
dsdb/tests: add test_login_basics_simple()

This demonstrates that 'old password allowed period' also
applies to LDAP simple binds and not only to GSS-SPNEGO/NTLMSSP binds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3625d13815)
Stefan Metzmacher 2022-03-04 21:53:06 +01:00 committed by Jule Anger
parent 5095476605
commit 2472d44f9c
2 changed files with 20 additions and 7 deletions


@ -0,0 +1 @@
^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_simple


@ -56,17 +56,24 @@ class BasicUserAuthTests(BasePasswordTestCase):
session_info=system_session(self.lp), lp=self.lp) session_info=system_session(self.lp), lp=self.lp)
super(BasicUserAuthTests, self).setUp() super(BasicUserAuthTests, self).setUp()
def _test_login_basics(self, creds): def _test_login_basics(self, creds, simple=False):
username = creds.get_username() username = creds.get_username()
userpass = creds.get_password() userpass = creds.get_password()
userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
if creds.get_kerberos_state() == MUST_USE_KERBEROS: if creds.get_kerberos_state() == MUST_USE_KERBEROS:
logoncount_relation = 'greater' logoncount_relation = 'greater'
lastlogon_relation = 'greater' lastlogon_relation = 'greater'
ldap_url = self.host_url
print("Performs a lockout attempt against LDAP using Kerberos") print("Performs a lockout attempt against LDAP using Kerberos")
elif simple:
logoncount_relation = 'equal'
lastlogon_relation = 'equal'
ldap_url = self.host_url_ldaps
print("Performs a lockout attempt against LDAP using Simple")
else: else:
logoncount_relation = 'equal' logoncount_relation = 'equal'
lastlogon_relation = 'equal' lastlogon_relation = 'equal'
ldap_url = self.host_url
print("Performs a lockout attempt against LDAP using NTLM") print("Performs a lockout attempt against LDAP using NTLM")
# get the intial logon values for this user # get the intial logon values for this user
@ -88,7 +95,7 @@ class BasicUserAuthTests(BasePasswordTestCase):
# check logging in with the wrong password fails # check logging in with the wrong password fails
test_creds.set_password("thatsAcomplPASS1xBAD") test_creds.set_password("thatsAcomplPASS1xBAD")
self.assertLoginFailure(self.host_url, test_creds, self.lp) self.assertLoginFailure(ldap_url, test_creds, self.lp)
res = self._check_account(userdn, res = self._check_account(userdn,
badPwdCount=1, badPwdCount=1,
badPasswordTime=("greater", badPasswordTime), badPasswordTime=("greater", badPasswordTime),
@ -102,7 +109,7 @@ class BasicUserAuthTests(BasePasswordTestCase):
# check logging in with the correct password succeeds # check logging in with the correct password succeeds
test_creds.set_password(userpass) test_creds.set_password(userpass)
user_ldb = self.assertLoginSuccess(self.host_url, test_creds, self.lp) user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp)
res = self._check_account(userdn, res = self._check_account(userdn,
badPwdCount=0, badPwdCount=0,
badPasswordTime=badPasswordTime, badPasswordTime=badPasswordTime,
@ -133,7 +140,7 @@ userPassword: %s
# for Kerberos, logging in with the old password fails # for Kerberos, logging in with the old password fails
if creds.get_kerberos_state() == MUST_USE_KERBEROS: if creds.get_kerberos_state() == MUST_USE_KERBEROS:
self.assertLoginFailure(self.host_url, test_creds, self.lp) self.assertLoginFailure(ldap_url, test_creds, self.lp)
info_msg = 'Test Kerberos login with old password fails' info_msg = 'Test Kerberos login with old password fails'
expectBadPwdTime = ("greater", badPasswordTime) expectBadPwdTime = ("greater", badPasswordTime)
res = self._check_account(userdn, res = self._check_account(userdn,
@ -148,8 +155,11 @@ userPassword: %s
badPasswordTime = int(res[0]["badPasswordTime"][0]) badPasswordTime = int(res[0]["badPasswordTime"][0])
else: else:
# for NTLM, logging in with the old password succeeds # for NTLM, logging in with the old password succeeds
user_ldb = self.assertLoginSuccess(self.host_url, test_creds, self.lp) user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp)
info_msg = 'Test NTLM login with old password succeeds' if simple:
info_msg = 'Test simple-bind login with old password succeeds'
else:
info_msg = 'Test NTLM login with old password succeeds'
res = self._check_account(userdn, res = self._check_account(userdn,
badPwdCount=0, badPwdCount=0,
badPasswordTime=badPasswordTime, badPasswordTime=badPasswordTime,
@ -162,7 +172,7 @@ userPassword: %s
# check logging in with the new password succeeds # check logging in with the new password succeeds
test_creds.set_password(new_password) test_creds.set_password(new_password)
user_ldb = self.assertLoginSuccess(self.host_url, test_creds, self.lp) user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp)
res = self._check_account(userdn, res = self._check_account(userdn,
badPwdCount=0, badPwdCount=0,
badPasswordTime=badPasswordTime, badPasswordTime=badPasswordTime,
@ -179,5 +189,7 @@ userPassword: %s
def test_login_basics_ntlm(self): def test_login_basics_ntlm(self):
self._test_login_basics(self.lockout1ntlm_creds) self._test_login_basics(self.lockout1ntlm_creds)
def test_login_basics_simple(self):
self._test_login_basics(self.lockout1simple_creds, simple=True)
TestProgram(module=__name__, opts=subunitopts) TestProgram(module=__name__, opts=subunitopts)
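Review bot: The comment `# for NTLM, logging in with the old password succeeds` above the last `assertLoginSuccess(ldap_url, test_creds, self.lp)` in the `else:` branch is now stale, because with `simple=True` that branch also runs for LDAP simple binds; suggest `# for NTLM and simple binds, the old password is still accepted during the 'old password allowed period'`. The new `elif simple:` branch would also benefit from a why-comment on `ldap_url = self.host_url_ldaps`, for example `# simple bind sends the password itself, so use the LDAPS URL` (presumably the reason; confirm). When `creds` reports `MUST_USE_KERBEROS` the first branch wins and `simple` is silently ignored, which a one-line docstring on `_test_login_basics` could state. Only the accepting half of the window is visible in these hunks: nothing shown checks that the old password is rejected over a simple bind once the period has elapsed, and the body of `_test_login_basics` continues outside the hunks, so that may be covered elsewhere.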