From f0aa84921e1cc93b068e10d52e9f7b3a0541395b Mon Sep 17 00:00:00 2001
From: Garming Sam
Date: Mon, 1 Apr 2019 15:46:48 +1300
Subject: [PATCH] rodc: Add tests for simple BIND alongside NTLMSSP binds

Signed-off-by: Garming Sam
---
 source4/dsdb/tests/python/rodc_rwdc.py | 59 ++++++++++++++++----------
 1 file changed, 37 insertions(+), 22 deletions(-)

diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py
index c2c41634b8c..debc73d09fb 100644
--- a/source4/dsdb/tests/python/rodc_rwdc.py
+++ b/source4/dsdb/tests/python/rodc_rwdc.py
@@ -44,7 +44,7 @@ class RodcRwdcTestException(Exception):
     pass
 
 
-def make_creds(username, password, kerberos_state=None):
+def make_creds(username, password, kerberos_state=None, simple_dn=None):
     # use the global CREDS as a template
     c = Credentials()
     c.set_username(username)
@@ -53,6 +53,9 @@ def make_creds(username, password, kerberos_state=None):
     c.set_realm(CREDS.get_realm())
     c.set_workstation(CREDS.get_workstation())
 
+    if simple_dn is not None:
+        c.set_bind_dn(simple_dn)
+
     if kerberos_state is None:
         kerberos_state = CREDS.get_kerberos_state()
     c.set_kerberos_state(kerberos_state)
@@ -1016,10 +1019,14 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
             "add: userPassword\n"
             "userPassword: %s\n" % (user_dn, old_password, new_password))
 
-    def try_ldap_logon(self, server, creds, errno=None):
+    def try_ldap_logon(self, server, creds, errno=None, simple=False):
         try:
-            tmpdb = SamDB('ldap://%s' % server, credentials=creds,
-                          session_info=system_session(LP), lp=LP)
+            if simple:
+                tmpdb = SamDB('ldaps://%s' % server, credentials=creds,
+                              session_info=system_session(LP), lp=LP)
+            else:
+                tmpdb = SamDB('ldap://%s' % server, credentials=creds,
+                              session_info=system_session(LP), lp=LP)
             if errno is not None:
                 self.fail("logon failed to fail with ldb error %s" % errno)
         except ldb.LdbError as e10:
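Review bot: The `if simple:` / `else:` branches in try_ldap_logon duplicate the whole SamDB construction and differ only in the URL scheme; the reason the simple-bind path is pinned to `ldaps://` (the bind sends the password itself, so it must not travel over a plaintext connection) is also left undocumented. Folding the two into one call keeps the security-relevant choice in a single, commented place: `# simple bind sends the password in the clear, so only ever do it over TLS`, `scheme = 'ldaps' if simple else 'ldap'`, `tmpdb = SamDB('%s://%s' % (scheme, server), credentials=creds, session_info=system_session(LP), lp=LP)`. The `except ldb.LdbError as e10:` handler and the rest of try_ldap_logon continue outside the hunk.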
@@ -1038,19 +1045,23 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
         if min_pwd_age != 0:
             self.rwdc_db.set_minPwdAge('0')
 
-    def _test_ldap_change_password(self, errno=None):
+    def _test_ldap_change_password(self, errno=None, simple=False):
         self.zero_min_password_age()
         dn, username, password = self._new_user()
-        creds1 = make_creds(username, password)
+
+        simple_dn = dn if simple else None
+
+        creds1 = make_creds(username, password, simple_dn=simple_dn)
 
         # With NTLM, this should fail on RODC before replication,
         # because the user isn't known.
-        self.try_ldap_logon(RODC, creds1, ldb.ERR_INVALID_CREDENTIALS)
+        self.try_ldap_logon(RODC, creds1, ldb.ERR_INVALID_CREDENTIALS,
+                            simple=simple)
 
         self.force_replication()
 
         # Now the user is replicated to RODC, so logon should work
-        self.try_ldap_logon(RODC, creds1)
+        self.try_ldap_logon(RODC, creds1, simple=simple)
 
         passwords = ['password#%s' % i for i in range(1, 6)]
         for prev, password in zip(passwords[:-1], passwords[1:]):
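Review bot: The comments in _test_ldap_change_password still describe the NTLM path only (`# With NTLM, this should fail on RODC before replication`), but every try_ldap_logon call below them now runs with `simple=simple` and asserts the same outcomes for a simple bind; the same applies to the "new creds work straight away with NTLM ..." and "For NTLM, the old creds should always fail" comments in the following hunk. The `simple` parameter itself is also undocumented. A short header comment on the method would cover both: `# simple=True binds with the user's DN over ldaps; the expected RODC/RWDC outcomes are the same as for NTLM`, and the existing NTLM comments could read `# With NTLM or a simple bind, ...`. The method body continues into the next hunk.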
@@ -1059,40 +1070,40 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
         # The password has changed enough times to make the old
         # password invalid (though with kerberos that doesn't matter).
         # For NTLM, the old creds should always fail
-        self.try_ldap_logon(RODC, creds1, errno)
-        self.try_ldap_logon(RWDC, creds1, errno)
+        self.try_ldap_logon(RODC, creds1, errno, simple=simple)
+        self.try_ldap_logon(RWDC, creds1, errno, simple=simple)
 
-        creds2 = make_creds(username, password)
+        creds2 = make_creds(username, password, simple_dn=simple_dn)
 
         # new creds work straight away with NTLM, because although it
         # doesn't have the password, it knows the user and forwards
         # the query.
-        self.try_ldap_logon(RODC, creds2)
-        self.try_ldap_logon(RWDC, creds2)
+        self.try_ldap_logon(RODC, creds2, simple=simple)
+        self.try_ldap_logon(RWDC, creds2, simple=simple)
 
         self.force_replication()
 
         # After another replication check RODC still works and fails,
         # as appropriate to various creds
-        self.try_ldap_logon(RODC, creds2)
-        self.try_ldap_logon(RODC, creds1, errno)
+        self.try_ldap_logon(RODC, creds2, simple=simple)
+        self.try_ldap_logon(RODC, creds1, errno, simple=simple)
 
         prev = password
         password = 'password#6'
         self._change_password(dn, prev, password)
-        creds3 = make_creds(username, password)
+        creds3 = make_creds(username, password, simple_dn=simple_dn)
 
         # previous password should still work.
-        self.try_ldap_logon(RWDC, creds2)
-        self.try_ldap_logon(RODC, creds2)
+        self.try_ldap_logon(RWDC, creds2, simple=simple)
+        self.try_ldap_logon(RODC, creds2, simple=simple)
 
         # new password should still work.
-        self.try_ldap_logon(RWDC, creds3)
-        self.try_ldap_logon(RODC, creds3)
+        self.try_ldap_logon(RWDC, creds3, simple=simple)
+        self.try_ldap_logon(RODC, creds3, simple=simple)
 
         # old password should still fail (but not on kerberos).
-        self.try_ldap_logon(RWDC, creds1, errno)
-        self.try_ldap_logon(RODC, creds1, errno)
+        self.try_ldap_logon(RWDC, creds1, errno, simple=simple)
+        self.try_ldap_logon(RODC, creds1, errno, simple=simple)
 
     def test_ldap_change_password_kerberos(self):
         CREDS.set_kerberos_state(MUST_USE_KERBEROS)
@@ -1102,6 +1113,10 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
         CREDS.set_kerberos_state(DONT_USE_KERBEROS)
         self._test_ldap_change_password(ldb.ERR_INVALID_CREDENTIALS)
 
+    def test_ldap_change_password_simple_bind(self):
+        CREDS.set_kerberos_state(DONT_USE_KERBEROS)
+        self._test_ldap_change_password(ldb.ERR_INVALID_CREDENTIALS)
+
     def _test_ldap_change_password_reveal_on_demand(self, errno=None):
         self.zero_min_password_age()
 
-- 
2.17.1
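Review bot: The new test_ldap_change_password_simple_bind never passes `simple=True`, so `_test_ldap_change_password(ldb.ERR_INVALID_CREDENTIALS)` runs with the default `simple=False` and the simple-bind path added elsewhere in this patch (the bind DN in make_creds, the `ldaps://` branch in try_ldap_logon) is not exercised at all. Its body is identical to the two context lines directly above it, which appear to be the tail of the existing NTLM test, so the new test currently only repeats that one and would still pass if simple binds were broken. The call should be `self._test_ldap_change_password(ldb.ERR_INVALID_CREDENTIALS, simple=True)`. A one-line docstring such as `"""Simple bind over ldaps with the user's DN; password changes behave as with NTLM."""` would also make the test's purpose clear from its name alone.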