Author: abartlet Date: 2007-11-07 05:35:16 +0000 (Wed, 07 Nov 2007) New Revision: 25891
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=25891 Log: Test that we get the correct return value when we attempt to reference invalid entries with a linked attribute. Make Samba4 pass that test, by fixing a silly bug in the linked_attributes module. (By passing down the 'original' request structure, tdb would override our handle, and therefore we would never be called for the 'wait', which collects the errors). Fix up the provision templates to handle the newly required referential integrity. Andrew Bartlett Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/linked_attributes.c branches/SAMBA_4_0/source/setup/provision_users.ldif branches/SAMBA_4_0/testprogs/ejs/ldap.js Changeset: Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/linked_attributes.c =================================================================== --- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/linked_attributes.c 2007-11-07 02:45:17 UTC (rev 25890) +++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/linked_attributes.c 2007-11-07 05:35:16 UTC (rev 25891) @@ -243,7 +243,7 @@ ac->num_requests++; /* Run the original request */ - ret = ldb_next_request(module, req); + ret = ldb_next_request(module, ac->down_req[0]); if (ret != LDB_SUCCESS) { return ret; } @@ -323,7 +323,7 @@ ac->num_requests++; /* Run the original request */ - ret = ldb_next_request(module, req); + ret = ldb_next_request(module, ac->down_req[0]); if (ret != LDB_SUCCESS) { return ret; } Modified: branches/SAMBA_4_0/source/setup/provision_users.ldif =================================================================== --- branches/SAMBA_4_0/source/setup/provision_users.ldif 2007-11-07 02:45:17 UTC (rev 25890) +++ branches/SAMBA_4_0/source/setup/provision_users.ldif 2007-11-07 05:35:16 UTC (rev 25891) 
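Review bot: The comment `/* Run the original request */` directly above both changed calls (this hunk and the one at -323) is now misleading, because the call passes `ac->down_req[0]` rather than `req`. Going by the commit log, the module must pass down its own request so the backend does not replace the handle that the wait path uses to collect linked-attribute errors. A comment such as `/* Pass down our own copy, not req: the backend would override req's handle and our wait would never collect the errors */` would keep a later cleanup from reverting the fix. Where `down_req[0]` is populated lies outside both hunks, so it is worth confirming it is always set before this call. Both enclosing functions start and end outside the hunks.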
@@ -20,6 +20,127 @@ sAMAccountName: Guest isCriticalSystemObject: TRUE +dn: CN=Enterprise Admins,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +cn: Enterprise Admins +description: Designated administrators of the enterprise +member: CN=Administrator,CN=Users,${DOMAINDN} +objectSid: ${DOMAINSID}-519 +adminCount: 1 +sAMAccountName: Enterprise Admins +isCriticalSystemObject: TRUE + +dn: CN=krbtgt,CN=Users,${DOMAINDN} +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: krbtgt +description: Key Distribution Center Service Account +showInAdvancedViewOnly: TRUE +userAccountControl: 514 +objectSid: ${DOMAINSID}-502 +adminCount: 1 +accountExpires: 9223372036854775807 +sAMAccountName: krbtgt +sAMAccountType: 805306368 +servicePrincipalName: kadmin/changepw +isCriticalSystemObject: TRUE +sambaPassword:: ${KRBTGTPASS_B64} + +dn: CN=Domain Computers,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +cn: Domain Computers +description: All workstations and servers joined to the domain +objectSid: ${DOMAINSID}-515 +sAMAccountName: Domain Computers +isCriticalSystemObject: TRUE + +dn: CN=Domain Controllers,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +cn: Domain Controllers +description: All domain controllers in the domain +objectSid: ${DOMAINSID}-516 +adminCount: 1 +sAMAccountName: Domain Controllers +isCriticalSystemObject: TRUE + +dn: CN=Schema Admins,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +cn: Schema Admins +description: Designated administrators of the schema +member: CN=Administrator,CN=Users,${DOMAINDN} +objectSid: ${DOMAINSID}-518 +adminCount: 1 +sAMAccountName: Schema Admins +isCriticalSystemObject: TRUE + +dn: CN=Cert Publishers,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +cn: Cert Publishers +description: Members of this group are permitted to publish certificates to the Active Directory +groupType: 2147483652 +sAMAccountType: 536870912 +objectSid: 
${DOMAINSID}-517 +sAMAccountName: Cert Publishers +isCriticalSystemObject: TRUE + +dn: CN=Domain Admins,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +cn: Domain Admins +description: Designated administrators of the domain +member: CN=Administrator,CN=Users,${DOMAINDN} +objectSid: ${DOMAINSID}-512 +adminCount: 1 +sAMAccountName: Domain Admins +isCriticalSystemObject: TRUE + +dn: CN=Domain Users,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +cn: Domain Users +description: All domain users +objectSid: ${DOMAINSID}-513 +sAMAccountName: Domain Users +isCriticalSystemObject: TRUE + +dn: CN=Domain Guests,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +cn: Domain Guests +description: All domain guests +objectSid: ${DOMAINSID}-514 +sAMAccountName: Domain Guests +isCriticalSystemObject: TRUE + +dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +cn: Group Policy Creator Owners +description: Members in this group can modify group policy for the domain +member: CN=Administrator,CN=Users,${DOMAINDN} +objectSid: ${DOMAINSID}-520 +sAMAccountName: Group Policy Creator Owners +isCriticalSystemObject: TRUE + +dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +cn: RAS and IAS Servers +description: Servers in this group can access remote access properties of users +instanceType: 4 +objectSid: ${DOMAINSID}-553 +sAMAccountName: RAS and IAS Servers +sAMAccountType: 536870912 +groupType: 2147483652 +isCriticalSystemObject: TRUE + dn: CN=Administrators,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group 
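Review bot: Nothing in the template records that the new position of these entries matters, so a later tidy-up could move them back below the Builtin groups. The commit log says the move is needed for the newly enforced referential integrity, which presumably means an entry must already exist before another entry names it in `member:`. If the template loader accepts LDIF comment lines, a line such as `# Keep these before CN=Builtin: linked attributes must reference entries that already exist` above `dn: CN=Enterprise Admins` would document the ordering constraint.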
@@ -181,127 +302,6 @@ groupType: 2147483653 isCriticalSystemObject: TRUE -dn: CN=krbtgt,CN=Users,${DOMAINDN} -objectClass: top -objectClass: person -objectClass: organizationalPerson -objectClass: user -cn: krbtgt -description: Key Distribution Center Service Account -showInAdvancedViewOnly: TRUE -userAccountControl: 514 -objectSid: ${DOMAINSID}-502 -adminCount: 1 -accountExpires: 9223372036854775807 -sAMAccountName: krbtgt -sAMAccountType: 805306368 -servicePrincipalName: kadmin/changepw -isCriticalSystemObject: TRUE -sambaPassword:: ${KRBTGTPASS_B64} - -dn: CN=Domain Computers,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: Domain Computers -description: All workstations and servers joined to the domain -objectSid: ${DOMAINSID}-515 -sAMAccountName: Domain Computers -isCriticalSystemObject: TRUE - -dn: CN=Domain Controllers,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: Domain Controllers -description: All domain controllers in the domain -objectSid: ${DOMAINSID}-516 -adminCount: 1 -sAMAccountName: Domain Controllers -isCriticalSystemObject: TRUE - -dn: CN=Schema Admins,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: Schema Admins -description: Designated administrators of the schema -member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-518 -adminCount: 1 -sAMAccountName: Schema Admins -isCriticalSystemObject: TRUE - -dn: CN=Enterprise Admins,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: Enterprise Admins -description: Designated administrators of the enterprise -member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-519 -adminCount: 1 -sAMAccountName: Enterprise Admins -isCriticalSystemObject: TRUE - -dn: CN=Cert Publishers,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: Cert Publishers -description: Members of this group are permitted to publish certificates to the Active Directory -groupType: 2147483652 -sAMAccountType: 536870912 -objectSid: 
${DOMAINSID}-517 -sAMAccountName: Cert Publishers -isCriticalSystemObject: TRUE - -dn: CN=Domain Admins,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: Domain Admins -description: Designated administrators of the domain -member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-512 -adminCount: 1 -sAMAccountName: Domain Admins -isCriticalSystemObject: TRUE - -dn: CN=Domain Users,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: Domain Users -description: All domain users -objectSid: ${DOMAINSID}-513 -sAMAccountName: Domain Users -isCriticalSystemObject: TRUE - -dn: CN=Domain Guests,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: Domain Guests -description: All domain guests -objectSid: ${DOMAINSID}-514 -sAMAccountName: Domain Guests -isCriticalSystemObject: TRUE - -dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: Group Policy Creator Owners -description: Members in this group can modify group policy for the domain -member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-520 -sAMAccountName: Group Policy Creator Owners -isCriticalSystemObject: TRUE - -dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -cn: RAS and IAS Servers -description: Servers in this group can access remote access properties of users -instanceType: 4 -objectSid: ${DOMAINSID}-553 -sAMAccountName: RAS and IAS Servers -sAMAccountType: 536870912 -groupType: 2147483652 -isCriticalSystemObject: TRUE - dn: CN=Server Operators,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group Modified: branches/SAMBA_4_0/testprogs/ejs/ldap.js =================================================================== --- branches/SAMBA_4_0/testprogs/ejs/ldap.js 2007-11-07 02:45:17 UTC (rev 25890) +++ branches/SAMBA_4_0/testprogs/ejs/ldap.js 2007-11-07 05:35:16 UTC (rev 25891) 
@@ -31,7 +31,21 @@ ldb.del("cn=ldaptestuser,cn=users," + base_dn); + ldb.del("cn=ldaptestgroup,cn=users," + base_dn); + + println("Testing group add with invalid member"); var ok = ldb.add(" +dn: cn=ldaptestgroup,cn=uSers," + base_dn + " +objectclass: group +member: cn=ldaptestuser,cn=useRs," + base_dn + " +"); + + if (ok.error != 32) { /* LDAP_NO_SUCH_OBJECT */ + println(ok.errstr); + assert(ok.error == 32); + } + + var ok = ldb.add(" dn: cn=ldaptestuser,cn=uSers," + base_dn + " objectclass: user objectclass: person @@ -55,28 +69,14 @@ } } - ldb.del("cn=ldaptestgroup,cn=users," + base_dn); - var ok = ldb.add(" dn: cn=ldaptestgroup,cn=uSers," + base_dn + " objectclass: group member: cn=ldaptestuser,cn=useRs," + base_dn + " "); if (ok.error != 0) { - ok = ldb.del("cn=ldaptestgroup,cn=users," + base_dn); - if (ok.error != 0) { - println(ok.errstr); - assert(ok.error == 0); - } - ok = ldb.add(" -dn: cn=ldaptestgroup,cn=uSers," + base_dn + " -objectclass: group -member: cn=ldaptestuser,cn=useRs," + base_dn + " -"); - if (ok.error != 0) { - println(ok.errstr); - assert(ok.error == 0); - } + println(ok.errstr); + assert(ok.error == 0); } var ok = ldb.add(" @@ -185,6 +185,18 @@ ok = ldb.del("cn=ldaptestuser3,cn=users," + base_dn); + println("Testing adding non-existent user to a group"); + ok = ldb.modify(" +dn: cn=ldaptestgroup,cn=users," + base_dn + " +changetype: modify +add: member +member: cn=ldaptestuser3,cn=users," + base_dn + " +"); + if (ok.error != 32) { /* LDAP_NO_SUCH_OBJECT */ + println(ok.errstr); + assert(ok.error == 32); + } + println("Testing Renames"); ok = ldb.rename("cn=ldaptestuser2,cn=users," + base_dn, "cn=ldaptestuser3,cn=users," + base_dn); @@ -895,7 +907,7 @@ var configuration_dn = find_configurationdn(ldb); var schema_dn = find_schemadn(ldb); -printf("baseDN: %s\n", base_dn); +println("baseDN: %s\n", base_dn); var ok = gc_ldb.connect("ldap://" + host + ":3268"); if (!ok) {
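Review bot: The failure branch of the new negative test in the -31 hunk prints only `ok.errstr`, which is probably empty when the add wrongly succeeds with error 0, so the log would show a bare assert with no hint of what was expected. Printing the expectation, e.g. `println("expected LDAP_NO_SUCH_OBJECT (32), got " + ok.error + ": " + ok.errstr);`, would make a referential-integrity regression obvious at a glance. The same applies to the `ldb.modify` test added in the hunk at -185. That second test also relies on the unchecked `ldb.del` of `ldaptestuser3` just before it, so a failed delete would surface as a confusing error-code mismatch.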
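Review bot: In the -895 hunk the replacement `println("baseDN: %s\n", base_dn);` keeps the printf-style `%s` and the trailing `\n`. If ejs `println` does not interpret format strings, the output will contain a literal `%s` and an extra blank line instead of the formatted base DN. Either keep `printf`, or write `println("baseDN: " + base_dn);`.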