author | Garming Sam <garming@catalyst.net.nz> | 2019-04-01 15:46:48 +1300 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-03-16 14:27:11 +0000 |
commit | c331fc104e75d303e42ef88097bf88851941f4d2 (patch) | |
tree | 4e6f9aa4743236282cbca965a82808f9b96ac205 | |
parent | 1a0d92a9bef54a725266caec944f7882101a5a89 (diff) | |
download | samba-c331fc104e75d303e42ef88097bf88851941f4d2.tar.gz |
rodc: Add tests for simple BIND alongside NTLMSSP binds
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 62fb6c1dc8527db6cf0f08d4d06e8813707f767a)
-rw-r--r-- | selftest/knownfail.d/rodc_rwdc | 1 | ||||
-rw-r--r-- | source4/dsdb/tests/python/rodc_rwdc.py | 59 |
2 files changed, 38 insertions, 22 deletions
diff --git a/selftest/knownfail.d/rodc_rwdc b/selftest/knownfail.d/rodc_rwdc
new file mode 100644
index 00000000000..c148d035f5e
--- /dev/null
+++ b/selftest/knownfail.d/rodc_rwdc
@@ -0,0 +1 @@
+^samba4.ldap.rodc_rwdc.*test_ldap_change_password_simple_bind
diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py
index 1495a3d7f2a..21b7c05fcbe 100644
--- a/source4/dsdb/tests/python/rodc_rwdc.py
+++ b/source4/dsdb/tests/python/rodc_rwdc.py
@@ -44,7 +44,7 @@ class RodcRwdcTestException(Exception):
     pass
 
 
-def make_creds(username, password, kerberos_state=None):
+def make_creds(username, password, kerberos_state=None, simple_dn=None):
     # use the global CREDS as a template
     c = Credentials()
     c.set_username(username)
@@ -53,6 +53,9 @@ def make_creds(username, password, kerberos_state=None):
     c.set_realm(CREDS.get_realm())
     c.set_workstation(CREDS.get_workstation())
 
+    if simple_dn is not None:
+        c.set_bind_dn(simple_dn)
+
     if kerberos_state is None:
         kerberos_state = CREDS.get_kerberos_state()
     c.set_kerberos_state(kerberos_state)
@@ -1024,10 +1027,14 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
                                  "add: userPassword\n"
                                  "userPassword: %s\n" % (user_dn, old_password, new_password))
 
-    def try_ldap_logon(self, server, creds, errno=None):
+    def try_ldap_logon(self, server, creds, errno=None, simple=False):
         try:
-            tmpdb = SamDB('ldap://%s' % server, credentials=creds,
-                          session_info=system_session(LP), lp=LP)
+            if simple:
+                tmpdb = SamDB('ldaps://%s' % server, credentials=creds,
+                              session_info=system_session(LP), lp=LP)
+            else:
+                tmpdb = SamDB('ldap://%s' % server, credentials=creds,
+                              session_info=system_session(LP), lp=LP)
             if errno is not None:
                 self.fail("logon failed to fail with ldb error %s" % errno)
         except ldb.LdbError as e10:
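Review bot: The new `simple_dn` parameter of make_creds is undocumented: neither the signature hunk nor the `set_bind_dn` hunk says what giving the credentials a bind DN changes about how they are used, and a caller has to know that a bind DN is what selects the simple-bind path. A comment above the new check would carry that, e.g. `# a bind DN makes the LDAP connection use a simple bind as this DN (presumably instead of the default SASL bind — confirm against Credentials.set_bind_dn)`. The body of make_creds continues past the end of the hunk.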
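Review bot: The two branches added to try_ldap_logon differ only in the URL scheme, so the whole SamDB call with its keyword arguments is duplicated; deriving the scheme first keeps a single call site: `scheme = 'ldaps' if simple else 'ldap'` / `tmpdb = SamDB('%s://%s' % (scheme, server), credentials=creds,` / `              session_info=system_session(LP), lp=LP)`. The reason the simple path is pinned to ldaps is also worth stating next to it, e.g. `# a simple bind sends the password itself, so only do it over TLS`, since a later edit that "harmonises" both branches to ldap:// would silently put the test password on the wire in clear. The `except ldb.LdbError` clause continues past the end of the hunk.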
@@ -1046,19 +1053,23 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
         if min_pwd_age != 0:
             self.rwdc_db.set_minPwdAge('0')
 
-    def _test_ldap_change_password(self, errno=None):
+    def _test_ldap_change_password(self, errno=None, simple=False):
         self.zero_min_password_age()
 
         dn, username, password = self._new_user()
-        creds1 = make_creds(username, password)
+
+        simple_dn = dn if simple else None
+
+        creds1 = make_creds(username, password, simple_dn=simple_dn)
 
         # With NTLM, this should fail on RODC before replication,
         # because the user isn't known.
-        self.try_ldap_logon(RODC, creds1, ldb.ERR_INVALID_CREDENTIALS)
+        self.try_ldap_logon(RODC, creds1, ldb.ERR_INVALID_CREDENTIALS,
+                            simple=simple)
 
         self.force_replication()
 
         # Now the user is replicated to RODC, so logon should work
-        self.try_ldap_logon(RODC, creds1, simple=simple)
+        self.try_ldap_logon(RODC, creds1, simple=simple)
 
         passwords = ['password#%s' % i for i in range(1, 6)]
         for prev, password in zip(passwords[:-1], passwords[1:]):
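Review bot: The comment `# With NTLM, this should fail on RODC before replication,` now sits above a call that, with `simple=simple`, also exercises the simple-bind path, but it still describes only NTLM, so the expectation for a simple bind against an un-replicated RODC is left implicit. Since this commit also adds a knownfail entry for the simple-bind test, presumably the simple-bind case does not yet behave this way and is what the linked bug tracks; saying so here keeps the two in step, e.g. `# With NTLM (and a simple bind, once BUG 13879 is fixed) this should fail on RODC before replication,`. The `simple` parameter itself would also benefit from a one-line mention in a docstring for _test_ldap_change_password, whose body continues past the end of the hunk.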
@@ -1067,40 +1078,40 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
         # The password has changed enough times to make the old
         # password invalid (though with kerberos that doesn't matter).
         # For NTLM, the old creds should always fail
-        self.try_ldap_logon(RODC, creds1, errno)
-        self.try_ldap_logon(RWDC, creds1, errno)
+        self.try_ldap_logon(RODC, creds1, errno, simple=simple)
+        self.try_ldap_logon(RWDC, creds1, errno, simple=simple)
 
-        creds2 = make_creds(username, password)
+        creds2 = make_creds(username, password, simple_dn=simple_dn)
 
         # new creds work straight away with NTLM, because although it
         # doesn't have the password, it knows the user and forwards
         # the query.
-        self.try_ldap_logon(RODC, creds2)
-        self.try_ldap_logon(RWDC, creds2)
+        self.try_ldap_logon(RODC, creds2, simple=simple)
+        self.try_ldap_logon(RWDC, creds2, simple=simple)
 
         self.force_replication()
 
         # After another replication check RODC still works and fails,
         # as appropriate to various creds
-        self.try_ldap_logon(RODC, creds2)
-        self.try_ldap_logon(RODC, creds1, errno)
+        self.try_ldap_logon(RODC, creds2, simple=simple)
+        self.try_ldap_logon(RODC, creds1, errno, simple=simple)
 
         prev = password
         password = 'password#6'
         self._change_password(dn, prev, password)
-        creds3 = make_creds(username, password)
+        creds3 = make_creds(username, password, simple_dn=simple_dn)
 
         # previous password should still work.
-        self.try_ldap_logon(RWDC, creds2)
-        self.try_ldap_logon(RODC, creds2)
+        self.try_ldap_logon(RWDC, creds2, simple=simple)
+        self.try_ldap_logon(RODC, creds2, simple=simple)
 
         # new password should still work.
-        self.try_ldap_logon(RWDC, creds3)
-        self.try_ldap_logon(RODC, creds3)
+        self.try_ldap_logon(RWDC, creds3, simple=simple)
+        self.try_ldap_logon(RODC, creds3, simple=simple)
 
         # old password should still fail (but not on kerberos).
-        self.try_ldap_logon(RWDC, creds1, errno)
-        self.try_ldap_logon(RODC, creds1, errno)
+        self.try_ldap_logon(RWDC, creds1, errno, simple=simple)
+        self.try_ldap_logon(RODC, creds1, errno, simple=simple)
 
     def test_ldap_change_password_kerberos(self):
         CREDS.set_kerberos_state(MUST_USE_KERBEROS)
@@ -1110,6 +1121,10 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
         CREDS.set_kerberos_state(DONT_USE_KERBEROS)
         self._test_ldap_change_password(ldb.ERR_INVALID_CREDENTIALS)
 
+    def test_ldap_change_password_simple_bind(self):
+        CREDS.set_kerberos_state(DONT_USE_KERBEROS)
+        self._test_ldap_change_password(ldb.ERR_INVALID_CREDENTIALS, simple=True)
+
     def _test_ldap_change_password_reveal_on_demand(self, errno=None):
         self.zero_min_password_age()
 
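Review bot: Every try_ldap_logon call in this hunk (and the two in the preceding hunk) now repeats `simple=simple`, and because the parameter defaults to False, one call that forgets it quietly falls back to an ldap:// NTLM logon while the test still reports the simple-bind case as covered. A small closure at the top of _test_ldap_change_password, which starts in the earlier hunk, removes the repetition and the risk: `def logon(server, creds, errno=None):` / `    self.try_ldap_logon(server, creds, errno, simple=simple)`, after which the calls become `logon(RODC, creds1, errno)` and so on. The comments in the hunk (`# For NTLM, the old creds should always fail`, `# new creds work straight away with NTLM, ...`) describe NTLM forwarding only; if the simple-bind behaviour is expected to match, saying so once in the function docstring is enough.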
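Review bot: test_ldap_change_password_simple_bind has no docstring, and nothing at the definition records that the commit also lists it in selftest/knownfail.d/rodc_rwdc, so a reader of the test file alone sees a passing-looking test that is in fact expected to fail. A one-line docstring keeps that visible: `"""Password change and logon via LDAP simple bind (ldaps); currently in knownfail.d/rodc_rwdc, see BUG 13879."""`. Like its NTLM and Kerberos siblings it sets the global CREDS kerberos state without restoring it afterwards, which presumably makes these tests order-dependent; that is pre-existing, but the new test inherits it and a setUp/tearDown reset would be the place to fix it for all three.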