author | Stefan Metzmacher <metze@samba.org> | 2022-03-04 21:53:06 +0100 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-03-16 13:41:14 +0000 |
commit | d92b46a4c04f2e2b30e60069404d0f4d31c2491e (patch) | |
tree | bc070f73995b9269e4c07952225b86eb11e76e05 | |
parent | 54bb3569e5d66bc5a8d62174c811bd21221cb364 (diff) | |
download | samba-d92b46a4c04f2e2b30e60069404d0f4d31c2491e.tar.gz |
dsdb/tests: add test_login_basics_simple()
This demonstrates that 'old password allowed period' also
applies to LDAP simple binds and not only to GSS-SPNEGO/NTLMSSP binds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3625d1381592f7af8ec14715c6c2dfa4d9f02676)
-rw-r--r-- | selftest/knownfail.d/samba4.ldap.login_basics | 1 | ||||
-rwxr-xr-x | source4/dsdb/tests/python/login_basics.py | 26 |
2 files changed, 20 insertions, 7 deletions
diff --git a/selftest/knownfail.d/samba4.ldap.login_basics b/selftest/knownfail.d/samba4.ldap.login_basics
new file mode 100644
index 00000000000..9854b5ce76f
--- /dev/null
+++ b/selftest/knownfail.d/samba4.ldap.login_basics
@@ -0,0 +1 @@
+^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_simple
diff --git a/source4/dsdb/tests/python/login_basics.py b/source4/dsdb/tests/python/login_basics.py
index bf2e484dd9a..b186e723f39 100755
--- a/source4/dsdb/tests/python/login_basics.py
+++ b/source4/dsdb/tests/python/login_basics.py
@@ -55,17 +55,24 @@ class BasicUserAuthTests(BasePasswordTestCase):
 session_info=system_session(self.lp), lp=self.lp)
 super(BasicUserAuthTests, self).setUp()
- def _test_login_basics(self, creds):
+ def _test_login_basics(self, creds, simple=False):
 username = creds.get_username()
 userpass = creds.get_password()
 userdn = "cn=%s,cn=users,%s" % (username, self.base_dn)
 if creds.get_kerberos_state() == MUST_USE_KERBEROS:
 logoncount_relation = 'greater'
 lastlogon_relation = 'greater'
+ ldap_url = self.host_url
 print("Performs a lockout attempt against LDAP using Kerberos")
+ elif simple:
+ logoncount_relation = 'equal'
+ lastlogon_relation = 'equal'
+ ldap_url = self.host_url_ldaps
+ print("Performs a lockout attempt against LDAP using Simple")
 else:
 logoncount_relation = 'equal'
 lastlogon_relation = 'equal'
+ ldap_url = self.host_url
 print("Performs a lockout attempt against LDAP using NTLM")
 # get the intial logon values for this user
@@ -87,7 +94,7 @@ class BasicUserAuthTests(BasePasswordTestCase):
 # check logging in with the wrong password fails
 test_creds.set_password("thatsAcomplPASS1xBAD")
- self.assertLoginFailure(self.host_url, test_creds, self.lp)
+ self.assertLoginFailure(ldap_url, test_creds, self.lp)
 res = self._check_account(userdn,
 badPwdCount=1,
 badPasswordTime=("greater", badPasswordTime),
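Review bot: The knownfail pattern has no terminator after `test_login_basics_simple`, so it also matches any later test whose name only starts with that string, and a genuine failure in such a test would be accepted silently. Since this entry masks an authentication test, the match should end at the test name, for example with a trailing `\(` if test names in this tree are followed by the environment in parentheses (not visible on this page). The entry also needs to be removed by whichever commit makes the test pass.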
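Review bot: In the `@@ -55,17 +55,24 @@` hunk the `elif simple:` branch is reached only after the Kerberos check, so a caller passing `simple=True` with credentials whose state is `MUST_USE_KERBEROS` silently runs the Kerberos path against `self.host_url` instead of `self.host_url_ldaps`. A guard at the top of the function, such as `self.assertFalse(simple and creds.get_kerberos_state() == MUST_USE_KERBEROS)`, would make that misuse fail loudly. The new parameter is undocumented and nothing says why only the simple branch uses the LDAPS URL; presumably this is because a simple bind carries the password itself, so a comment like `# simple binds send the password itself, so they must go over LDAPS` would record the reason. The body of `_test_login_basics` continues beyond this hunk.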
@@ -101,7 +108,7 @@ class BasicUserAuthTests(BasePasswordTestCase):
 # check logging in with the correct password succeeds
 test_creds.set_password(userpass)
- user_ldb = self.assertLoginSuccess(self.host_url, test_creds, self.lp)
+ user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp)
 res = self._check_account(userdn,
 badPwdCount=0,
 badPasswordTime=badPasswordTime,
@@ -132,7 +139,7 @@ userPassword: %s
 # for Kerberos, logging in with the old password fails
 if creds.get_kerberos_state() == MUST_USE_KERBEROS:
- self.assertLoginFailure(self.host_url, test_creds, self.lp)
+ self.assertLoginFailure(ldap_url, test_creds, self.lp)
 info_msg = 'Test Kerberos login with old password fails'
 expectBadPwdTime = ("greater", badPasswordTime)
 res = self._check_account(userdn,
@@ -147,8 +154,11 @@ userPassword: %s
 badPasswordTime = int(res[0]["badPasswordTime"][0])
 else:
 # for NTLM, logging in with the old password succeeds
- user_ldb = self.assertLoginSuccess(self.host_url, test_creds, self.lp)
- info_msg = 'Test NTLM login with old password succeeds'
+ user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp)
+ if simple:
+ info_msg = 'Test simple-bind login with old password succeeds'
+ else:
+ info_msg = 'Test NTLM login with old password succeeds'
 res = self._check_account(userdn,
 badPwdCount=0,
 badPasswordTime=badPasswordTime,
@@ -161,7 +171,7 @@ userPassword: %s
 # check logging in with the new password succeeds
 test_creds.set_password(new_password)
- user_ldb = self.assertLoginSuccess(self.host_url, test_creds, self.lp)
+ user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp)
 res = self._check_account(userdn,
 badPwdCount=0,
 badPasswordTime=badPasswordTime,
@@ -178,5 +188,7 @@ userPassword: %s
 def test_login_basics_ntlm(self):
 self._test_login_basics(self.lockout1ntlm_creds)
+ def test_login_basics_simple(self):
+ self._test_login_basics(self.lockout1simple_creds, simple=True)
 TestProgram(module=__name__, opts=subunitopts) |
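Review bot: In the `@@ -147,8 +154,11 @@` hunk the context comment `# for NTLM, logging in with the old password succeeds` is now stale, because the `else:` branch also asserts that a simple bind with the previous password succeeds; it should read `# for NTLM and simple binds, logging in with the old password succeeds`. This branch pins security-relevant behaviour, since a replaced password still authenticates, and the visible hunks only test the acceptance side. If nothing elsewhere in the suite checks that the old password is rejected once the 'old password allowed period' has elapsed, that negative case is worth adding for the simple-bind path too. The enclosing function starts and ends outside this hunk.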