summaryrefslogtreecommitdiffstats
path: root/source4/torture/ldap/basic.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /source4/torture/ldap/basic.c
parentInitial commit. (diff)
downloadsamba-upstream.tar.xz
samba-upstream.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--source4/torture/ldap/basic.c1004
1 files changed, 1004 insertions, 0 deletions
diff --git a/source4/torture/ldap/basic.c b/source4/torture/ldap/basic.c
new file mode 100644
index 0000000..ff9207e
--- /dev/null
+++ b/source4/torture/ldap/basic.c
@@ -0,0 +1,1004 @@
+/*
+ Unix SMB/CIFS Implementation.
+ LDAP protocol helper functions for SAMBA
+
+ Copyright (C) Stefan Metzmacher 2004
+ Copyright (C) Simo Sorce 2004
+ Copyright (C) Matthias Dieter Wallnöfer 2009-2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#include "includes.h"
+#include "ldb_wrap.h"
+#include "libcli/ldap/ldap_client.h"
+#include "lib/cmdline/cmdline.h"
+
+#include "torture/torture.h"
+#include "torture/ldap/proto.h"
+
+#undef strcasecmp
+
+static bool test_bind_sasl(struct torture_context *tctx,
+ struct ldap_connection *conn, struct cli_credentials *creds)
+{
+ NTSTATUS status;
+ bool ret = true;
+
+ printf("Testing sasl bind as user\n");
+
+ status = torture_ldap_bind_sasl(conn, creds, tctx->lp_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = false;
+ }
+
+ return ret;
+}
+
+static bool test_multibind(struct ldap_connection *conn, const char *userdn, const char *password)
+{
+ NTSTATUS status, expected;
+ bool ok;
+
+ printf("Testing multiple binds on a single connection as anonymous and user\n");
+
+ status = torture_ldap_bind(conn, NULL, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("1st bind as anonymous failed with %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ expected = NT_STATUS_LDAP(LDAP_STRONG_AUTH_REQUIRED);
+ status = torture_ldap_bind(conn, userdn, password);
+
+ ok = NT_STATUS_EQUAL(status, expected);
+ if (!ok) {
+ printf("2nd bind as authenticated user should have "
+ "failed with: %s, got %s\n",
+ nt_errstr(expected),
+ nt_errstr(status));
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_search_rootDSE(struct ldap_connection *conn, const char **basedn,
+ const char ***partitions)
+{
+ bool ret = true;
+ struct ldap_message *msg, *result;
+ struct ldap_request *req;
+ int i;
+ struct ldap_SearchResEntry *r;
+ NTSTATUS status;
+
+ printf("Testing RootDSE Search\n");
+
+ *basedn = NULL;
+
+ if (partitions != NULL) {
+ *partitions = const_str_list(str_list_make_empty(conn));
+ }
+
+ msg = new_ldap_message(conn);
+ if (!msg) {
+ return false;
+ }
+
+ msg->type = LDAP_TAG_SearchRequest;
+ msg->r.SearchRequest.basedn = "";
+ msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE;
+ msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
+ msg->r.SearchRequest.timelimit = 0;
+ msg->r.SearchRequest.sizelimit = 0;
+ msg->r.SearchRequest.attributesonly = false;
+ msg->r.SearchRequest.tree = ldb_parse_tree(msg, "(objectclass=*)");
+ msg->r.SearchRequest.num_attributes = 0;
+ msg->r.SearchRequest.attributes = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (req == NULL) {
+ printf("Could not setup ldap search\n");
+ return false;
+ }
+
+ status = ldap_result_one(req, &result, LDAP_TAG_SearchResultEntry);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("search failed - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ printf("received %d replies\n", req->num_replies);
+
+ r = &result->r.SearchResultEntry;
+
+ DEBUG(1,("\tdn: %s\n", r->dn));
+ for (i=0; i<r->num_attributes; i++) {
+ unsigned int j;
+ for (j=0; j<r->attributes[i].num_values; j++) {
+ DEBUG(1,("\t%s: %d %.*s\n", r->attributes[i].name,
+ (int)r->attributes[i].values[j].length,
+ (int)r->attributes[i].values[j].length,
+ (char *)r->attributes[i].values[j].data));
+ if (!(*basedn) &&
+ strcasecmp("defaultNamingContext",r->attributes[i].name)==0) {
+ *basedn = talloc_asprintf(conn, "%.*s",
+ (int)r->attributes[i].values[j].length,
+ (char *)r->attributes[i].values[j].data);
+ }
+ if ((partitions != NULL) &&
+ (strcasecmp("namingContexts", r->attributes[i].name) == 0)) {
+ char *entry = talloc_asprintf(conn, "%.*s",
+ (int)r->attributes[i].values[j].length,
+ (char *)r->attributes[i].values[j].data);
+ *partitions = str_list_add(*partitions, entry);
+ }
+ }
+ }
+
+ return ret;
+}
+
+static bool test_search_rootDSE_empty_substring(struct ldap_connection *conn)
+{
+ bool ret = true;
+ struct ldap_message *msg, *result;
+ struct ldap_request *req;
+ NTSTATUS status;
+
+ printf("Testing RootDSE Search with objectclass= substring filter\n");
+
+ msg = new_ldap_message(conn);
+ if (!msg) {
+ return false;
+ }
+
+ msg->type = LDAP_TAG_SearchRequest;
+ msg->r.SearchRequest.basedn = "";
+ msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE;
+ msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
+ msg->r.SearchRequest.timelimit = 0;
+ msg->r.SearchRequest.sizelimit = 0;
+ msg->r.SearchRequest.attributesonly = false;
+ msg->r.SearchRequest.tree = ldb_parse_tree(msg, "(objectclass=*)");
+ msg->r.SearchRequest.tree->operation = LDB_OP_SUBSTRING;
+ msg->r.SearchRequest.tree->u.substring.attr = "objectclass";
+ msg->r.SearchRequest.tree->u.substring.start_with_wildcard = 1;
+ msg->r.SearchRequest.tree->u.substring.end_with_wildcard = 1;
+ msg->r.SearchRequest.tree->u.substring.chunks = NULL;
+ msg->r.SearchRequest.num_attributes = 0;
+ msg->r.SearchRequest.attributes = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (req == NULL) {
+ printf("Could not setup ldap search\n");
+ return false;
+ }
+
+ status = ldap_result_one(req, &result, LDAP_TAG_SearchResultEntry);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("looking for search result reply failed - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ printf("received %d replies\n", req->num_replies);
+
+ return ret;
+}
+
+static bool test_search_auth_empty_substring(struct ldap_connection *conn, const char *basedn)
+{
+ bool ret = true;
+ struct ldap_message *msg, *result;
+ struct ldap_request *req;
+ NTSTATUS status;
+ struct ldap_Result *r;
+
+ printf("Testing authenticated base Search with objectclass= substring filter\n");
+
+ msg = new_ldap_message(conn);
+ if (!msg) {
+ return false;
+ }
+
+ msg->type = LDAP_TAG_SearchRequest;
+ msg->r.SearchRequest.basedn = basedn;
+ msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_BASE;
+ msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
+ msg->r.SearchRequest.timelimit = 0;
+ msg->r.SearchRequest.sizelimit = 0;
+ msg->r.SearchRequest.attributesonly = false;
+ msg->r.SearchRequest.tree = ldb_parse_tree(msg, "(objectclass=*)");
+ msg->r.SearchRequest.tree->operation = LDB_OP_SUBSTRING;
+ msg->r.SearchRequest.tree->u.substring.attr = "objectclass";
+ msg->r.SearchRequest.tree->u.substring.start_with_wildcard = 1;
+ msg->r.SearchRequest.tree->u.substring.end_with_wildcard = 1;
+ msg->r.SearchRequest.tree->u.substring.chunks = NULL;
+ msg->r.SearchRequest.num_attributes = 0;
+ msg->r.SearchRequest.attributes = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (req == NULL) {
+ printf("Could not setup ldap search\n");
+ return false;
+ }
+
+ status = ldap_result_one(req, &result, LDAP_TAG_SearchResultDone);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("looking for search result done failed - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ printf("received %d replies\n", req->num_replies);
+
+ r = &result->r.SearchResultDone;
+
+ if (r->resultcode != LDAP_SUCCESS) {
+ printf("search result done gave error - %s\n", ldb_strerror(r->resultcode));
+ return false;
+ }
+
+ return ret;
+}
+
+static bool test_compare_sasl(struct ldap_connection *conn, const char *basedn)
+{
+ struct ldap_message *msg, *rep;
+ struct ldap_request *req;
+ const char *val;
+ NTSTATUS status;
+
+ printf("Testing SASL Compare: %s\n", basedn);
+
+ if (!basedn) {
+ return false;
+ }
+
+ msg = new_ldap_message(conn);
+ if (!msg) {
+ return false;
+ }
+
+ msg->type = LDAP_TAG_CompareRequest;
+ msg->r.CompareRequest.dn = basedn;
+ msg->r.CompareRequest.attribute = talloc_strdup(msg, "objectClass");
+ val = "domain";
+ msg->r.CompareRequest.value = data_blob_talloc(msg, val, strlen(val));
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_CompareResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap compare request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ DEBUG(5,("Code: %d DN: [%s] ERROR:[%s] REFERRAL:[%s]\n",
+ rep->r.CompareResponse.resultcode,
+ rep->r.CompareResponse.dn,
+ rep->r.CompareResponse.errormessage,
+ rep->r.CompareResponse.referral));
+
+ return true;
+}
+
+/*
+ * This takes an AD error message and splits it into the WERROR code
+ * (WERR_DS_GENERIC if none found) and the reason (remaining string).
+ */
+static WERROR ad_error(const char *err_msg, char **reason)
+{
+ WERROR err = W_ERROR(strtol(err_msg, reason, 16));
+
+ if ((reason != NULL) && (*reason[0] != ':')) {
+ return WERR_DS_GENERIC_ERROR; /* not an AD std error message */
+ }
+
+ if (reason != NULL) {
+ *reason += 2; /* skip ": " */
+ }
+ return err;
+}
+
+/* This has to be done using the LDAP API since the LDB API does only transmit
+ * the error code and not the error message. */
+static bool test_error_codes(struct torture_context *tctx,
+ struct ldap_connection *conn, const char *basedn)
+{
+ struct ldap_message *msg, *rep;
+ struct ldap_request *req;
+ const char *err_code_str;
+ char *endptr;
+ WERROR err;
+ NTSTATUS status;
+
+ printf("Testing the most important error code -> error message conversions!\n");
+
+ if (!basedn) {
+ return false;
+ }
+
+ msg = new_ldap_message(conn);
+ if (!msg) {
+ return false;
+ }
+
+ printf(" Try a wrong addition\n");
+
+ msg->type = LDAP_TAG_AddRequest;
+ msg->r.AddRequest.dn = basedn;
+ msg->r.AddRequest.num_attributes = 0;
+ msg->r.AddRequest.attributes = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_AddResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap add request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if ((rep->r.AddResponse.resultcode == 0)
+ || (rep->r.AddResponse.errormessage == NULL)
+ || (strtol(rep->r.AddResponse.errormessage, &endptr,16) <= 0)
+ || (*endptr != ':')) {
+ printf("Invalid error message!\n");
+ return false;
+ }
+
+ err = ad_error(rep->r.AddResponse.errormessage, &endptr);
+ err_code_str = win_errstr(err);
+ printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
+ if ((!W_ERROR_EQUAL(err, WERR_DS_REFERRAL))
+ || (rep->r.AddResponse.resultcode != LDAP_REFERRAL)) {
+ return false;
+ }
+ if ((rep->r.AddResponse.referral == NULL)
+ || (strstr(rep->r.AddResponse.referral, basedn) == NULL)) {
+ return false;
+ }
+
+ printf(" Try another wrong addition\n");
+
+ msg->type = LDAP_TAG_AddRequest;
+ msg->r.AddRequest.dn = "";
+ msg->r.AddRequest.num_attributes = 0;
+ msg->r.AddRequest.attributes = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_AddResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap add request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if ((rep->r.AddResponse.resultcode == 0)
+ || (rep->r.AddResponse.errormessage == NULL)
+ || (strtol(rep->r.AddResponse.errormessage, &endptr,16) <= 0)
+ || (*endptr != ':')) {
+ printf("Invalid error message!\n");
+ return false;
+ }
+
+ err = ad_error(rep->r.AddResponse.errormessage, &endptr);
+ err_code_str = win_errstr(err);
+ printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
+ if ((!W_ERROR_EQUAL(err, WERR_DS_ROOT_MUST_BE_NC) &&
+ !W_ERROR_EQUAL(err, WERR_DS_NAMING_VIOLATION))
+ || (rep->r.AddResponse.resultcode != LDAP_NAMING_VIOLATION)) {
+ return false;
+ }
+
+ printf(" Try a wrong modification\n");
+
+ msg->type = LDAP_TAG_ModifyRequest;
+ msg->r.ModifyRequest.dn = basedn;
+ msg->r.ModifyRequest.num_mods = 0;
+ msg->r.ModifyRequest.mods = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_ModifyResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap modifification request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if ((rep->r.ModifyResponse.resultcode == 0)
+ || (rep->r.ModifyResponse.errormessage == NULL)
+ || (strtol(rep->r.ModifyResponse.errormessage, &endptr,16) <= 0)
+ || (*endptr != ':')) {
+ printf("Invalid error message!\n");
+ return false;
+ }
+
+ err = ad_error(rep->r.ModifyResponse.errormessage, &endptr);
+ err_code_str = win_errstr(err);
+ printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
+ if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAMETER) &&
+ !W_ERROR_EQUAL(err, WERR_DS_UNWILLING_TO_PERFORM))
+ || (rep->r.ModifyResponse.resultcode != LDAP_UNWILLING_TO_PERFORM)) {
+ return false;
+ }
+
+ printf(" Try another wrong modification\n");
+
+ msg->type = LDAP_TAG_ModifyRequest;
+ msg->r.ModifyRequest.dn = "";
+ msg->r.ModifyRequest.num_mods = 0;
+ msg->r.ModifyRequest.mods = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_ModifyResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap modifification request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if ((rep->r.ModifyResponse.resultcode == 0)
+ || (rep->r.ModifyResponse.errormessage == NULL)
+ || (strtol(rep->r.ModifyResponse.errormessage, &endptr,16) <= 0)
+ || (*endptr != ':')) {
+ printf("Invalid error message!\n");
+ return false;
+ }
+
+ err = ad_error(rep->r.ModifyResponse.errormessage, &endptr);
+ err_code_str = win_errstr(err);
+ printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
+ if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAMETER) &&
+ !W_ERROR_EQUAL(err, WERR_DS_UNWILLING_TO_PERFORM))
+ || (rep->r.ModifyResponse.resultcode != LDAP_UNWILLING_TO_PERFORM)) {
+ return false;
+ }
+
+ printf(" Try a wrong removal\n");
+
+ msg->type = LDAP_TAG_DelRequest;
+ msg->r.DelRequest.dn = basedn;
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_DelResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap removal request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if ((rep->r.DelResponse.resultcode == 0)
+ || (rep->r.DelResponse.errormessage == NULL)
+ || (strtol(rep->r.DelResponse.errormessage, &endptr,16) <= 0)
+ || (*endptr != ':')) {
+ printf("Invalid error message!\n");
+ return false;
+ }
+
+ err = ad_error(rep->r.DelResponse.errormessage, &endptr);
+ err_code_str = win_errstr(err);
+ printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
+ if ((!W_ERROR_EQUAL(err, WERR_DS_CANT_DELETE) &&
+ !W_ERROR_EQUAL(err, WERR_DS_UNWILLING_TO_PERFORM))
+ || (rep->r.DelResponse.resultcode != LDAP_UNWILLING_TO_PERFORM)) {
+ return false;
+ }
+
+ printf(" Try another wrong removal\n");
+
+ msg->type = LDAP_TAG_DelRequest;
+ msg->r.DelRequest.dn = "";
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_DelResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap removal request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if ((rep->r.DelResponse.resultcode == 0)
+ || (rep->r.DelResponse.errormessage == NULL)
+ || (strtol(rep->r.DelResponse.errormessage, &endptr,16) <= 0)
+ || (*endptr != ':')) {
+ printf("Invalid error message!\n");
+ return false;
+ }
+
+ err = ad_error(rep->r.DelResponse.errormessage, &endptr);
+ err_code_str = win_errstr(err);
+ printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
+ if ((!W_ERROR_EQUAL(err, WERR_DS_OBJ_NOT_FOUND) &&
+ !W_ERROR_EQUAL(err, WERR_DS_NO_SUCH_OBJECT))
+ || (rep->r.DelResponse.resultcode != LDAP_NO_SUCH_OBJECT)) {
+ return false;
+ }
+
+ printf(" Try a wrong rename\n");
+
+ msg->type = LDAP_TAG_ModifyDNRequest;
+ msg->r.ModifyDNRequest.dn = basedn;
+ msg->r.ModifyDNRequest.newrdn = "dc=test";
+ msg->r.ModifyDNRequest.deleteolddn = true;
+ msg->r.ModifyDNRequest.newsuperior = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_ModifyDNResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap rename request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if ((rep->r.ModifyDNResponse.resultcode == 0)
+ || (rep->r.ModifyDNResponse.errormessage == NULL)
+ || (strtol(rep->r.ModifyDNResponse.errormessage, &endptr,16) <= 0)
+ || (*endptr != ':')) {
+ printf("Invalid error message!\n");
+ return false;
+ }
+
+ err = ad_error(rep->r.ModifyDNResponse.errormessage, &endptr);
+ err_code_str = win_errstr(err);
+ printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
+ if ((!W_ERROR_EQUAL(err, WERR_DS_NO_PARENT_OBJECT) &&
+ !W_ERROR_EQUAL(err, WERR_DS_GENERIC_ERROR))
+ || (rep->r.ModifyDNResponse.resultcode != LDAP_OTHER)) {
+ return false;
+ }
+
+ printf(" Try another wrong rename\n");
+
+ msg->type = LDAP_TAG_ModifyDNRequest;
+ msg->r.ModifyDNRequest.dn = basedn;
+ msg->r.ModifyDNRequest.newrdn = basedn;
+ msg->r.ModifyDNRequest.deleteolddn = true;
+ msg->r.ModifyDNRequest.newsuperior = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_ModifyDNResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap rename request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if ((rep->r.ModifyDNResponse.resultcode == 0)
+ || (rep->r.ModifyDNResponse.errormessage == NULL)
+ || (strtol(rep->r.ModifyDNResponse.errormessage, &endptr,16) <= 0)
+ || (*endptr != ':')) {
+ printf("Invalid error message!\n");
+ return false;
+ }
+
+ err = ad_error(rep->r.ModifyDNResponse.errormessage, &endptr);
+ err_code_str = win_errstr(err);
+ printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
+ if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAMETER) &&
+ !W_ERROR_EQUAL(err, WERR_DS_NAMING_VIOLATION))
+ || (rep->r.ModifyDNResponse.resultcode != LDAP_NAMING_VIOLATION)) {
+ return false;
+ }
+
+ printf(" Try another wrong rename\n");
+
+ msg->type = LDAP_TAG_ModifyDNRequest;
+ msg->r.ModifyDNRequest.dn = basedn;
+ msg->r.ModifyDNRequest.newrdn = "";
+ msg->r.ModifyDNRequest.deleteolddn = true;
+ msg->r.ModifyDNRequest.newsuperior = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_ModifyDNResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap rename request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if ((rep->r.ModifyDNResponse.resultcode == 0)
+ || (rep->r.ModifyDNResponse.errormessage == NULL)
+ || (strtol(rep->r.ModifyDNResponse.errormessage, &endptr,16) <= 0)
+ || (*endptr != ':')) {
+ printf("Invalid error message!\n");
+ return false;
+ }
+
+ err = ad_error(rep->r.ModifyDNResponse.errormessage, &endptr);
+ err_code_str = win_errstr(err);
+ printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
+ if ((!W_ERROR_EQUAL(err, WERR_INVALID_PARAMETER) &&
+ !W_ERROR_EQUAL(err, WERR_DS_PROTOCOL_ERROR))
+ || (rep->r.ModifyDNResponse.resultcode != LDAP_PROTOCOL_ERROR)) {
+ return false;
+ }
+
+ printf(" Try another wrong rename\n");
+
+ msg->type = LDAP_TAG_ModifyDNRequest;
+ msg->r.ModifyDNRequest.dn = "";
+ msg->r.ModifyDNRequest.newrdn = "cn=temp";
+ msg->r.ModifyDNRequest.deleteolddn = true;
+ msg->r.ModifyDNRequest.newsuperior = NULL;
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_result_one(req, &rep, LDAP_TAG_ModifyDNResponse);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap rename request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ if ((rep->r.ModifyDNResponse.resultcode == 0)
+ || (rep->r.ModifyDNResponse.errormessage == NULL)
+ || (strtol(rep->r.ModifyDNResponse.errormessage, &endptr,16) <= 0)
+ || (*endptr != ':')) {
+ printf("Invalid error message!\n");
+ return false;
+ }
+
+ err = ad_error(rep->r.ModifyDNResponse.errormessage, &endptr);
+ err_code_str = win_errstr(err);
+ printf(" - Errorcode: %s; Reason: %s\n", err_code_str, endptr);
+ if ((!W_ERROR_EQUAL(err, WERR_DS_OBJ_NOT_FOUND) &&
+ !W_ERROR_EQUAL(err, WERR_DS_NO_SUCH_OBJECT))
+ || (rep->r.ModifyDNResponse.resultcode != LDAP_NO_SUCH_OBJECT)) {
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_referrals(struct torture_context *tctx, TALLOC_CTX *mem_ctx,
+ const char *url, const char *basedn, const char **partitions)
+{
+ struct ldb_context *ldb;
+ struct ldb_result *res;
+ const char * const *attrs = { NULL };
+ struct ldb_dn *dn1, *dn2;
+ int ret;
+ int i, j, k;
+ char *tempstr;
+ bool found, l_found;
+
+ printf("Testing referrals\n");
+
+ if (partitions[0] == NULL) {
+ printf("Partitions list empty!\n");
+ return false;
+ }
+
+ if (strcmp(partitions[0], basedn) != 0) {
+ printf("The first (root) partition DN should be the base DN!\n");
+ return false;
+ }
+
+ ldb = ldb_wrap_connect(mem_ctx, tctx->ev, tctx->lp_ctx, url,
+ NULL, samba_cmdline_get_creds(), 0);
+
+ /* "partitions[i]" are the partitions for which we search the parents */
+ for (i = 1; partitions[i] != NULL; i++) {
+ dn1 = ldb_dn_new(mem_ctx, ldb, partitions[i]);
+ if (dn1 == NULL) {
+ printf("Out of memory\n");
+ talloc_free(ldb);
+ return false;
+ }
+
+ /* search using base scope */
+ /* "partitions[j]" are the parent candidates */
+ for (j = str_list_length(partitions) - 1; j >= 0; --j) {
+ dn2 = ldb_dn_new(mem_ctx, ldb, partitions[j]);
+ if (dn2 == NULL) {
+ printf("Out of memory\n");
+ talloc_free(ldb);
+ return false;
+ }
+
+ ret = ldb_search(ldb, mem_ctx, &res, dn2,
+ LDB_SCOPE_BASE, attrs,
+ "(foo=bar)");
+ if (ret != LDB_SUCCESS) {
+ printf("%s", ldb_errstring(ldb));
+ talloc_free(ldb);
+ return false;
+ }
+
+ if (res->refs != NULL) {
+ printf("There shouldn't be generated any referrals in the base scope!\n");
+ talloc_free(ldb);
+ return false;
+ }
+
+ talloc_free(res);
+ talloc_free(dn2);
+ }
+
+ /* search using onelevel scope */
+ found = false;
+ /* "partitions[j]" are the parent candidates */
+ for (j = str_list_length(partitions) - 1; j >= 0; --j) {
+ dn2 = ldb_dn_new(mem_ctx, ldb, partitions[j]);
+ if (dn2 == NULL) {
+ printf("Out of memory\n");
+ talloc_free(ldb);
+ return false;
+ }
+
+ ret = ldb_search(ldb, mem_ctx, &res, dn2,
+ LDB_SCOPE_ONELEVEL, attrs,
+ "(foo=bar)");
+ if (ret != LDB_SUCCESS) {
+ printf("%s", ldb_errstring(ldb));
+ talloc_free(ldb);
+ return false;
+ }
+
+ tempstr = talloc_asprintf(mem_ctx, "/%s??base",
+ partitions[i]);
+ if (tempstr == NULL) {
+ printf("Out of memory\n");
+ talloc_free(ldb);
+ return false;
+ }
+
+ /* Try to find or find not a matching referral */
+ l_found = false;
+ for (k = 0; (!l_found) && (res->refs != NULL)
+ && (res->refs[k] != NULL); k++) {
+ if (strstr(res->refs[k], tempstr) != NULL) {
+ l_found = true;
+ }
+ }
+
+ talloc_free(tempstr);
+
+ if ((!found) && (ldb_dn_compare_base(dn2, dn1) == 0)
+ && (ldb_dn_compare(dn2, dn1) != 0)) {
+ /* This is a referral candidate */
+ if (!l_found) {
+ printf("A required referral hasn't been found on onelevel scope (%s -> %s)!\n", partitions[j], partitions[i]);
+ talloc_free(ldb);
+ return false;
+ }
+ found = true;
+ } else {
+ /* This isn't a referral candidate */
+ if (l_found) {
+ printf("A unrequired referral has been found on onelevel scope (%s -> %s)!\n", partitions[j], partitions[i]);
+ talloc_free(ldb);
+ return false;
+ }
+ }
+
+ talloc_free(res);
+ talloc_free(dn2);
+ }
+
+ /* search using subtree scope */
+ found = false;
+ /* "partitions[j]" are the parent candidates */
+ for (j = str_list_length(partitions) - 1; j >= 0; --j) {
+ dn2 = ldb_dn_new(mem_ctx, ldb, partitions[j]);
+ if (dn2 == NULL) {
+ printf("Out of memory\n");
+ talloc_free(ldb);
+ return false;
+ }
+
+ ret = ldb_search(ldb, mem_ctx, &res, dn2,
+ LDB_SCOPE_SUBTREE, attrs,
+ "(foo=bar)");
+ if (ret != LDB_SUCCESS) {
+ printf("%s", ldb_errstring(ldb));
+ talloc_free(ldb);
+ return false;
+ }
+
+ tempstr = talloc_asprintf(mem_ctx, "/%s",
+ partitions[i]);
+ if (tempstr == NULL) {
+ printf("Out of memory\n");
+ talloc_free(ldb);
+ return false;
+ }
+
+ /* Try to find or find not a matching referral */
+ l_found = false;
+ for (k = 0; (!l_found) && (res->refs != NULL)
+ && (res->refs[k] != NULL); k++) {
+ if (strstr(res->refs[k], tempstr) != NULL) {
+ l_found = true;
+ }
+ }
+
+ talloc_free(tempstr);
+
+ if ((!found) && (ldb_dn_compare_base(dn2, dn1) == 0)
+ && (ldb_dn_compare(dn2, dn1) != 0)) {
+ /* This is a referral candidate */
+ if (!l_found) {
+ printf("A required referral hasn't been found on subtree scope (%s -> %s)!\n", partitions[j], partitions[i]);
+ talloc_free(ldb);
+ return false;
+ }
+ found = true;
+ } else {
+ /* This isn't a referral candidate */
+ if (l_found) {
+ printf("A unrequired referral has been found on subtree scope (%s -> %s)!\n", partitions[j], partitions[i]);
+ talloc_free(ldb);
+ return false;
+ }
+ }
+
+ talloc_free(res);
+ talloc_free(dn2);
+ }
+
+ talloc_free(dn1);
+ }
+
+ talloc_free(ldb);
+
+ return true;
+}
+
+static bool test_abandon_request(struct torture_context *tctx,
+ struct ldap_connection *conn, const char *basedn)
+{
+ struct ldap_message *msg;
+ struct ldap_request *req;
+ NTSTATUS status;
+
+ printf("Testing the AbandonRequest with an old message id!\n");
+
+ if (!basedn) {
+ return false;
+ }
+
+ msg = new_ldap_message(conn);
+ if (!msg) {
+ return false;
+ }
+
+ printf(" Try a AbandonRequest for an old message id\n");
+
+ msg->type = LDAP_TAG_AbandonRequest;
+ msg->r.AbandonRequest.messageid = 1;
+
+ req = ldap_request_send(conn, msg);
+ if (!req) {
+ return false;
+ }
+
+ status = ldap_request_wait(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("error in ldap abandon request - %s\n", nt_errstr(status));
+ return false;
+ }
+
+ return true;
+}
+
+
+bool torture_ldap_basic(struct torture_context *torture)
+{
+ NTSTATUS status;
+ struct ldap_connection *conn;
+ TALLOC_CTX *mem_ctx;
+ bool ret = true;
+ const char *host = torture_setting_string(torture, "host", NULL);
+ const char *userdn = torture_setting_string(torture, "ldap_userdn", NULL);
+ const char *secret = torture_setting_string(torture, "ldap_secret", NULL);
+ const char *url;
+ const char *basedn;
+ const char **partitions;
+
+ mem_ctx = talloc_init("torture_ldap_basic");
+
+ url = talloc_asprintf(mem_ctx, "ldap://%s/", host);
+
+ status = torture_ldap_connection(torture, &conn, url);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ if (!test_search_rootDSE(conn, &basedn, &partitions)) {
+ ret = false;
+ }
+
+ if (!test_search_rootDSE_empty_substring(conn)) {
+ ret = false;
+ }
+
+ /* other bind tests here */
+
+ if (!test_multibind(conn, userdn, secret)) {
+ ret = false;
+ }
+
+ if (!test_bind_sasl(torture, conn, samba_cmdline_get_creds())) {
+ ret = false;
+ }
+
+ if (!test_search_auth_empty_substring(conn, basedn)) {
+ ret = false;
+ }
+
+ if (!test_compare_sasl(conn, basedn)) {
+ ret = false;
+ }
+
+ /* error codes test here */
+
+ if (!test_error_codes(torture, conn, basedn)) {
+ ret = false;
+ }
+
+ /* referrals test here */
+
+ if (!test_referrals(torture, mem_ctx, url, basedn, partitions)) {
+ ret = false;
+ }
+
+ if (!test_abandon_request(torture, conn, basedn)) {
+ ret = false;
+ }
+
+ /* if there are no more tests we are closing */
+ torture_ldap_close(conn);
+ talloc_free(mem_ctx);
+
+ torture_assert(torture, ret, "torture_ldap_basic failed");
+
+ return ret;
+}
+