ldap tests: test scheme for referrals

Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6ccf74cf878c295903673e3a1d1ed924a5e87547)

3 files changed, 101 insertions, 0 deletions

diff --git a/python/samba/tests/ldap_referrals.py b/python/samba/tests/ldap_referrals.py
new file mode 100644
index 00000000000..86a39d4e602
--- /dev/null
+++ b/python/samba/tests/ldap_referrals.py
@@ -0,0 +1,91 @@
+# Test that ldap referral entiries are created and formatted correctly
+#
+# Copyright (C) Andrew Bartlett 2019
+#
+# Based on Unit tests for the notification control
+# Copyright (C) Stefan Metzmacher 2016
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import print_function
+import optparse
+import os
+import sys
+
+import samba
+from samba.auth import system_session
+import samba.getopt as options
+from samba import ldb
+from samba.samdb import SamDB
+import samba.tests
+from samba.tests.subunitrun import SubunitOptions
+
+sys.path.insert(0, "bin/python")
+parser = optparse.OptionParser("ldap_referrals.py [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+opts, args = parser.parse_args()
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+
+class LdapReferralTest(samba.tests.TestCase):
+
+    def setUp(self):
+        super(LdapReferralTest, self).setUp()
+
+    # The referral entries for an ldap request should have the ldap scheme
+    # i.e. then should all start with "ldap://"
+    def test_ldap_search(self):
+        server = os.environ["SERVER"]
+        url = "ldap://{0}".format(server)
+        db = SamDB(
+            url, credentials=creds, session_info=system_session(lp), lp=lp)
+        res = db.search(
+            base=db.domain_dn(),
+            expression="(objectClass=nonexistent)",
+            scope=ldb.SCOPE_SUBTREE,
+            attrs=["objectGUID", "samAccountName"])
+
+        referals = res.referals
+        for referal in referals:
+            self.assertTrue(
+                referal.startswith("ldap://"),
+                "{0} does not start with ldap://".format(referal))
+
+    # The referral entries for an ldaps request should have the ldaps scheme
+    # i.e. then should all start with "ldaps://"
+    def test_ldaps_search(self):
+        server = os.environ["SERVER"]
+        url = "ldaps://{0}".format(server)
+        db = SamDB(
+            url, credentials=creds, session_info=system_session(lp), lp=lp)
+        res = db.search(
+            base=db.domain_dn(),
+            expression="(objectClass=nonexistent)",
+            scope=ldb.SCOPE_SUBTREE,
+            attrs=["objectGUID", "samAccountName"])
+
+        referals = res.referals
+        for referal in referals:
+            self.assertTrue(
+                referal.startswith("ldaps://"),
+                "{0} does not start with ldaps://".format(referal))
diff --git a/selftest/knownfail.d/ldap_referrals b/selftest/knownfail.d/ldap_referrals
new file mode 100644
index 00000000000..403f0d3bd6d
--- /dev/null
+++ b/selftest/knownfail.d/ldap_referrals
@@ -0,0 +1 @@
+^samba.ldap.referrals.samba.tests.ldap_referrals.LdapReferralTest.test_ldaps_search
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index d6fb388dc33..2797babf0fd 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -829,6 +829,15 @@ plantestsuite_loadlist("samba4.ldap.sort.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [p
 plantestsuite_loadlist("samba4.ldap.vlv.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/vlv.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
 plantestsuite_loadlist("samba4.ldap.linked_attributes.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/linked_attributes.py"), '$PREFIX_ABS/ad_dc_ntvfs/private/sam.ldb', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
 
+planoldpythontestsuite(
+    "ad_dc_ntvfs",
+    "samba.tests.ldap_referrals",
+    environ={
+        'SERVER': '$SERVER',
+    },
+    name="samba.ldap.referrals",
+    extra_args=['-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
+
 # These should be the first tests run against testenvs created by backup/restore
 for env in ['restoredc', 'renamedc', 'labdc']:
     # check that a restored DC matches the original DC (backupfromdc)