From 06876946f77436f71013392becb0fb9d9e4111f6 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Jul 27 2016 19:12:53 +0000
Subject: Bug 1347760 - Additional CI test case
Description: Information disclosure via repeated use of LDAP ADD operation, etc. Case 1. When an account is inactivated, if a bind is successful (e.g., a correct password is given), it returns UNWILLING_TO_PERFORM. Case 2. When an account is inactivated, if a bind is not successful, it returns INVALID_CREDENTIALS.
---
diff --git a/dirsrvtests/tests/tickets/ticket1347760_test.py b/dirsrvtests/tests/tickets/ticket1347760_test.py
index bf03563..a54aea1 100644
--- a/dirsrvtests/tests/tickets/ticket1347760_test.py
+++ b/dirsrvtests/tests/tickets/ticket1347760_test.py
@@ -12,6 +12,8 @@ import time
 import ldap
 import logging
 import pytest
+
+from subprocess import Popen
 from lib389 import DirSrv, Entry, tools, tasks
 from lib389.tools import DirSrvTools
 from lib389._constants import *
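Review bot: The new `from subprocess import Popen` is a standard-library import placed in its own group between the third-party `pytest` and `lib389` imports; it belongs with the other stdlib imports at the top of the block, and `import subprocess` with `subprocess.Popen(...)` at the call site would match the file's existing `import time` / `import logging` style. This is worth a second look because the only use of Popen in this patch runs ns-inactivate.pl with the Directory Manager password as a `-w` argument, which is visible to any local user in the process list while the script runs. If the script accepts a password-file option, keeping the whole `subprocess` module in scope makes it easy to switch to that, or to `subprocess.check_call`, so a non-zero exit raises on its own instead of relying on a bare `assert`.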
@@ -434,6 +436,27 @@ def test_ticket1347760(topology):
     log.info('Delete case. the deleting entry does not exist, it should fail with %s' % rc.__name__)
     check_op_result(topology.standalone, 'delete', BOGUSDN, None, exists, rc)
+    log.info('Inactivate %s' % BINDDN)
+    nsinactivate = '%s/sbin/ns-inactivate.pl' % topology.standalone.prefix
+    p = Popen([nsinactivate, '-Z', 'standalone', '-D', DN_DM, '-w', PASSWORD, '-I', BINDDN])
+    assert(p.wait() == 0)
+
+    log.info('Bind as {%s,%s} which should fail with %s.' % (BINDDN, BUID, ldap.UNWILLING_TO_PERFORM.__name__))
+    try:
+        topology.standalone.simple_bind_s(BINDDN, BUID)
+    except ldap.LDAPError as e:
+        log.info("Exception (expected): %s" % type(e).__name__)
+        log.info('Desc ' + e.message['desc'])
+        assert isinstance(e, ldap.UNWILLING_TO_PERFORM)
+
+    log.info('Bind as {%s,%s} which should fail with %s.' % (BINDDN, 'bogus', ldap.INVALID_CREDENTIALS.__name__))
+    try:
+        topology.standalone.simple_bind_s(BINDDN, 'bogus')
+    except ldap.LDAPError as e:
+        log.info("Exception (expected): %s" % type(e).__name__)
+        log.info('Desc ' + e.message['desc'])
+        assert isinstance(e, ldap.INVALID_CREDENTIALS)
+
     log.info('SUCCESS')