git.ipfire.org Git - thirdparty/samba.git/commit
s4:dsdb:tests: add AclVisibiltyTests
author Stefan Metzmacher <metze@samba.org>
Wed, 7 Oct 2020 11:21:06 +0000 (13:21 +0200)
committer Karolin Seeger <kseeger@samba.org>
Mon, 26 Oct 2020 12:17:33 +0000 (12:17 +0000)
commit 1da871f7f24a0b285ef16ebfad9eae35b60649a4
tree 03410eb21c7c1250c17ab067796948f0939381cb
parent 62f7642b073839f38fbbb4e97f6d15f672090444
s4:dsdb:tests: add AclVisibiltyTests

This tests all sorts of combinations in order to
demonstrate the visibility of objects depending on:

- with or without fDoListObject
- with or without explicit DENY ACEs
- A hierarchy of objects with 4 levels from the base dn
- SEC_ADS_LIST (List Children)
- SEC_ADS_LIST_LIST_OBJECT (List Object)
- SEC_ADS_READ_PROP
- all possible scopes and basedns

This demonstrates that NO_SUCH_OBJECT doesn't depend purely
on the visibility of the base dn, it's still possible to
get children returned under an invisible base dn.

It also demonstrates the additional behavior with "List Object" mode.
See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 06d134406739e76b97273db3023855150dbaebbc)
selftest/knownfail.d/ldap-acl-visibility [new file with mode: 0644]
source4/dsdb/tests/python/acl.py
source4/selftest/tests.py