From b755b81d66a2b63e2e0a1fe9406d8f24b91d983e Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Tue, 7 Mar 2023 17:21:56 +0100
Subject: test: Add a test for "deny ous"

Not a comprehensive test for all possible combinations, but it shows the basic functionality, and it found a bug in the initial implementation :-)

Signed-off-by: Volker Lendecke
Reviewed-by: Ralph Boehme
---
 nsswitch/tests/test_idmap_ad.sh | 34 ++++++++++++++++++++++++++++++++++
 selftest/target/Samba3.pm | 1 +
 2 files changed, 35 insertions(+)
diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
index 9becbb63d32..7ae112ada71 100755
--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -80,6 +80,20 @@ dn: CN=Domain Admins,CN=Users,$BASE_DN
 changetype: modify
 add: gidNumber
 gidNumber: 2000002
+
+dn: ou=sub,$BASE_DN
+changetype: add
+objectClass: organizationalUnit
+
+dn: cn=forbidden,ou=sub,$BASE_DN
+changetype: add
+objectClass: user
+samaccountName: forbidden
+uidNumber: 2000003
+gidNumber: 2000001
+unixHomeDirectory: /home/forbidden
+loginShell: /bin/tcsh
+gecos: User in forbidden OU
 EOF
 
 #
@@ -143,6 +157,20 @@ test "$out" = "$DOMAIN_SID-512"
 ret=$?
 testit "Test gid lookup of Domain Admins" test $ret -eq 0 || failed=$(expr $failed + 1)
 
+#
+# Test 5: Make sure deny_ou is really denied
+# This depends on the "deny ous" setting in Samba3.pm
+#
+
+sid="$($wbinfo -n $DOMAIN/forbidden | awk '{print $1}')"
+testit "Could create forbidden" test -n "$sid" || failed=$(expr $failed + 1)
+if [ -n "$sid" ]
+then
+ uid="$($wbinfo --sid-to-uid $sid)"
+ testit "Can not resolve forbidden user" test -z "$uid" ||
+ failed=$(($failed + 1))
+fi
+
 #
 # Trusted domain test 1: Test uid of Administrator, should be 2500000
 #
@@ -209,6 +237,12 @@ dn: CN=Domain Admins,CN=Users,$BASE_DN
 changetype: modify
 delete: gidNumber
 gidNumber: 2000002
+
+dn: cn=forbidden,ou=sub,$BASE_DN
+changetype: delete
+
+dn: ou=sub,$BASE_DN
+changetype: delete
 EOF
 
 #
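Review bot: In the Test 5 hunk, "Can not resolve forbidden user" accepts empty stdout from `$wbinfo --sid-to-uid $sid` as proof of denial, so it passes just as well when the lookup fails for a reason unrelated to `deny ous`. Recording the exit status and quoting the SID would at least pin the expected failure: `uid="$($wbinfo --sid-to-uid "$sid")"; ret=$?` followed by `testit "Can not resolve forbidden user" test $ret -ne 0 -a -z "$uid" ||`. Unless the earlier uid/gid lookups in this script (outside the hunk) are meant to be the positive control, a user outside `ou=sub` that must still resolve would make the denial attributable to the filter; a comment naming that control would help either way. The label "Could create forbidden" actually asserts that the name resolves to a SID, and the hunk mixes `$(expr $failed + 1)` with `$(($failed + 1))`.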
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 15b13f2920f..b4fa99c7388 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1390,6 +1390,7 @@ sub setup_ad_member_idmap_ad
 idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
 idmap config $dcvars->{DOMAIN} : unix_primary_group = yes
 idmap config $dcvars->{DOMAIN} : unix_nss_info = yes
+ idmap config $dcvars->{DOMAIN} : deny ous = \"ou=sub,DC=samba2008r2,DC=example,DC=com\"
 idmap config $dcvars->{TRUST_DOMAIN} : backend = ad
 idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
 gensec_gssapi:requested_life_time = 5
-- 
cgit v1.2.1
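Review bot: The added `deny ous` value hard-codes `ou=sub,DC=samba2008r2,DC=example,DC=com`, while the test script creates the OU as `ou=sub,$BASE_DN` and the neighbouring lines take the domain from `$dcvars`. If the DC's base DN ever differs from this literal, the filter matches nothing and the forbidden user becomes mappable; Test 5 in nsswitch/tests/test_idmap_ad.sh would then fail with nothing pointing at this line as the cause. Deriving the DN from the DC's variables would avoid the coupling, if `$dcvars` exposes a realm or base DN (not visible in this hunk); otherwise a comment above the configuration block, such as `# "deny ous" must name the OU that nsswitch/tests/test_idmap_ad.sh creates as ou=sub,$BASE_DN`, would record the dependency. The body of setup_ad_member_idmap_ad starts and ends outside the hunk.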