ( self ) :
""" Set dsHeuristics and repeat """
2010-11-23 12:21:22 +03:00
self . ldb_admin . set_dsheuristics ( " 0000002 " )
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( " OU=test_search_ou1, " + self . base_dn )
2010-07-14 15:44:46 +04:00
mod = " (A;CI;LC;;;AN) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=test_search_ou1, " + self . base_dn , mod )
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( " OU=test_search_ou2,OU=test_search_ou1, " + self . base_dn )
2010-12-22 13:27:50 +03:00
anonymous = SamDB ( url = ldaphost , credentials = self . creds_tmp , lp = lp )
2010-11-25 22:01:05 +03:00
res = anonymous . search ( " OU=test_search_ou2,OU=test_search_ou1, " + self . base_dn ,
expression = " (objectClass=*) " , scope = SCOPE_SUBTREE )
2010-07-14 15:44:46 +04:00
self . assertEquals ( len ( res ) , 1 )
self . assertTrue ( " dn " in res [ 0 ] )
self . assertTrue ( res [ 0 ] [ " dn " ] == Dn ( self . ldb_admin ,
" OU=test_search_ou2,OU=test_search_ou1, " + self . base_dn ) )
2011-09-16 05:14:12 +04:00
res = anonymous . search ( anonymous . get_config_basedn ( ) , expression = " (objectClass=*) " ,
2010-11-25 22:01:05 +03:00
scope = SCOPE_SUBTREE )
2010-07-14 15:44:46 +04:00
self . assertEquals ( len ( res ) , 1 )
self . assertTrue ( " dn " in res [ 0 ] )
self . assertTrue ( res [ 0 ] [ " dn " ] == Dn ( self . ldb_admin , self . configuration_dn ) )
2009-11-05 18:40:54 +03:00
2010-08-17 18:05:42 +04:00
def test_search1 ( self ) :
2010-09-26 22:39:36 +04:00
""" Make sure users can see us if given LC to user and group """
2010-08-17 18:05:42 +04:00
self . create_clean_ou ( " OU=ou1, " + self . base_dn )
mod = " (A;;LC;;; %s )(A;;LC;;; %s ) " % ( str ( self . user_sid ) , str ( self . group_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou1, " + self . base_dn , mod )
2010-11-25 20:57:51 +03:00
tmp_desc = security . descriptor . from_sddl ( " D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) " + mod ,
self . domain_sid )
self . ldb_admin . create_ou ( " OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou3,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou4,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou5,OU=ou3,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou6,OU=ou4,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
2010-08-17 18:05:42 +04:00
2018-07-30 09:19:49 +03:00
# regular users must see only ou1 and ou2
2010-08-17 18:05:42 +04:00
res = self . ldb_user3 . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
scope = SCOPE_SUBTREE )
self . assertEquals ( len ( res ) , 2 )
2018-07-30 09:19:11 +03:00
ok_list = [ Dn ( self . ldb_admin , " OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou1, " + self . base_dn ) ]
2010-08-17 18:05:42 +04:00
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in ok_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
2018-07-30 09:19:49 +03:00
# these users should see all ous
2010-08-17 18:05:42 +04:00
res = self . ldb_user . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_SUBTREE )
2010-08-17 18:05:42 +04:00
self . assertEquals ( len ( res ) , 6 )
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in self . full_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( self . full_list ) )
res = self . ldb_user2 . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
scope = SCOPE_SUBTREE )
self . assertEquals ( len ( res ) , 6 )
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in self . full_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( self . full_list ) )
def test_search2 ( self ) :
2010-09-26 22:39:36 +04:00
""" Make sure users can ' t see us if access is explicitly denied """
2010-08-17 18:05:42 +04:00
self . create_clean_ou ( " OU=ou1, " + self . base_dn )
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( " OU=ou2,OU=ou1, " + self . base_dn )
self . ldb_admin . create_ou ( " OU=ou3,OU=ou2,OU=ou1, " + self . base_dn )
self . ldb_admin . create_ou ( " OU=ou4,OU=ou2,OU=ou1, " + self . base_dn )
self . ldb_admin . create_ou ( " OU=ou5,OU=ou3,OU=ou2,OU=ou1, " + self . base_dn )
self . ldb_admin . create_ou ( " OU=ou6,OU=ou4,OU=ou2,OU=ou1, " + self . base_dn )
2010-08-17 18:05:42 +04:00
mod = " (D;;LC;;; %s )(D;;LC;;; %s ) " % ( str ( self . user_sid ) , str ( self . group_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou2,OU=ou1, " + self . base_dn , mod )
2010-08-17 18:05:42 +04:00
res = self . ldb_user3 . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
scope = SCOPE_SUBTREE )
2018-07-30 09:19:49 +03:00
# this user should see all ous
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in self . full_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( self . full_list ) )
2018-07-30 09:19:49 +03:00
# these users should see ou1, 2, 5 and 6 but not 3 and 4
2010-08-17 18:05:42 +04:00
res = self . ldb_user . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_SUBTREE )
2018-07-30 09:19:11 +03:00
ok_list = [ Dn ( self . ldb_admin , " OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou5,OU=ou3,OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou6,OU=ou4,OU=ou2,OU=ou1, " + self . base_dn ) ]
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in ok_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
res = self . ldb_user2 . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
scope = SCOPE_SUBTREE )
self . assertEquals ( len ( res ) , 4 )
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in ok_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
def test_search3 ( self ) :
""" Make sure users can ' t see ous if access is explicitly denied - 2 """
self . create_clean_ou ( " OU=ou1, " + self . base_dn )
mod = " (A;CI;LC;;; %s )(A;CI;LC;;; %s ) " % ( str ( self . user_sid ) , str ( self . group_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou1, " + self . base_dn , mod )
2010-11-25 20:57:51 +03:00
tmp_desc = security . descriptor . from_sddl ( " D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) " + mod ,
self . domain_sid )
self . ldb_admin . create_ou ( " OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou3,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou4,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou5,OU=ou3,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou6,OU=ou4,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
2010-08-17 18:05:42 +04:00
2018-03-09 16:57:01 +03:00
print ( " Testing correct behavior on nonaccessible search base " )
2010-09-26 22:39:36 +04:00
try :
2018-07-30 09:13:57 +03:00
self . ldb_user3 . search ( " OU=ou3,OU=ou2,OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
scope = SCOPE_BASE )
2018-02-23 17:34:23 +03:00
except LdbError as e18 :
( num , _ ) = e18 . args
2010-09-26 22:39:36 +04:00
self . assertEquals ( num , ERR_NO_SUCH_OBJECT )
else :
self . fail ( )
2010-08-17 18:05:42 +04:00
mod = " (D;;LC;;; %s )(D;;LC;;; %s ) " % ( str ( self . user_sid ) , str ( self . group_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou2,OU=ou1, " + self . base_dn , mod )
2010-08-17 18:05:42 +04:00
2018-07-30 09:19:11 +03:00
ok_list = [ Dn ( self . ldb_admin , " OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou1, " + self . base_dn ) ]
2010-08-17 18:05:42 +04:00
res = self . ldb_user3 . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
scope = SCOPE_SUBTREE )
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in ok_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
2018-07-30 09:19:11 +03:00
ok_list = [ Dn ( self . ldb_admin , " OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou5,OU=ou3,OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou6,OU=ou4,OU=ou2,OU=ou1, " + self . base_dn ) ]
2010-08-17 18:05:42 +04:00
2018-07-30 09:19:49 +03:00
# should not see ou3 and ou4, but should see ou5 and ou6
2010-08-17 18:05:42 +04:00
res = self . ldb_user . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_SUBTREE )
2010-08-17 18:05:42 +04:00
self . assertEquals ( len ( res ) , 4 )
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in ok_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
res = self . ldb_user2 . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
scope = SCOPE_SUBTREE )
self . assertEquals ( len ( res ) , 4 )
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in ok_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
def test_search4 ( self ) :
""" There is no difference in visibility if the user is also creator """
self . create_clean_ou ( " OU=ou1, " + self . base_dn )
mod = " (A;CI;CC;;; %s ) " % ( str ( self . user_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou1, " + self . base_dn , mod )
2010-11-25 20:57:51 +03:00
tmp_desc = security . descriptor . from_sddl ( " D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) " + mod ,
self . domain_sid )
self . ldb_user . create_ou ( " OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_user . create_ou ( " OU=ou3,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_user . create_ou ( " OU=ou4,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_user . create_ou ( " OU=ou5,OU=ou3,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_user . create_ou ( " OU=ou6,OU=ou4,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
2010-08-17 18:05:42 +04:00
2018-07-30 09:19:11 +03:00
ok_list = [ Dn ( self . ldb_admin , " OU=ou2,OU=ou1, " + self . base_dn ) ,
Dn ( self . ldb_admin , " OU=ou1, " + self . base_dn ) ]
2010-08-17 18:05:42 +04:00
res = self . ldb_user3 . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
scope = SCOPE_SUBTREE )
self . assertEquals ( len ( res ) , 2 )
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in ok_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
res = self . ldb_user . search ( " OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_SUBTREE )
2010-08-17 18:05:42 +04:00
self . assertEquals ( len ( res ) , 2 )
2018-07-30 09:17:02 +03:00
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in ok_list ]
2010-08-17 18:05:42 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
2010-09-26 22:39:36 +04:00
def test_search5 ( self ) :
""" Make sure users can see only attributes they are allowed to see """
self . create_clean_ou ( " OU=ou1, " + self . base_dn )
mod = " (A;CI;LC;;; %s ) " % ( str ( self . user_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou1, " + self . base_dn , mod )
2010-11-25 20:57:51 +03:00
tmp_desc = security . descriptor . from_sddl ( " D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) " + mod ,
self . domain_sid )
self . ldb_admin . create_ou ( " OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
2010-09-26 22:39:36 +04:00
# assert user can only see dn
res = self . ldb_user . search ( " OU=ou2,OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_SUBTREE )
2010-09-26 22:39:36 +04:00
ok_list = [ ' dn ' ]
self . assertEquals ( len ( res ) , 1 )
2018-05-04 15:33:03 +03:00
res_list = list ( res [ 0 ] . keys ( ) )
2010-09-26 22:39:36 +04:00
self . assertEquals ( res_list , ok_list )
res = self . ldb_user . search ( " OU=ou2,OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_BASE , attrs = [ " ou " ] )
2010-09-26 22:39:36 +04:00
self . assertEquals ( len ( res ) , 1 )
2018-05-04 15:33:03 +03:00
res_list = list ( res [ 0 ] . keys ( ) )
2010-09-26 22:39:36 +04:00
self . assertEquals ( res_list , ok_list )
2018-07-30 09:19:49 +03:00
# give read property on ou and assert user can only see dn and ou
2010-09-26 22:39:36 +04:00
mod = " (OA;;RP;bf9679f0-0de6-11d0-a285-00aa003049e2;; %s ) " % ( str ( self . user_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou1, " + self . base_dn , mod )
self . sd_utils . dacl_add_ace ( " OU=ou2,OU=ou1, " + self . base_dn , mod )
2010-09-26 22:39:36 +04:00
res = self . ldb_user . search ( " OU=ou2,OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_SUBTREE )
2010-09-26 22:39:36 +04:00
ok_list = [ ' dn ' , ' ou ' ]
self . assertEquals ( len ( res ) , 1 )
2018-05-04 15:33:03 +03:00
res_list = list ( res [ 0 ] . keys ( ) )
2010-09-26 22:39:36 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
2018-07-30 09:19:49 +03:00
# give read property on Public Information and assert user can see ou and other members
2010-09-26 22:39:36 +04:00
mod = " (OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;; %s ) " % ( str ( self . user_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou1, " + self . base_dn , mod )
self . sd_utils . dacl_add_ace ( " OU=ou2,OU=ou1, " + self . base_dn , mod )
2010-09-26 22:39:36 +04:00
res = self . ldb_user . search ( " OU=ou2,OU=ou1, " + self . base_dn , expression = " (objectClass=*) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_SUBTREE )
2010-09-26 22:39:36 +04:00
ok_list = [ ' dn ' , ' objectClass ' , ' ou ' , ' distinguishedName ' , ' name ' , ' objectGUID ' , ' objectCategory ' ]
2018-05-04 15:33:03 +03:00
res_list = list ( res [ 0 ] . keys ( ) )
2010-09-26 22:39:36 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
def test_search6 ( self ) :
""" If an attribute that cannot be read is used in a filter, it is as if the attribute does not exist """
self . create_clean_ou ( " OU=ou1, " + self . base_dn )
mod = " (A;CI;LCCC;;; %s ) " % ( str ( self . user_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou1, " + self . base_dn , mod )
2010-11-25 20:57:51 +03:00
tmp_desc = security . descriptor . from_sddl ( " D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) " + mod ,
self . domain_sid )
self . ldb_admin . create_ou ( " OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_user . create_ou ( " OU=ou3,OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
2010-09-26 22:39:36 +04:00
res = self . ldb_user . search ( " OU=ou1, " + self . base_dn , expression = " (ou=ou3) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_SUBTREE )
2018-07-30 09:19:49 +03:00
# nothing should be returned as ou is not accessible
2011-02-09 21:51:34 +03:00
self . assertEquals ( len ( res ) , 0 )
2010-09-26 22:39:36 +04:00
2018-07-30 09:19:49 +03:00
# give read property on ou and assert user can only see dn and ou
2010-09-26 22:39:36 +04:00
mod = " (OA;;RP;bf9679f0-0de6-11d0-a285-00aa003049e2;; %s ) " % ( str ( self . user_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou3,OU=ou2,OU=ou1, " + self . base_dn , mod )
2010-09-26 22:39:36 +04:00
res = self . ldb_user . search ( " OU=ou1, " + self . base_dn , expression = " (ou=ou3) " ,
2018-07-30 09:15:34 +03:00
scope = SCOPE_SUBTREE )
2010-09-26 22:39:36 +04:00
self . assertEquals ( len ( res ) , 1 )
ok_list = [ ' dn ' , ' ou ' ]
2018-05-04 15:33:03 +03:00
res_list = list ( res [ 0 ] . keys ( ) )
2010-09-26 22:39:36 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
2018-07-30 09:19:49 +03:00
# give read property on Public Information and assert user can see ou and other members
2010-09-26 22:39:36 +04:00
mod = " (OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;; %s ) " % ( str ( self . user_sid ) )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ou2,OU=ou1, " + self . base_dn , mod )
2010-09-26 22:39:36 +04:00
res = self . ldb_user . search ( " OU=ou1, " + self . base_dn , expression = " (ou=ou2) " ,
scope = SCOPE_SUBTREE )
self . assertEquals ( len ( res ) , 1 )
ok_list = [ ' dn ' , ' objectClass ' , ' ou ' , ' distinguishedName ' , ' name ' , ' objectGUID ' , ' objectCategory ' ]
2018-05-04 15:33:03 +03:00
res_list = list ( res [ 0 ] . keys ( ) )
2010-09-26 22:39:36 +04:00
self . assertEquals ( sorted ( res_list ) , sorted ( ok_list ) )
2018-07-25 01:08:34 +03:00
def assert_search_on_attr ( self , dn , samdb , attr , expected_list ) :
expected_num = len ( expected_list )
res = samdb . search ( dn , expression = " ( %s =*) " % attr , scope = SCOPE_SUBTREE )
self . assertEquals ( len ( res ) , expected_num )
res_list = [ x [ " dn " ] for x in res if x [ " dn " ] in expected_list ]
self . assertEquals ( sorted ( res_list ) , sorted ( expected_list ) )
def test_search7 ( self ) :
""" Checks object search visibility when users don ' t have full rights """
self . create_clean_ou ( " OU=ou1, " + self . base_dn )
mod = " (A;;LC;;; %s )(A;;LC;;; %s ) " % ( str ( self . user_sid ) ,
str ( self . group_sid ) )
self . sd_utils . dacl_add_ace ( " OU=ou1, " + self . base_dn , mod )
tmp_desc = security . descriptor . from_sddl ( " D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) " + mod ,
self . domain_sid )
self . ldb_admin . create_ou ( " OU=ou2,OU=ou1, " + self . base_dn , sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou3,OU=ou2,OU=ou1, " + self . base_dn ,
sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou4,OU=ou2,OU=ou1, " + self . base_dn ,
sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou5,OU=ou3,OU=ou2,OU=ou1, " + self . base_dn ,
sd = tmp_desc )
self . ldb_admin . create_ou ( " OU=ou6,OU=ou4,OU=ou2,OU=ou1, " + self . base_dn ,
sd = tmp_desc )
ou2_dn = Dn ( self . ldb_admin , " OU=ou2,OU=ou1, " + self . base_dn )
ou1_dn = Dn ( self . ldb_admin , " OU=ou1, " + self . base_dn )
# even though unprivileged users can't read these attributes for OU2,
# the object should still be visible in searches, because they have
# 'List Contents' rights still. This isn't really disclosive because
# ALL objects have these attributes
visible_attrs = [ " objectClass " , " distinguishedName " , " name " ,
" objectGUID " ]
two_objects = [ ou2_dn , ou1_dn ]
for attr in visible_attrs :
# a regular user should just see the 2 objects
self . assert_search_on_attr ( str ( ou1_dn ) , self . ldb_user3 , attr ,
expected_list = two_objects )
# whereas the following users have LC rights for all the objects,
# so they should see them all
self . assert_search_on_attr ( str ( ou1_dn ) , self . ldb_user , attr ,
expected_list = self . full_list )
self . assert_search_on_attr ( str ( ou1_dn ) , self . ldb_user2 , attr ,
expected_list = self . full_list )
# however when searching on the following attributes, objects will not
# be visible unless the user has Read Property rights
hidden_attrs = [ " objectCategory " , " instanceType " , " ou " , " uSNChanged " ,
" uSNCreated " , " whenCreated " ]
one_object = [ ou1_dn ]
for attr in hidden_attrs :
self . assert_search_on_attr ( str ( ou1_dn ) , self . ldb_user3 , attr ,
expected_list = one_object )
self . assert_search_on_attr ( str ( ou1_dn ) , self . ldb_user , attr ,
expected_list = one_object )
self . assert_search_on_attr ( str ( ou1_dn ) , self . ldb_user2 , attr ,
expected_list = one_object )
# admin has RP rights so can still see all the objects
self . assert_search_on_attr ( str ( ou1_dn ) , self . ldb_admin , attr ,
expected_list = self . full_list )
2018-07-30 09:19:49 +03:00
# tests on ldap delete operations
2018-07-30 09:20:39 +03:00
2010-03-04 16:22:30 +03:00
class AclDeleteTests ( AclTests ) :
def setUp ( self ) :
2010-06-19 20:57:35 +04:00
super ( AclDeleteTests , self ) . setUp ( )
2010-03-04 16:22:30 +03:00
self . regular_user = " acl_delete_user1 "
2010-11-23 18:51:40 +03:00
# Create regular user
self . ldb_admin . newuser ( self . regular_user , self . user_pass )
2010-06-11 18:22:21 +04:00
self . ldb_user = self . get_ldb_connection ( self . regular_user , self . user_pass )
2010-03-04 16:22:30 +03:00
def tearDown ( self ) :
2010-06-19 20:57:35 +04:00
super ( AclDeleteTests , self ) . tearDown ( )
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , self . get_user_dn ( " test_delete_user1 " ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . regular_user ) )
2010-12-15 22:28:59 +03:00
delete_force ( self . ldb_admin , self . get_user_dn ( " test_anonymous " ) )
2010-03-04 16:22:30 +03:00
2018-01-08 03:24:25 +03:00
del self . ldb_user
2009-11-05 18:40:54 +03:00
def test_delete_u1 ( self ) :
""" User is prohibited by default to delete another User object """
# Create user that we try to delete
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( " test_delete_user1 " , self . user_pass )
2009-11-05 18:40:54 +03:00
# Here delete User object should ALWAYS through exception
try :
2010-03-04 16:22:30 +03:00
self . ldb_user . delete ( self . get_user_dn ( " test_delete_user1 " ) )
2018-02-23 17:34:23 +03:00
except LdbError as e19 :
( num , _ ) = e19 . args
2009-11-05 18:40:54 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
def test_delete_u2 ( self ) :
""" User ' s group has RIGHT_DELETE to another User object """
user_dn = self . get_user_dn ( " test_delete_user1 " )
# Create user that we try to delete
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( " test_delete_user1 " , self . user_pass )
2009-11-05 18:40:54 +03:00
mod = " (A;;SD;;;AU) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( user_dn , mod )
2009-11-05 18:40:54 +03:00
# Try to delete User object
2010-06-19 20:57:35 +04:00
self . ldb_user . delete ( user_dn )
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % user_dn )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2009-11-05 18:40:54 +03:00
def test_delete_u3 ( self ) :
""" User indentified by SID has RIGHT_DELETE to another User object """
user_dn = self . get_user_dn ( " test_delete_user1 " )
# Create user that we try to delete
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( " test_delete_user1 " , self . user_pass )
2010-12-10 11:31:19 +03:00
mod = " (A;;SD;;; %s ) " % self . sd_utils . get_object_sid ( self . get_user_dn ( self . regular_user ) )
self . sd_utils . dacl_add_ace ( user_dn , mod )
2009-11-05 18:40:54 +03:00
# Try to delete User object
2010-06-19 20:57:35 +04:00
self . ldb_user . delete ( user_dn )
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % user_dn )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2009-11-05 18:40:54 +03:00
2010-12-15 22:28:59 +03:00
def test_delete_anonymous ( self ) :
""" Test add operation with anonymous user """
2010-12-22 13:27:50 +03:00
anonymous = SamDB ( url = ldaphost , credentials = self . creds_tmp , lp = lp )
2010-12-15 22:28:59 +03:00
self . ldb_admin . newuser ( " test_anonymous " , " samba123@ " )
try :
anonymous . delete ( self . get_user_dn ( " test_anonymous " ) )
2018-02-23 17:34:23 +03:00
except LdbError as e20 :
( num , _ ) = e20 . args
2010-12-15 22:28:59 +03:00
self . assertEquals ( num , ERR_OPERATIONS_ERROR )
else :
self . fail ( )
2018-07-30 09:19:49 +03:00
# tests on ldap rename operations
2018-07-30 09:20:39 +03:00
2010-03-04 16:22:30 +03:00
class AclRenameTests ( AclTests ) :
def setUp ( self ) :
2010-06-19 20:57:35 +04:00
super ( AclRenameTests , self ) . setUp ( )
2010-03-04 16:22:30 +03:00
self . regular_user = " acl_rename_user1 "
2010-11-23 18:51:40 +03:00
self . ou1 = " OU=test_rename_ou1 "
self . ou2 = " OU=test_rename_ou2 "
self . ou3 = " OU=test_rename_ou3, %s " % self . ou2
self . testuser1 = " test_rename_user1 "
self . testuser2 = " test_rename_user2 "
self . testuser3 = " test_rename_user3 "
self . testuser4 = " test_rename_user4 "
self . testuser5 = " test_rename_user5 "
2010-06-19 20:57:35 +04:00
# Create regular user
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . regular_user , self . user_pass )
2010-06-11 18:22:21 +04:00
self . ldb_user = self . get_ldb_connection ( self . regular_user , self . user_pass )
2010-03-04 16:22:30 +03:00
def tearDown ( self ) :
2010-06-19 20:57:35 +04:00
super ( AclRenameTests , self ) . tearDown ( )
2010-03-04 16:22:30 +03:00
# Rename OU3
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , " CN= %s , %s , %s " % ( self . testuser1 , self . ou3 , self . base_dn ) )
delete_force ( self . ldb_admin , " CN= %s , %s , %s " % ( self . testuser2 , self . ou3 , self . base_dn ) )
delete_force ( self . ldb_admin , " CN= %s , %s , %s " % ( self . testuser5 , self . ou3 , self . base_dn ) )
delete_force ( self . ldb_admin , " %s , %s " % ( self . ou3 , self . base_dn ) )
2010-03-04 16:22:30 +03:00
# Rename OU2
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , " CN= %s , %s , %s " % ( self . testuser1 , self . ou2 , self . base_dn ) )
delete_force ( self . ldb_admin , " CN= %s , %s , %s " % ( self . testuser2 , self . ou2 , self . base_dn ) )
delete_force ( self . ldb_admin , " CN= %s , %s , %s " % ( self . testuser5 , self . ou2 , self . base_dn ) )
delete_force ( self . ldb_admin , " %s , %s " % ( self . ou2 , self . base_dn ) )
2010-03-04 16:22:30 +03:00
# Rename OU1
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , " CN= %s , %s , %s " % ( self . testuser1 , self . ou1 , self . base_dn ) )
delete_force ( self . ldb_admin , " CN= %s , %s , %s " % ( self . testuser2 , self . ou1 , self . base_dn ) )
delete_force ( self . ldb_admin , " CN= %s , %s , %s " % ( self . testuser5 , self . ou1 , self . base_dn ) )
delete_force ( self . ldb_admin , " OU=test_rename_ou3, %s , %s " % ( self . ou1 , self . base_dn ) )
delete_force ( self . ldb_admin , " %s , %s " % ( self . ou1 , self . base_dn ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . regular_user ) )
2010-03-04 16:22:30 +03:00
2018-01-08 03:24:25 +03:00
del self . ldb_user
2010-03-04 16:22:30 +03:00
def test_rename_u1 ( self ) :
""" Regular user fails to rename ' User object ' within single OU """
2009-11-05 18:40:54 +03:00
# Create OU structure
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( " OU=test_rename_ou1, " + self . base_dn )
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . testuser1 , self . user_pass , userou = self . ou1 )
2009-11-05 18:40:54 +03:00
try :
2010-11-23 18:51:40 +03:00
self . ldb_user . rename ( " CN= %s , %s , %s " % ( self . testuser1 , self . ou1 , self . base_dn ) , \
2018-07-30 09:15:34 +03:00
" CN= %s , %s , %s " % ( self . testuser5 , self . ou1 , self . base_dn ) )
2018-02-23 17:34:23 +03:00
except LdbError as e21 :
( num , _ ) = e21 . args
2009-11-05 18:40:54 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
def test_rename_u2 ( self ) :
2010-03-04 16:22:30 +03:00
""" Grant WRITE_PROPERTY to AU so regular user can rename ' User object ' within single OU """
2009-11-05 18:40:54 +03:00
ou_dn = " OU=test_rename_ou1, " + self . base_dn
user_dn = " CN=test_rename_user1, " + ou_dn
rename_user_dn = " CN=test_rename_user5, " + ou_dn
# Create OU structure
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( ou_dn )
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . testuser1 , self . user_pass , userou = self . ou1 )
2009-11-05 18:40:54 +03:00
mod = " (A;;WP;;;AU) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( user_dn , mod )
2009-11-05 18:40:54 +03:00
# Rename 'User object' having WP to AU
2010-03-04 16:22:30 +03:00
self . ldb_user . rename ( user_dn , rename_user_dn )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % user_dn )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % rename_user_dn )
2011-02-09 21:51:34 +03:00
self . assertNotEqual ( len ( res ) , 0 )
2010-03-04 16:22:30 +03:00
def test_rename_u3 ( self ) :
""" Test rename with rights granted to ' User object ' SID """
ou_dn = " OU=test_rename_ou1, " + self . base_dn
user_dn = " CN=test_rename_user1, " + ou_dn
rename_user_dn = " CN=test_rename_user5, " + ou_dn
2009-11-05 18:40:54 +03:00
# Create OU structure
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( ou_dn )
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . testuser1 , self . user_pass , userou = self . ou1 )
2010-12-10 11:31:19 +03:00
sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . regular_user ) )
2009-11-05 18:40:54 +03:00
mod = " (A;;WP;;; %s ) " % str ( sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( user_dn , mod )
2009-11-05 18:40:54 +03:00
# Rename 'User object' having WP to AU
2010-03-04 16:22:30 +03:00
self . ldb_user . rename ( user_dn , rename_user_dn )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % user_dn )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % rename_user_dn )
2011-02-09 21:51:34 +03:00
self . assertNotEqual ( len ( res ) , 0 )
2009-11-05 18:40:54 +03:00
2010-03-04 16:22:30 +03:00
def test_rename_u4 ( self ) :
""" Rename ' User object ' cross OU with WP, SD and CC right granted on reg. user to AU """
2009-11-05 18:40:54 +03:00
ou1_dn = " OU=test_rename_ou1, " + self . base_dn
ou2_dn = " OU=test_rename_ou2, " + self . base_dn
user_dn = " CN=test_rename_user2, " + ou1_dn
rename_user_dn = " CN=test_rename_user5, " + ou2_dn
# Create OU structure
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( ou1_dn )
self . ldb_admin . create_ou ( ou2_dn )
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . testuser2 , self . user_pass , userou = self . ou1 )
2009-11-05 18:40:54 +03:00
mod = " (A;;WPSD;;;AU) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( user_dn , mod )
2009-11-05 18:40:54 +03:00
mod = " (A;;CC;;;AU) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( ou2_dn , mod )
2009-11-05 18:40:54 +03:00
# Rename 'User object' having SD and CC to AU
2010-03-04 16:22:30 +03:00
self . ldb_user . rename ( user_dn , rename_user_dn )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % user_dn )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % rename_user_dn )
2011-02-09 21:51:34 +03:00
self . assertNotEqual ( len ( res ) , 0 )
2010-03-04 16:22:30 +03:00
def test_rename_u5 ( self ) :
""" Test rename with rights granted to ' User object ' SID """
ou1_dn = " OU=test_rename_ou1, " + self . base_dn
ou2_dn = " OU=test_rename_ou2, " + self . base_dn
user_dn = " CN=test_rename_user2, " + ou1_dn
rename_user_dn = " CN=test_rename_user5, " + ou2_dn
2009-11-05 18:40:54 +03:00
# Create OU structure
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( ou1_dn )
self . ldb_admin . create_ou ( ou2_dn )
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . testuser2 , self . user_pass , userou = self . ou1 )
2010-12-10 11:31:19 +03:00
sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . regular_user ) )
2009-11-05 18:40:54 +03:00
mod = " (A;;WPSD;;; %s ) " % str ( sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( user_dn , mod )
2009-11-05 18:40:54 +03:00
mod = " (A;;CC;;; %s ) " % str ( sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( ou2_dn , mod )
2009-11-05 18:40:54 +03:00
# Rename 'User object' having SD and CC to AU
2010-03-04 16:22:30 +03:00
self . ldb_user . rename ( user_dn , rename_user_dn )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % user_dn )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % rename_user_dn )
2011-02-09 21:51:34 +03:00
self . assertNotEqual ( len ( res ) , 0 )
2009-11-05 18:40:54 +03:00
2010-03-04 16:22:30 +03:00
def test_rename_u6 ( self ) :
""" Rename ' User object ' cross OU with WP, DC and CC right granted on OU & user to AU """
2009-11-05 18:40:54 +03:00
ou1_dn = " OU=test_rename_ou1, " + self . base_dn
ou2_dn = " OU=test_rename_ou2, " + self . base_dn
user_dn = " CN=test_rename_user2, " + ou1_dn
rename_user_dn = " CN=test_rename_user2, " + ou2_dn
# Create OU structure
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( ou1_dn )
self . ldb_admin . create_ou ( ou2_dn )
2009-11-05 18:40:54 +03:00
#mod = "(A;CI;DCWP;;;AU)"
mod = " (A;;DC;;;AU) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( ou1_dn , mod )
2009-11-05 18:40:54 +03:00
mod = " (A;;CC;;;AU) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( ou2_dn , mod )
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . testuser2 , self . user_pass , userou = self . ou1 )
2009-11-05 18:40:54 +03:00
mod = " (A;;WP;;;AU) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( user_dn , mod )
2009-11-05 18:40:54 +03:00
# Rename 'User object' having SD and CC to AU
2010-03-04 16:22:30 +03:00
self . ldb_user . rename ( user_dn , rename_user_dn )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % user_dn )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % rename_user_dn )
2011-02-09 21:51:34 +03:00
self . assertNotEqual ( len ( res ) , 0 )
2009-11-05 18:40:54 +03:00
2010-03-04 16:22:30 +03:00
def test_rename_u7 ( self ) :
""" Rename ' User object ' cross OU (second level) with WP, DC and CC right granted on OU to AU """
2009-11-05 18:40:54 +03:00
ou1_dn = " OU=test_rename_ou1, " + self . base_dn
ou2_dn = " OU=test_rename_ou2, " + self . base_dn
ou3_dn = " OU=test_rename_ou3, " + ou2_dn
user_dn = " CN=test_rename_user2, " + ou1_dn
rename_user_dn = " CN=test_rename_user5, " + ou3_dn
# Create OU structure
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( ou1_dn )
self . ldb_admin . create_ou ( ou2_dn )
self . ldb_admin . create_ou ( ou3_dn )
2009-11-05 18:40:54 +03:00
mod = " (A;CI;WPDC;;;AU) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( ou1_dn , mod )
2009-11-05 18:40:54 +03:00
mod = " (A;;CC;;;AU) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( ou3_dn , mod )
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . testuser2 , self . user_pass , userou = self . ou1 )
2009-11-05 18:40:54 +03:00
# Rename 'User object' having SD and CC to AU
2010-03-04 16:22:30 +03:00
self . ldb_user . rename ( user_dn , rename_user_dn )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % user_dn )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn ,
2018-07-30 09:16:12 +03:00
expression = " (distinguishedName= %s ) " % rename_user_dn )
2011-02-09 21:51:34 +03:00
self . assertNotEqual ( len ( res ) , 0 )
2009-11-05 18:40:54 +03:00
2010-03-07 22:42:53 +03:00
def test_rename_u8 ( self ) :
""" Test rename on an object with and without modify access on the RDN attribute """
ou1_dn = " OU=test_rename_ou1, " + self . base_dn
ou2_dn = " OU=test_rename_ou2, " + ou1_dn
ou3_dn = " OU=test_rename_ou3, " + ou1_dn
# Create OU structure
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( ou1_dn )
self . ldb_admin . create_ou ( ou2_dn )
2010-12-10 11:31:19 +03:00
sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . regular_user ) )
2010-03-07 22:42:53 +03:00
mod = " (OA;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( ou2_dn , mod )
2010-03-07 22:42:53 +03:00
mod = " (OD;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( ou2_dn , mod )
2010-03-07 22:42:53 +03:00
try :
self . ldb_user . rename ( ou2_dn , ou3_dn )
2018-02-23 17:34:23 +03:00
except LdbError as e22 :
( num , _ ) = e22 . args
2010-03-07 22:42:53 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
# This rename operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self . fail ( )
2010-12-10 11:31:19 +03:00
sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . regular_user ) )
2010-03-07 22:42:53 +03:00
mod = " (A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( ou2_dn , mod )
2010-03-07 22:42:53 +03:00
self . ldb_user . rename ( ou2_dn , ou3_dn )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s ) " % ou2_dn )
2011-02-09 21:51:34 +03:00
self . assertEqual ( len ( res ) , 0 )
2010-06-19 20:57:35 +04:00
res = self . ldb_admin . search ( self . base_dn , expression = " (distinguishedName= %s ) " % ou3_dn )
2011-02-09 21:51:34 +03:00
self . assertNotEqual ( len ( res ) , 0 )
2010-03-07 22:42:53 +03:00
2013-10-15 03:06:38 +04:00
def test_rename_u9 ( self ) :
""" Rename ' User object ' cross OU, with explicit deny on sd and dc """
ou1_dn = " OU=test_rename_ou1, " + self . base_dn
ou2_dn = " OU=test_rename_ou2, " + self . base_dn
user_dn = " CN=test_rename_user2, " + ou1_dn
rename_user_dn = " CN=test_rename_user5, " + ou2_dn
# Create OU structure
self . ldb_admin . create_ou ( ou1_dn )
self . ldb_admin . create_ou ( ou2_dn )
self . ldb_admin . newuser ( self . testuser2 , self . user_pass , userou = self . ou1 )
mod = " (D;;SD;;;DA) "
self . sd_utils . dacl_add_ace ( user_dn , mod )
mod = " (D;;DC;;;DA) "
self . sd_utils . dacl_add_ace ( ou1_dn , mod )
# Rename 'User object' having SD and CC to AU
try :
self . ldb_admin . rename ( user_dn , rename_user_dn )
2018-02-23 17:34:23 +03:00
except LdbError as e23 :
( num , _ ) = e23 . args
2013-10-15 03:06:38 +04:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
2018-07-30 09:19:49 +03:00
# add an allow ace so we can delete this ou
2013-10-15 03:06:38 +04:00
mod = " (A;;DC;;;DA) "
self . sd_utils . dacl_add_ace ( ou1_dn , mod )
2018-07-30 09:19:49 +03:00
# tests on Control Access Rights
2010-07-02 17:38:05 +04:00
class AclCARTests ( AclTests ) :
def setUp ( self ) :
super ( AclCARTests , self ) . setUp ( )
2014-11-02 06:06:52 +03:00
# Get the old "dSHeuristics" if it was set
dsheuristics = self . ldb_admin . get_dsheuristics ( )
# Reset the "dSHeuristics" as they were before
self . addCleanup ( self . ldb_admin . set_dsheuristics , dsheuristics )
# Set the "dSHeuristics" to activate the correct "userPassword" behaviour
self . ldb_admin . set_dsheuristics ( " 000000001 " )
# Get the old "minPwdAge"
minPwdAge = self . ldb_admin . get_minPwdAge ( )
# Reset the "minPwdAge" as it was before
self . addCleanup ( self . ldb_admin . set_minPwdAge , minPwdAge )
# Set it temporarely to "0"
self . ldb_admin . set_minPwdAge ( " 0 " )
2010-07-02 17:38:05 +04:00
self . user_with_wp = " acl_car_user1 "
self . user_with_pc = " acl_car_user2 "
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . user_with_wp , self . user_pass )
self . ldb_admin . newuser ( self . user_with_pc , self . user_pass )
2010-07-02 17:38:05 +04:00
self . ldb_user = self . get_ldb_connection ( self . user_with_wp , self . user_pass )
self . ldb_user2 = self . get_ldb_connection ( self . user_with_pc , self . user_pass )
def tearDown ( self ) :
super ( AclCARTests , self ) . tearDown ( )
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , self . get_user_dn ( self . user_with_wp ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . user_with_pc ) )
2010-07-02 17:38:05 +04:00
2018-01-08 03:24:25 +03:00
del self . ldb_user
del self . ldb_user2
2010-07-02 17:38:05 +04:00
def test_change_password1 ( self ) :
""" Try a password change operation without any CARs given """
2018-07-30 09:19:49 +03:00
# users have change password by default - remove for negative testing
2010-12-10 11:31:19 +03:00
desc = self . sd_utils . read_sd_on_dn ( self . get_user_dn ( self . user_with_wp ) )
2010-07-02 17:38:05 +04:00
sddl = desc . as_sddl ( self . domain_sid )
sddl = sddl . replace ( " (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD) " , " " )
sddl = sddl . replace ( " (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS) " , " " )
2010-12-10 11:31:19 +03:00
self . sd_utils . modify_sd_on_dn ( self . get_user_dn ( self . user_with_wp ) , sddl )
2010-07-02 17:38:05 +04:00
try :
self . ldb_user . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
delete : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" samba123@ \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-02 17:38:05 +04:00
add : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" thatsAcomplPASS2 \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-02 17:38:05 +04:00
""" )
2018-02-23 17:34:23 +03:00
except LdbError as e24 :
( num , _ ) = e24 . args
2010-07-02 17:38:05 +04:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
else :
# for some reason we get constraint violation instead of insufficient access error
self . fail ( )
def test_change_password2 ( self ) :
""" Make sure WP has no influence """
2010-12-10 11:31:19 +03:00
desc = self . sd_utils . read_sd_on_dn ( self . get_user_dn ( self . user_with_wp ) )
2010-07-02 17:38:05 +04:00
sddl = desc . as_sddl ( self . domain_sid )
sddl = sddl . replace ( " (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD) " , " " )
sddl = sddl . replace ( " (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS) " , " " )
2010-12-10 11:31:19 +03:00
self . sd_utils . modify_sd_on_dn ( self . get_user_dn ( self . user_with_wp ) , sddl )
2010-07-02 17:38:05 +04:00
mod = " (A;;WP;;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
desc = self . sd_utils . read_sd_on_dn ( self . get_user_dn ( self . user_with_wp ) )
2010-07-02 17:38:05 +04:00
sddl = desc . as_sddl ( self . domain_sid )
try :
2010-07-05 01:17:38 +04:00
self . ldb_user . modify_ldif ( """
2010-07-02 17:38:05 +04:00
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
delete : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" samba123@ \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-02 17:38:05 +04:00
add : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" thatsAcomplPASS2 \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-02 17:38:05 +04:00
""" )
2018-02-23 17:34:23 +03:00
except LdbError as e25 :
( num , _ ) = e25 . args
2010-07-02 17:38:05 +04:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
else :
# for some reason we get constraint violation instead of insufficient access error
self . fail ( )
def test_change_password3 ( self ) :
""" Make sure WP has no influence """
mod = " (D;;WP;;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
desc = self . sd_utils . read_sd_on_dn ( self . get_user_dn ( self . user_with_wp ) )
2010-07-02 17:38:05 +04:00
sddl = desc . as_sddl ( self . domain_sid )
2010-07-05 01:17:38 +04:00
self . ldb_user . modify_ldif ( """
2010-07-02 17:38:05 +04:00
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
delete : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" samba123@ \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-02 17:38:05 +04:00
add : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" thatsAcomplPASS2 \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-02 17:38:05 +04:00
""" )
2010-07-05 01:17:38 +04:00
def test_change_password5 ( self ) :
""" Make sure rights have no influence on dBCSPwd """
2010-12-10 11:31:19 +03:00
desc = self . sd_utils . read_sd_on_dn ( self . get_user_dn ( self . user_with_wp ) )
2010-07-05 01:17:38 +04:00
sddl = desc . as_sddl ( self . domain_sid )
sddl = sddl . replace ( " (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD) " , " " )
sddl = sddl . replace ( " (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS) " , " " )
2010-12-10 11:31:19 +03:00
self . sd_utils . modify_sd_on_dn ( self . get_user_dn ( self . user_with_wp ) , sddl )
2010-07-05 01:17:38 +04:00
mod = " (D;;WP;;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
2010-07-05 01:17:38 +04:00
try :
self . ldb_user . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
delete : dBCSPwd
dBCSPwd : XXXXXXXXXXXXXXXX
add : dBCSPwd
dBCSPwd : YYYYYYYYYYYYYYYY
""" )
2018-02-23 17:34:23 +03:00
except LdbError as e26 :
( num , _ ) = e26 . args
2010-07-05 01:17:38 +04:00
self . assertEquals ( num , ERR_UNWILLING_TO_PERFORM )
else :
self . fail ( )
def test_change_password6 ( self ) :
""" Test uneven delete/adds """
try :
self . ldb_user . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
delete : userPassword
userPassword : thatsAcomplPASS1
delete : userPassword
userPassword : thatsAcomplPASS1
add : userPassword
userPassword : thatsAcomplPASS2
""" )
2018-02-23 17:34:23 +03:00
except LdbError as e27 :
( num , _ ) = e27 . args
2010-07-05 01:17:38 +04:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
mod = " (OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
2010-07-05 01:17:38 +04:00
try :
self . ldb_user . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
delete : userPassword
userPassword : thatsAcomplPASS1
delete : userPassword
userPassword : thatsAcomplPASS1
add : userPassword
userPassword : thatsAcomplPASS2
""" )
2010-11-11 11:33:06 +03:00
# This fails on Windows 2000 domain level with constraint violation
2018-02-23 17:34:23 +03:00
except LdbError as e28 :
( num , _ ) = e28 . args
2010-11-11 11:33:06 +03:00
self . assertTrue ( num == ERR_CONSTRAINT_VIOLATION or
num == ERR_UNWILLING_TO_PERFORM )
2010-07-05 01:17:38 +04:00
else :
self . fail ( )
2010-11-11 11:33:06 +03:00
2010-07-08 16:38:16 +04:00
def test_change_password7 ( self ) :
""" Try a password change operation without any CARs given """
2018-07-30 09:19:49 +03:00
# users have change password by default - remove for negative testing
2010-12-10 11:31:19 +03:00
desc = self . sd_utils . read_sd_on_dn ( self . get_user_dn ( self . user_with_wp ) )
2010-07-08 16:38:16 +04:00
sddl = desc . as_sddl ( self . domain_sid )
2010-12-10 11:31:19 +03:00
self . sd_utils . modify_sd_on_dn ( self . get_user_dn ( self . user_with_wp ) , sddl )
2018-07-30 09:19:49 +03:00
# first change our own password
2010-07-08 16:38:16 +04:00
self . ldb_user2 . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_pc) + """
changetype : modify
delete : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" samba123@ \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-08 16:38:16 +04:00
add : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" thatsAcomplPASS1 \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-08 16:38:16 +04:00
""" )
2018-07-30 09:19:49 +03:00
# then someone else's
2010-07-08 16:38:16 +04:00
self . ldb_user2 . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
delete : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" samba123@ \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-08 16:38:16 +04:00
add : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" thatsAcomplPASS2 \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-08 16:38:16 +04:00
""" )
2010-07-02 17:38:05 +04:00
def test_reset_password1 ( self ) :
""" Try a user password reset operation (unicodePwd) before and after granting CAR """
try :
self . ldb_user . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
replace : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" thatsAcomplPASS1 \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-02 17:38:05 +04:00
""" )
2018-02-23 17:34:23 +03:00
except LdbError as e29 :
( num , _ ) = e29 . args
2010-07-02 17:38:05 +04:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
mod = " (OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
2010-07-02 17:38:05 +04:00
self . ldb_user . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
replace : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" thatsAcomplPASS1 \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-02 17:38:05 +04:00
""" )
def test_reset_password2 ( self ) :
""" Try a user password reset operation (userPassword) before and after granting CAR """
try :
self . ldb_user . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
replace : userPassword
userPassword : thatsAcomplPASS1
""" )
2018-02-23 17:34:23 +03:00
except LdbError as e30 :
( num , _ ) = e30 . args
2010-07-02 17:38:05 +04:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
mod = " (OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
2010-11-11 11:33:06 +03:00
try :
self . ldb_user . modify_ldif ( """
2010-07-02 17:38:05 +04:00
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
replace : userPassword
userPassword : thatsAcomplPASS1
""" )
2010-11-11 11:33:06 +03:00
# This fails on Windows 2000 domain level with constraint violation
2018-02-23 17:34:23 +03:00
except LdbError as e31 :
( num , _ ) = e31 . args
2010-11-11 11:33:06 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
2010-07-02 17:38:05 +04:00
def test_reset_password3 ( self ) :
""" Grant WP and see what happens (unicodePwd) """
mod = " (A;;WP;;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
2010-07-02 17:38:05 +04:00
try :
self . ldb_user . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
replace : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" thatsAcomplPASS1 \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-02 17:38:05 +04:00
""" )
2018-02-23 17:34:23 +03:00
except LdbError as e32 :
( num , _ ) = e32 . args
2010-07-02 17:38:05 +04:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
def test_reset_password4 ( self ) :
""" Grant WP and see what happens (userPassword) """
mod = " (A;;WP;;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
2010-07-02 17:38:05 +04:00
try :
self . ldb_user . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
replace : userPassword
userPassword : thatsAcomplPASS1
""" )
2018-02-23 17:34:23 +03:00
except LdbError as e33 :
( num , _ ) = e33 . args
2010-07-02 17:38:05 +04:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
else :
self . fail ( )
def test_reset_password5 ( self ) :
""" Explicitly deny WP but grant CAR (unicodePwd) """
mod = " (D;;WP;;;PS)(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
2010-07-02 17:38:05 +04:00
self . ldb_user . modify_ldif ( """
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
replace : unicodePwd
2018-05-04 17:27:12 +03:00
unicodePwd : : """ + base64.b64encode( " \" thatsAcomplPASS1 \" " .encode( ' utf-16-le ' )).decode( ' utf8 ' ) + """
2010-07-02 17:38:05 +04:00
""" )
def test_reset_password6 ( self ) :
""" Explicitly deny WP but grant CAR (userPassword) """
mod = " (D;;WP;;;PS)(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS) "
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( self . get_user_dn ( self . user_with_wp ) , mod )
2010-11-11 11:33:06 +03:00
try :
self . ldb_user . modify_ldif ( """
2010-07-02 17:38:05 +04:00
dn : """ + self.get_user_dn(self.user_with_wp) + """
changetype : modify
replace : userPassword
userPassword : thatsAcomplPASS1
""" )
2010-11-11 11:33:06 +03:00
# This fails on Windows 2000 domain level with constraint violation
2018-02-23 17:34:23 +03:00
except LdbError as e34 :
( num , _ ) = e34 . args
2010-11-11 11:33:06 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
2010-07-02 17:38:05 +04:00
2018-07-30 09:20:39 +03:00
2010-10-27 16:20:49 +04:00
class AclExtendedTests ( AclTests ) :
def setUp ( self ) :
super ( AclExtendedTests , self ) . setUp ( )
2018-07-30 09:19:49 +03:00
# regular user, will be the creator
2010-10-27 16:20:49 +04:00
self . u1 = " ext_u1 "
2018-07-30 09:19:49 +03:00
# regular user
2010-10-27 16:20:49 +04:00
self . u2 = " ext_u2 "
2018-07-30 09:19:49 +03:00
# admin user
2010-10-27 16:20:49 +04:00
self . u3 = " ext_u3 "
2010-11-23 18:51:40 +03:00
self . ldb_admin . newuser ( self . u1 , self . user_pass )
self . ldb_admin . newuser ( self . u2 , self . user_pass )
self . ldb_admin . newuser ( self . u3 , self . user_pass )
2012-06-19 14:43:08 +04:00
self . ldb_admin . add_remove_group_members ( " Domain Admins " , [ self . u3 ] ,
2010-11-18 20:12:36 +03:00
add_members_operation = True )
2010-10-27 16:20:49 +04:00
self . ldb_user1 = self . get_ldb_connection ( self . u1 , self . user_pass )
self . ldb_user2 = self . get_ldb_connection ( self . u2 , self . user_pass )
self . ldb_user3 = self . get_ldb_connection ( self . u3 , self . user_pass )
2010-12-10 11:31:19 +03:00
self . user_sid1 = self . sd_utils . get_object_sid ( self . get_user_dn ( self . u1 ) )
self . user_sid2 = self . sd_utils . get_object_sid ( self . get_user_dn ( self . u2 ) )
2010-10-27 16:20:49 +04:00
def tearDown ( self ) :
super ( AclExtendedTests , self ) . tearDown ( )
2010-11-24 18:48:56 +03:00
delete_force ( self . ldb_admin , self . get_user_dn ( self . u1 ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . u2 ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . u3 ) )
delete_force ( self . ldb_admin , " CN=ext_group1,OU=ext_ou1, " + self . base_dn )
delete_force ( self . ldb_admin , " ou=ext_ou1, " + self . base_dn )
2010-10-27 16:20:49 +04:00
2018-01-08 03:24:25 +03:00
del self . ldb_user1
del self . ldb_user2
del self . ldb_user3
2010-10-27 16:20:49 +04:00
def test_ntSecurityDescriptor ( self ) :
2018-07-30 09:19:49 +03:00
# create empty ou
2010-11-23 15:32:42 +03:00
self . ldb_admin . create_ou ( " ou=ext_ou1, " + self . base_dn )
2018-07-30 09:19:49 +03:00
# give u1 Create children access
2010-10-27 16:20:49 +04:00
mod = " (A;;CC;;; %s ) " % str ( self . user_sid1 )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ext_ou1, " + self . base_dn , mod )
2010-10-27 16:20:49 +04:00
mod = " (A;;LC;;; %s ) " % str ( self . user_sid2 )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " OU=ext_ou1, " + self . base_dn , mod )
2018-07-30 09:19:49 +03:00
# create a group under that, grant RP to u2
2011-08-05 08:03:58 +04:00
self . ldb_user1 . newgroup ( " ext_group1 " , groupou = " OU=ext_ou1 " ,
grouptype = samba . dsdb . GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP )
2010-10-27 16:20:49 +04:00
mod = " (A;;RP;;; %s ) " % str ( self . user_sid2 )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " CN=ext_group1,OU=ext_ou1, " + self . base_dn , mod )
2018-07-30 09:19:49 +03:00
# u2 must not read the descriptor
2010-10-27 16:20:49 +04:00
res = self . ldb_user2 . search ( " CN=ext_group1,OU=ext_ou1, " + self . base_dn ,
SCOPE_BASE , None , [ " nTSecurityDescriptor " ] )
2011-02-09 21:51:34 +03:00
self . assertNotEqual ( len ( res ) , 0 )
2010-10-27 16:20:49 +04:00
self . assertFalse ( " nTSecurityDescriptor " in res [ 0 ] . keys ( ) )
2018-07-30 09:19:49 +03:00
# grant RC to u2 - still no access
2010-10-27 16:20:49 +04:00
mod = " (A;;RC;;; %s ) " % str ( self . user_sid2 )
2010-12-10 11:31:19 +03:00
self . sd_utils . dacl_add_ace ( " CN=ext_group1,OU=ext_ou1, " + self . base_dn , mod )
2010-10-27 16:20:49 +04:00
res = self . ldb_user2 . search ( " CN=ext_group1,OU=ext_ou1, " + self . base_dn ,
SCOPE_BASE , None , [ " nTSecurityDescriptor " ] )
2011-02-09 21:51:34 +03:00
self . assertNotEqual ( len ( res ) , 0 )
2010-10-27 16:20:49 +04:00
self . assertFalse ( " nTSecurityDescriptor " in res [ 0 ] . keys ( ) )
2018-07-30 09:19:49 +03:00
# u3 is member of administrators group, should be able to read sd
2010-10-27 16:20:49 +04:00
res = self . ldb_user3 . search ( " CN=ext_group1,OU=ext_ou1, " + self . base_dn ,
SCOPE_BASE , None , [ " nTSecurityDescriptor " ] )
2018-07-30 09:19:05 +03:00
self . assertEqual ( len ( res ) , 1 )
2010-10-27 16:20:49 +04:00
self . assertTrue ( " nTSecurityDescriptor " in res [ 0 ] . keys ( ) )
2018-07-30 09:20:39 +03:00
2014-11-04 21:08:58 +03:00
class AclUndeleteTests ( AclTests ) :
def setUp ( self ) :
super ( AclUndeleteTests , self ) . setUp ( )
self . regular_user = " undeleter1 "
self . ou1 = " OU=undeleted_ou, "
self . testuser1 = " to_be_undeleted1 "
self . testuser2 = " to_be_undeleted2 "
self . testuser3 = " to_be_undeleted3 "
self . testuser4 = " to_be_undeleted4 "
self . testuser5 = " to_be_undeleted5 "
self . testuser6 = " to_be_undeleted6 "
2018-07-30 09:18:03 +03:00
self . new_dn_ou = " CN= " + self . testuser4 + " , " + self . ou1 + self . base_dn
2014-11-04 21:08:58 +03:00
# Create regular user
self . testuser1_dn = self . get_user_dn ( self . testuser1 )
self . testuser2_dn = self . get_user_dn ( self . testuser2 )
self . testuser3_dn = self . get_user_dn ( self . testuser3 )
self . testuser4_dn = self . get_user_dn ( self . testuser4 )
self . testuser5_dn = self . get_user_dn ( self . testuser5 )
self . deleted_dn1 = self . create_delete_user ( self . testuser1 )
self . deleted_dn2 = self . create_delete_user ( self . testuser2 )
self . deleted_dn3 = self . create_delete_user ( self . testuser3 )
self . deleted_dn4 = self . create_delete_user ( self . testuser4 )
self . deleted_dn5 = self . create_delete_user ( self . testuser5 )
self . ldb_admin . create_ou ( self . ou1 + self . base_dn )
self . ldb_admin . newuser ( self . regular_user , self . user_pass )
self . ldb_admin . add_remove_group_members ( " Domain Admins " , [ self . regular_user ] ,
2018-07-30 09:16:12 +03:00
add_members_operation = True )
2014-11-04 21:08:58 +03:00
self . ldb_user = self . get_ldb_connection ( self . regular_user , self . user_pass )
self . sid = self . sd_utils . get_object_sid ( self . get_user_dn ( self . regular_user ) )
def tearDown ( self ) :
super ( AclUndeleteTests , self ) . tearDown ( )
delete_force ( self . ldb_admin , self . get_user_dn ( self . regular_user ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . testuser1 ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . testuser2 ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . testuser3 ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . testuser4 ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . testuser5 ) )
delete_force ( self . ldb_admin , self . new_dn_ou )
delete_force ( self . ldb_admin , self . ou1 + self . base_dn )
2018-01-08 03:24:25 +03:00
del self . ldb_user
2014-11-04 21:08:58 +03:00
def GUID_string ( self , guid ) :
return ldb . schema_format_value ( " objectGUID " , guid )
def create_delete_user ( self , new_user ) :
self . ldb_admin . newuser ( new_user , self . user_pass )
res = self . ldb_admin . search ( expression = " (objectClass=*) " ,
base = self . get_user_dn ( new_user ) ,
scope = SCOPE_BASE ,
controls = [ " show_deleted:1 " ] )
guid = res [ 0 ] [ " objectGUID " ] [ 0 ]
self . ldb_admin . delete ( self . get_user_dn ( new_user ) )
res = self . ldb_admin . search ( base = " <GUID= %s > " % self . GUID_string ( guid ) ,
2018-07-30 09:16:12 +03:00
scope = SCOPE_BASE , controls = [ " show_deleted:1 " ] )
2014-11-04 21:08:58 +03:00
self . assertEquals ( len ( res ) , 1 )
return str ( res [ 0 ] . dn )
def undelete_deleted ( self , olddn , newdn ) :
msg = Message ( )
msg . dn = Dn ( self . ldb_user , olddn )
msg [ " isDeleted " ] = MessageElement ( [ ] , FLAG_MOD_DELETE , " isDeleted " )
msg [ " distinguishedName " ] = MessageElement ( [ newdn ] , FLAG_MOD_REPLACE , " distinguishedName " )
res = self . ldb_user . modify ( msg , [ " show_recycled:1 " ] )
def undelete_deleted_with_mod ( self , olddn , newdn ) :
msg = Message ( )
msg . dn = Dn ( ldb , olddn )
msg [ " isDeleted " ] = MessageElement ( [ ] , FLAG_MOD_DELETE , " isDeleted " )
msg [ " distinguishedName " ] = MessageElement ( [ newdn ] , FLAG_MOD_REPLACE , " distinguishedName " )
msg [ " url " ] = MessageElement ( [ " www.samba.org " ] , FLAG_MOD_REPLACE , " url " )
res = self . ldb_user . modify ( msg , [ " show_deleted:1 " ] )
def test_undelete ( self ) :
# it appears the user has to have LC on the old parent to be able to move the object
# otherwise we get no such object. Since only System can modify the SD on deleted object
# we cannot grant this permission via LDAP, and this leaves us with "negative" tests at the moment
# deny write property on rdn, should fail
mod = " (OD;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( self . sid )
self . sd_utils . dacl_add_ace ( self . deleted_dn1 , mod )
try :
self . undelete_deleted ( self . deleted_dn1 , self . testuser1_dn )
self . fail ( )
2018-02-23 17:34:23 +03:00
except LdbError as e35 :
( num , _ ) = e35 . args
2014-11-04 21:08:58 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
# seems that permissions on isDeleted and distinguishedName are irrelevant
mod = " (OD;;WP;bf96798f-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( self . sid )
self . sd_utils . dacl_add_ace ( self . deleted_dn2 , mod )
mod = " (OD;;WP;bf9679e4-0de6-11d0-a285-00aa003049e2;; %s ) " % str ( self . sid )
self . sd_utils . dacl_add_ace ( self . deleted_dn2 , mod )
self . undelete_deleted ( self . deleted_dn2 , self . testuser2_dn )
# attempt undelete with simultanious addition of url, WP to which is denied
mod = " (OD;;WP;9a9a0221-4a5b-11d1-a9c3-0000f80367c1;; %s ) " % str ( self . sid )
self . sd_utils . dacl_add_ace ( self . deleted_dn3 , mod )
try :
self . undelete_deleted_with_mod ( self . deleted_dn3 , self . testuser3_dn )
self . fail ( )
2018-02-23 17:34:23 +03:00
except LdbError as e36 :
( num , _ ) = e36 . args
2014-11-04 21:08:58 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
# undelete in an ou, in which we have no right to create children
mod = " (D;;CC;;; %s ) " % str ( self . sid )
self . sd_utils . dacl_add_ace ( self . ou1 + self . base_dn , mod )
try :
self . undelete_deleted ( self . deleted_dn4 , self . new_dn_ou )
self . fail ( )
2018-02-23 17:34:23 +03:00
except LdbError as e37 :
( num , _ ) = e37 . args
2014-11-04 21:08:58 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
# delete is not required
mod = " (D;;SD;;; %s ) " % str ( self . sid )
self . sd_utils . dacl_add_ace ( self . deleted_dn5 , mod )
self . undelete_deleted ( self . deleted_dn5 , self . testuser5_dn )
# deny Reanimate-Tombstone, should fail
mod = " (OD;;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;; %s ) " % str ( self . sid )
self . sd_utils . dacl_add_ace ( self . base_dn , mod )
try :
self . undelete_deleted ( self . deleted_dn4 , self . testuser4_dn )
self . fail ( )
2018-02-23 17:34:23 +03:00
except LdbError as e38 :
( num , _ ) = e38 . args
2014-11-04 21:08:58 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
2011-01-06 16:39:46 +03:00
2018-07-30 09:20:39 +03:00
2010-12-22 13:27:50 +03:00
class AclSPNTests ( AclTests ) :
def setUp ( self ) :
super ( AclSPNTests , self ) . setUp ( )
self . dcname = " TESTSRV8 "
self . rodcname = " TESTRODC8 "
self . computername = " testcomp8 "
self . test_user = " spn_test_user8 "
self . computerdn = " CN= %s ,CN=computers, %s " % ( self . computername , self . base_dn )
self . dc_dn = " CN= %s ,OU=Domain Controllers, %s " % ( self . dcname , self . base_dn )
self . site = " Default-First-Site-Name "
2018-06-25 08:21:00 +03:00
self . rodcctx = DCJoinContext ( server = host , creds = creds , lp = lp ,
site = self . site , netbios_name = self . rodcname ,
targetdir = None , domain = None )
self . dcctx = DCJoinContext ( server = host , creds = creds , lp = lp ,
site = self . site , netbios_name = self . dcname ,
targetdir = None , domain = None )
2010-12-22 13:27:50 +03:00
self . ldb_admin . newuser ( self . test_user , self . user_pass )
self . ldb_user1 = self . get_ldb_connection ( self . test_user , self . user_pass )
self . user_sid1 = self . sd_utils . get_object_sid ( self . get_user_dn ( self . test_user ) )
self . create_computer ( self . computername , self . dcctx . dnsdomain )
self . create_rodc ( self . rodcctx )
self . create_dc ( self . dcctx )
def tearDown ( self ) :
super ( AclSPNTests , self ) . tearDown ( )
self . rodcctx . cleanup_old_join ( )
self . dcctx . cleanup_old_join ( )
delete_force ( self . ldb_admin , " cn= %s ,cn=computers, %s " % ( self . computername , self . base_dn ) )
delete_force ( self . ldb_admin , self . get_user_dn ( self . test_user ) )
2018-01-08 03:24:25 +03:00
del self . ldb_user1
2010-12-22 13:27:50 +03:00
def replace_spn ( self , _ldb , dn , spn ) :
2018-03-09 16:57:01 +03:00
print ( " Setting spn %s on %s " % ( spn , dn ) )
2010-12-22 13:27:50 +03:00
res = self . ldb_admin . search ( dn , expression = " (objectClass=*) " ,
scope = SCOPE_BASE , attrs = [ " servicePrincipalName " ] )
if " servicePrincipalName " in res [ 0 ] . keys ( ) :
flag = FLAG_MOD_REPLACE
else :
flag = FLAG_MOD_ADD
msg = Message ( )
msg . dn = Dn ( self . ldb_admin , dn )
msg [ " servicePrincipalName " ] = MessageElement ( spn , flag ,
2018-07-30 09:15:34 +03:00
" servicePrincipalName " )
2010-12-22 13:27:50 +03:00
_ldb . modify ( msg )
def create_computer ( self , computername , domainname ) :
dn = " CN= %s ,CN=computers, %s " % ( computername , self . base_dn )
samaccountname = computername + " $ "
dnshostname = " %s . %s " % ( computername , domainname )
self . ldb_admin . add ( {
" dn " : dn ,
" objectclass " : " computer " ,
" sAMAccountName " : samaccountname ,
" userAccountControl " : str ( samba . dsdb . UF_WORKSTATION_TRUST_ACCOUNT ) ,
" dNSHostName " : dnshostname } )
# same as for join_RODC, but do not set any SPNs
def create_rodc ( self , ctx ) :
2018-07-30 09:17:02 +03:00
ctx . nc_list = [ ctx . base_dn , ctx . config_dn , ctx . schema_dn ]
ctx . full_nc_list = [ ctx . base_dn , ctx . config_dn , ctx . schema_dn ]
2018-07-30 09:13:57 +03:00
ctx . krbtgt_dn = " CN=krbtgt_ %s ,CN=Users, %s " % ( ctx . myname , ctx . base_dn )
2018-07-30 09:16:43 +03:00
ctx . never_reveal_sid = [ " <SID= %s - %s > " % ( ctx . domsid , security . DOMAIN_RID_RODC_DENY ) ,
2018-07-30 09:13:57 +03:00
" <SID= %s > " % security . SID_BUILTIN_ADMINISTRATORS ,
" <SID= %s > " % security . SID_BUILTIN_SERVER_OPERATORS ,
" <SID= %s > " % security . SID_BUILTIN_BACKUP_OPERATORS ,
2018-07-30 09:17:02 +03:00
" <SID= %s > " % security . SID_BUILTIN_ACCOUNT_OPERATORS ]
2018-07-30 09:13:57 +03:00
ctx . reveal_sid = " <SID= %s - %s > " % ( ctx . domsid , security . DOMAIN_RID_RODC_ALLOW )
mysid = ctx . get_mysid ( )
admin_dn = " <SID= %s > " % mysid
ctx . managedby = admin_dn
ctx . userAccountControl = ( samba . dsdb . UF_WORKSTATION_TRUST_ACCOUNT |
2018-07-30 09:16:12 +03:00
samba . dsdb . UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION |
samba . dsdb . UF_PARTIAL_SECRETS_ACCOUNT )
2018-07-30 09:13:57 +03:00
ctx . connection_dn = " CN=RODC Connection (FRS), %s " % ctx . ntds_dn
ctx . secure_channel_type = misc . SEC_CHAN_RODC
ctx . RODC = True
2018-07-30 09:17:44 +03:00
ctx . replica_flags = ( drsuapi . DRSUAPI_DRS_INIT_SYNC |
drsuapi . DRSUAPI_DRS_PER_SYNC |
drsuapi . DRSUAPI_DRS_GET_ANC |
drsuapi . DRSUAPI_DRS_NEVER_SYNCED |
drsuapi . DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING )
2018-07-30 09:13:57 +03:00
ctx . join_add_objects ( )
2010-12-22 13:27:50 +03:00
def create_dc ( self , ctx ) :
2018-07-30 09:17:02 +03:00
ctx . nc_list = [ ctx . base_dn , ctx . config_dn , ctx . schema_dn ]
ctx . full_nc_list = [ ctx . base_dn , ctx . config_dn , ctx . schema_dn ]
2010-12-22 13:27:50 +03:00
ctx . userAccountControl = samba . dsdb . UF_SERVER_TRUST_ACCOUNT | samba . dsdb . UF_TRUSTED_FOR_DELEGATION
ctx . secure_channel_type = misc . SEC_CHAN_BDC
ctx . replica_flags = ( drsuapi . DRSUAPI_DRS_WRIT_REP |
drsuapi . DRSUAPI_DRS_INIT_SYNC |
drsuapi . DRSUAPI_DRS_PER_SYNC |
drsuapi . DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS |
drsuapi . DRSUAPI_DRS_NEVER_SYNCED )
ctx . join_add_objects ( )
def dc_spn_test ( self , ctx ) :
netbiosdomain = self . dcctx . get_domain_name ( )
try :
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " HOST/ %s / %s " % ( ctx . myname , netbiosdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e39 :
( num , _ ) = e39 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
mod = " (OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;; %s ) " % str ( self . user_sid1 )
self . sd_utils . dacl_add_ace ( ctx . acct_dn , mod )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " HOST/ %s / %s " % ( ctx . myname , netbiosdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " HOST/ %s " % ( ctx . myname ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " HOST/ %s . %s / %s " %
( ctx . myname , ctx . dnsdomain , netbiosdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " HOST/ %s / %s " % ( ctx . myname , ctx . dnsdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " HOST/ %s . %s / %s " %
( ctx . myname , ctx . dnsdomain , ctx . dnsdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " GC/ %s . %s / %s " %
2011-08-22 11:43:56 +04:00
( ctx . myname , ctx . dnsdomain , ctx . dnsforest ) )
2010-12-22 13:27:50 +03:00
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " ldap/ %s / %s " % ( ctx . myname , netbiosdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " ldap/ %s . %s / %s " %
( ctx . myname , ctx . dnsdomain , netbiosdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " ldap/ %s " % ( ctx . myname ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " ldap/ %s / %s " % ( ctx . myname , ctx . dnsdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " ldap/ %s . %s / %s " %
( ctx . myname , ctx . dnsdomain , ctx . dnsdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " DNS/ %s / %s " % ( ctx . myname , ctx . dnsdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " RestrictedKrbHost/ %s / %s " %
( ctx . myname , ctx . dnsdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " RestrictedKrbHost/ %s " %
( ctx . myname ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ %s / %s " %
( ctx . myname , ctx . dnsdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ %s / %s " %
( ctx . myname , ctx . dnsdomain ) )
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " ldap/ %s ._msdcs. %s " %
( ctx . ntds_guid , ctx . dnsdomain ) )
2018-07-30 09:19:49 +03:00
# the following spns do not match the restrictions and should fail
2010-12-22 13:27:50 +03:00
try :
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " ldap/ %s . %s /ForestDnsZones. %s " %
( ctx . myname , ctx . dnsdomain , ctx . dnsdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e40 :
( num , _ ) = e40 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
try :
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " ldap/ %s . %s /DomainDnsZones. %s " %
( ctx . myname , ctx . dnsdomain , ctx . dnsdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e41 :
( num , _ ) = e41 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
try :
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " nosuchservice/ %s / %s " % ( " abcd " , " abcd " ) )
2018-02-23 17:34:23 +03:00
except LdbError as e42 :
( num , _ ) = e42 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
try :
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " GC/ %s . %s / %s " %
( ctx . myname , ctx . dnsdomain , netbiosdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e43 :
( num , _ ) = e43 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
try :
self . replace_spn ( self . ldb_user1 , ctx . acct_dn , " E3514235-4B06-11D1-AB04-00C04FC2DCD2/ %s / %s " %
( ctx . ntds_guid , ctx . dnsdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e44 :
( num , _ ) = e44 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
def test_computer_spn ( self ) :
# with WP, any value can be set
netbiosdomain = self . dcctx . get_domain_name ( )
self . replace_spn ( self . ldb_admin , self . computerdn , " HOST/ %s / %s " %
( self . computername , netbiosdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " HOST/ %s " % ( self . computername ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " HOST/ %s . %s / %s " %
( self . computername , self . dcctx . dnsdomain , netbiosdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " HOST/ %s / %s " %
( self . computername , self . dcctx . dnsdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " HOST/ %s . %s / %s " %
( self . computername , self . dcctx . dnsdomain , self . dcctx . dnsdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " GC/ %s . %s / %s " %
2011-08-22 11:43:56 +04:00
( self . computername , self . dcctx . dnsdomain , self . dcctx . dnsforest ) )
2010-12-22 13:27:50 +03:00
self . replace_spn ( self . ldb_admin , self . computerdn , " ldap/ %s / %s " % ( self . computername , netbiosdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " ldap/ %s . %s /ForestDnsZones. %s " %
( self . computername , self . dcctx . dnsdomain , self . dcctx . dnsdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " ldap/ %s . %s /DomainDnsZones. %s " %
( self . computername , self . dcctx . dnsdomain , self . dcctx . dnsdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " ldap/ %s . %s / %s " %
( self . computername , self . dcctx . dnsdomain , netbiosdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " ldap/ %s " % ( self . computername ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " ldap/ %s / %s " %
( self . computername , self . dcctx . dnsdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " ldap/ %s . %s / %s " %
( self . computername , self . dcctx . dnsdomain , self . dcctx . dnsdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " DNS/ %s / %s " %
( self . computername , self . dcctx . dnsdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " RestrictedKrbHost/ %s / %s " %
( self . computername , self . dcctx . dnsdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " RestrictedKrbHost/ %s " %
( self . computername ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ %s / %s " %
( self . computername , self . dcctx . dnsdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ %s / %s " %
( self . computername , self . dcctx . dnsdomain ) )
self . replace_spn ( self . ldb_admin , self . computerdn , " nosuchservice/ %s / %s " % ( " abcd " , " abcd " ) )
2018-07-30 09:19:49 +03:00
# user has neither WP nor Validated-SPN, access denied expected
2010-12-22 13:27:50 +03:00
try :
self . replace_spn ( self . ldb_user1 , self . computerdn , " HOST/ %s / %s " % ( self . computername , netbiosdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e45 :
( num , _ ) = e45 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_INSUFFICIENT_ACCESS_RIGHTS )
mod = " (OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;; %s ) " % str ( self . user_sid1 )
self . sd_utils . dacl_add_ace ( self . computerdn , mod )
2018-07-30 09:19:49 +03:00
# grant Validated-SPN and check which values are accepted
# see 3.1.1.5.3.1.1.4 servicePrincipalName for reference
2010-12-22 13:27:50 +03:00
# for regular computer objects we shouldalways get constraint violation
# This does not pass against Windows, although it should according to docs
self . replace_spn ( self . ldb_user1 , self . computerdn , " HOST/ %s " % ( self . computername ) )
self . replace_spn ( self . ldb_user1 , self . computerdn , " HOST/ %s . %s " %
2018-07-30 09:15:34 +03:00
( self . computername , self . dcctx . dnsdomain ) )
2010-12-22 13:27:50 +03:00
try :
self . replace_spn ( self . ldb_user1 , self . computerdn , " HOST/ %s / %s " % ( self . computername , netbiosdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e46 :
( num , _ ) = e46 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
try :
self . replace_spn ( self . ldb_user1 , self . computerdn , " HOST/ %s . %s / %s " %
( self . computername , self . dcctx . dnsdomain , netbiosdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e47 :
( num , _ ) = e47 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
try :
self . replace_spn ( self . ldb_user1 , self . computerdn , " HOST/ %s / %s " %
( self . computername , self . dcctx . dnsdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e48 :
( num , _ ) = e48 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
try :
self . replace_spn ( self . ldb_user1 , self . computerdn , " HOST/ %s . %s / %s " %
( self . computername , self . dcctx . dnsdomain , self . dcctx . dnsdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e49 :
( num , _ ) = e49 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
try :
self . replace_spn ( self . ldb_user1 , self . computerdn , " GC/ %s . %s / %s " %
2011-08-22 11:43:56 +04:00
( self . computername , self . dcctx . dnsdomain , self . dcctx . dnsforest ) )
2018-02-23 17:34:23 +03:00
except LdbError as e50 :
( num , _ ) = e50 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
try :
self . replace_spn ( self . ldb_user1 , self . computerdn , " ldap/ %s / %s " % ( self . computername , netbiosdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e51 :
( num , _ ) = e51 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
try :
self . replace_spn ( self . ldb_user1 , self . computerdn , " ldap/ %s . %s /ForestDnsZones. %s " %
( self . computername , self . dcctx . dnsdomain , self . dcctx . dnsdomain ) )
2018-02-23 17:34:23 +03:00
except LdbError as e52 :
( num , _ ) = e52 . args
2010-12-22 13:27:50 +03:00
self . assertEquals ( num , ERR_CONSTRAINT_VIOLATION )
def test_spn_rwdc ( self ) :
self . dc_spn_test ( self . dcctx )
def test_spn_rodc ( self ) :
self . dc_spn_test ( self . rodcctx )
2009-11-05 18:40:54 +03:00
# Important unit running information
2010-12-22 13:27:50 +03:00
ldb = SamDB ( ldaphost , credentials = creds , session_info = system_session ( lp ) , lp = lp )
2009-11-05 18:40:54 +03:00
2014-11-02 20:44:05 +03:00
TestProgram ( module = __name__ , opts = subunitopts )