From 7663b5c37fa3413f7c67c018107322494e4a6fd9 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 29 Apr 2021 20:58:11 +1200
Subject: [PATCH] python: Add LDAP credentials cache test

Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through LDAP.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---
 python/samba/tests/krb5/test_ldap.py | 94 ++++++++++++++++++++++++++++
 python/samba/tests/usage.py          |  1 +
 source4/selftest/tests.py            |  1 +
 3 files changed, 96 insertions(+)
 create mode 100755 python/samba/tests/krb5/test_ldap.py

diff --git a/python/samba/tests/krb5/test_ldap.py b/python/samba/tests/krb5/test_ldap.py
new file mode 100755
index 00000000000..6a4bf52d77f
--- /dev/null
+++ b/python/samba/tests/krb5/test_ldap.py
@@ -0,0 +1,94 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+# Copyright (C) 2021 Catalyst.Net Ltd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+
+from ldb import SCOPE_BASE, SCOPE_SUBTREE
+from samba.dcerpc import security
+from samba.ndr import ndr_unpack
+from samba.samdb import SamDB
+
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+global_asn1_print = False
+global_hexdump = False
+
+
+class LdapTests(KDCBaseTest):
+    """Test for LDAP authentication using Kerberos credentials stored in a
+       credentials cache file.
+    """
+
+    def test_ldap(self):
+        # Create a user account and a machine account, along with a Kerberos
+        # credentials cache file where the service ticket authenticating the
+        # user are stored.
+
+        user_name = "ldapusr"
+        mach_name = self.dns_host_name
+        service = "ldap"
+
+        # Create the user account.
+        (user_credentials, _) = self.create_account(user_name)
+
+        # Talk to the KDC to obtain the service ticket, which gets placed into
+        # the cache. The machine account name has to match the name in the
+        # ticket, to ensure that the krbtgt ticket doesn't also need to be
+        # stored.
+        (creds, cachefile) = self.create_ccache_with_user(user_credentials,
+                                                          mach_name,
+                                                          service)
+
+        # Authenticate in-process to the machine account using the user's
+        # cached credentials.
+
+        # Retrieve the user account's SID.
+        ldb_res = self.ldb.search(scope=SCOPE_SUBTREE,
+                                  expression="(sAMAccountName=%s)" % user_name,
+                                  attrs=["objectSid"])
+        self.assertEqual(1, len(ldb_res))
+        sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
+
+        # Connect to the machine account and retrieve the user SID.
+        ldb_as_user = SamDB(url="ldap://%s" % mach_name,
+                            credentials=creds,
+                            lp=self.lp)
+        ldb_res = ldb_as_user.search('',
+                                     scope=SCOPE_BASE,
+                                     attrs=["tokenGroups"])
+        self.assertEqual(1, len(ldb_res))
+
+        token_sid = ndr_unpack(security.dom_sid, ldb_res[0]["tokenGroups"][0])
+
+        # Ensure that they match.
+        self.assertEqual(sid, token_sid)
+
+        # Remove the cached credentials file.
+        os.remove(cachefile.name)
+
+
+if __name__ == "__main__":
+    global_asn1_print = True
+    global_hexdump = True
+    import unittest
+    unittest.main()
diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
index de38acfb2ae..d9bddedd823 100644
--- a/python/samba/tests/usage.py
+++ b/python/samba/tests/usage.py
@@ -97,6 +97,7 @@ EXCLUDE_USAGE = {
     'python/samba/tests/krb5/kdc_base_test.py',
     'python/samba/tests/krb5/kdc_tgs_tests.py',
     'python/samba/tests/krb5/test_ccache.py',
+    'python/samba/tests/krb5/test_ldap.py',
     'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py',
 }
 
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 23f17304c6b..f1a3e9247b2 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -836,6 +836,7 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.dsdb_dns")
 planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests")
 
 planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache")
+planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap")
 
 for env in ["ad_dc", smbv1_disabled_testenv]:
     planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'])
-- 
2.47.3