[SCM] Samba Shared Repository - branch master updated
Nadezhda Ivanova
nivanova at samba.org
Thu Mar 4 06:24:25 MST 2010
The branch, master has been updated
via 8cb416a... Refactored ACL python tests
from 22d3169... s3:configure: add --enable-as-needed
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8cb416a0b569017e1928a7a1cead723ce64ca314
Author: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
Date: Thu Mar 4 15:22:30 2010 +0200
Refactored ACL python tests
Made each type into a separate class to be easily run individually,
removed code duplication
-----------------------------------------------------------------------
Summary of changes:
source4/lib/ldb/tests/python/acl.py | 697 +++++++++++++----------------------
1 files changed, 256 insertions(+), 441 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py
index 05c3510..083c7ae 100755
--- a/source4/lib/ldb/tests/python/acl.py
+++ b/source4/lib/ldb/tests/python/acl.py
@@ -1,6 +1,6 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
-# This is unit with PPD tests
+# This is unit with tests for LDAP access checks
import getopt
import optparse
@@ -13,12 +13,10 @@ sys.path.append("bin/python")
import samba.getopt as options
-# Some error messages that are being tested
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM
from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
-# For running the test unit
from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import security
@@ -72,6 +70,7 @@ class AclTests(unittest.TestCase):
self.ldb_admin = ldb
self.base_dn = self.find_basedn(self.ldb_admin)
self.domain_sid = self.find_domain_sid(self.ldb_admin)
+ self.user_pass = "samba123@"
print "baseDN: %s" % self.base_dn
self.SAMBA = False; self.WIN = False
res = self.ldb_admin.search(base="",expression="", scope=SCOPE_BASE,
@@ -80,54 +79,6 @@ class AclTests(unittest.TestCase):
self.SAMBA = True
else:
self.WIN = True
- if self.WIN:
- # Modify acluser1 & acluser2 to be excluded from 'Doamin Admin' group
- try:
- ldif = """
-dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
-changetype: modify
-delete: member
-member: """ + self.get_user_dn("acluser1")
- self.ldb_admin.modify_ldif(ldif)
- ldif = """
-dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
-changetype: modify
-delete: member
-member: """ + self.get_user_dn("acluser2")
- self.ldb_admin.modify_ldif(ldif)
- except LdbError, (num, _):
- self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) # LDAP_ENTRY_ALREADY_EXISTS
-
- def tearDown(self):
- # Add
- self.delete_force(self.ldb_admin, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_add_ou1," + self.base_dn)
- # Modify
- self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
- self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
- # Search
- self.delete_force(self.ldb_admin, "CN=test_search_user1,OU=test_search_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_search_ou1," + self.base_dn)
- # Delete
- self.delete_force(self.ldb_admin, self.get_user_dn("test_delete_user1"))
- # Rename OU3
- self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_rename_ou3,OU=test_rename_ou2," + self.base_dn)
- # Rename OU2
- self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou2," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_rename_ou2," + self.base_dn)
- # Rename OU1
- self.delete_force(self.ldb_admin, "CN=test_rename_user1,OU=test_rename_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user2,OU=test_rename_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "CN=test_rename_user5,OU=test_rename_ou1," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=test_rename_ou1," + self.base_dn)
def get_user_dn(self, name):
return "CN=%s,CN=Users,%s" % (name, self.base_dn)
@@ -188,7 +139,7 @@ member: """ + member_dn
"dn" : user_dn,
"sAMAccountName" : user_dn.split(",")[0][3:],
"objectClass" : "user",
- "userPassword" : "samba123@",
+ "userPassword" : self.user_pass,
"url" : "www.bbc.co.uk",
}
if desc:
@@ -241,10 +192,10 @@ userAccountControl: %s""" % userAccountControl
mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
self.ldb_admin.modify_ldif(mod)
- def get_ldb_connection(self, target_username, target_password):
+ def get_ldb_connection(self, target_username):
username_save = creds.get_username(); password_save = creds.get_password()
creds.set_username(target_username)
- creds.set_password(target_password)
+ creds.set_password(self.user_pass)
ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
creds.set_username(username_save); creds.set_password(password_save)
return ldb_target
@@ -269,61 +220,80 @@ userAccountControl: %s""" % userAccountControl
"""
desc = self.read_desc(object_dn)
return desc.as_sddl(self.domain_sid)
+
+ # Test if we have any additional groups for users than default ones
+ def assert_user_no_group_member(self, username):
+ res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
+ % self.get_user_dn(username) )
+ try:
+ self.assertEqual( res[0]["memberOf"][0], "" )
+ except KeyError:
+ pass
+ else:
+ self.fail()
- # Testing section
+ def create_enable_user(self, username):
+ self.create_user(self.ldb_admin, self.get_user_dn(username))
+ self.enable_account(self.get_user_dn(username))
- def test_add_domainadmin_notowner(self):
- """ 1 Testing OU with the rights of Doman Admin not creator of the OU """
- # Creating simple user
+#tests on ldap add operations
+class AclAddTests(AclTests):
+ def setUp(self):
+ AclTests.setUp(self)
+ # Domain admin that will be creator of OU parent-child structure
+ self.usr_admin_owner = "acl_add_user1"
+ # Second domain admin that will not be creator of OU parent-child structure
+ self.usr_admin_not_owner = "acl_add_user2"
+ # Regular user
+ self.regular_user = "acl_add_user3"
if self.SAMBA:
- # Create domain admin that will be creator of OU parent-child structure
- self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
- self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
- self.enable_account(self.get_user_dn("acluser1"))
- # Create second domain admin that will not be creator of OU parent-child structure
- self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
- self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
- self.enable_account(self.get_user_dn("acluser2"))
- # Test if we have any additional groups for users than default ones
+ self.create_enable_user(self.usr_admin_owner)
+ self.create_enable_user(self.usr_admin_not_owner)
+ self.create_enable_user(self.regular_user)
+
if self.WIN:
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % self.get_user_dn("acluser1") )
- try:
- self.assertEqual( res[0]["memberOf"][0], "" )
- except KeyError:
- pass
- else:
- self.fail()
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % self.get_user_dn("acluser2") )
- try:
- self.assertEqual( res[0]["memberOf"][0], "" )
- except KeyError:
- pass
- else:
- self.fail()
- # Modify acluser1 & acluser2 to be 'Doamin Admin' group member
+ self.assert_user_no_group_member(self.usr_admin_owner)
+ self.assert_user_no_group_member(self.usr_admin_not_owner)
+ self.assert_user_no_group_member(self.regular_user)
+
+ # add admins to the Domain Admins group
self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
- self.get_user_dn("acluser1"))
+ self.get_user_dn(self.usr_admin_owner))
self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
- self.get_user_dn("acluser2"))
- # Create LDAP connection with OUs crator domain admin credentials
- ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
- # Create LDAP connection with second domain admin credentials that is not creator of the OUs
- ldb_notowner = self.get_ldb_connection("acluser2", "samba123@")
- # Make sure top OU is deleted (and so everything under it)
+ self.get_user_dn(self.usr_admin_not_owner))
+
+ self.ldb_owner = self.get_ldb_connection(self.usr_admin_owner)
+ self.ldb_notowner = self.get_ldb_connection(self.usr_admin_not_owner)
+ self.ldb_user = self.get_ldb_connection(self.regular_user)
+
+ def tearDown(self):
+ self.delete_force(self.ldb_admin, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.delete_force(self.ldb_admin, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.delete_force(self.ldb_admin, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.delete_force(self.ldb_admin, "OU=test_add_ou1," + self.base_dn)
+ if self.SAMBA:
+ self.delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_owner))
+ self.delete_force(self.ldb_admin, self.get_user_dn(self.usr_admin_not_owner))
+ self.delete_force(self.ldb_admin, self.get_user_dn(self.regular_user))
+
+ # Make sure top OU is deleted (and so everything under it)
+ def assert_top_ou_deleted(self):
res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
% ("OU=test_add_ou1", self.base_dn) )
self.assertEqual( res, [] )
+
+ def test_add_u1(self):
+ """Testing OU with the rights of Doman Admin not creator of the OU """
+ self.assert_top_ou_deleted()
# Change descriptor for top level OU
- self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
- self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- user_sid = self.get_object_sid(self.get_user_dn("acluser2"))
+ self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn)
+ self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ user_sid = self.get_object_sid(self.get_user_dn(self.usr_admin_not_owner))
mod = "(D;CI;WPCC;;;%s)" % str(user_sid)
self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
# Test user and group creation with another domain admin's credentials
- self.create_user(ldb_notowner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.create_group(ldb_notowner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.create_user(self.ldb_notowner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.create_group(self.ldb_notowner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
# Make sure we HAVE created the two objects -- user and group
# !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE
# !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere
@@ -334,54 +304,16 @@ userAccountControl: %s""" % userAccountControl
% ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
self.assertTrue( len(res) > 0 )
- def test_add_regular_user(self):
- """ 2 Testing OU with the regular user that has no rights granted over the OU """
- # Creating simple user
- if self.SAMBA:
- # Create domain admin that will be creator of OU parent-child structure
- self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
- self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
- self.enable_account(self.get_user_dn("acluser1"))
- # Create regular user that will not be creator of OU parent-child structure
- self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
- self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
- self.enable_account(self.get_user_dn("acluser2"))
- # Test if we have any additional groups for users than default ones
- if self.WIN:
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % self.get_user_dn("acluser1") )
- try:
- self.assertEqual( res[0]["memberOf"][0], "" )
- except KeyError:
- pass
- else:
- self.fail()
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % self.get_user_dn("acluser2") )
- try:
- self.assertEqual( res[0]["memberOf"][0], "" )
- except KeyError:
- pass
- else:
- self.fail()
- # Modify acluser1 to be 'Doamin Admin' group member
- self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
- self.get_user_dn("acluser1"))
- # Create LDAP connection with OUs crator domain admin credentials
- ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
- # Create LDAP connection with a regular user that has the right 'Crate child User objects'
- ldb_user = self.get_ldb_connection("acluser2", "samba123@")
- # Make sure top OU is deleted (and so everything under it)
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
- % ("OU=test_add_ou1", self.base_dn) )
- self.assertEqual( res, [] )
+ def test_add_u2(self):
+ """Testing OU with the regular user that has no rights granted over the OU """
+ self.assert_top_ou_deleted()
# Create a parent-child OU structure with domain admin credentials
- self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
- self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn)
+ self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
# Test user and group creation with regular user credentials
try:
- self.create_user(ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.create_group(ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.create_user(self.ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.create_group(self.ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
except LdbError, (num, _):
self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
else:
@@ -394,57 +326,19 @@ userAccountControl: %s""" % userAccountControl
% ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
self.assertEqual( res, [])
- def test_add_granted_user(self):
- """ 3 Testing OU with the rights of regular user granted the right 'Create User child objects' """
- # Creating simple user
- if self.SAMBA:
- # Create domain admin that will be creator of OU parent-child structure
- self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
- self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
- self.enable_account(self.get_user_dn("acluser1"))
- # Create second domain admin that will not be creator of OU parent-child structure
- self.delete_force(self.ldb_admin, self.get_user_dn("acluser2"))
- self.create_user(self.ldb_admin, self.get_user_dn("acluser2"))
- self.enable_account(self.get_user_dn("acluser2"))
- # Test if we have any additional groups for users than default ones
- if self.WIN:
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % self.get_user_dn("acluser1") )
- try:
- self.assertEqual( res[0]["memberOf"][0], "" )
- except KeyError:
- pass
- else:
- self.fail()
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % self.get_user_dn("acluser2") )
- try:
- self.assertEqual( res[0]["memberOf"][0], "" )
- except KeyError:
- pass
- else:
- self.fail()
- # Modify acluser1 to be 'Doamin Admin' group member
- self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
- self.get_user_dn("acluser1"))
- # Create LDAP connection with OUs crator domain admin credentials
- ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
- # Create LDAP connection with a regular user that has the right 'Crate child User objects'
- ldb_guser = self.get_ldb_connection("acluser2", "samba123@")
- # Make sure top OU is deleted (and so everything under it)
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
- % ("OU=test_add_ou1", self.base_dn) )
- self.assertEqual( res, [] )
+ def test_add_u3(self):
+ """Testing OU with the rights of regular user granted the right 'Create User child objects' """
+ self.assert_top_ou_deleted()
# Change descriptor for top level OU
- self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
- user_sid = self.get_object_sid(self.get_user_dn("acluser2"))
+ self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn)
+ user_sid = self.get_object_sid(self.get_user_dn(self.regular_user))
mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
- self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
# Test user and group creation with granted user only to one of the objects
- self.create_user(ldb_guser, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.create_user(self.ldb_user, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
try:
- self.create_group(ldb_guser, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.create_group(self.ldb_user, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
except LdbError, (num, _):
self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
else:
@@ -457,36 +351,13 @@ userAccountControl: %s""" % userAccountControl
% ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
self.assertEqual( res, [])
- def test_add_domainadmin_owner(self):
+ def test_add_u4(self):
""" 4 Testing OU with the rights of Doman Admin creator of the OU"""
- # Creating acluser1
- if self.SAMBA:
- self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
- self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
- self.enable_account(self.get_user_dn("acluser1"))
- # Test if we have any additional groups for user than default
- if self.WIN:
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % self.get_user_dn("acluser1") )
- try:
- self.assertEqual( res[0]["memberOf"][0], "" )
- except KeyError:
- pass
- else:
- self.fail()
- # Modify acluser1 to be 'Doamin Admin' group member
- self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, \
- self.get_user_dn("acluser1"))
- # Create LDAP connection with OUs crator domain admin credentials
- ldb_owner = self.get_ldb_connection("acluser1", "samba123@")
- # Make sure top OU is deleted (and so everything under it)
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
- % ("OU=test_add_ou1", self.base_dn) )
- self.assertEqual( res, [] )
- self.create_ou(ldb_owner, "OU=test_add_ou1," + self.base_dn)
- self.create_ou(ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.create_user(ldb_owner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
- self.create_group(ldb_owner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.assert_top_ou_deleted()
+ self.create_ou(self.ldb_owner, "OU=test_add_ou1," + self.base_dn)
+ self.create_ou(self.ldb_owner, "OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.create_user(self.ldb_owner, "CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
+ self.create_group(self.ldb_owner, "CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
# Make sure we have successfully created the two objects -- user and group
res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
% ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
@@ -495,100 +366,82 @@ userAccountControl: %s""" % userAccountControl
% ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
self.assertTrue( len(res) > 0 )
- def test_modify_u1(self):
- """5 Modify one attribute if you have DS_WRITE_PROPERTY for it"""
- # Creating acluser1
- if self.SAMBA:
- self.delete_force(self.ldb_admin, self.get_user_dn("acluser1"))
- self.create_user(self.ldb_admin, self.get_user_dn("acluser1"))
- self.enable_account(self.get_user_dn("acluser1"))
+#tests on ldap modify operations
+class AclModifyTests(AclTests):
+
+ def setUp(self):
+ AclTests.setUp(self)
+ self.user_with_wp = "acl_mod_user1"
- # Test if we have any additional groups for user than default
+ if self.SAMBA:
+ # Create regular user
+ self.create_enable_user(self.user_with_wp)
if self.WIN:
- res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
- % self.get_user_dn("acluser1") )
- try:
- self.assertEqual( res[0]["memberOf"][0], "" )
- except KeyError:
- pass
- else:
- self.fail()
- # Create user connectiona that we will test with
- ldb_user = self.get_ldb_connection("acluser1", "samba123@")
+ self.assert_user_no_group_member(self.user_with_wp)
+
+ self.ldb_user = self.get_ldb_connection(self.user_with_wp)
+ self.user_sid = self.get_object_sid( self.get_user_dn(self.user_with_wp))
+
+ def tearDown(self):
+ self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
+ self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
+ self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
+ if self.SAMBA:
+ self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp))
+
+ def test_modify_u1(self):
+ """5 Modify one attribute if you have DS_WRITE_PROPERTY for it"""
+ mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.user_sid)
# First test object -- User
print "Testing modify on User object"
- self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
+ #self.delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1"))
self.create_user(self.ldb_admin, self.get_user_dn("test_modify_user1"))
- user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
- mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod)
ldif = """
dn: """ + self.get_user_dn("test_modify_user1") + """
changetype: modify
replace: displayName
displayName: test_changed"""
- ldb_user.modify_ldif(ldif)
+ self.ldb_user.modify_ldif(ldif)
res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
% self.get_user_dn("test_modify_user1") )
self.assertEqual(res[0]["displayName"][0], "test_changed")
# Second test object -- Group
print "Testing modify on Group object"
- self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
+ #self.delete_force(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
self.create_group(self.ldb_admin, "CN=test_modify_group1,CN=Users," + self.base_dn)
- user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
- mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod)
ldif = """
dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
changetype: modify
replace: displayName
displayName: test_changed"""
- ldb_user.modify_ldif(ldif)
+ self.ldb_user.modify_ldif(ldif)
res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
% str("CN=test_modify_group1,CN=Users," + self.base_dn) )
self.assertEqual(res[0]["displayName"][0], "test_changed")
- # Second test object -- Organizational Unit
+ # Third test object -- Organizational Unit
print "Testing modify on OU object"
- self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
+ #self.delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
self.create_ou(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn)
- user_sid = self.get_object_sid( self.get_user_dn("acluser1") )
- mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod)
ldif = """
dn: OU=test_modify_ou1,""" + self.base_dn + """
changetype: modify
--
Samba Shared Repository
More information about the samba-cvs
mailing list