From 773304ec8b52d718bd3ca9e1b2543a50d7f4843e Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Sat, 21 Apr 2012 18:16:43 +0200 Subject: s4:samldb LDB module - implement "fSMORoleOwner" attribute protection This is a very essential attribute since it references to various domain master roles (PDC emulator, schema...) depending on which entry it has been set. Incautious modifications can cause severe problems. Autobuild-User: Andrew Bartlett Autobuild-Date: Mon Apr 30 02:04:24 CEST 2012 on sn-devel-104 --- source4/dsdb/tests/python/sam.py | 77 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) (limited to 'source4/dsdb/tests/python') diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py index 7f5b74dd18..8417b26cb7 100755 --- a/source4/dsdb/tests/python/sam.py +++ b/source4/dsdb/tests/python/sam.py @@ -2607,6 +2607,83 @@ class SamTests(samba.tests.TestCase): delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + def test_fSMORoleOwner_attribute(self): + """Test fSMORoleOwner attribute""" + print "Test fSMORoleOwner attribute""" + + ds_service_name = self.ldb.get_dsServiceName() + + # The "fSMORoleOwner" attribute can only be set to "nTDSDSA" entries, + # invalid DNs return ERR_UNWILLING_TO_PERFORM + + try: + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "fSMORoleOwner": self.base_dn}) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + try: + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "fSMORoleOwner": [] }) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) + + # We are able to set it to a valid "nTDSDSA" entry if the server is + # capable of handling the role + + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group", + "fSMORoleOwner": ds_service_name }) + + delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + self.ldb.add({ + "dn": "cn=ldaptestgroup,cn=users," + self.base_dn, + "objectclass": "group" }) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m.add(MessageElement(self.base_dn, FLAG_MOD_REPLACE, "fSMORoleOwner")) + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m.add(MessageElement([], FLAG_MOD_REPLACE, "fSMORoleOwner")) + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_UNWILLING_TO_PERFORM) + + # We are able to set it to a valid "nTDSDSA" entry if the server is + # capable of handling the role + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m.add(MessageElement(ds_service_name, FLAG_MOD_REPLACE, "fSMORoleOwner")) + ldb.modify(m) + + # A clean-out works on plain entries, not master (schema, PDC...) DNs + + m = Message() + m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + m.add(MessageElement([], FLAG_MOD_DELETE, "fSMORoleOwner")) + ldb.modify(m) + + delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn) + + if not "://" in host: if os.path.isfile(host): host = "tdb://%s" % host -- cgit