[SCM] Samba Shared Repository - branch master updated
Nadezhda Ivanova
nivanova at samba.org
Fri Dec 10 03:04:02 MST 2010
The branch, master has been updated
via b285d03 s4-tests: Modified sec_descriptor.py to use the sd_utils helpers.
via c9264bb s4-tests: Modified acl.py to use the sd_utils helpers.
via c5480e6 s4-tests: Moved some commonly redefined security descriptor methods to a utils class
from 378295c build: detect if conf.env['CPP'] is an array or not
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b285d0304a58fbacb9fcaa8359271bcd717c16f7
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Fri Dec 10 10:31:58 2010 +0200
s4-tests: Modified sec_descriptor.py to use the sd_utils helpers.
Autobuild-User: Nadezhda Ivanova <nivanova at samba.org>
Autobuild-Date: Fri Dec 10 11:03:28 CET 2010 on sn-devel-104
commit c9264bb04e58c7549e4f21bddae731e9b9dffa38
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Fri Dec 10 10:31:19 2010 +0200
s4-tests: Modified acl.py to use the sd_utils helpers.
commit c5480e659e270852a3e099eb3fafbae19bbb8988
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Fri Dec 10 10:29:14 2010 +0200
s4-tests: Moved some commonly redefined security descriptor methods to a utils class
These methods are used in more than one testsuite now so they are now in a utility class instead of being defined everywhere.
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/tests/python/acl.py | 213 ++++++---------
source4/dsdb/tests/python/sec_descriptor.py | 379 ++++++++++++---------------
source4/scripting/python/samba/sd_utils.py | 79 ++++++
3 files changed, 336 insertions(+), 335 deletions(-)
create mode 100644 source4/scripting/python/samba/sd_utils.py
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index c540e7e..d336fa9 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -25,7 +25,7 @@ from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import security
from samba.auth import system_session
-from samba import gensec
+from samba import gensec, sd_utils
from samba.samdb import SamDB
from samba.credentials import Credentials
import samba.tests
@@ -66,32 +66,12 @@ class AclTests(samba.tests.TestCase):
self.domain_sid = security.dom_sid(ldb.get_domain_sid())
self.user_pass = "samba123@"
self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
+ self.sd_utils = sd_utils.SDUtils(ldb)
print "baseDN: %s" % self.base_dn
def get_user_dn(self, name):
return "CN=%s,CN=Users,%s" % (name, self.base_dn)
- def modify_desc(self, object_dn, desc):
- """ Modify security descriptor using either SDDL string
- or security.descriptor object
- """
- assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
- mod = """
-dn: """ + object_dn + """
-changetype: modify
-replace: nTSecurityDescriptor
-"""
- if isinstance(desc, str):
- mod += "nTSecurityDescriptor: %s" % desc
- elif isinstance(desc, security.descriptor):
- mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- self.ldb_admin.modify_ldif(mod)
-
- def read_desc(self, object_dn):
- res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, ["nTSecurityDescriptor"])
- desc = res[0]["nTSecurityDescriptor"][0]
- return ndr_unpack(security.descriptor, desc)
-
def get_ldb_connection(self, target_username, target_password):
creds_tmp = Credentials()
creds_tmp.set_username(target_username)
@@ -104,27 +84,6 @@ replace: nTSecurityDescriptor
ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
return ldb_target
- def get_object_sid(self, object_dn):
- res = self.ldb_admin.search(object_dn)
- return ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
-
- def dacl_add_ace(self, object_dn, ace):
- desc = self.read_desc(object_dn)
- desc_sddl = desc.as_sddl(self.domain_sid)
- if ace in desc_sddl:
- return
- if desc_sddl.find("(") >= 0:
- desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
- else:
- desc_sddl = desc_sddl + ace
- self.modify_desc(object_dn, desc_sddl)
-
- def get_desc_sddl(self, object_dn):
- """ Return object nTSecutiryDescriptor in SDDL format
- """
- desc = self.read_desc(object_dn)
- return desc.as_sddl(self.domain_sid)
-
# Test if we have any additional groups for users than default ones
def assert_user_no_group_member(self, username):
res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % self.get_user_dn(username))
@@ -189,9 +148,9 @@ class AclAddTests(AclTests):
# Change descriptor for top level OU
self.ldb_owner.create_ou("OU=test_add_ou1," + self.base_dn)
self.ldb_owner.create_ou("OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- user_sid = self.get_object_sid(self.get_user_dn(self.usr_admin_not_owner))
+ user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.usr_admin_not_owner))
mod = "(D;CI;WPCC;;;%s)" % str(user_sid)
- self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
# Test user and group creation with another domain admin's credentials
self.ldb_notowner.newuser(self.test_user1, self.user_pass, userou=self.ou2)
self.ldb_notowner.newgroup("test_add_group1", groupou="OU=test_add_ou2,OU=test_add_ou1",
@@ -230,9 +189,9 @@ class AclAddTests(AclTests):
self.assert_top_ou_deleted()
# Change descriptor for top level OU
self.ldb_owner.create_ou("OU=test_add_ou1," + self.base_dn)
- user_sid = self.get_object_sid(self.get_user_dn(self.regular_user))
+ user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
self.ldb_owner.create_ou("OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
# Test user and group creation with granted user only to one of the objects
self.ldb_user.newuser(self.test_user1, self.user_pass, userou=self.ou2, setpassword=False)
@@ -284,7 +243,7 @@ class AclModifyTests(AclTests):
self.ldb_user = self.get_ldb_connection(self.user_with_wp, self.user_pass)
self.ldb_user2 = self.get_ldb_connection(self.user_with_sm, self.user_pass)
self.ldb_user3 = self.get_ldb_connection(self.user_with_group_sm, self.user_pass)
- self.user_sid = self.get_object_sid( self.get_user_dn(self.user_with_wp))
+ self.user_sid = self.sd_utils.get_object_sid( self.get_user_dn(self.user_with_wp))
self.ldb_admin.newgroup("test_modify_group2", grouptype=4)
self.ldb_admin.newgroup("test_modify_group3", grouptype=4)
self.ldb_admin.newuser("test_modify_user2", self.user_pass)
@@ -307,7 +266,7 @@ class AclModifyTests(AclTests):
# First test object -- User
print "Testing modify on User object"
self.ldb_admin.newuser("test_modify_user1", self.user_pass)
- self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
+ self.sd_utils.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
ldif = """
dn: """ + self.get_user_dn("test_modify_user1") + """
changetype: modify
@@ -320,7 +279,7 @@ displayName: test_changed"""
# Second test object -- Group
print "Testing modify on Group object"
self.ldb_admin.newgroup("test_modify_group1", grouptype=4)
- self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
ldif = """
dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
changetype: modify
@@ -333,7 +292,7 @@ displayName: test_changed"""
print "Testing modify on OU object"
#delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
self.ldb_admin.create_ou("OU=test_modify_ou1," + self.base_dn)
- self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
ldif = """
dn: OU=test_modify_ou1,""" + self.base_dn + """
changetype: modify
@@ -350,7 +309,7 @@ displayName: test_changed"""
print "Testing modify on User object"
#delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
self.ldb_admin.newuser("test_modify_user1", self.user_pass)
- self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
+ self.sd_utils.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
# Modify on attribute you have rights for
ldif = """
dn: """ + self.get_user_dn("test_modify_user1") + """
@@ -378,7 +337,7 @@ url: www.samba.org"""
# Second test object -- Group
print "Testing modify on Group object"
self.ldb_admin.newgroup("test_modify_group1", grouptype=4)
- self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
ldif = """
dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
changetype: modify
@@ -405,7 +364,7 @@ url: www.samba.org"""
# Second test object -- Organizational Unit
print "Testing modify on OU object"
self.ldb_admin.create_ou("OU=test_modify_ou1," + self.base_dn)
- self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
ldif = """
dn: OU=test_modify_ou1,""" + self.base_dn + """
changetype: modify
@@ -501,7 +460,7 @@ adminDescription: blah blah blah"""
self.fail()
mod = "(OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS)"
- self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ self.sd_utils.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
# Modify on attribute you have rights for
self.ldb_user.modify_ldif(ldif)
res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" \
@@ -525,9 +484,9 @@ Member: """ + self.get_user_dn(self.user_with_sm)
self.fail()
#grant self-membership, should be able to add himself
- user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm))
+ user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.user_with_sm))
mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod)
self.ldb_user2.modify_ldif(ldif)
res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
% ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"])
@@ -555,9 +514,9 @@ Member: """ + self.get_user_dn(self.user_with_sm) + """
Member: CN=test_modify_user2,CN=Users,""" + self.base_dn
#grant self-membership, should be able to add himself but not others at the same time
- user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm))
+ user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.user_with_sm))
mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
- self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod)
try:
self.ldb_user2.modify_ldif(ldif)
except LdbError, (num, _):
@@ -568,9 +527,9 @@ Member: CN=test_modify_user2,CN=Users,""" + self.base_dn
def test_modify_u7(self):
"""13 User with WP modifying Member"""
#a second user is given write property permission
- user_sid = self.get_object_sid(self.get_user_dn(self.user_with_wp))
+ user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.user_with_wp))
mod = "(A;;WP;;;%s)" % str(user_sid)
- self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod)
ldif = """
dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """
changetype: modify
@@ -625,8 +584,8 @@ class AclSearchTests(AclTests):
Dn(self.ldb_admin, "OU=ou4,OU=ou2,OU=ou1," + self.base_dn),
Dn(self.ldb_admin, "OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn),
Dn(self.ldb_admin, "OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn)]
- self.user_sid = self.get_object_sid(self.get_user_dn(self.u1))
- self.group_sid = self.get_object_sid(self.get_user_dn(self.group1))
+ self.user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.u1))
+ self.group_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.group1))
def create_clean_ou(self, object_dn):
""" Base repeating setup for unittests to follow """
@@ -635,7 +594,7 @@ class AclSearchTests(AclTests):
# Make sure top testing OU has been deleted before starting the test
self.assertEqual(res, [])
self.ldb_admin.create_ou(object_dn)
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
# Make sure there are inheritable ACEs initially
self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
# Find and remove all inherit ACEs
@@ -647,9 +606,9 @@ class AclSearchTests(AclTests):
# can propagate from above
# remove SACL, we are not interested
desc_sddl = desc_sddl.replace(":AI", ":AIP")
- self.modify_desc(object_dn, desc_sddl)
+ self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
# Verify all inheritable ACEs are gone
- desc_sddl = self.get_desc_sddl(object_dn)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
self.assertFalse("CI" in desc_sddl)
self.assertFalse("OI" in desc_sddl)
@@ -712,7 +671,7 @@ class AclSearchTests(AclTests):
self.ldb_admin.set_dsheuristics("0000002")
self.ldb_admin.create_ou("OU=test_search_ou1," + self.base_dn)
mod = "(A;CI;LC;;;AN)"
- self.dacl_add_ace("OU=test_search_ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=test_search_ou1," + self.base_dn, mod)
self.ldb_admin.create_ou("OU=test_search_ou2,OU=test_search_ou1," + self.base_dn)
anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
res = anonymous.search("OU=test_search_ou2,OU=test_search_ou1," + self.base_dn,
@@ -731,7 +690,7 @@ class AclSearchTests(AclTests):
"""Make sure users can see us if given LC to user and group"""
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;;LC;;;%s)(A;;LC;;;%s)" % (str(self.user_sid), str(self.group_sid))
- self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
@@ -772,7 +731,7 @@ class AclSearchTests(AclTests):
self.ldb_admin.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn)
self.ldb_admin.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn)
mod = "(D;;LC;;;%s)(D;;LC;;;%s)" % (str(self.user_sid), str(self.group_sid))
- self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod)
res = self.ldb_user3.search("OU=ou1," + self.base_dn, expression="(objectClass=*)",
scope=SCOPE_SUBTREE)
#this user should see all ous
@@ -799,7 +758,7 @@ class AclSearchTests(AclTests):
"""Make sure users can't see ous if access is explicitly denied - 2"""
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;CI;LC;;;%s)(A;CI;LC;;;%s)" % (str(self.user_sid), str(self.group_sid))
- self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
@@ -818,7 +777,7 @@ class AclSearchTests(AclTests):
self.fail()
mod = "(D;;LC;;;%s)(D;;LC;;;%s)" % (str(self.user_sid), str(self.group_sid))
- self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod)
ok_list = [Dn(self.ldb_admin, "OU=ou2,OU=ou1," + self.base_dn),
Dn(self.ldb_admin, "OU=ou1," + self.base_dn)]
@@ -850,7 +809,7 @@ class AclSearchTests(AclTests):
"""There is no difference in visibility if the user is also creator"""
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;CI;CC;;;%s)" % (str(self.user_sid))
- self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
self.ldb_user.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
@@ -877,7 +836,7 @@ class AclSearchTests(AclTests):
"""Make sure users can see only attributes they are allowed to see"""
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;CI;LC;;;%s)" % (str(self.user_sid))
- self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
@@ -898,8 +857,8 @@ class AclSearchTests(AclTests):
#give read property on ou and assert user can only see dn and ou
mod = "(OA;;RP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % (str(self.user_sid))
- self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
- self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod)
res = self.ldb_user.search("OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)",
scope=SCOPE_SUBTREE)
ok_list = ['dn', 'ou']
@@ -909,8 +868,8 @@ class AclSearchTests(AclTests):
#give read property on Public Information and assert user can see ou and other members
mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;%s)" % (str(self.user_sid))
- self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
- self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod)
res = self.ldb_user.search("OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)",
scope=SCOPE_SUBTREE)
@@ -922,7 +881,7 @@ class AclSearchTests(AclTests):
"""If an attribute that cannot be read is used in a filter, it is as if the attribute does not exist"""
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;CI;LCCC;;;%s)" % (str(self.user_sid))
- self.dacl_add_ace("OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc)
@@ -935,7 +894,7 @@ class AclSearchTests(AclTests):
#give read property on ou and assert user can only see dn and ou
mod = "(OA;;RP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % (str(self.user_sid))
- self.dacl_add_ace("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, mod)
res = self.ldb_user.search("OU=ou1," + self.base_dn, expression="(ou=ou3)",
scope=SCOPE_SUBTREE)
self.assertEquals(len(res), 1)
@@ -945,7 +904,7 @@ class AclSearchTests(AclTests):
#give read property on Public Information and assert user can see ou and other members
mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;%s)" % (str(self.user_sid))
- self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod)
+ self.sd_utils.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod)
res = self.ldb_user.search("OU=ou1," + self.base_dn, expression="(ou=ou2)",
scope=SCOPE_SUBTREE)
self.assertEquals(len(res), 1)
@@ -986,7 +945,7 @@ class AclDeleteTests(AclTests):
# Create user that we try to delete
self.ldb_admin.newuser("test_delete_user1", self.user_pass)
mod = "(A;;SD;;;AU)"
- self.dacl_add_ace(user_dn, mod)
+ self.sd_utils.dacl_add_ace(user_dn, mod)
# Try to delete User object
self.ldb_user.delete(user_dn)
res = self.ldb_admin.search(self.base_dn,
@@ -998,8 +957,8 @@ class AclDeleteTests(AclTests):
user_dn = self.get_user_dn("test_delete_user1")
# Create user that we try to delete
self.ldb_admin.newuser("test_delete_user1", self.user_pass)
- mod = "(A;;SD;;;%s)" % self.get_object_sid(self.get_user_dn(self.regular_user))
- self.dacl_add_ace(user_dn, mod)
+ mod = "(A;;SD;;;%s)" % self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
+ self.sd_utils.dacl_add_ace(user_dn, mod)
# Try to delete User object
self.ldb_user.delete(user_dn)
res = self.ldb_admin.search(self.base_dn,
@@ -1066,7 +1025,7 @@ class AclRenameTests(AclTests):
self.ldb_admin.create_ou(ou_dn)
self.ldb_admin.newuser(self.testuser1, self.user_pass, userou=self.ou1)
mod = "(A;;WP;;;AU)"
- self.dacl_add_ace(user_dn, mod)
+ self.sd_utils.dacl_add_ace(user_dn, mod)
# Rename 'User object' having WP to AU
self.ldb_user.rename(user_dn, rename_user_dn)
res = self.ldb_admin.search(self.base_dn,
@@ -1084,9 +1043,9 @@ class AclRenameTests(AclTests):
# Create OU structure
self.ldb_admin.create_ou(ou_dn)
self.ldb_admin.newuser(self.testuser1, self.user_pass, userou=self.ou1)
- sid = self.get_object_sid(self.get_user_dn(self.regular_user))
+ sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
mod = "(A;;WP;;;%s)" % str(sid)
- self.dacl_add_ace(user_dn, mod)
+ self.sd_utils.dacl_add_ace(user_dn, mod)
# Rename 'User object' having WP to AU
self.ldb_user.rename(user_dn, rename_user_dn)
res = self.ldb_admin.search(self.base_dn,
@@ -1107,9 +1066,9 @@ class AclRenameTests(AclTests):
self.ldb_admin.create_ou(ou2_dn)
self.ldb_admin.newuser(self.testuser2, self.user_pass, userou=self.ou1)
mod = "(A;;WPSD;;;AU)"
- self.dacl_add_ace(user_dn, mod)
+ self.sd_utils.dacl_add_ace(user_dn, mod)
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(ou2_dn, mod)
+ self.sd_utils.dacl_add_ace(ou2_dn, mod)
# Rename 'User object' having SD and CC to AU
self.ldb_user.rename(user_dn, rename_user_dn)
res = self.ldb_admin.search(self.base_dn,
@@ -1129,11 +1088,11 @@ class AclRenameTests(AclTests):
self.ldb_admin.create_ou(ou1_dn)
self.ldb_admin.create_ou(ou2_dn)
self.ldb_admin.newuser(self.testuser2, self.user_pass, userou=self.ou1)
- sid = self.get_object_sid(self.get_user_dn(self.regular_user))
+ sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
mod = "(A;;WPSD;;;%s)" % str(sid)
- self.dacl_add_ace(user_dn, mod)
+ self.sd_utils.dacl_add_ace(user_dn, mod)
mod = "(A;;CC;;;%s)" % str(sid)
- self.dacl_add_ace(ou2_dn, mod)
+ self.sd_utils.dacl_add_ace(ou2_dn, mod)
# Rename 'User object' having SD and CC to AU
self.ldb_user.rename(user_dn, rename_user_dn)
res = self.ldb_admin.search(self.base_dn,
@@ -1154,12 +1113,12 @@ class AclRenameTests(AclTests):
self.ldb_admin.create_ou(ou2_dn)
#mod = "(A;CI;DCWP;;;AU)"
mod = "(A;;DC;;;AU)"
- self.dacl_add_ace(ou1_dn, mod)
+ self.sd_utils.dacl_add_ace(ou1_dn, mod)
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(ou2_dn, mod)
+ self.sd_utils.dacl_add_ace(ou2_dn, mod)
self.ldb_admin.newuser(self.testuser2, self.user_pass, userou=self.ou1)
mod = "(A;;WP;;;AU)"
- self.dacl_add_ace(user_dn, mod)
+ self.sd_utils.dacl_add_ace(user_dn, mod)
# Rename 'User object' having SD and CC to AU
self.ldb_user.rename(user_dn, rename_user_dn)
res = self.ldb_admin.search(self.base_dn,
@@ -1181,9 +1140,9 @@ class AclRenameTests(AclTests):
self.ldb_admin.create_ou(ou2_dn)
self.ldb_admin.create_ou(ou3_dn)
mod = "(A;CI;WPDC;;;AU)"
- self.dacl_add_ace(ou1_dn, mod)
+ self.sd_utils.dacl_add_ace(ou1_dn, mod)
mod = "(A;;CC;;;AU)"
- self.dacl_add_ace(ou3_dn, mod)
+ self.sd_utils.dacl_add_ace(ou3_dn, mod)
self.ldb_admin.newuser(self.testuser2, self.user_pass, userou=self.ou1)
# Rename 'User object' having SD and CC to AU
self.ldb_user.rename(user_dn, rename_user_dn)
@@ -1202,11 +1161,11 @@ class AclRenameTests(AclTests):
# Create OU structure
self.ldb_admin.create_ou(ou1_dn)
self.ldb_admin.create_ou(ou2_dn)
- sid = self.get_object_sid(self.get_user_dn(self.regular_user))
+ sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
mod = "(OA;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid)
- self.dacl_add_ace(ou2_dn, mod)
+ self.sd_utils.dacl_add_ace(ou2_dn, mod)
mod = "(OD;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid)
- self.dacl_add_ace(ou2_dn, mod)
+ self.sd_utils.dacl_add_ace(ou2_dn, mod)
try:
self.ldb_user.rename(ou2_dn, ou3_dn)
except LdbError, (num, _):
@@ -1214,9 +1173,9 @@ class AclRenameTests(AclTests):
else:
# This rename operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self.fail()
- sid = self.get_object_sid(self.get_user_dn(self.regular_user))
+ sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
mod = "(A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid)
- self.dacl_add_ace(ou2_dn, mod)
+ self.sd_utils.dacl_add_ace(ou2_dn, mod)
self.ldb_user.rename(ou2_dn, ou3_dn)
res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou2_dn)
self.assertEqual(res, [])
@@ -1243,11 +1202,11 @@ class AclCARTests(AclTests):
def test_change_password1(self):
"""Try a password change operation without any CARs given"""
#users have change password by default - remove for negative testing
- desc = self.read_desc(self.get_user_dn(self.user_with_wp))
+ desc = self.sd_utils.read_sd_on_dn(self.get_user_dn(self.user_with_wp))
sddl = desc.as_sddl(self.domain_sid)
sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)", "")
sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)", "")
- self.modify_desc(self.get_user_dn(self.user_with_wp), sddl)
+ self.sd_utils.modify_sd_on_dn(self.get_user_dn(self.user_with_wp), sddl)
try:
self.ldb_user.modify_ldif("""
dn: """ + self.get_user_dn(self.user_with_wp) + """
@@ -1265,14 +1224,14 @@ unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le'))
def test_change_password2(self):
"""Make sure WP has no influence"""
- desc = self.read_desc(self.get_user_dn(self.user_with_wp))
+ desc = self.sd_utils.read_sd_on_dn(self.get_user_dn(self.user_with_wp))
sddl = desc.as_sddl(self.domain_sid)
sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)", "")
sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)", "")
- self.modify_desc(self.get_user_dn(self.user_with_wp), sddl)
+ self.sd_utils.modify_sd_on_dn(self.get_user_dn(self.user_with_wp), sddl)
mod = "(A;;WP;;;PS)"
--
Samba Shared Repository
More information about the samba-cvs
mailing list