andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 5 months ago
Clone

Blame SOURCES/0012-Bug-1347760-CI-test-test-case-for-bug-1347760.patch

7c7f29
From 845915e82846c3e84a9c7585ff584da32c1c5f38 Mon Sep 17 00:00:00 2001
7c7f29
From: Noriko Hosoi <nhosoi@redhat.com>
7c7f29
Date: Tue, 12 Jul 2016 14:33:17 -0700
7c7f29
Subject: [PATCH 12/15] Bug 1347760 - CI test: test case for bug 1347760
7c7f29
7c7f29
Description: Information disclosure via repeated use of LDAP ADD operation, etc.
7c7f29
(cherry picked from commit 27b8987108d875e3e9ee0d844548f8d94db350d1)
7c7f29
---
7c7f29
 dirsrvtests/tests/tickets/ticket1347760_test.py | 440 ++++++++++++++++++++++++
7c7f29
 1 file changed, 440 insertions(+)
7c7f29
 create mode 100644 dirsrvtests/tests/tickets/ticket1347760_test.py
7c7f29
7c7f29
diff --git a/dirsrvtests/tests/tickets/ticket1347760_test.py b/dirsrvtests/tests/tickets/ticket1347760_test.py
7c7f29
new file mode 100644
7c7f29
index 0000000..d2e9e37
7c7f29
--- /dev/null
7c7f29
+++ b/dirsrvtests/tests/tickets/ticket1347760_test.py
7c7f29
@@ -0,0 +1,440 @@
7c7f29
+# --- BEGIN COPYRIGHT BLOCK ---
7c7f29
+# Copyright (C) 2016 Red Hat, Inc.
7c7f29
+# All rights reserved.
7c7f29
+#
7c7f29
+# License: GPL (version 3 or any later version).
7c7f29
+# See LICENSE for details.
7c7f29
+# --- END COPYRIGHT BLOCK ---
7c7f29
+#
7c7f29
+import os
7c7f29
+import sys
7c7f29
+import time
7c7f29
+import ldap
7c7f29
+import logging
7c7f29
+import pytest
7c7f29
+from lib389 import DirSrv, Entry, tools, tasks
7c7f29
+from lib389.tools import DirSrvTools
7c7f29
+from lib389._constants import *
7c7f29
+from lib389.properties import *
7c7f29
+from lib389.tasks import *
7c7f29
+from lib389.utils import *
7c7f29
+
7c7f29
+logging.getLogger(__name__).setLevel(logging.DEBUG)
7c7f29
+log = logging.getLogger(__name__)
7c7f29
+
7c7f29
+installation1_prefix = None
7c7f29
+
7c7f29
+CONFIG_DN = 'cn=config'
7c7f29
+BOU = 'BOU'
7c7f29
+BINDOU = 'ou=%s,%s' % (BOU, DEFAULT_SUFFIX)
7c7f29
+BUID = 'buser123'
7c7f29
+TUID = 'tuser0'
7c7f29
+BINDDN = 'uid=%s,%s' % (BUID, BINDOU)
7c7f29
+BINDPW = BUID
7c7f29
+TESTDN = 'uid=%s,ou=people,%s' % (TUID, DEFAULT_SUFFIX)
7c7f29
+TESTPW = TUID
7c7f29
+BOGUSDN = 'uid=bogus,%s' % DEFAULT_SUFFIX
7c7f29
+BOGUSDN2 = 'uid=bogus,ou=people,%s' % DEFAULT_SUFFIX
7c7f29
+BOGUSSUFFIX = 'uid=bogus,ou=people,dc=bogus'
7c7f29
+GROUPOU = 'ou=groups,%s' % DEFAULT_SUFFIX
7c7f29
+BOGUSOU = 'ou=OU,%s' % DEFAULT_SUFFIX
7c7f29
+
7c7f29
+logging.getLogger(__name__).setLevel(logging.DEBUG)
7c7f29
+log = logging.getLogger(__name__)
7c7f29
+
7c7f29
+installation1_prefix = None
7c7f29
+
7c7f29
+class TopologyStandalone(object):
7c7f29
+    def __init__(self, standalone):
7c7f29
+        standalone.open()
7c7f29
+        self.standalone = standalone
7c7f29
+
7c7f29
+
7c7f29
+@pytest.fixture(scope="module")
7c7f29
+def topology(request):
7c7f29
+    global installation1_prefix
7c7f29
+    if installation1_prefix:
7c7f29
+        args_instance[SER_DEPLOYED_DIR] = installation1_prefix
7c7f29
+
7c7f29
+    # Creating standalone instance ...
7c7f29
+    standalone = DirSrv(verbose=False)
7c7f29
+    args_instance[SER_HOST] = HOST_STANDALONE
7c7f29
+    args_instance[SER_PORT] = PORT_STANDALONE
7c7f29
+    args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
7c7f29
+    args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
7c7f29
+    args_standalone = args_instance.copy()
7c7f29
+    standalone.allocate(args_standalone)
7c7f29
+    instance_standalone = standalone.exists()
7c7f29
+    if instance_standalone:
7c7f29
+        standalone.delete()
7c7f29
+    standalone.create()
7c7f29
+    standalone.open()
7c7f29
+
7c7f29
+    # Delete each instance in the end
7c7f29
+#    def fin():
7c7f29
+#        standalone.delete()
7c7f29
+#    request.addfinalizer(fin)
7c7f29
+
7c7f29
+    # Clear out the tmp dir
7c7f29
+    standalone.clearTmpDir(__file__)
7c7f29
+
7c7f29
+    return TopologyStandalone(standalone)
7c7f29
+
7c7f29
+def pattern_accesslog(file, log_pattern):
7c7f29
+    try:
7c7f29
+        pattern_accesslog.last_pos += 1
7c7f29
+    except AttributeError:
7c7f29
+        pattern_accesslog.last_pos = 0
7c7f29
+
7c7f29
+    found = None
7c7f29
+    file.seek(pattern_accesslog.last_pos)
7c7f29
+
7c7f29
+    # Use a while true iteration because 'for line in file: hit a
7c7f29
+    # python bug that break file.tell()
7c7f29
+    while True:
7c7f29
+        line = file.readline()
7c7f29
+        found = log_pattern.search(line)
7c7f29
+        if ((line == '') or (found)):
7c7f29
+            break
7c7f29
+
7c7f29
+    pattern_accesslog.last_pos = file.tell()
7c7f29
+    if found:
7c7f29
+        return line
7c7f29
+    else:
7c7f29
+        return None
7c7f29
+
7c7f29
+def check_op_result(server, op, dn, superior, exists, rc):
7c7f29
+    targetdn = dn
7c7f29
+    if op == 'search':
7c7f29
+        if exists:
7c7f29
+            opstr = 'Searching existing entry'
7c7f29
+        else:
7c7f29
+            opstr = 'Searching non-existing entry'
7c7f29
+    elif op == 'add':
7c7f29
+        if exists:
7c7f29
+            opstr = 'Adding existing entry'
7c7f29
+        else:
7c7f29
+            opstr = 'Adding non-existing entry'
7c7f29
+    elif op == 'modify':
7c7f29
+        if exists:
7c7f29
+            opstr = 'Modifying existing entry'
7c7f29
+        else:
7c7f29
+            opstr = 'Modifying non-existing entry'
7c7f29
+    elif op == 'modrdn':
7c7f29
+        if superior != None:
7c7f29
+            targetdn = superior
7c7f29
+            if exists:
7c7f29
+                opstr = 'Moving to existing superior'
7c7f29
+            else:
7c7f29
+                opstr = 'Moving to non-existing superior'
7c7f29
+        else:
7c7f29
+            if exists:
7c7f29
+                opstr = 'Renaming existing entry'
7c7f29
+            else:
7c7f29
+                opstr = 'Renaming non-existing entry'
7c7f29
+    elif op == 'delete':
7c7f29
+        if exists:
7c7f29
+            opstr = 'Deleting existing entry'
7c7f29
+        else:
7c7f29
+            opstr = 'Deleting non-existing entry'
7c7f29
+
7c7f29
+    if ldap.SUCCESS == rc:
7c7f29
+        expstr = 'be ok'
7c7f29
+    else:
7c7f29
+        expstr = 'fail with %s' % rc.__name__
7c7f29
+
7c7f29
+    log.info('%s %s, which should %s.' % (opstr, targetdn, expstr))
7c7f29
+    hit = 0
7c7f29
+    try:
7c7f29
+        if op == 'search':
7c7f29
+            centry = server.search_s(dn, ldap.SCOPE_BASE, 'objectclass=*')
7c7f29
+        elif op == 'add':
7c7f29
+            server.add_s(Entry((dn, {'objectclass': 'top extensibleObject'.split(),
7c7f29
+                                     'cn': 'test entry'})))
7c7f29
+        elif op == 'modify':
7c7f29
+            server.modify_s(dn, [(ldap.MOD_REPLACE, 'description', 'test')])
7c7f29
+        elif op == 'modrdn':
7c7f29
+            if superior != None:
7c7f29
+                server.rename_s(dn, 'uid=new', newsuperior=superior, delold=1)
7c7f29
+            else:
7c7f29
+                server.rename_s(dn, 'uid=new', delold=1)
7c7f29
+        elif op == 'delete':
7c7f29
+            server.delete_s(dn)
7c7f29
+        else:
7c7f29
+            log.fatal('Unknown operation %s' % op)
7c7f29
+            assert False
7c7f29
+    except ldap.LDAPError as e:
7c7f29
+        hit = 1
7c7f29
+        log.info("Exception (expected): %s" % type(e).__name__)
7c7f29
+        log.info('Desc ' + e.message['desc'])
7c7f29
+        assert isinstance(e, rc)
7c7f29
+        if e.message.has_key('matched'):
7c7f29
+            log.info('Matched is returned: ' + e.message['matched'])
7c7f29
+            if rc != ldap.NO_SUCH_OBJECT:
7c7f29
+                assert False
7c7f29
+
7c7f29
+    if ldap.SUCCESS == rc:
7c7f29
+        if op == 'search':
7c7f29
+            log.info('Search should return none')
7c7f29
+            assert len(centry) == 0
7c7f29
+    else:
7c7f29
+        if 0 == hit:
7c7f29
+            log.info('Expected to fail with %s, but passed' % rc.__name__)
7c7f29
+            assert False
7c7f29
+
7c7f29
+    log.info('PASSED\n')
7c7f29
+
7c7f29
+def test_ticket1347760(topology):
7c7f29
+    """
7c7f29
+    Prevent revealing the entry info to whom has no access rights.
7c7f29
+    """
7c7f29
+    log.info('Testing Bug 1347760 - Information disclosure via repeated use of LDAP ADD operation, etc.')
7c7f29
+
7c7f29
+    log.info('Disabling accesslog logbuffering')
7c7f29
+    topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-accesslog-logbuffering', 'off')])
7c7f29
+
7c7f29
+    log.info('Bind as {%s,%s}' % (DN_DM, PASSWORD))
7c7f29
+    topology.standalone.simple_bind_s(DN_DM, PASSWORD)
7c7f29
+
7c7f29
+    log.info('Adding ou=%s a bind user belongs to.' % BOU)
7c7f29
+    topology.standalone.add_s(Entry((BINDOU, {
7c7f29
+                              'objectclass': 'top organizationalunit'.split(),
7c7f29
+                              'ou': BOU})))
7c7f29
+
7c7f29
+    log.info('Adding a bind user.')
7c7f29
+    topology.standalone.add_s(Entry((BINDDN,
7c7f29
+                                     {'objectclass': "top person organizationalPerson inetOrgPerson".split(),
7c7f29
+                                      'cn': 'bind user',
7c7f29
+                                      'sn': 'user',
7c7f29
+                                      'userPassword': BINDPW})))
7c7f29
+
7c7f29
+    log.info('Adding a test user.')
7c7f29
+    topology.standalone.add_s(Entry((TESTDN,
7c7f29
+                                     {'objectclass': "top person organizationalPerson inetOrgPerson".split(),
7c7f29
+                                      'cn': 'test user',
7c7f29
+                                      'sn': 'user',
7c7f29
+                                      'userPassword': TESTPW})))
7c7f29
+
7c7f29
+    log.info('Deleting aci in %s.' % DEFAULT_SUFFIX)
7c7f29
+    topology.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_DELETE, 'aci', None)])
7c7f29
+
7c7f29
+    log.info('Bind case 1. the bind user has no rights to read the entry itself, bind should be successful.')
7c7f29
+    log.info('Bind as {%s,%s} who has no access rights.' % (BINDDN, BINDPW))
7c7f29
+    try:
7c7f29
+        topology.standalone.simple_bind_s(BINDDN, BINDPW)
7c7f29
+    except ldap.LDAPError as e:
7c7f29
+        log.info('Desc ' + e.message['desc'])
7c7f29
+        assert False
7c7f29
+
7c7f29
+    file_path = os.path.join(topology.standalone.prefix, 'var/log/dirsrv/slapd-%s/access' % topology.standalone.serverid)
7c7f29
+    file_obj = open(file_path, "r")
7c7f29
+    log.info('Access log path: %s' % file_path)
7c7f29
+
7c7f29
+    log.info('Bind case 2-1. the bind user does not exist, bind should fail with error %s' % ldap.INVALID_CREDENTIALS.__name__)
7c7f29
+    log.info('Bind as {%s,%s} who does not exist.' % (BOGUSDN, 'bogus'))
7c7f29
+    try:
7c7f29
+        topology.standalone.simple_bind_s(BOGUSDN, 'bogus')
7c7f29
+    except ldap.LDAPError as e:
7c7f29
+        log.info("Exception (expected): %s" % type(e).__name__)
7c7f29
+        log.info('Desc ' + e.message['desc'])
7c7f29
+        assert isinstance(e, ldap.INVALID_CREDENTIALS)
7c7f29
+        regex = re.compile('No such entry')
7c7f29
+        cause = pattern_accesslog(file_obj, regex)
7c7f29
+        if cause == None:
7c7f29
+            log.fatal('Cause not found - %s' % cause)
7c7f29
+            assert False
7c7f29
+        else:
7c7f29
+            log.info('Cause found - %s' % cause)
7c7f29
+
7c7f29
+    log.info('Bind case 2-2. the bind user\'s suffix does not exist, bind should fail with error %s' % ldap.INVALID_CREDENTIALS.__name__)
7c7f29
+    log.info('Bind as {%s,%s} who does not exist.' % (BOGUSSUFFIX, 'bogus'))
7c7f29
+    try:
7c7f29
+        topology.standalone.simple_bind_s(BOGUSSUFFIX, 'bogus')
7c7f29
+    except ldap.LDAPError as e:
7c7f29
+        log.info("Exception (expected): %s" % type(e).__name__)
7c7f29
+        log.info('Desc ' + e.message['desc'])
7c7f29
+        assert isinstance(e, ldap.INVALID_CREDENTIALS)
7c7f29
+        regex = re.compile('No such suffix')
7c7f29
+        cause = pattern_accesslog(file_obj, regex)
7c7f29
+        if cause == None:
7c7f29
+            log.fatal('Cause not found - %s' % cause)
7c7f29
+            assert False
7c7f29
+        else:
7c7f29
+            log.info('Cause found - %s' % cause)
7c7f29
+
7c7f29
+    log.info('Bind case 2-3. the bind user\'s password is wrong, bind should fail with error %s' % ldap.INVALID_CREDENTIALS.__name__)
7c7f29
+    log.info('Bind as {%s,%s} who does not exist.' % (BINDDN, 'bogus'))
7c7f29
+    try:
7c7f29
+        topology.standalone.simple_bind_s(BINDDN, 'bogus')
7c7f29
+    except ldap.LDAPError as e:
7c7f29
+        log.info("Exception (expected): %s" % type(e).__name__)
7c7f29
+        log.info('Desc ' + e.message['desc'])
7c7f29
+        assert isinstance(e, ldap.INVALID_CREDENTIALS)
7c7f29
+        regex = re.compile('Invalid credentials')
7c7f29
+        cause = pattern_accesslog(file_obj, regex)
7c7f29
+        if cause == None:
7c7f29
+            log.fatal('Cause not found - %s' % cause)
7c7f29
+            assert False
7c7f29
+        else:
7c7f29
+            log.info('Cause found - %s' % cause)
7c7f29
+
7c7f29
+    log.info('Adding aci for %s to %s.' % (BINDDN, BINDOU))
7c7f29
+    acival = '(targetattr="*")(version 3.0; acl "%s"; allow(all) userdn = "ldap:///%s";)' % (BUID, BINDDN)
7c7f29
+    log.info('aci: %s' % acival)
7c7f29
+    log.info('Bind as {%s,%s}' % (DN_DM, PASSWORD))
7c7f29
+    topology.standalone.simple_bind_s(DN_DM, PASSWORD)
7c7f29
+    topology.standalone.modify_s(BINDOU, [(ldap.MOD_ADD, 'aci', acival)])
7c7f29
+
7c7f29
+    log.info('Bind case 3. the bind user has the right to read the entry itself, bind should be successful.')
7c7f29
+    log.info('Bind as {%s,%s} which should be ok.\n' % (BINDDN, BINDPW))
7c7f29
+    topology.standalone.simple_bind_s(BINDDN, BINDPW)
7c7f29
+
7c7f29
+    log.info('The following operations are against the subtree the bind user %s has no rights.' % BINDDN)
7c7f29
+    # Search
7c7f29
+    exists = True
7c7f29
+    rc = ldap.SUCCESS
7c7f29
+    log.info('Search case 1. the bind user has no rights to read the search entry, it should return no search results with %s' % rc)
7c7f29
+    check_op_result(topology.standalone, 'search', TESTDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.SUCCESS
7c7f29
+    log.info('Search case 2-1. the search entry does not exist, the search should return no search results with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'search', BOGUSDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.SUCCESS
7c7f29
+    log.info('Search case 2-2. the search entry does not exist, the search should return no search results with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'search', BOGUSDN2, None, exists, rc)
7c7f29
+
7c7f29
+    # Add
7c7f29
+    exists = True
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Add case 1. the bind user has no rights AND the adding entry exists, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'add', TESTDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Add case 2-1. the bind user has no rights AND the adding entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'add', BOGUSDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Add case 2-2. the bind user has no rights AND the adding entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'add', BOGUSDN2, None, exists, rc)
7c7f29
+
7c7f29
+    # Modify
7c7f29
+    exists = True
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Modify case 1. the bind user has no rights AND the modifying entry exists, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modify', TESTDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Modify case 2-1. the bind user has no rights AND the modifying entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modify', BOGUSDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Modify case 2-2. the bind user has no rights AND the modifying entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modify', BOGUSDN2, None, exists, rc)
7c7f29
+
7c7f29
+    # Modrdn
7c7f29
+    exists = True
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Modrdn case 1. the bind user has no rights AND the renaming entry exists, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modrdn', TESTDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Modrdn case 2-1. the bind user has no rights AND the renaming entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modrdn', BOGUSDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Modrdn case 2-2. the bind user has no rights AND the renaming entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modrdn', BOGUSDN2, None, exists, rc)
7c7f29
+
7c7f29
+    exists = True
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Modrdn case 3. the bind user has no rights AND the node moving an entry to exists, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modrdn', TESTDN, GROUPOU, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Modrdn case 4-1. the bind user has no rights AND the node moving an entry to does not, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modrdn', TESTDN, BOGUSOU, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Modrdn case 4-2. the bind user has no rights AND the node moving an entry to does not, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modrdn', TESTDN, BOGUSOU, exists, rc)
7c7f29
+
7c7f29
+    # Delete
7c7f29
+    exists = True
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Delete case 1. the bind user has no rights AND the deleting entry exists, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'delete', TESTDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Delete case 2-1. the bind user has no rights AND the deleting entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'delete', BOGUSDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.INSUFFICIENT_ACCESS
7c7f29
+    log.info('Delete case 2-2. the bind user has no rights AND the deleting entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'delete', BOGUSDN2, None, exists, rc)
7c7f29
+
7c7f29
+    log.info('EXTRA: Check no regressions')
7c7f29
+    log.info('Adding aci for %s to %s.' % (BINDDN, DEFAULT_SUFFIX))
7c7f29
+    acival = '(targetattr="*")(version 3.0; acl "%s-all"; allow(all) userdn = "ldap:///%s";)' % (BUID, BINDDN)
7c7f29
+    log.info('Bind as {%s,%s}' % (DN_DM, PASSWORD))
7c7f29
+    topology.standalone.simple_bind_s(DN_DM, PASSWORD)
7c7f29
+    topology.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_ADD, 'aci', acival)])
7c7f29
+
7c7f29
+    log.info('Bind as {%s,%s}.' % (BINDDN, BINDPW))
7c7f29
+    try:
7c7f29
+        topology.standalone.simple_bind_s(BINDDN, BINDPW)
7c7f29
+    except ldap.LDAPError as e:
7c7f29
+        log.info('Desc ' + e.message['desc'])
7c7f29
+        assert False
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.NO_SUCH_OBJECT
7c7f29
+    log.info('Search case. the search entry does not exist, the search should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'search', BOGUSDN2, None, exists, rc)
7c7f29
+    file_obj.close()
7c7f29
+
7c7f29
+    exists = True
7c7f29
+    rc = ldap.ALREADY_EXISTS
7c7f29
+    log.info('Add case. the adding entry already exists, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'add', TESTDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.NO_SUCH_OBJECT
7c7f29
+    log.info('Modify case. the modifying entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modify', BOGUSDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.NO_SUCH_OBJECT
7c7f29
+    log.info('Modrdn case 1. the renaming entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modrdn', BOGUSDN, None, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.NO_SUCH_OBJECT
7c7f29
+    log.info('Modrdn case 2. the node moving an entry to does not, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'modrdn', TESTDN, BOGUSOU, exists, rc)
7c7f29
+
7c7f29
+    exists = False
7c7f29
+    rc = ldap.NO_SUCH_OBJECT
7c7f29
+    log.info('Delete case. the deleting entry does not exist, it should fail with %s' % rc.__name__)
7c7f29
+    check_op_result(topology.standalone, 'delete', BOGUSDN, None, exists, rc)
7c7f29
+
7c7f29
+    log.info('SUCCESS')
7c7f29
+
7c7f29
+if __name__ == '__main__':
7c7f29
+    # Run isolated
7c7f29
+    # -s for DEBUG mode
7c7f29
+
7c7f29
+    CURRENT_FILE = os.path.realpath(__file__)
7c7f29
+    pytest.main("-s %s" % CURRENT_FILE)
7c7f29
-- 
7c7f29
2.4.11
7c7f29