in TestSuites/ADFamily/src/Adapter/MS-ADTS-LDAP/AD_LDAPModelAdapter.cs [5947:9091]
public void SearchOpReq(
string baseObjectDN,
string filter,
Microsoft.Protocols.TestSuites.ActiveDirectory.Common.SearchScope scope,
IList<string> attributesToBeReturned,
string control,
ADImplementations service)
{
#region Variables
//Search scope of actual implementation.
System.DirectoryServices.Protocols.SearchScope ScopeImpSearch;
string[] attrsToReturn = new string[attributesToBeReturned.Count];
ICollection<AdtsSearchResultEntryPacket> searchResponse = null;
string[] searchAttrVals = null;
/////////////////////////////////////////
string netLogon = string.Empty;
int forestFunctionalLevel = 0;
SecurityIdentifier sidOftheOldObject = null;
int i = 0;
string dnsRoot = string.Empty;
#endregion
#region Connect and Bind
if (isConnected == false)
{
SetConnectAndBind(service, PDCNetbiosName);
}
#endregion
#region RootDSE Modify schemaUpdateNow
// [MS-ADTS] section 3.1.1.3.3.13 schemaUpdateNow
// After the completion of this operation, the subschema exposed by the server reflects the current state
// of the schema as defined by the attributeSchema and classSchema objects in the schema NC.
DirectoryAttributeModification schemaRefresh = new DirectoryAttributeModification();
schemaRefresh.Name = "schemaUpdateNow";
schemaRefresh.Add("1");
schemaRefresh.Operation = DirectoryAttributeOperation.Add;
List<DirectoryAttributeModification> refreshAttributes = new List<DirectoryAttributeModification>();
refreshAttributes.Add(schemaRefresh);
try
{
result = adLdapClient.ModifyObject(null, refreshAttributes, null, isWindows);
Site.Assert.IsTrue(result.ToLower().Contains("success"),
string.Format("RootDSE Modify operation on schemaUpdateNow should be successful, actual result: {0}", result));
}
catch (Exception ex)
{
result = string.Empty;
Site.Log.Add(LogEntryKind.Warning, ex.Message);
}
#endregion
#region Attributes
foreach (string attr in attributesToBeReturned)
{
attrsToReturn[i] = attr;
i++;
}
#endregion
#region Search Scope
switch (scope)
{
case Microsoft.Protocols.TestSuites.ActiveDirectory.Common.SearchScope.baseObject:
ScopeImpSearch = System.DirectoryServices.Protocols.SearchScope.Base;
break;
case Microsoft.Protocols.TestSuites.ActiveDirectory.Common.SearchScope.SingleLevel:
ScopeImpSearch = System.DirectoryServices.Protocols.SearchScope.OneLevel;
break;
case Microsoft.Protocols.TestSuites.ActiveDirectory.Common.SearchScope.Subtree:
default:
ScopeImpSearch = System.DirectoryServices.Protocols.SearchScope.Subtree;
break;
}
#endregion
#region Search Base DN
#region RootDSE base DN == null
if (baseObjectDN.Equals("null"))
{
baseObjectDN = null;
}
#endregion
if (!string.IsNullOrEmpty(baseObjectDN))
{
switch (service)
{
case ADImplementations.AD_LDS:
baseObjectDN = baseObjectDN.Replace("CN={368E6FB2-DBCB-41A1-B65B-18FAC4B5516E}", configurationNC.Split(',')[1]);
break;
case ADImplementations.AD_DS:
default:
baseObjectDN = baseObjectDN.Replace("DC=adts88", rootDomainNC);
baseObjectDN = baseObjectDN.Replace("ADTS88", PrimaryDomainNetBiosName.ToUpper());
break;
}
baseObjectDN = baseObjectDN.Replace("adts_user1", testUserName);
testUserGuid = Utilities.GetUserGuid(
PDCNetbiosName,
PrimaryDomainDnsName,
ADDSPortNum,
testUserName,
testUserPwd,
testUserName);
baseObjectDN = baseObjectDN.Replace("a5127683905336458dc57f180a0adf16", testUserGuid);
testUserSid = Utilities.GetUserSid(
PDCNetbiosName,
PrimaryDomainDnsName,
testUserName,
testUserPwd,
testUserName);
baseObjectDN = baseObjectDN.Replace("S-1-5-21-126476475-3050469762-4276591986-1104", testUserSid);
}
#endregion
#region Filter
if (!string.IsNullOrEmpty(filter))
{
filter = filter.Replace("DC=adts88", rootDomainNC);
filter = filter.Replace("adts88", PrimaryDomainDnsName);
if (filter.Contains(":")
&& !filter.Contains(":="))
{
filter = string.Format("({0}={1})", filter.Split(':')[0].TrimStart('('), filter.Split(':')[1].TrimEnd(')'));
}
if (!filter.Contains("(") || !filter.Contains(")"))
{
filter = string.Format("({0})", filter);
}
}
#endregion
#region Search Operations
byte[] hexFormatValue = null;
string distName = string.Empty;
DirectoryControl[] controls;
switch (control)
{
case ExtendedControl.LDAP_PAGED_RESULT_OID_STRING:
#region LDAP_PAGED_RESULT_OID_STRING Search Operation
result = adLdapClient.PageRequestControl(
2,
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
out searchResponse,
isWindows);
#endregion
break;
case ExtendedControl.LDAP_SERVER_DIRSYNC_OID:
break;
case ExtendedControl.LDAP_SERVER_DOMAIN_SCOPE_OID: //nothing new
#region LDAP_SERVER_DOMAIN_SCOPE_OID
controls = new DirectoryControl[] {
new DirectoryControl(control, null, true, true)
};
result = adLdapClient.SearchObject(
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
controls,
out searchResponse,
isWindows);
#endregion
break;
case ExtendedControl.LDAP_SERVER_EXTENDED_DN_OID:
#region LDAP_SERVER_EXTENDED_DN_OID
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
// Test flag with different control values: 0 and 1
for (int flag = 0; flag < 2; flag++)
{
hexFormatValue = BerConverter.Encode("{i}", flag);
controls = new DirectoryControl[] {
new DirectoryControl(ExtendedControl.LDAP_SERVER_EXTENDED_DN_OID, hexFormatValue, true, true)
};
result = adLdapClient.SearchObject(
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
controls,
out searchResponse,
isWindows);
Site.CaptureRequirement(
1254,
@"When sending LDAP_SERVER_EXTENDED_DN_OID control to a Windows Server 2003 or later DC, the flag field of controlValue structure
must be set to 0 or 1.");
List<AdtsSearchResultEntryPacket> responselist = (List<AdtsSearchResultEntryPacket>)searchResponse;
foreach (AdtsSearchResultEntryPacket entrypacket in responselist)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
Site.Log.Add(LogEntryKind.Debug, responselist.IndexOf(entrypacket) + 1 + "," + distinguishedName);
distName = distinguishedName.Split(';')[0].Split('=')[1].Substring(
0,
distinguishedName.Split(';')[0].Split('=')[1].Length - 1);
if (flag == 0)
{
bool isHexString = true;
char[] distCharArray = distName.ToCharArray();
foreach (char ch in distCharArray)
{
char[] hexChars =
new char[] { 'a', 'b', 'c', 'd', 'e', 'f', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0' };
string hexString = new string(hexChars);
if (!(hexString.Contains(ch.ToString())))
{
isHexString = false;
break;
}
}
Site.CaptureRequirementIfIsTrue(isHexString, 1255, "When sending LDAP_SERVER_EXTENDED_DN_OID control to a Windows Server 2003 or later DC, if the value of flag field of controlValue structure is 0, it is equivalent to omitting the controlValue field which causes the DC to return the values of the objectGUID and objectSid attributes as a hexadecimal representation of their binary format.");
}
else if (flag == 1)
{
//DN is in the format <GUID=07d41eeb-3c59-49df-b745-11f59f695b35>;<SID=S-1-5-21-126476475-3050469762-4276591986-500>;CN=Administrator,CN=Users,DC=adts88. Checking for'-' in this DN verifies the dashed format of this GUID.
Site.CaptureRequirementIfIsTrue(distName.Contains("-"), 1256, "When sending LDAP_SERVER_EXTENDED_DN_OID control to a Windows Server 2003 or later DC, if the value of flag field of controlValue structure is 1, DC returns the GUID in dashed-string format ([RFC4122] section 3) and the SID in SDDL SID string format ([MS-DTYP] section 2.5.1).");
}
}
}
Site.CaptureRequirement(1208, "The LDAP extended control LDAP_SERVER_EXTENDED_DN_OID is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
}
#endregion
break;
case ExtendedControl.LDAP_SERVER_GET_STATS_OID:
#region LDAP_SERVER_GET_STATS_OID
Site.CaptureRequirement(1209, "The LDAP extended control LDAP_SERVER_GET_STATS_OID is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
#endregion
break;
case ExtendedControl.LDAP_SERVER_RANGE_OPTION_OID:
#region LDAP_SERVER_RANGE_OPTION_OID Search Operation
if (attributesToBeReturned.Contains("member;range=10-0"))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
// Here make sure that Administrators contain 3 values as part of member attribute.
// So we have given 3-*
// Suppose if your administrators group contains more than 5 values say for example 6
// Give 6-*. Always ensure that ((total number of entries + 1) - *)
result = adLdapClient.RangeOptionControl(
baseObjectDN,
ScopeImpSearch,
filter,
new string[] { "member;range=100-*" },
out searchResponse,
isWindows);
Site.Log.Add(LogEntryKind.Debug, "Search Object with RangeOptionControl returns: {0}", result);
Site.CaptureRequirementIfIsTrue(
result.Contains(Enum.GetName(typeof(ResultCode), ResultCode.OperationsError)),
433,
"When LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID control is not specified, if range retrieval is being performed on an attribute whose values are forward link values or back link values, and the value of low is greater than or equal to the number of values in the attribute, the DC will return the error operationsError.");
Site.CaptureRequirement(1213, "The LDAP extended control LDAP_SERVER_RANGE_OPTION_OID is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
}
}
#endregion
break;
case ExtendedControl.LDAP_SERVER_SD_FLAGS_OID:
#region LDAP_SERVER_SD_FLAGS_OID Search Operation
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
result = adLdapClient.SecurityDescriptorFlagsControl(
System.DirectoryServices.Protocols.SecurityMasks.None,
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
out searchResponse,
isWindows);
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
byte[] attrivalues = adLdapClient.GetAttributeValuesInBytes(entrypacket, "ntSecurityDescriptor")[0];
ActiveDirectorySecurity securityDescriptor = new ActiveDirectorySecurity();
securityDescriptor.SetSecurityDescriptorBinaryForm(attrivalues);
//GetsSecurityDescriptorOwner method will return the owner part of Secuirty Descriptor
string owner = Utilities.GetSecurityDescriptorOwner(securityDescriptor);
Site.CaptureRequirementIfAreEqual<string>(rootDomainAdminsGroup.ToLower(CultureInfo.InvariantCulture), owner.ToLower(CultureInfo.InvariantCulture), 396, "During the LDAP Search request, if the bit flag OWNER_SECURITY_INFORMATION (OSI) is specified for LDAP_SERVER_SD_FLAGS_OID control, then the portion of security descriptor to retrieve/update is the Owner identifier of the object.");
//GetsSecurityDescriptorGroup method will return the group part of Secuirty Descriptor
string group = Utilities.GetSecurityDescriptorGroup(securityDescriptor);
Site.CaptureRequirementIfAreEqual<string>(rootDomainAdminsGroup.ToLower(CultureInfo.InvariantCulture), group.ToLower(CultureInfo.InvariantCulture), 397, "During the LDAP Search request, if the bit flag GROUP_SECURITY_INFORMATION (GSI) is specified for LDAP_SERVER_SD_FLAGS_OID control, then the portion of security descriptor to retrieve/update is the Primary group identifier.");
//GetsSecurityDescriptorDaclSacl method will return the ACEs of all DACL And SACL
AuthorizationRuleCollection dacl = Utilities.GetDaclSacl(securityDescriptor);
// DACL contains So many ACEs(Access Control Entries).
// Aces in turn contains AceType,objectType,inheritedType etc.
// So here we are only verifying the count of dacl.
Site.CaptureRequirementIfIsTrue((dacl.Count > 0), 398, "During the LDAP Search request, if the bit flag DACL_SECURITY_INFORMATION (DSI) is specified for LDAP_SERVER_SD_FLAGS_OID control, then the portion of security descriptor to retrieve/update is the Discretionary access control list (DACL) of the object.");
AuthorizationRuleCollection sacl = Utilities.GetDaclSacl(securityDescriptor);
// Sacl contains So many ACEs(Access Control Entries).
// Aces in turn contains AceType,objectType,inheritedType etc.
// So here we are only verifying the count of Sacl.
Site.CaptureRequirementIfIsTrue((sacl.Count > 0), 399, "During the LDAP Search request, if the bit flag SACL_SECURITY_INFORMATION (SSI) is specified for LDAP_SERVER_SD_FLAGS_OID control, then the portion of security descriptor to retrieve/update is the System access control list (SACL) of the object.");
Site.CaptureRequirement(1215, "The LDAP extended control LDAP_SERVER_SD_FLAGS_OID is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
}
}
#endregion
break;
case ExtendedControl.LDAP_SERVER_SEARCH_OPTIONS_OID:
#region LDAP_SERVER_SEARCH_OPTIONS_OID Search operation
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
byte[] searchOptionVal = null;
for (int k = 1; k <= 2; k++)
{
searchOptionVal = BerConverter.Encode("{i}", k);
hexFormatValue = BerConverter.Encode("{i}", k);
controls = new DirectoryControl[] {
new DirectoryControl(ExtendedControl.LDAP_SERVER_SEARCH_OPTIONS_OID, searchOptionVal, true, true)
};
result = adLdapClient.SearchObject(
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
controls,
out searchResponse,
isWindows);
#region DomainScope
if ((searchResponse != null) && (k == 1))
{
// DomainScope means ParentDomain objects
Site.Log.Add(LogEntryKind.Debug, "DomainScopeOption");
List<AdtsSearchResultEntryPacket> responselist = (List<AdtsSearchResultEntryPacket>)searchResponse;
foreach (AdtsSearchResultEntryPacket entrypacket in responselist)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
Site.Log.Add(LogEntryKind.Debug,
responselist.IndexOf(entrypacket) + 1 + "," + distinguishedName);
}
Site.CaptureRequirementIfIsTrue((searchResponse.Count > 0), 401, "When LDAP_SERVER_SEARCH_OPTIONS_OID is used with an LDAP Search request, if the flag field of controlValue structure is set to SERVER_SEARCH_FLAG_DOMAIN_SCOPE (SSFDS) that is 1, the control prevents continuation references from being generated when the search results are returned.");
}
#endregion
#region PhantomRoot
if ((searchResponse != null) && (k == 2))
{
// Phantom root option indicates the objects in the child domain will also be retained.
// Phantomroot means childdomain Objects
Site.Log.Add(LogEntryKind.Debug, "Phantom Root");
List<AdtsSearchResultEntryPacket> responselist = (List<AdtsSearchResultEntryPacket>)searchResponse;
foreach (AdtsSearchResultEntryPacket entrypacket in responselist)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
Site.Log.Add(
LogEntryKind.Debug,
responselist.IndexOf(entrypacket) + 1 + "," + distinguishedName);
}
Site.CaptureRequirementIfIsTrue((searchResponse.Count > 0), 402, "When LDAP_SERVER_SEARCH_OPTIONS_OID is used with an LDAP Search request, if the flag field of controlValue structure is set to SERVER_SEARCH_FLAG_PHANTOM_ROOT (SSFPR) that is 2, the control instructs the server to search all NC replicas that are subordinate to the search base, even if the search base is not instantiated on the server. This will cause the search to be executed over all NC replicas held on the DC that are subordinate to the search base. This enables search bases such as the empty string, which would cause the server to search all of the NC replicas that it holds.");
}
#endregion
}
Site.CaptureRequirement(1216, "The LDAP extended control LDAP_SERVER_SEARCH_OPTIONS_OID is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
}
#endregion
break;
case ExtendedControl.LDAP_SERVER_VERIFY_NAME_OID:
#region LDAP_SERVER_VERIFY_NAME_OID
Site.CaptureRequirement(1220, "The LDAP extended control LDAP_SERVER_VERIFY_NAME_OID is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
#endregion
break;
case ExtendedControl.LDAP_CONTROL_VLVREQUEST:
case ExtendedControl.LDAP_SERVER_SORT_OID:
#region LDAP_CONTROL_VLVREQUEST,LDAP_CONTROL_VLVRESPONSE,LDAP_SERVER_SORT_OID,LDAP_SERVER_RESP_SORT_OID
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
#region SucessCase(Return SearchResponse instead of string)
// Here Before count is 0. After count is 7(which is nothing but maximum number of entries)
result = adLdapClient.VirtualListViewControl(
"cn",
false,
0,
7,
"a*",
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
out searchResponse,
isWindows);
Site.Log.Add(LogEntryKind.Debug, searchResponse.Count.ToString(CultureInfo.InvariantCulture));
// Display the entries
List<AdtsSearchResultEntryPacket> responselist = (List<AdtsSearchResultEntryPacket>)searchResponse;
foreach (AdtsSearchResultEntryPacket entrypacket in responselist)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
Site.Log.Add(
LogEntryKind.Debug, responselist.IndexOf(entrypacket) + " " + distinguishedName);
}
Site.CaptureRequirementIfIsTrue((searchResponse.Count > 0), 417, "The LDAP_CONTROL_VLVREQUEST control is used with an LDAP search operation to retrieve a subset of the objects that satisfy the search request.");
// Here while calling itself we provided BeforeCount as 0(Always Starts with 0) and After count as 7.
// So the matching results count Should not be >= 7
Site.CaptureRequirementIfIsTrue((searchResponse.Count > 0), 1334, "This control (LDAP_CONTROL_VLVREQUEST) permits the client to request that the server return a specified number of objects before and after the target object, in addition to the target object itself.\"Before\" and \"after\" the target object are relative to the sort order of the search result set");
// This is partial verification only.
// Before performing Search Operation Sort Request needs to be attached to VLV Request.
// In this requirement we are only verifying the following
// The operation is an LDAP search request. The LDAP_CONTROL_VLVREQUEST control is attached to the search.The scope of the search request is whole Subtree.The base object of the search request specifies the DN
// Cast the second directory control as a VlvResponseControl object
// When LDAP_SERVER_RESP_SORT_OID is used, this requirement is captured
Site.CaptureRequirement(1214, "The LDAP extended control LDAP_SERVER_RESP_SORT_OID is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
// When LDAP_SERVER_RESP_SORT_OID is used, this requirement is captured
Site.CaptureRequirement(1217, "The LDAP extended control LDAP_SERVER_SORT_OID is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
// When LDAP_SERVER_RESP_SORT_OID is used, this requirement is captured
Site.CaptureRequirement(1221, "The LDAP extended control LDAP_CONTROL_VLVREQUEST is supported in Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
// When LDAP_SERVER_RESP_SORT_OID is used, this requirement is captured
Site.CaptureRequirement(1222, "The LDAP extended control LDAP_CONTROL_VLVRESPONSE is supported in Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
#endregion
}
#endregion
break;
case ExtendedControl.LDAP_SERVER_SHOW_DELETED_OID:
#region LDAP_SERVER_SHOW_DELETED_OID Search operation
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.Log.Add(LogEntryKind.Debug, "Deleted Objects");
string dnOfDeletedObject = string.Empty;
controls = new DirectoryControl[] {
new DirectoryControl(ExtendedControl.LDAP_SERVER_SHOW_DELETED_OID, null, true, true)
};
result = adLdapClient.SearchObject(
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
controls,
out searchResponse,
isWindows);
List<AdtsSearchResultEntryPacket> responselist = (List<AdtsSearchResultEntryPacket>)searchResponse;
foreach (AdtsSearchResultEntryPacket entrypacket in responselist)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
Site.Log.Add(
LogEntryKind.Debug,
responselist.IndexOf(entrypacket) + 1 + "," + distinguishedName);
dnOfDeletedObject = distinguishedName;
Site.CaptureRequirementIfIsTrue(dnOfDeletedObject.ToLower(CultureInfo.InvariantCulture).Contains("deleted objects".ToLower(CultureInfo.InvariantCulture)), 408, "The LDAP_SERVER_SHOW_DELETED_OID control is used with an LDAP search operation to specify that tombstones and deleted-objects should be visible to the operation.");
//Presence of "deleted objects" in the distinguished name indicates that the object resides in tombstone.
string scopeDN = forestScopePartialDN + ',' + configurationNC;
string featureDN = recycleBinPartialDN + ',' + configurationNC;
if (Utilities.IsOptionalFeatureEnabled(scopeDN, featureDN))
{
Site.CaptureRequirementIfIsTrue(dnOfDeletedObject.ToLower(CultureInfo.InvariantCulture).Contains("deleted objects".ToLower(CultureInfo.InvariantCulture)), 46, "[When the Recycle Bin optional feature is not enabled] A tombstone is not returned by a normal LDAP Search request, but only by a Search request with extended control LDAP_SERVER_SHOW_DELETED_OID or LDAP_SERVER_SHOW_RECYCLED_OID.");
Site.CaptureRequirementIfIsTrue(dnOfDeletedObject.ToLower(CultureInfo.InvariantCulture).Contains("deleted objects".ToLower(CultureInfo.InvariantCulture)), 4643, "[When the Recycle Bin optional feature is not enabled] A tombstone is returned by a LDAP Search request with extended control LDAP_SERVER_SHOW_DELETED_OID.");
break;
}
}
Site.CaptureRequirement(1218, "The LDAP extended control LDAP_SERVER_SHOW_DELETED_OID is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
}
#endregion
break;
case ExtendedControl.LDAP_SERVER_ASQ_OID:
#region LDAP_SERVER_ASQ_OID
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
result = adLdapClient.ASQQuery(
"member",
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
out searchResponse,
isWindows);
Site.CaptureRequirementIfIsTrue(result.ToLower().Contains("success"), 418, "The LDAP_SERVER_ASQ_OID control is used with an LDAP search operation. Only searches of base object scope can be used with the LDAP_SERVER_ASQ_OID control.");
// This is done in implemenation Adapter : AsqResponseControl asqResponse = (AsqResponseControl)searchResponse.Controls[0];
// Comments are provided in the ASQQuery method of implementation adapter
Site.CaptureRequirementIfIsTrue(result.ToLower().Contains("success"), result, 419, "When the server receives a search request with the LDAP_SERVER_ASQ_OID control attached to it, it includes a response control in the search response.");
Site.CaptureRequirementIfIsTrue(result.ToLower().Contains("success"), result, 420, "The controlType field of the returned Control structure is set to the OID of the LDAP_SERVER_ASQ_OID control.");
Site.CaptureRequirement(1223, "The LDAP extended control LDAP_SERVER_ASQ_OID is supported in Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
}
#endregion
break;
case ExtendedControl.LDAP_SERVER_QUOTA_CONTROL_OID:
#region LDAP_SERVER_QUOTA_CONTROL_OID Search Operation
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
#region ObjectSidOfTheUser
Utilities.SetAccessRights(
"CN=NTDS Quotas," + rootDomainNC,
testUserName,
currentWorkingDC.Domain.NetbiosName,
ActiveDirectoryRights.ReadProperty,
AccessControlType.Allow);
Utilities.SetAccessRights(
"CN=NTDS Quotas," + configurationNC,
testUserName,
currentWorkingDC.Domain.NetbiosName,
ActiveDirectoryRights.ReadProperty,
AccessControlType.Allow);
Utilities.SetControlAcessRights(
"CN=NTDS Quotas," + rootDomainNC,
testUserName,
currentWorkingDC.Domain.NetbiosName,
ControlAccessRight.DS_Query_Self_Quota,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Allow);
Utilities.SetControlAcessRights(
"CN=NTDS Quotas," + configurationNC,
testUserName,
currentWorkingDC.Domain.NetbiosName,
ControlAccessRight.DS_Query_Self_Quota,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Allow);
result = adLdapClient.SearchObject(
"CN=" + testUserName + ",CN=Users," + rootDomainNC,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(ObjectClass=user)",
new string[] { "objectSid" },
null,
out searchResponse,
isWindows);
if (searchResponse != null)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
if (attributeString.Equals("objectSid", StringComparison.OrdinalIgnoreCase))
{
byte[] byteVal = attributeVal.ByteArrayValue;
sidOftheOldObject = new SecurityIdentifier(byteVal, 0);
}
}
}
}
}
#endregion
#region SearchFor msDS-QuotaContainer
byte[] sidInBytes = new byte[sidOftheOldObject.BinaryLength];
sidOftheOldObject.GetBinaryForm(sidInBytes, 0);
sidInBytes = BerConverter.Encode("{o}", sidInBytes);
controls = new DirectoryControl[]{
new DirectoryControl(ExtendedControl.LDAP_SERVER_QUOTA_CONTROL_OID, sidInBytes, true, true)
};
result = adLdapClient.SearchObject(
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
controls,
out searchResponse,
isWindows);
if (searchResponse != null)
{
Site.Log.Add(LogEntryKind.Debug, "QuotaControl");
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = null;
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "ntSecurityDescriptor".ToLower(CultureInfo.InvariantCulture))
{
attrbutevalue = attributeVal.ByteArrayValue.ToString();
}
else
{
attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
}
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "msDS-QuotaEffective".ToLower(CultureInfo.InvariantCulture))
{
Site.CaptureRequirement(1365, "When LDAP_SERVER_QUOTA_CONTROL_OID is used with LDAP search operation that queries the constructed attributes msDS-QuotaEffective and msDS-QuotaUsed on the msDS-QuotaContainer object, the server will return the quota of the user who is specified by the control.");
}
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "msDS-QuotaUsed".ToLower(CultureInfo.InvariantCulture))
{
Site.CaptureRequirement(1365, "When LDAP_SERVER_QUOTA_CONTROL_OID is used with LDAP search operation that queries the constructed attributes msDS-QuotaEffective and msDS-QuotaUsed on the msDS-QuotaContainer object, the server will return the quota of the user who is specified by the control.");
}
Site.Log.Add(LogEntryKind.Debug, attributeString + ":" + attrbutevalue);
}
}
}
}
#endregion
Site.CaptureRequirement(1224, "The LDAP extended control LDAP_SERVER_QUOTA_CONTROL_OID is supported in Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
}
#endregion
break;
case ExtendedControl.LDAP_SERVER_SHUTDOWN_NOTIFY_OID:
#region LDAP_SERVER_SHUTDOWN_NOTIFY_OID
Site.CaptureRequirement(1225, "The LDAP extended control LDAP_SERVER_SHUTDOWN_NOTIFY_OID is supported in Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
#endregion
break;
case ExtendedControl.LDAP_SERVER_FORCE_UPDATE_OID:
#region LDAP_SERVER_FORCE_UPDATE_OID
Site.CaptureRequirement(1226, "The LDAP extended control LDAP_SERVER_FORCE_UPDATE_OID is supported in Windows Server 2008, Windows Server 2008 R2.");
#endregion
break;
case ExtendedControl.LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID:
#region LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID
if (attributesToBeReturned.Contains("member;range=1-0"))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
// Ensure that low > high i.e member;range=1-0
controls = new DirectoryControl[]{
new DirectoryControl(control, null, true, true)
};
result = adLdapClient.SearchObject(
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
controls,
out searchResponse,
isWindows);
Site.CaptureRequirementIfIsTrue(result.ToLower().Contains("success"), 1378, "If this control (LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID) is specified, no error is returned (and no values are returned), if range retrieval is being performed on an attribute whose values are forward link values or back link values, and the value of low is equal the number of values in the attribute.");
Site.CaptureRequirementIfIsTrue(result.ToLower().Contains("success"), 1379, "If this control (LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID) is specified, no error is returned (and no values are returned), if range retrieval is being performed on an attribute whose values are forward link values or back link values, and the value of low is greater than to the number of values in the attribute.");
Site.Log.Add(LogEntryKind.Debug, "RangeRetrievalNoErrorControl");
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = null;
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "ntSecurityDescriptor".ToLower(CultureInfo.InvariantCulture))
{
attrbutevalue = attributeVal.Value.ToString();
}
else
{
attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
}
Site.Log.Add(LogEntryKind.Debug, attrbutevalue);
}
}
}
Site.CaptureRequirement(1227, "The LDAP extended control LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID is supported in Windows Server 2008, Windows Server 2008 R2.");
}
}
#endregion
break;
case ExtendedControl.LDAP_SERVER_DN_INPUT_OID:
#region LDAP_SERVER_DN_INPUT_OID
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
string distinguishedName = testUserName;
byte[] valueForInputDnControl = BerConverter.Encode("{s}", new object[] { distinguishedName });
Utilities.SetControlAcessRights(
rootDomainNC,
testUserName,
currentWorkingDC.Domain.NetbiosName,
ControlAccessRight.Read_Only_Replication_Secret_Synchronization,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Allow);
controls = new DirectoryControl[]{
new DirectoryControl(ExtendedControl.LDAP_SERVER_DN_INPUT_OID, valueForInputDnControl, true, true)
};
result = adLdapClient.SearchObject(
rootDomainNC,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(objectClass=computer)",
new string[] { "msDS-IsUserCachableAtRodc", "cn" },
controls,
out searchResponse,
isWindows);
if (searchResponse != null)
{
Site.Log.Add(LogEntryKind.Debug, "InputDnControl");
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
Site.Log.Add(LogEntryKind.Debug, attributeString + ":" + attrbutevalue);
}
}
}
}
Site.CaptureRequirement(1229, "The LDAP extended control LDAP_SERVER_INPUT_DN_OID is supported in Windows Server 2008, Windows Server 2008 R2.");
}
#endregion
break;
case ExtendedControl.LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID:
#region LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID
controls = new DirectoryControl[] {
new DirectoryControl(control, null, false, true)};
result = adLdapClient.SearchObject(
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
controls,
out searchResponse,
isWindows);
controls = new DirectoryControl[] {
new DirectoryControl(ExtendedControl.LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID, new byte[1] { 1 }, false, true)};
result = adLdapClient.SearchObject(
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
controls,
out searchResponse,
isWindows);
#endregion
break;
case ExtendedControl.LDAP_SERVER_SHOW_RECYCLED_OID:
#region LDAP_SERVER_SHOW_RECYCLED_OID Search operation
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.Log.Add(LogEntryKind.Debug, "Deleted Objects");
string dnOfDeletedObject = string.Empty;
controls = new DirectoryControl[] {
new DirectoryControl(ExtendedControl.LDAP_SERVER_SHOW_RECYCLED_OID, null, true, true)
};
result = adLdapClient.SearchObject(
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
controls,
out searchResponse,
isWindows);
List<AdtsSearchResultEntryPacket> responselist = (List<AdtsSearchResultEntryPacket>)searchResponse;
foreach (AdtsSearchResultEntryPacket entrypacket in responselist)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
Site.Log.Add(
LogEntryKind.Debug,
responselist.IndexOf(entrypacket) + 1 + "," + distinguishedName);
dnOfDeletedObject = distinguishedName;
//Presence of "deleted objects" in the distinguished name indicates that the object resides in tombstone.
string scopeDN = forestScopePartialDN + ',' + configurationNC;
string featureDN = recycleBinPartialDN + ',' + configurationNC;
if (Utilities.IsOptionalFeatureEnabled(scopeDN, featureDN))
{
Site.CaptureRequirementIfIsTrue(dnOfDeletedObject.ToLower(CultureInfo.InvariantCulture).Contains("deleted objects".ToLower(CultureInfo.InvariantCulture)), 4644, "[When the Recycle Bin optional feature is not enabled] A tombstone is returned by a LDAP Search request with extended control LDAP_SERVER_SHOW_RECYCLED_OID.");
break;
}
}
}
#endregion
break;
case null:
default:
#region No Extended Control or Normal Search operation
result = adLdapClient.SearchObject(
baseObjectDN,
ScopeImpSearch,
filter,
attrsToReturn,
null,
out searchResponse,
isWindows);
#endregion
break;
}
#endregion
if (searchResponse != null)
{
bool isEnabled = true;
string ncName = string.Empty;
if (baseObjectDN != null)
{
//Validation for all the requirements which do not involve Extended Controls.
if (null == control)
{
if (service == ADImplementations.AD_DS)
{
#region objectSid
#region Objects in Domain NC
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguishedName.ToLower(CultureInfo.InvariantCulture).Contains("Users".ToLower(CultureInfo.InvariantCulture)))
{
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "objectSid".ToLower(CultureInfo.InvariantCulture))
{
byte[] byteVal = attributeVal.ByteArrayValue;
sidOftheOldObject = new SecurityIdentifier(byteVal, 0);
Site.CaptureRequirementIfAreNotEqual<string>(string.Empty, attrbutevalue, 625, "In AD/DS, if the object is a security principal (according to its objectClass values), then for originating updates the objectSid value is generated and set on the object.");
}
}
}
}
}
#endregion
#region Computer objects
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguishedName.ToLower(CultureInfo.InvariantCulture).Contains("Computers".ToLower(CultureInfo.InvariantCulture)))
{
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "objectSid".ToLower(CultureInfo.InvariantCulture))
{
byte[] byteVal = attributeVal.ByteArrayValue;
sidOftheOldObject = new SecurityIdentifier(byteVal, 0);
}
}
}
}
}
#endregion
#endregion
}
#region objectCategory
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguishedName.ToLower(CultureInfo.InvariantCulture).Contains("Users".ToLower(CultureInfo.InvariantCulture)))
{
if (distinguishedName.ToLower(CultureInfo.InvariantCulture) == ("CN=krbtgt,CN=Users," + rootDomainNC).ToLower(CultureInfo.InvariantCulture))
{
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "sAMAccountName".ToLower(CultureInfo.InvariantCulture))
{
Site.CaptureRequirementIfAreNotEqual<string>(string.Empty, attrbutevalue, 189, "When an LDAP search filter F contains a clause C of the form \"(objectCategory=V)\", if V is not a DN but there exists an object O such that O!objectClass = classSchema and O!lDAPDisplayName = V, then the server treats the search filter as if clause C was replaced in F with the clause \"(objectCategory=V')\", where V' is O!defaultObjectCategory.");
}
}
}
}
}
}
#endregion
if (service == ADImplementations.AD_DS)
{
#region CheckGcPort
isConnected = Utilities.CheckPorts("GC", currentWorkingDC.FQDN, "3268");
Site.CaptureRequirementIfIsTrue(isConnected, 206, "If the AD/DS DC is a GC server, it accepts LDAP connections for GC access on port 3268.");
isConnected = Utilities.CheckPorts(
"LDAP",
currentWorkingDC.FQDN,
"389");
Site.CaptureRequirementIfIsTrue(isConnected, 205, "An AD/DS DC accepts LDAP connections on the standard LDAP port: 389.");
#endregion
}
#region MatchingRules
#region And matching rule
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguishedName.ToLower(CultureInfo.InvariantCulture).Contains("Users".ToLower(CultureInfo.InvariantCulture)))
{
if (distinguishedName.ToLower(CultureInfo.InvariantCulture) == ($"CN={DomainAdministratorName},CN=Users,{rootDomainNC}").ToLower(CultureInfo.InvariantCulture))
{
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "sAMAccountName".ToLower(CultureInfo.InvariantCulture))
{
//The And Matching Rule is sent as part of filter from Cord which includes user as objectClass.
//Expected is whether the AND Matching Rule is giving correct results.
//Output: Enabled users in Active Directory for which we are checking for the existence of SamAccountName.
Site.CaptureRequirementIfAreNotEqual<string>(string.Empty, attrbutevalue, 457, "Microsoft Windows 2000 operating system and Windows Server 2003 operating system support the LDAP_MATCHING_RULE_BIT_AND and LDAP_MATCHING_RULE_BIT_OR matching rules.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
Site.CaptureRequirementIfAreNotEqual<string>(string.Empty, attrbutevalue, 462, "Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and Windows Server 2012 R2 operating system support LDAP_MATCHING_RULE_BIT_AND and LDAP_MATCHING_RULE_BIT_OR and the LDAP_MATCHING_RULE_TRANSITIVE_EVAL rule, in AD/LDS.");
}
}
}
}
}
}
}
#endregion
#region OR matching rule
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguishedName.ToLower(CultureInfo.InvariantCulture) == ("CN=Allowed-Attributes,CN=Schema,CN=Configuration," + rootDomainNC).ToLower(CultureInfo.InvariantCulture))
{
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "lDAPDisplayName".ToLower(CultureInfo.InvariantCulture))
{
//The OR Matching Rule is sent as part of filter from Cord which expects only the Constructed Attributes.
//Expected is whether the OR Matching Rule is giving correct results.
//Check on Allowed-Attributes(Constructed Attributes) will validate the requirement.
Site.CaptureRequirementIfAreNotEqual<string>(string.Empty, attrbutevalue, 457, "Microsoft Windows 2000 operating system and Windows Server 2003 operating system support the LDAP_MATCHING_RULE_BIT_AND and LDAP_MATCHING_RULE_BIT_OR matching rules.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
Site.CaptureRequirementIfAreNotEqual<string>(string.Empty, attrbutevalue, 462, "Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and Windows Server 2012 R2 operating system support LDAP_MATCHING_RULE_BIT_AND and LDAP_MATCHING_RULE_BIT_OR and the LDAP_MATCHING_RULE_TRANSITIVE_EVAL rule, in AD/LDS.");
}
}
}
}
}
}
#endregion
#region TransitiveRule
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguishedName.ToLower(CultureInfo.InvariantCulture).Contains("Users".ToLower(CultureInfo.InvariantCulture)))
{
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "sAMAccountName".ToLower(CultureInfo.InvariantCulture))
{
if (service == ADImplementations.AD_DS)
{
Site.CaptureRequirementIfAreNotEqual<string>(string.Empty, attrbutevalue, 461, "Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and Windows Server 2012 R2 operating system support LDAP_MATCHING_RULE_BIT_AND and LDAP_MATCHING_RULE_BIT_OR and the LDAP_MATCHING_RULE_TRANSITIVE_EVAL rule, in AD/DS.");
}
if (service == ADImplementations.AD_LDS)
{
Site.CaptureRequirementIfAreNotEqual<string>(string.Empty, attrbutevalue, 462, "Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and Windows Server 2012 R2 operating system support LDAP_MATCHING_RULE_BIT_AND and LDAP_MATCHING_RULE_BIT_OR and the LDAP_MATCHING_RULE_TRANSITIVE_EVAL rule, in AD/LDS.");
}
}
}
}
}
}
#endregion
#endregion
if (service == ADImplementations.AD_DS)
{
#region ModifyOperationRelated
#region dnsHostName
bool isSamAccountFilled = false, isDnsHostNameFilled = false;
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguishedName.ToLower(CultureInfo.InvariantCulture).Contains("Computers".ToLower(CultureInfo.InvariantCulture)))
{
PartialAttributeList attributeNames = entry.attributes;
string samaccountName = null;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "sAMAccountName".ToLower(CultureInfo.InvariantCulture) &&
isSamAccountFilled == false)
{
isSamAccountFilled = true;
samaccountName = attrbutevalue;
}
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "dNSHostName".ToLower(CultureInfo.InvariantCulture) &&
isDnsHostNameFilled == false)
{
isDnsHostNameFilled = true;
if (!string.IsNullOrEmpty(samaccountName))
{
Site.CaptureRequirementIfAreEqual<string>((samaccountName.Replace("$", "") + '.' + PrimaryDomainDnsName).ToLower(CultureInfo.InvariantCulture), attrbutevalue.ToLower(CultureInfo.InvariantCulture), 664, "In AD/DS, the value of the dNSHostName attribute being written is in the following format: computerName.fullDomainDnsName, where computerName is the current sAMAccountName of the object (without the final \"$\" character), and the fullDomainDnsName is the DNS name of the domain NC or one of the values of msDS-AllowedDNSSuffixes on the domain NC (if any) where the object that is being modified is located. This addition check performed for validated writes is on objects of class computer or server (or a subclass of computer or server).");
samaccountName = null;
}
}
}
}
}
}
#endregion
#region msDSAdditionalDnsHostName
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguishedName.ToLower(CultureInfo.InvariantCulture).Contains("Computers".ToLower(CultureInfo.InvariantCulture)))
{
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "msDS-AdditionalDnsHostName".ToLower(CultureInfo.InvariantCulture))
{
string result = attrbutevalue;
if (!(String.IsNullOrEmpty(result)))
{
char firstChar = result[0];
bool isStartsWithChar = ((firstChar >= 65 && firstChar <= 90) ||
(firstChar >= 97 && firstChar <= 122) ||
(firstChar >= 48 && firstChar <= 57) ||
(firstChar == 45) ||
(firstChar == 95)) ? true : false;
Site.CaptureRequirementIfIsTrue(isStartsWithChar, 665, "In AD/DS, the value of the msDS-AdditionalDnsHostName attribute being written is in the following format: anyDnsLabel.suffix, where anyDnsLabel is a valid DNS name label, and suffix matches one of the values of msDS-AllowedDNSSuffixes on the domain NC root (if any). This addition check performed for validated writes is on objects of class computer or server (or a subclass of computer or server).");
}
}
}
}
}
}
#endregion
#endregion
}
#region CrossRef
#region EnabledIsTrue
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguishedName.ToLower(CultureInfo.InvariantCulture) ==
("CN=" + PrimaryDomainNetBiosName +
",CN=Partitions,CN=Configuration," +
rootDomainNC).ToLower(CultureInfo.InvariantCulture))
{
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.Equals("Enabled", StringComparison.OrdinalIgnoreCase))
{
isEnabled = Convert.ToBoolean(attrbutevalue.ToLower(CultureInfo.InvariantCulture), CultureInfo.InvariantCulture);
}
if (service == ADImplementations.AD_DS)
{
if (attributeString.Equals("dnsRoot", StringComparison.OrdinalIgnoreCase)
&& isEnabled == true)
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), PrimaryDomainDnsName.ToLower(CultureInfo.InvariantCulture), 939, "If the Enable attribute of the Cross-Ref Objects is not false, in AD/DS the dnsRoot holds the fully qualified DNS name.");
}
}
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "nCName".ToLower(CultureInfo.InvariantCulture)
&& isEnabled == true)
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), rootDomainNC.ToLower(CultureInfo.InvariantCulture), 941, "If the Enable attribute of the Cross-Ref Objects is not false, the nCName attribute contains a reference to the NC root corresponding to this crossRef.");
}
}
}
}
}
#endregion
#region EnabledIsFalse
//Custom crossref object
isEnabled = true;
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "Enabled".ToLower(CultureInfo.InvariantCulture))
{
isEnabled = Convert.ToBoolean(attrbutevalue.ToLower(CultureInfo.InvariantCulture), CultureInfo.InvariantCulture);
}
if (attributeString.Equals("nCName", StringComparison.OrdinalIgnoreCase))
{
ncName = attrbutevalue;
}
if (attributeString.Equals("dnsRoot", StringComparison.OrdinalIgnoreCase))
{
dnsRoot = attrbutevalue;
dnsRoot = dnsRoot.Replace("adts88", currentWorkingDC.Domain.NetbiosName);
}
}
}
}
if (service == ADImplementations.AD_DS)
{
#region 937
if (isEnabled == false)
{
//If the "Enable" attribute of the crossRef object is false this requirement is validated.
//Here "isEnabled" variable represents the presence of "Enable" attribute.
Site.CaptureRequirementIfIsTrue(dnsRoot.ToLower().Contains(currentWorkingDC.Domain.NetbiosName.ToLower()), 937, "If the Enable attribute of the Cross-Ref Objects is false, in AD/DS the dnsRoot holds the DNS name of the DC that will create the root of the NC.");
}
#endregion
}
if (isEnabled == false)
{
bool ncRootExists = Utilities.IsObjectExist(ncName, currentWorkingDC.FQDN, currentPort);
Site.CaptureRequirementIfIsFalse(ncRootExists, 936, "If the Enable attribute of the Cross-Ref Objects is false, the crossRef exists but the corresponding NC root does not yet exist.");
}
#endregion
#region dnsRoot
if (service == ADImplementations.AD_LDS)
{
isEnabled = true;
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.Equals("Enabled", StringComparison.OrdinalIgnoreCase))
{
isEnabled = Convert.ToBoolean(attrbutevalue.ToLower(CultureInfo.InvariantCulture), CultureInfo.InvariantCulture);
}
if (attributeString.Equals("dnsRoot", StringComparison.OrdinalIgnoreCase))
{
dnsRoot = attrbutevalue;
}
}
}
}
if (isEnabled)
{
Site.CaptureRequirementIfAreEqual<string>(string.Empty, dnsRoot, 940, "If the Enable attribute of the Cross-Ref Objects is not false, in AD/LDS the dnsRoot is absent.");
}
}
#endregion
#endregion
#region LDAPPolicies
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "lDAPAdminLimits".ToLower(CultureInfo.InvariantCulture))
{
#region Asserts For LdapPolicies
if (attrbutevalue.Contains("MaxValRange"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxValRange=1500".ToLower(CultureInfo.InvariantCulture), 486, "MaxValRange is the maximum number of values that can be retrieved from a multivalued attribute in a single search request. Default value is 1500.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1434, "The MaxValRange Policy is supported by Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxReceiveBuffer"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxReceiveBuffer=10485760".ToLower(CultureInfo.InvariantCulture), 478, "MaxReceiveBuffer is the maximum size, in bytes, of a request that the server will accept. Default value is 10,485,760 bytes.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1429, "The MaxReceiveBuffer Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxDatagramRecv"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxDatagramRecv=4096".ToLower(CultureInfo.InvariantCulture), 472, "MaxDatagramRecv is the maximum size, in bytes, of a UDP datagram request that a DC will process. Default value is 4096 bytes.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1426, "The MaxDatagramRecv Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxPoolThreads"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxPoolThreads=4".ToLower(CultureInfo.InvariantCulture), 477, "MaxPoolThreads is the maximum number of threads per processor that can work on LDAP requests at the same time. Default value is 4.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1428, "The MaxPoolThreads Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxResultSetSize"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxResultSetSize=262144".ToLower(CultureInfo.InvariantCulture), 484, "MaxResultSetSize is the maximum number of bytes that a DC stores to optimize the individual searches that make up a paged search. Default value is 262144 bytes.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1432, "The MaxResultSetSize Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxTempTableSize"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxTempTableSize=10000".ToLower(CultureInfo.InvariantCulture), 485, "MaxTempTableSize is the maximum number of rows that a DC will create in a temporary database table to hold intermediate results during query processing. Default value is 10,000 rows.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1433, "The MaxTempTableSize Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxQueryDuration"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxQueryDuration=120".ToLower(CultureInfo.InvariantCulture), 482, "MaxQueryDuration is the maximum time, in seconds, that a DC will spend on a single search. Default value is 120.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1431, "The MaxQueryDuration Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxPageSize"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxPageSize=1000".ToLower(CultureInfo.InvariantCulture), 480, "MaxPageSize is the maximum number of objects that are returned in a single search result. Default value is 1000.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1430, "The MaxPageSize Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxNotificationPerConn"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxNotificationPerConn=5".ToLower(CultureInfo.InvariantCulture), 474, "MaxNotificationPerConn is the maximum number of outstanding notification search requests (using the LDAP_SERVER_NOTIFICATION_OID control) that the DC permits on a single connection. Default value is 5.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1427, "The MaxNotificationPerConn Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxActiveQueries"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxActiveQueries=20".ToLower(CultureInfo.InvariantCulture), 464, "MaxActiveQueries is the maximum number of concurrent LDAP search operations that are permitted to run at the same time on a DC. Default value is 20.");
}
else if (attrbutevalue.Contains("MaxConnIdleTime"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxConnIdleTime=900".ToLower(CultureInfo.InvariantCulture), 470, "MaxConnIdleTime is the maximum time, in seconds, that the client can be idle before the DC closes the connection. Default value is 900.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1425, "The MaxConnIdleTime Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("InitRecvTimeout"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "InitRecvTimeout=120".ToLower(CultureInfo.InvariantCulture), 466, "InitRecvTimeout is the maximum time, in seconds, that a DC waits for the client to send the first request after the DC receives a new connection. Default value is 120.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1423, "The InitRecvTimeout Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxConnections"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxConnections=5000".ToLower(CultureInfo.InvariantCulture), 468, "MaxConnections is the maximum number of simultaneous LDAP connections that a DC will accept. Default value is 5000.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirement(1424, "The MaxConnections Policy is supported by Microsoft Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, and Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxResultSetsPerConn"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxResultSetsPerConn=10".ToLower(CultureInfo.InvariantCulture), 104272, "[MaxResultSetsPerConn is the maximum number of individual paged searches per LDAP connection for which a DC will store optimization data. The data that is stored is outside the state model and is implementation-specific.]Default value is 10.");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008R2)
{
Site.CaptureRequirement(4276, "The MaxResultSetsPerConn Policy is supported by Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MinResultSets"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MinResultSets=3".ToLower(CultureInfo.InvariantCulture), 104274, "[MinResultSets is the minimum number of individual paged searches for which a DC will store optimization data. The data that is stored is outside the state model and is implementation-specific.]Default value is 3");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008R2)
{
Site.CaptureRequirement(4277, "The MinResultSets Policy is supported by Windows Server 2008 R2 operating system.");
}
}
else if (attrbutevalue.Contains("MaxBatchReturnMessages"))
{
Site.Assert.AreEqual<string>(attrbutevalue.ToLower(CultureInfo.InvariantCulture), "MaxBatchReturnMessages=1100".ToLower(CultureInfo.InvariantCulture), "[MaxBatchReturnMessages is the maximum number of messages that can be returned when processing an LDAP_SERVER_BATCH_REQUEST_OID extended operation.]Default value is 1100");
if (currentWorkingDC.OSVersion >= ServerVersion.Win2012)
{
Site.Log.Add(LogEntryKind.Checkpoint, "The MaxBatchReturnMessages Policy is supported by Windows Server 2012 and Windows Server 2012 R2 operating system.");
}
}
#endregion
}
}
}
}
#endregion
#region ConfigurableSettings
if (service == ADImplementations.AD_DS)
{
#region DefaultValue Requirements AD/DS
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
#region Asserts
if (attributeString.Equals("msDS-Other-Settings", StringComparison.OrdinalIgnoreCase))
{
if (attrbutevalue.ToLower(CultureInfo.InvariantCulture).Contains("DisableVLVSupport".ToLower(CultureInfo.InvariantCulture)))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "DisableVLVSupport=0", 1456, "If the DisableVLVSupport setting is not specified, it defaults to 0.");
}
if (attrbutevalue.ToLower(CultureInfo.InvariantCulture).Contains("DynamicObjectDefaultTTL".ToLower(CultureInfo.InvariantCulture)))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "DynamicObjectDefaultTTL=86400", 1453, "The value of DynamicObjectDefaultTTL is in seconds and defaults to 86400.");
}
if (attrbutevalue.ToLower(CultureInfo.InvariantCulture).Contains("DynamicObjectMinTTL".ToLower(CultureInfo.InvariantCulture)))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "DynamicObjectMinTTL=900", 1455, "The value of DynamicObjectMinTTL is in seconds and defaults to 900.");
}
}
#endregion
}
}
}
#endregion
}
if (service == ADImplementations.AD_LDS)
{
#region DefaultValue Requirements on AD/LDS
adLdapClient.SearchObject(
configurationNC,
System.DirectoryServices.Protocols.SearchScope.Subtree,
"(ObjectClass=*)",
new string[] { "msDS-Other-Settings" },
null,
out searchResponse);
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguishedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
#region Asserts
if (attributeString.Equals("msDS-Other-Settings", StringComparison.OrdinalIgnoreCase))
{
if (attrbutevalue.ToLower(CultureInfo.InvariantCulture).Contains("DisableVLVSupport".ToLower(CultureInfo.InvariantCulture)))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "DisableVLVSupport=0", 1443, "The DisableVLVSupport LDAP Configurable Setting is supported by Windows Server 2003 operating system with Service Pack 1 (SP1), Windows Server 2008 operating system AD DS, Windows Server 2008 AD LDS, Windows Server 2008 R2 operating system AD DS, and Windows Server 2008 R2 AD LDS.");
}
}
if (attrbutevalue.Contains("DynamicObjectDefaultTTL"))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "DynamicObjectDefaultTTL=86400", 1441, "The DynamicObjectDefaultTTL LDAP Configurable Setting is supported by Windows Server 2003 operating system, Windows Server 2003 operating system with Service Pack 1 (SP1), Windows Server 2008 operating system AD DS, Windows Server 2008 AD LDS, Windows Server 2008 R2 operating system AD DS, and Windows Server 2008 R2 AD LDS.");
}
}
if (attrbutevalue.Contains("DynamicObjectMinTTL"))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "DynamicObjectMinTTL=900", 1442, "The DynamicObjectMinTTL LDAP Configurable Setting is supported by Windows Server 2003 operating system, Windows Server 2003 operating system with Service Pack 1 (SP1), Windows Server 2008 operating system AD DS, Windows Server 2008 AD LDS, Windows Server 2008 R2 operating system AD DS, and Windows Server 2008 R2 AD LDS.");
}
}
if (attrbutevalue.Contains("MaxReferrals"))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "MaxReferrals=3", 505, "MaxReferrals specifies the maximum number of LDAP URLs that the DC will include in a referral or continuation reference. The default value is 3.");
Site.CaptureRequirement(1447, "The MaxReferrals LDAP Configurable Setting is supported by Windows Server 2008 AD LDS, Windows Server 2008 R2 operating system AD DS, and Windows Server 2008 R2 AD LDS.");
}
}
if (attrbutevalue.Contains("ReferralRefreshInterval"))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "ReferralRefreshInterval=5", 1448, "The ReferralRefreshInterval LDAP Configurable Setting is supported by Windows Server 2008 AD DS, Windows Server 2008 R2 operating system AD DS, and Windows Server 2008 R2 AD LDS.");
}
}
if (attrbutevalue.Contains("SelfReferralsOnly"))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "SelfReferralsOnly=0", 1449, "The SelfReferralsOnly LDAP Configurable Setting is supported by Windows Server 2008 AD DS, Windows Server 2008 R2 operating system AD DS, and Windows Server 2008 R2 AD LDS.");
}
}
if (attrbutevalue.Contains("ADAMDisableLogonAuditing"))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
Site.CaptureRequirement(1444, "The ADAMDisableLogonAuditing LDAP Configurable Setting is supported by Windows Server 2008 AD LDS and Windows Server 2008 R2 AD LDS.");
}
}
if (attrbutevalue.Contains("ReferralRefreshInterval"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "ReferralRefreshInterval=5", 1460, "The default value of ReferralRefreshInterval is 5.");
}
if (attrbutevalue.Contains("ADAMDisableSPNRegistration"))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
Site.CaptureRequirement(1446, "The ADAMDisableSPNRegistration LDAP Configurable Setting is supported by Windows Server 2008 AD LDS and Windows Server 2008 R2 AD LDS.");
}
}
if (attrbutevalue.Contains("ADAMDisablePasswordPolicies"))
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
Site.CaptureRequirement(1445, "The ADAMDisablePasswordPolicies LDAP Configurable Setting is supported by Windows Server 2008 AD LDS and Windows Server 2008 R2 AD LDS.");
}
}
if (attrbutevalue.Contains("ADAMDisableLogonAuditing"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "ADAMDisableLogonAuditing=0", 1457, "If ADAMDisableLogonAuditing is not specified, it defaults to 0.");
}
if (attrbutevalue.Contains("ReferralRefreshInterval"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "ReferralRefreshInterval=5", 1460, "The default value of ReferralRefreshInterval is 5.");
}
if (attrbutevalue.Contains("ADAMDisableSPNRegistration"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "ADAMDisableSPNRegistration=0", 499, "If ADAMDisableSPNRegistration is not explicitly specified, it defaults to 0.");
}
if (attrbutevalue.Contains("ADAMDisablePasswordPolicies"))
{
Site.CaptureRequirementIfAreEqual<string>(attrbutevalue, "ADAMDisablePasswordPolicies=0", 496, "If ADAMDisablePasswordPolicies is not explicitly specified, it defaults to 0.");
}
}
#endregion
}
}
}
#endregion
}
#endregion
#region SearchOnMultiValued Attributes
// Performing range retrieval.
// The first case is validated in all our search requests because we did not provide any range option control for those requests. So here we validated the second part i.e with range option. So we provided range 0-2 which will return 0 to 2 records.
if (attributesToBeReturned.Contains("(member;range=0-2)"))
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
Site.CaptureRequirementIfIsTrue((searchResponse.Count > 0), 172, "If a SearchRequest does not contain a range option for a given attribute, but that attribute has too many values to be returned at one time, the server returns a SearchResultEntry containing (1) the attribute requested without the range option and with no values, and (2) the attribute requested with a range option attached and with the values corresponding to that range option.");
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
string attrbutevalue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
Site.Log.Add(LogEntryKind.Debug, attrbutevalue);
}
}
}
}
#endregion
#region SearchUsingDifferentDns
#region GuidDnForm
if (baseObjectDN.Contains("<GUID"))
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Site.CaptureRequirementIfIsTrue((searchResponse.Count > 0), 1002, "The first alternative form of DN that can be used to specify baseObject in SearchRequest is <GUID=object_guid> where object_guid is a GUID that corresponds to the value of the objectGUID attribute of the object being specified.");
Site.CaptureRequirementIfIsTrue((searchResponse.Count > 0), 1004, "All DCs support object_guid expressed as the hexadecimal representation of the binary form of a GUID ([MS-DTYP] section 2.3.2).");
}
}
#endregion
#region GuidSidForm
if (baseObjectDN.Contains("<SID="))
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Site.CaptureRequirementIfIsTrue((searchResponse.Count > 0), 1007, "The second alternative form of DN that can be used to specify baseObject in SearchRequest is in the format <SID=sid> where sid is the security identifier (SID) that corresponds to the value of the objectSid attribute of the object being specified.");
}
}
#endregion
#region GuidWkguidForm
if (baseObjectDN.Contains("<WKGUID="))
{
bool isUserPresent = false;
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguisdedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguisdedName.ToLower(CultureInfo.InvariantCulture) == ($"CN={DomainAdministratorName},CN=Users,{rootDomainNC}").ToLower(CultureInfo.InvariantCulture))
{
isUserPresent = true;
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "distinguishedName".ToLower(CultureInfo.InvariantCulture))
{
Site.CaptureRequirementIfIsTrue(isUserPresent, 1011, "The third alternative form of DN that can be used to specify baseObject in SearchRequest is in the format <WKGUID=guid, object_DN> where guid is a GUID expressed as the hexadecimal representation of the binary form of the GUID.");
}
}
}
}
}
}
#endregion
#endregion
#region Defunct(objectClass:*)
// Forest functional level should be at least 2k3
if (forestFunctionalLevel >= 2)
{
bool isDefunctClass = false;
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguisdedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguisdedName.ToLower(CultureInfo.InvariantCulture) == ("CN=DefunctClass3,CN=Schema,CN=Configuration," + rootDomainNC).ToLower(CultureInfo.InvariantCulture))
{
isDefunctClass = true;
Site.CaptureRequirementIfIsTrue(isDefunctClass, 514, "If the forest functional level is DS_BEHAVIOR_WIN2003 or greater, instances of a defunct class can be read using the filter term (objectClass=*). ");
break;
}
}
}
#endregion
#region Defunct(GettingOidInsteadOfLdapDisplayName)
// Forest functional level should be at least 2k3
// When any attribute is part of mayContain of any ClassSchema object and we made the attribute and the
// Class schema object as defunct, After that if we query mayContain of Defunct Class schema object
// mayContain will contain Oids of corresponding attributes instead of ldapDisplayNames.
if (forestFunctionalLevel >= 2)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguisdedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguisdedName.ToLower(CultureInfo.InvariantCulture) == ("CN=AdtsFirstClass,CN=Schema,CN=Configuration," + rootDomainNC).ToLower(CultureInfo.InvariantCulture))
{
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "mayContain".ToLower(CultureInfo.InvariantCulture))
{
// Partial verification only.
string oidFormValue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue);
Site.CaptureRequirementIfIsTrue(oidFormValue.Contains("."), 1471, "If the forest functional level is DS_BEHAVIOR_WIN2003 or greater, when reading any OID-valued attribute that contains identifiers for schema objects, if the attribute identifies a defunct schema object, the read returns an OID (the attributeID if an attribute, the governsID if a class) not a name (the lDAPDisplayName of an attribute or class). This behavior applies to the mayContain attribute of schema objects.");
Site.CaptureRequirementIfIsTrue(oidFormValue.Contains("."), 1469, "If the forest functional level is DS_BEHAVIOR_WIN2003 or greater, when reading any OID-valued attribute that contains identifiers for schema objects, if the attribute identifies a defunct schema object, the read returns an OID (the attributeID if an attribute, the governsID if a class) not a name (the lDAPDisplayName of an attribute or class). This behavior applies to the mustContain, systemMustContain, mayContain, systemMayContain, subClassOf, auxiliaryClass, and possSuperiors attributes of schema objects.");
Site.CaptureRequirementIfIsTrue(oidFormValue.Contains("."), 515, "If the forest functional level is DS_BEHAVIOR_WIN2003 or greater, when reading any OID-valued attribute that contains identifiers for schema objects, if the attribute identifies a defunct schema object, the read returns an OID (the attributeID if an attribute, the governsID if a class) not a name (the lDAPDisplayName of an attribute or class). This behavior applies to the mustContain, systemMustContain, mayContain, systemMayContain, subClassOf, auxiliaryClass, and possSuperiors attributes of schema objects. This behavior also applies to the objectClass attribute of all other objects.");
}
}
}
}
}
}
#endregion
#region Defunct(GettingOidInsteadOfLdapDisplayNameForObjectClass)
// Forest functional level should be at least 2k3
if (forestFunctionalLevel >= 2)
{
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguisdedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
if (distinguisdedName.ToLower(CultureInfo.InvariantCulture) == ("CN=TestClass1Obj,CN=Users," + rootDomainNC).ToLower(CultureInfo.InvariantCulture))
{
PartialAttributeList attributeNames = entry.attributes;
foreach (PartialAttributeList_element attribute in attributeNames.Elements)
{
string attributeString = Encoding.ASCII.GetString(attribute.type.ByteArrayValue);
AttributeValue[] attributeValList = attribute.vals.Elements;
foreach (AttributeValue attributeVal in attributeValList)
{
if (attributeString.ToLower(CultureInfo.InvariantCulture) == "objectClass".ToLower(CultureInfo.InvariantCulture))
{
//Partial verification only.
string oidFormValue = Encoding.ASCII.GetString(attributeVal.ByteArrayValue).ToLower(CultureInfo.InvariantCulture);
if (!(oidFormValue.ToLower(CultureInfo.InvariantCulture).Contains("user") ||
oidFormValue.ToLower(CultureInfo.InvariantCulture).Contains("person") ||
oidFormValue.ToLower(CultureInfo.InvariantCulture).Contains("organizationalperson") ||
oidFormValue.ToLower(CultureInfo.InvariantCulture).Contains("top")))
{
Site.CaptureRequirementIfIsTrue(oidFormValue.Contains("."), 1470, "If the forest functional level is DS_BEHAVIOR_WIN2003 or greater, when reading any OID-valued attribute that contains identifiers for schema objects, if the attribute identifies a defunct schema object, the read returns an OID (the attributeID if an attribute, the governsID if a class) not a name (the lDAPDisplayName of an attribute or class). This behavior applies to the objectClass attribute of all objects other than schema objects.");
Site.CaptureRequirementIfIsTrue(oidFormValue.Contains("."), 515, "If the forest functional level is DS_BEHAVIOR_WIN2003 or greater, when reading any OID-valued attribute that contains identifiers for schema objects, if the attribute identifies a defunct schema object, the read returns an OID (the attributeID if an attribute, the governsID if a class) not a name (the lDAPDisplayName of an attribute or class). This behavior applies to the mustContain, systemMustContain, mayContain, systemMayContain, subClassOf, auxiliaryClass, and possSuperiors attributes of schema objects. This behavior also applies to the objectClass attribute of all other objects.");
break;
}
}
}
}
}
}
}
#endregion
}
else
{
#region PageRequestControl
if (control == ExtendedControl.LDAP_PAGED_RESULT_OID_STRING)
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
// This is the place where we write our assert why bcz cout is nothing but our pagesize
Site.Log.Add(LogEntryKind.Debug, searchResponse.Count.ToString(CultureInfo.InvariantCulture));
List<AdtsSearchResultEntryPacket> responselist = (List<AdtsSearchResultEntryPacket>)searchResponse;
foreach (AdtsSearchResultEntryPacket entrypacket in responselist)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguisdedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
Site.Log.Add(
LogEntryKind.Debug,
responselist.IndexOf(entrypacket) + 1 + "," + distinguisdedName);
}
//Expected value is set to 2 as the page size considered for this operation is 2.
Site.CaptureRequirementIfAreEqual<int>(2, searchResponse.Count, 361, "The use of the LDAP_PAGED_RESULT_OID_STRING control permits clients to perform searches that return more objects than MaxPageSize policy limit by splitting the search into multiple searches, each of which returns no more objects than the MaxPageSize policy limit.");
Site.CaptureRequirement(1204, "The LDAP extended control LDAP_PAGED_RESULT_OID_STRING is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
}
}
#endregion
#region DomainScopeControl
if (control == ExtendedControl.LDAP_SERVER_DOMAIN_SCOPE_OID)
{
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
Site.Log.Add(LogEntryKind.Debug, "DomainScope Control");
List<AdtsSearchResultEntryPacket> responselist = (List<AdtsSearchResultEntryPacket>)searchResponse;
foreach (AdtsSearchResultEntryPacket entrypacket in responselist)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguisdedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
Site.Log.Add(
LogEntryKind.Debug,
responselist.IndexOf(entrypacket) + 1 + "," + distinguisdedName);
}
// Suppose we have 2 domains set up.If we choose Domain Scope option it will return
// Objects in one domain to which ldap bind is performed
// And not the objects from the other connected domain.
Site.CaptureRequirementIfIsTrue(searchResponse.Count > 0, 382, "The LDAP_SERVER_DOMAIN_SCOPE_OID control is used to instruct the DC not to generate any LDAP continuation references when performing an LDAP operation.");
Site.CaptureRequirement(1207, "The LDAP extended control LDAP_SERVER_DOMAIN_SCOPE_OID is supported in Windows 2000, Windows Server 2003, Windows Server 2003 SP1 and Windows Server 2008, Windows Server 2008 R2.");
}
}
#endregion
#region ExtendedDNControl
#region HexFormat
if (control == ExtendedControl.LDAP_SERVER_EXTENDED_DN_OID)
{
string dnFormat = string.Empty;
Site.Log.Add(LogEntryKind.Debug, "ExtendedDnControl: HexFormat");
List<AdtsSearchResultEntryPacket> responselist = (List<AdtsSearchResultEntryPacket>)searchResponse;
foreach (AdtsSearchResultEntryPacket entrypacket in responselist)
{
Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry entry =
(Microsoft.Protocols.TestTools.StackSdk.ActiveDirectory.Adts.Asn1CodecV3.SearchResultEntry)
entrypacket.GetInnerRequestOrResponse();
string distinguisdedName = Encoding.ASCII.GetString(entry.objectName.ByteArrayValue);
Site.Log.Add(
LogEntryKind.Debug,
responselist.IndexOf(entrypacket) + 1 + "," + distinguisdedName);
dnFormat = distinguisdedName;
break;
}
bool isContainsGuidSid =
dnFormat.ToLower(CultureInfo.InvariantCulture).Contains("GUID".ToLower(CultureInfo.InvariantCulture)) || dnFormat.ToLower(CultureInfo.InvariantCulture).Contains("SID".ToLower(CultureInfo.InvariantCulture));
Site.CaptureRequirementIfIsTrue(isContainsGuidSid, 384, "The extended form of an object's DN that is returned by LDAP_SERVER_EXTENDED_DN_OID control includes a string representation of the object's objectGUID attribute; for objects that have an objectSid attribute, the extended form also includes a string representation of that attribute. The extended DN format is <GUID=guid_value>;<SID=sid_value>;dn where guid_value is the value of the object's objectGUID attribute, sid_value is the value of the object's objectSid attribute, and dn is the object's RFC 2253 DN.");
Site.CaptureRequirementIfIsTrue(isContainsGuidSid, 1251, "The extended form of an object's DN that is returned by LDAP_SERVER_EXTENDED_DN_OID control includes a string representation of the object's objectGUID attribute; for objects that do not have an objectSid attribute, the extended form is <GUID=guid_value>;dn where guid_value is the value of the object's objectGUID attribute, and dn is the object's RFC 2253 DN.");
Site.CaptureRequirement(383, "The LDAP_SERVER_EXTENDED_DN_OID control is used with an LDAP search request to cause the DC to return extended DNs.");
}
#endregion
#endregion
}
}
else
{
#region QueryRootDSE Attributes
SearchRootDSE(service, PDCNetbiosName);
foreach (AdtsSearchResultEntryPacket entrypacket in searchResponse)
{
#region MS-AD_LDAP_R1132
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, "becomeDomainMaster");
Site.CaptureRequirementIfIsNull(
searchAttrVals,
1132,
@"An LDAP request to read rootDSE modifiable attributes will be treated as if the attribute does not exist.");
#endregion
#region MS-AD_LDAP_R210, 1019
string expectedValue = string.Empty;
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.configurationNamingContext, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.configurationNamingContext);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1019,
@"configurationNamingContext rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = Utilities.GetAttributeFromEntry(configurationNC, "distinguishedName", currentWorkingDC.FQDN, currentPort, testUserName, testUserPwd).ToString();
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
210,
@"An LDAP Request to configurationNamingContext rootDSE attribute returns the DN of the root
of the config NC on the DC.");
}
#endregion
#region MS-AD_LDAP_R211, 1020
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.currentTime, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.currentTime);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1020,
@"currentTime rootDSE attribute is supported by Windows 2000 and later");
#region DateTimeParsing
// The format of current time should be 20080209112360.0z
// Extracting year,month,date and hours
string currentDateTime = searchAttrVals[0].Substring(0, 10);
DateTime dateTime = DateTime.Now;
dateTime = Convert.ToDateTime(dateTime.ToUniversalTime());
string month = dateTime.Month.ToString(CultureInfo.InvariantCulture);
if (int.Parse(month, CultureInfo.InvariantCulture) < 10)
month = "0" + month;
string day = dateTime.Day.ToString(CultureInfo.InvariantCulture);
if (int.Parse(day, CultureInfo.InvariantCulture) < 10)
day = "0" + day;
string hour = dateTime.Hour.ToString(CultureInfo.InvariantCulture);
if (int.Parse(hour, CultureInfo.InvariantCulture) < 10)
hour = "0" + hour.ToString();
string currentTime = dateTime.Year.ToString(CultureInfo.InvariantCulture) + month + day + hour;
#endregion
Site.CaptureRequirementIfAreEqual<string>(
currentTime,
currentDateTime,
211,
@"An LDAP request to currentTime rootDSE attribute returns the current system time on the DC,
as expressed as a string in the Generalized Time format defined by ASN.1 (see [ISO-8601] and [ITUX680],
as well as the documentation for the LDAP String(Generalized-Time) syntax in 3.1.1.2.2.2).");
}
#endregion
#region MS-AD_LDAP_R212, 1021
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.defaultNamingContext, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.defaultNamingContext);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1021,
@"defaultNamingContext rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = Utilities.GetAttributeFromEntry(defaultNC, "distinguishedName", currentWorkingDC.FQDN, currentPort, testUserName, testUserPwd).ToString();
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
212,
@"An LDAP Request to defaultNamingContext rootDSE attribute returns the DN of the root of the default NC of the DC.");
}
#endregion
#region MS-AD_LDAP_R214, 1022
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.dNSHostName, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.dNSHostName);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1022,
@"dNSHostName rootDSE attribute is supported by Windows 2000 and later.");
Site.CaptureRequirementIfAreEqual<string>(
(currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.dNSHostName] : rootDSEAttributesForLds[RootDSEAttribute.dNSHostName])
.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
214,
@"An LDAP Request to dNSHostName rootDSE attribute returns the DNS address of the DC.");
}
#endregion
#region MS-AD_LDAP_R215, 1023
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.dsSchemaAttrCount, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.dsSchemaAttrCount);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1023,
@"dsSchemaAttrCount rootDSE attribute is supported by Windows 2000 and later.");
Site.CaptureRequirementIfAreEqual<string>(
(currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.dsSchemaAttrCount] : rootDSEAttributesForLds[RootDSEAttribute.dsSchemaAttrCount]),
searchAttrVals[0],
215,
@"An LDAP Request to dsSchemaAttrCount rootDSE attribute returns an integer specifying the total number
of attributes that are defined in the schema.");
}
#endregion
#region MS-AD_LDAP_R216, 1024
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.dsSchemaClassCount, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.dsSchemaClassCount);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1024,
@"dsSchemaClassCount rootDSE attribute is supported by Windows 2000 and later.");
Site.CaptureRequirementIfAreEqual<string>(
(currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.dsSchemaClassCount] : rootDSEAttributesForLds[RootDSEAttribute.dsSchemaClassCount]),
searchAttrVals[0],
216,
@"An LDAP Request to dsSchemaClassCount rootDSE attribute returns an integer specifying the total number
of classes that are defined in the schema.");
}
#endregion
#region MS-AD_LDAP_R217, 1025
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.dsSchemaPrefixCount, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.dsSchemaPrefixCount);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1025,
@"dsSchemaPrefixCount rootDSE attribute is supported by Windows 2000 and later.");
Site.CaptureRequirementIfAreEqual<string>(
(currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.dsSchemaPrefixCount] : rootDSEAttributesForLds[RootDSEAttribute.dsSchemaPrefixCount]),
searchAttrVals[0],
217,
@"An LDAP request to dsSchemaPrefixCount rootDSE attribute returns the number of entries in the DC's prefix table:
the field prefixTable of the variable dc specified in [MS-DRSR] section 5.18.");
}
#endregion
#region MS-AD_LDAP_R218, 1026
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.dsServiceName, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.dsServiceName);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1026,
@"dsServiceName rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = Utilities.GetEntryDistinguishedName(currentWorkingDC.FQDN, currentPort, configurationNC, "nTDSDSA", "*", testUserName, testUserPwd);
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
218,
@"An LDAP Request to dsServiceName rootDSE attribute returns the DN of the nTDSDSA object for the DC.");
}
#endregion
#region MS-AD_LDAP_R219, 1027
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.highestCommittedUSN, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.highestCommittedUSN);
Site.CaptureRequirement(
1027,
@"highestCommittedUSN rootDSE attribute is supported by Windows 2000 and later.");
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
219,
@"An LDAP Request to highestCommittedUSN rootDSE attribute returns the USN of the DC.");
}
#endregion
#region MS-AD_LDAP_R220, 221, 1028
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.isGlobalCatalogReady, StringComparison.InvariantCultureIgnoreCase)))
{
if (currentService.Equals(ADImplementations.AD_DS))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.isGlobalCatalogReady);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1028,
@"isGlobalCatalogReady rootDSE attribute is supported only by AD DS services for Windows 2000 and later.");
Site.CaptureRequirementIfAreEqual<string>(
rootDSEAttributesForDs[RootDSEAttribute.isGlobalCatalogReady].ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
220,
@"An LDAP Request to isGlobalCatalogReady rootDSE attribute returns a Boolean value indicating if this DC
is a global catalog that has completed at least one synchronization of its global catalog data with its
replication partners.");
Site.CaptureRequirementIfIsTrue(
Convert.ToBoolean(searchAttrVals[0], CultureInfo.InvariantCulture),
221,
@"An LDAP Request to isGlobalCatalogReady rootDSE attribute returns true, if the DC is a global catalog that
has completed at least one synchronization of its global catalog data with its replication partners.");
}
}
#endregion
#region MS-AD_LDAP_R223, 224, 1030
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.isSynchronized, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.isSynchronized);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1030,
@"isSynchronized rootDSE attribute is supported by Windows 2000 and later.");
Site.CaptureRequirementIfAreEqual<string>(
(currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.isSynchronized] : rootDSEAttributesForLds[RootDSEAttribute.isSynchronized])
.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
223,
@"An LDAP Request to isSynchronized rootDSE attribute returns a Boolean value indicating if the DC has completed
at least one synchronization with its replication partners.");
Site.CaptureRequirementIfIsTrue(
Convert.ToBoolean(searchAttrVals[0], CultureInfo.InvariantCulture),
224,
@"An LDAP Request to isSynchronized rootDSE attribute returns true, if the DC has completed at least one
synchronization with its replication partners.");
}
#endregion
#region MS-AD_LDAP_R226, 227, 1031
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.ldapServiceName, StringComparison.InvariantCultureIgnoreCase)))
{
if (currentService.Equals(ADImplementations.AD_DS))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.ldapServiceName);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1031,
@"ldapServiceName rootDSE attribute is supported by Windows 2000 and later.");
Site.CaptureRequirementIfAreEqual<string>(
rootDSEAttributesForDs[RootDSEAttribute.ldapServiceName].ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
226,
@"An LDAP Request to ldapServiceName rootDSE attribute returns the LDAP service name for the LDAP server on the DC.");
// ldapServicename is generated by the System. So the format will be FullDomainName:DomainControllerName$@FullDomainName
Site.CaptureRequirementIfAreEqual<string>(
string.Format("{0}:{1}$@{2}", PrimaryDomainDnsName, currentWorkingDC.NetbiosName, currentWorkingDC.Domain.FQDN).ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
227,
@"The format of the ldapServiceName rootDSE attribute value is <DNS name of the forest root domain>:<Kerberos principal name>,
where Kerberos principal name is a string representation of the Kerberos principal name for the DC's computer object.");
}
}
#endregion
#region MS-AD_LDAP_R228, 1033
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.namingContexts, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.namingContexts);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1033,
@"namingContexts rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.namingContexts] : rootDSEAttributesForLds[RootDSEAttribute.namingContexts];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
228,
@"An LDAP Request to namingContexts rootDSE attribute returns a multi-valued set of DNs. For each NC-replica n hosted
on this DC, this attribute contains the DN of the root of n.");
}
#endregion
#region MS-AD_LDAP_R230, 1034
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.netlogon, StringComparison.InvariantCultureIgnoreCase)))
{
if (currentService.Equals(ADImplementations.AD_DS))
{
// netlogon: ldap rootDSE search for this attribute will not return searchResultEntries, resolved directly as LDAP ping
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.netlogon);
Site.CaptureRequirement(
1034,
@"netlogon rootDSE attribute is supported by AD DS services for Windows 2000 and later.");
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
230,
@"LDAP searches that request the netlogon rootDSE attribute get resolved as LDAP ping operations, as specified in section 6.3.");
}
}
#endregion
// pendingPropagations can be variable, will not verify
#region MS-AD_LDAP_R232, 1037
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.rootDomainNamingContext, StringComparison.InvariantCultureIgnoreCase)))
{
if (currentService.Equals(ADImplementations.AD_DS))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.rootDomainNamingContext);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1037,
@"rootDomainNamingContext rootDSE attribute is supported by AD DS services for Windows 2000 and later.");
expectedValue = Utilities.GetAttributeFromEntry(rootDomainNC, "distinguishedName", currentWorkingDC.FQDN, currentPort, testUserName, testUserPwd).ToString();
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
232,
@"An LDAP Request to rootDomainNamingContext rootDSE attribute returns the DN of the root domain NC for the DC's forest.");
}
}
#endregion
#region MS-AD_LDAP_R233, 1039
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.schemaNamingContext, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.schemaNamingContext);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1039,
@"schemaNamingContext rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = Utilities.GetAttributeFromEntry(schemaNC, "distinguishedName", currentWorkingDC.FQDN, currentPort, testUserName, testUserPwd).ToString();
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
233,
@"An LDAP Request to schemaNamingContext rootDSE attribute returns the DN of the schema NC on this DC");
}
#endregion
#region MS-AD_LDAP_R234, 1040
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.serverName, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.serverName);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1040,
@"serverName rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.serverName] : rootDSEAttributesForLds[RootDSEAttribute.serverName];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
234,
@"An LDAP Request to serverName rootDSE attribute returns the DN of the server object, contained in the config NC that represents the DC.");
}
#endregion
#region MS-AD_LDAP_R235, 1041
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.subschemaSubentry, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.subschemaSubentry);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1041,
@"subschemaSubentry rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = Utilities.GetEntryDistinguishedName(currentWorkingDC.FQDN, currentPort, schemaNC, "subSchema", "*", testUserName, testUserPwd);
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
235,
@"An LDAP Request to subschemaSubentry rootDSE attribute returns the DN for the location of the subSchema object
where the classes and attributes in the directory are defined.");
}
#endregion
#region MS-AD_LDAP_R236, 1042
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.supportedCapabilities, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.supportedCapabilities);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1042,
@"supportedCapabilities rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.supportedCapabilities] : rootDSEAttributesForLds[RootDSEAttribute.supportedCapabilities];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
236,
@"An LDAP Request to serverName rootDSE attribute returns the DN of the server object, contained in the config NC that represents the DC.");
#region SupportedCapabilites
if (searchAttrVals.Any(x => x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_OID)))
{
Site.CaptureRequirementIfIsTrue(
currentWorkingDC.OSVersion >= ServerVersion.Win2003,
1412,
@"The LDAP_CAP_ACTIVE_DIRECTORY_OID LDAP capability is supported by Microsoft Windows 2000 and later.");
Site.CaptureRequirementIfIsTrue(
service.Equals(ADImplementations.AD_DS),
450,
@"The presence of LDAP_CAP_ACTIVE_DIRECTORY_OID capability indicates that the LDAP server is running
Microsoft Active Directory and is running as AD DS or AD LDS.");
}
if (searchAttrVals.Any(x => x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID)))
{
Site.CaptureRequirementIfIsTrue(
currentWorkingDC.OSVersion >= ServerVersion.Win2003,
1413,
@"The LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID LDAP capability is supported by Microsoft Windows Server 2000 Server and later.");
Site.CaptureRequirement(
451,
@"The presence of LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID capability indicates that the LDAP server on the DC is
capable of signing and sealing on an NTLM authenticated connection, and that the server is capable of performing
subsequent binds on a signed or sealed connection.");
}
if (searchAttrVals.Any(x => x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_V51_OID)))
{
Site.CaptureRequirementIfIsTrue(
currentWorkingDC.OSVersion >= ServerVersion.Win2003,
1414,
@"The LDAP_CAP_ACTIVE_DIRECTORY_V51_OID LDAP capability is supported by Windows Server 2003 and later.");
Site.CaptureRequirement(
452,
@"The presence of this capability indicates that the LDAP server is running at least the Windows Server 2003
operating system version of Active Directory and is running as AD DS or AD LDS.");
}
if (searchAttrVals.Any(x => x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_ADAM_DIGEST_OID)))
{
Site.CaptureRequirementIfIsTrue(
currentWorkingDC.OSVersion >= ServerVersion.Win2008,
1415,
@"The LDAP_CAP_ACTIVE_DIRECTORY_ADAM_DIGEST LDAP capability is supported by Windows Server 2008 and later");
Site.CaptureRequirementIfIsTrue(
service.Equals(ADImplementations.AD_LDS),
453,
@"On a DC operating as AD/LDS, the presence of LDAP_CAP_ACTIVE_DIRECTORY_ADAM_DIGEST capability indicates
that the DC accepts DIGEST-MD5 binds.");
}
if (searchAttrVals.Any(x => x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID)))
{
Site.CaptureRequirementIfIsTrue(
currentWorkingDC.OSVersion >= ServerVersion.Win2008,
1416,
@"The LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID LDAP capability is supported by Windows Server 2008 and later.");
Site.CaptureRequirementIfIsTrue(
service.Equals(ADImplementations.AD_LDS),
454,
@"The presence of LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID capability indicates that the LDAP server is running
Microsoft Active Directory as AD/LDS.");
}
if (searchAttrVals.Any(x => x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID)))
{
Site.CaptureRequirementIfIsTrue(
currentWorkingDC.OSVersion >= ServerVersion.Win2008,
1417,
@"The LDAP_CAP_ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID LDAP capability is supported by Windows Server 2008 and later.");
Site.CaptureRequirementIfIsTrue(
service.Equals(ADImplementations.AD_DS),
455,
@"On an Active Directory DC operating as AD/DS, the presence of LDAP_CAP_ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID
capability indicates that the DC is a RODC.");
}
if (searchAttrVals.Any(x => x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_V60_OID)))
{
Site.CaptureRequirementIfIsTrue(
currentWorkingDC.OSVersion >= ServerVersion.Win2008,
4268,
@"The LDAP_CAP_ACTIVE_DIRECTORY_V60_OID LDAP capability is supported by Windows Server 2008 and later.");
Site.CaptureRequirement(
4269,
@"The presence of this[LDAP_CAP_ACTIVE_DIRECTORY_V60_OID] capability indicates that the LDAP server is running
at least the Windows Server 2008 operating system version of Microsoft Active Directory and is running as AD DS or AD LDS.");
}
if (searchAttrVals.Any(x => x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID)))
{
Site.Assert.IsTrue(
currentWorkingDC.OSVersion >= ServerVersion.Win2008R2,
@"The LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID LDAP capability is supported by Windows Server 2008 R2 and later.");
Site.CaptureRequirement(
4270,
@"The presence of this[LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID] capability indicates that the LDAP server is running
at least the Windows Server 2008 R2 operating system version of Active Directory and is running as AD DS or AD LDS.");
}
if (searchAttrVals.Any(x => x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_W8_OID)))
{
Site.Assert.IsTrue(
currentWorkingDC.OSVersion >= ServerVersion.Win2012,
@"The LDAP_CAP_ACTIVE_DIRECTORY_W8_OID LDAP capability is supported by Windows Server 2012 and later.");
Site.Log.Add(
LogEntryKind.Checkpoint,
@"The presence of this[LDAP_CAP_ACTIVE_DIRECTORY_W8_OID] capability indicates that the LDAP server is running
at least the Windows Server 2012 operating system version of Active Directory and is running as AD DS.");
}
// if there exists on ldap capability that is not listed in [MS-ADTS]
if (searchAttrVals.Any(x => !(x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_OID)
|| x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID)
|| x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_V51_OID)
|| x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_ADAM_DIGEST_OID)
|| x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID)
|| x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID)
|| x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_V60_OID)
|| x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID)
|| x.Equals(LdapCapability.LDAP_CAP_ACTIVE_DIRECTORY_W8_OID))))
{
Site.Assert.Fail(string.Format("DC support Ldap Capability that is not listed in [MS-ADTS]."));
}
#endregion
}
#endregion
#region MS-AD_LDAP_R237,1043
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.supportedControl, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.supportedControl);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1043,
@"supportedControl rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.supportedControl] : rootDSEAttributesForLds[RootDSEAttribute.supportedControl];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
237,
@"An LDAP Request to supportedControl rootDSE attribute returns a multivalued set of OIDs specifying the LDAP controls supported by the DC.");
}
#endregion
#region MS-AD_LDAP_R238, 1044
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.supportedLDAPPolicies, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.supportedLDAPPolicies);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1044,
@"supportedLDAPPolicies rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.supportedLDAPPolicies] : rootDSEAttributesForLds[RootDSEAttribute.supportedLDAPPolicies];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
238,
@"An LDAP Request to supportedLDAPPolicies rootDSE attribute returns a multivalued set of strings specifying the
LDAP administrative query policies supported by the DC.");
}
#endregion
#region MS-AD_LDAP_R239, 1045, 1098
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.supportedLDAPVersion, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.supportedLDAPVersion);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1045,
@"supportedLDAPVersion rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.supportedLDAPVersion] : rootDSEAttributesForLds[RootDSEAttribute.supportedLDAPVersion];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
239,
@"An LDAP Request to supportedLDAPVersion rootDSE attribute returns a set of integers specifying the versions of the
LDAP protocol supported by the DC.");
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
1098,
@"An LDAP Request to supportedLDAPVersion rootDSE attribute returns {2,3} as an LDAP multivalue as Active Directory
supports version 2 and version 3 of LDAP.");
}
#endregion
#region MS-AD_LDAP_R240, 1046
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.supportedSASLMechanisms, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.supportedSASLMechanisms);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1046,
@"supportedSASLMechanisms rootDSE attribute is supported by Windows 2000 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.supportedSASLMechanisms] : rootDSEAttributesForLds[RootDSEAttribute.supportedSASLMechanisms];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
240,
@"An LDAP Request to supportedSASLMechanisms rootDSE attribute returns multivalued set of strings specifying the
security mechanisms supported for SASL negotiation.");
}
#endregion
if (currentWorkingDC.OSVersion >= ServerVersion.Win2003)
{
#region MS-AD_LDAP_R1047
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.domainControllerFunctionality, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.domainControllerFunctionality);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1047,
@"domainControllerFunctionality rootDSE attribute is supported by Windows 2003 and later.");
string nTDSDSAobject = Utilities.GetEntryDistinguishedName(currentWorkingDC.FQDN, currentPort, configurationNC, "nTDSDSA", "*", testUserName, testUserPwd);
int dcFunctionality = (int)Utilities.GetAttributeFromEntry(nTDSDSAobject, "msDS-Behavior-Version", currentWorkingDC.FQDN, currentPort, testUserName, testUserPwd);
Site.Assert.AreEqual<int>(
dcFunctionality,
int.Parse(searchAttrVals[0]),
@"An LDAP Request to domainControllerFunctionality rootDSE attribute returns an integer indicating the functional level
of the DC. This value is populated from the msDS-Behavior-Version attribute on the nTDSDSA object that represents
the DC (section 6.1.4.2).");
}
#endregion
#region MS-AD_LDAP_R1049
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.domainFunctionality, StringComparison.InvariantCultureIgnoreCase)))
{
if (service.Equals(ADImplementations.AD_DS))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.domainFunctionality);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1049,
@"domainControllerFunctionality rootDSE attribute is supported by AD DS services for Windows 2003 and later.");
int domainFunctionality = (int)Utilities.GetAttributeFromEntry(defaultNC, "msDS-Behavior-Version", currentWorkingDC.FQDN, currentPort);
Site.Assert.AreEqual<int>(
domainFunctionality,
int.Parse(searchAttrVals[0]),
@"An LDAP Request to domainFunctionality rootDSE attribute returns an integer indicating the functional level
of the domain. This value is populated from the msDS-Behavior-Version attribute on the domain NC root object
and the crossRef object that represents the domain (section 6.1.4.3).");
}
}
#endregion
#region MS-AD_LDAP_R1051
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.forestFunctionality, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.forestFunctionality);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1051,
@"forestFunctionality rootDSE attribute is supported by Windows 2003 and later.");
string crossRefContainerDN = Utilities.GetEntryDistinguishedName(currentWorkingDC.FQDN, currentPort, configurationNC, "crossRefContainer", "*", testUserName, testUserPwd);
int forestFunctionality = (int)Utilities.GetAttributeFromEntry(crossRefContainerDN, "msDS-Behavior-Version", currentWorkingDC.FQDN, currentPort, testUserName, testUserPwd);
Site.Assert.AreEqual<int>(
forestFunctionality,
int.Parse(searchAttrVals[0]),
@"An LDAP Request to forestFunctionality rootDSE attribute returns an integer indicating the functional level
of the forest. This value is populated from the msDS-Behavior-Version attribute on the crossRefContainer object (section 6.1.4.4).");
}
#endregion
#region MS-AD_LDAP_R243, 1053
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.msDS_ReplAllInboundNeighbors, StringComparison.InvariantCultureIgnoreCase)))
{
// requires 2 DCs setup
// Connection also need to be taken care here to which dc you need to connect
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.msDS_ReplAllInboundNeighbors);
if (searchAttrVals != null)
{
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1053,
@"msDS-ReplAllInboundNeighbors rootDSE attribute is supported by Windows 2003 and later.");
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
243,
@"An LDAP request to msDS-ReplAllInboundNeighbors rootDSE attribute returns representations of each value of the repsFrom
abstract attribute for each NC-replica.");
}
else
{
Site.Log.Add(LogEntryKind.Warning, string.Format("rootDSE attribute {0} is not set", RootDSEAttribute.msDS_ReplAllInboundNeighbors));
}
}
#endregion
#region MS-AD_LDAP_R244, 1055
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.msDS_ReplAllOutboundNeighbors, StringComparison.InvariantCultureIgnoreCase)))
{
// requires 2 DCs setup
// Connection also need to be taken care here to which dc you need to connect
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.msDS_ReplAllOutboundNeighbors);
if (searchAttrVals != null)
{
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1055,
@"msDS-ReplAllOutboundNeighbors rootDSE attribute is supported by Windows 2003 and later.");
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
244,
@"An LDAP request to msDS-ReplAllOutboundNeighbors rootDSE attribute returns representations of each value of the repsTo
abstract attribute for each NC-replica.");
}
else
{
Site.Log.Add(LogEntryKind.Warning, string.Format("rootDSE attribute {0} is not set", RootDSEAttribute.msDS_ReplAllOutboundNeighbors));
}
}
#endregion
#region MS-AD_LDAP_R245,1063
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.msDS_ReplQueueStatistics, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.msDS_ReplQueueStatistics);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1063,
@"msDS-ReplAllOutboundNeighbors rootDSE attribute is supported by Windows 2003 and later.");
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
245,
@"An LDAP request to msDS-ReplQueueStatistics rootDSE attribute returns replication queue statistics.");
}
#endregion
#region MS-AD_LDAP_R246, 247, 1112, 1113, 1114, 1065
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.msDS_TopQuotaUsage, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.msDS_TopQuotaUsage);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1065,
@"msDS-TopQuotaUsage rootDSE attribute is supported by Windows 2003 and later.");
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
245,
@"An LDAP request to msDS-ReplQueueStatistics rootDSE attribute returns replication queue statistics.");
Site.CaptureRequirement(
246,
@"An LDAP request to msDS-TopQuotaUsage rootDSE attribute returns a multivalued set of strings specifying the top 10
quota users in all NC-replicas on this DC.");
Site.CaptureRequirement(
247,
@"While making LDAP request to msDs-TopQuotaUsage rootDSE attribute, the caller must have the RIGHT_DS_READ_PROPERTY
access right on the Quotas container.");
Site.CaptureRequirement(
1111,
@"The DC responds to msDS-TopQuotaUsage rootDSE attribute by returning the quota usage for the requested
range of quota users.");
if (filter.ToLower(CultureInfo.InvariantCulture) == "msDS-TopQuotaUsage;Range=0-*".ToLower(CultureInfo.InvariantCulture))
{
Site.CaptureRequirement(
1112,
@"An attribute specification of the form msDS-TopQuotaUsage;Range=0-* will return the complete list of quota
usage.");
}
if (filter.ToLower(CultureInfo.InvariantCulture) == "msDS-TopQuotaUsage;Range=1-9".ToLower(CultureInfo.InvariantCulture))
{
Site.CaptureRequirement(
1113,
@"An attribute specification of the form msDS-TopQuotaUsage;Range=1-9 will return the 2nd highest through
the 10th highest quota usage.");
}
if (filter.ToLower(CultureInfo.InvariantCulture) == "msDS-TopQuotaUsage;Range=2-2".ToLower(CultureInfo.InvariantCulture))
{
Site.CaptureRequirement(
1114,
@"An attribute specification of the form msDS-TopQuotaUsage;Range=2-2 will return the 3rd highest quota usage.");
}
}
#endregion
#region MS-AD_LDAP_R249, 1067
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.supportedConfigurableSettings, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.supportedConfigurableSettings);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1067,
@"supportedConfigurableSettings rootDSE attribute is supported by Windows 2003 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.supportedConfigurableSettings] : rootDSEAttributesForLds[RootDSEAttribute.supportedConfigurableSettings];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
249,
@"An LDAP Request to supportedConfigurableSettings rootDSE attribute returns a multivalued set of strings
specifying the configurable settings supported by the DC.");
}
#endregion
#region MS-AD_LDAP_R250, 1069
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.supportedExtension, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.supportedExtension);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1069,
@"supportedExtension rootDSE attribute is supported by Windows 2003 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.supportedExtension] : rootDSEAttributesForLds[RootDSEAttribute.supportedExtension];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
250,
@"An LDAP Request to supportedExtension rootDSE attribute returns a multivalued set of
OIDs specifying the extended LDAP operations that the DC supports.");
#region SupportedExtension
if (searchAttrVals.Any(x => x.Equals(ExtendedOperation.LDAP_SERVER_FAST_BIND_OID)))
{
Site.CaptureRequirement(
1402,
@"The LDAP_SERVER_FAST_BIND_OID LDAP extended operation is supported by Windows Server 2003 and later.");
}
if (searchAttrVals.Any(x => x.Equals(ExtendedOperation.LDAP_SERVER_START_TLS_OID)))
{
Site.CaptureRequirement(
1403,
@"The LDAP_SERVER_START_TLS_OID LDAP extended operation is supported by Windows Server 2003 and later.");
}
if (searchAttrVals.Any(x => x.Equals(ExtendedOperation.LDAP_TTL_REFRESH_OID)))
{
Site.CaptureRequirement(
1404,
@"The LDAP_TTL_REFRESH_OID LDAP extended operation is supported by Windows Server 2003 and later.");
}
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008
&& searchAttrVals.Any(x => x.Equals(ExtendedOperation.LDAP_SERVER_WHO_AM_I_OID)))
{
Site.CaptureRequirement(
1405,
@"The LDAP_SERVER_WHO_AM_I_OID LDAP extended operation is supported by Windows Server 2003 and later.");
}
if (currentWorkingDC.OSVersion >= ServerVersion.Win2012
&& searchAttrVals.Any(x => x.Equals(ExtendedOperation.LDAP_SERVER_BATCH_REQUEST_OID)))
{
Site.Log.Add(
LogEntryKind.Checkpoint,
@"The LDAP_SERVER_BATCH_REQUEST_OID LDAP extended operation is supported by Windows Server 2003 and later.");
}
// if there exists an extendedopertion that is not listed in [MS-ADTS]
if (searchAttrVals.Any(x => !(x.Equals(ExtendedOperation.LDAP_SERVER_FAST_BIND_OID)
|| x.Equals(ExtendedOperation.LDAP_SERVER_START_TLS_OID)
|| x.Equals(ExtendedOperation.LDAP_TTL_REFRESH_OID)
|| x.Equals(ExtendedOperation.LDAP_SERVER_WHO_AM_I_OID)
|| x.Equals(ExtendedOperation.LDAP_SERVER_BATCH_REQUEST_OID))))
{
Site.Assert.Fail(string.Format("DC supports an extended operation that is not listed in [MS-ADTS]."));
}
#endregion
}
#endregion
#region MS-AD_LDAP_R251, 1071
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.validFSMOs, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.validFSMOs);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1071,
@"validFSMOs rootDSE attribute is supported by Windows 2003 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.validFSMOs] : rootDSEAttributesForLds[RootDSEAttribute.validFSMOs];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
251,
@"An LDAP Request to validFSMOs rootDSE attribute returns a set of DNs
of objects representing the FSMO roles owned by the DC.");
}
#endregion
}
if (currentWorkingDC.OSVersion >= ServerVersion.Win2008)
{
#region MS-AD_LDAP_R252, 1073, 1120
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.dsaVersionString, StringComparison.InvariantCultureIgnoreCase)))
{
// Assumption: The user is a member of domain and enterprise admin
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.dsaVersionString);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1073,
@"dsaVersionString rootDSE attribute is supported by Windows 2008 and later.");
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1120,
@"dsaVersionString rootDSE attribute is readable by Domain Administrators (section 7.1.1.6.5)
and Enterprise Administrators (section 7.1.1.6.10) only.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.dsaVersionString] : rootDSEAttributesForLds[RootDSEAttribute.dsaVersionString];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
252,
@"An LDAP Request to dsaVersionString rootDSE attribute returns a string indicating the version of
Active Directory running on the DC.");
}
#endregion
#region MS-AD_LDAP_R254, 1075
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.msDS_PortLDAP, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.msDS_PortLDAP);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1075,
@"msDS-PortLDAP rootDSE attribute is supported by Windows 2008 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.msDS_PortLDAP] : rootDSEAttributesForLds[RootDSEAttribute.msDS_PortLDAP];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
254,
@"For AD/DS an LDAP request to msDS-PortLDAP rootDSE attribute always returns 389 as the TCP/UDP port number.");
}
#endregion
#region MS-AD_LDAP_R255, 256, 1077
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.msDS_PortSSL, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.msDS_PortSSL);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1077,
@"msDS-PortSSL rootDSE attribute is supported by Windows 2008 and later.");
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
255,
@"An LDAP request to msDS-PortSSL rootDSE attribute returns the integer TCP/UDP port number on which the DC
is listening for TLS/SSL-protected LDAP requests.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.msDS_PortSSL] : rootDSEAttributesForLds[RootDSEAttribute.msDS_PortSSL];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
256,
@"For AD/DS an LDAP Request to msDS-PortSSL rootDSE attribute always returns 636 as the TCP/UDP port number.");
}
#endregion
#region MS-AD_LDAP_R257, 258, 1079
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.msDS_PrincipalName, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.msDS_PrincipalName);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1079,
@"msDS-PrincipalName rootDSE attribute is supported by Windows 2008 and later.");
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
257,
@"An LDAP Request to msDS-PrincipalName rootDSE attribute returns a string name of the security principal
that has authenticated on the LDAP connection.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.msDS_PrincipalName] : rootDSEAttributesForLds[RootDSEAttribute.msDS_PrincipalName];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
258,
@"While making LDAP Request to msDS-PrincipalName rootDSE attribute, if the client authenticated as a
Microsoft Windows security principal, the string contains either (1) the NetBIOS domain name, followed by a
backslash ('\'), followed by the sAMAccountName of the security principal, or (2) the SID of the security principal,
in SDDL SID string format.");
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
259,
@"While making LDAP Request to msDS-PrincipalName rootDSE attribute, if the client authenticated as an
AD/LDS security principal, the string contains the DN of the security principal.");
}
#endregion
#region MS-AD_LDAP_R261, 1123-1128, 1081
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.serviceAccountInfo, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.serviceAccountInfo);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1081,
@"serviceAccountInfo rootDSE attribute is supported by Windows 2008 and later.");
if (searchAttrVals.Any(x => x.Contains("replAuthenticationMode")))
{
Site.CaptureRequirement(
1123,
@"serviceAccountInfo rootDSE attribute returns the name-value pair where name is replAuthenticationMode and
the value is the value of the msDS-ReplAuthenticationMode attribute on the root of the config NC, or 1
if that attribute is not set.");
}
if (searchAttrVals.Any(x => x.Contains("accountType")))
{
Site.CaptureRequirement(
1124,
@"serviceAccountInfo rootDSE attribute returns the name-value pair where name is accountType and the value is
if the service account is a domain account, the value is domain. Otherwise if the service account is a local
account, and the value is local.");
}
if (searchAttrVals.Any(x => x.Contains("systemAccount")))
{
Site.CaptureRequirement(
1125,
@"serviceAccountInfo rootDSE attribute returns the name-value pair where name is systemAccount and the value is
if the service account is a system account (meaning it has one of the SIDs SID S-1-5-20 and S-1-5-18) the value
is true; otherwise the value is false.");
}
if (searchAttrVals.Any(x => x.Contains("domainType")))
{
Site.CaptureRequirement(
1126,
@"serviceAccountInfo rootDSE attribute returns the name-value pair where name is domainType and the value is
if the DC is running on a computer that is part of an Active Directory domain (always the case for an AD DS DC),
the value is domainWithKerb.");
}
if (searchAttrVals.Any(x => x.Contains("machineDomainName")))
{
Site.CaptureRequirement(
1128,
@"serviceAccountInfo rootDSE attribute returns the name-value pair where name is machineDomainName and the values
is if domainType is domainWithKerb or domainNoKerb the value is the NetBIOS name of the domain.
Otherwise the value is the NetBIOS name of the computer.");
}
if (searchAttrVals.Any(x => x.Contains("serviceAccountName")))
{
Site.CaptureRequirement(
1127,
@"serviceAccountInfo rootDSE attribute returns the name-value pair where name is serviceAccountName and its value is
SAM name of the DC's service account if the value of replAuthenticationMode is 0. Otherwise this name-value pair
is not present.");
}
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.serviceAccountInfo] : rootDSEAttributesForLds[RootDSEAttribute.serviceAccountInfo];
Site.Assert.AreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
@"serviceAccountInfo rootDSE attribute returns a set of strings, each string containing a name-value pair encoded as name=value");
}
#endregion
#region MS-AD_LDAP_R262, 264, 1129, 1083
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.spnRegistrationResult, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.spnRegistrationResult);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1083,
@"spnRegistrationResult rootDSE attribute is supported by Windows 2008 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.spnRegistrationResult] : rootDSEAttributesForLds[RootDSEAttribute.spnRegistrationResult];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
262,
@"When running as AD/DS, an LDAP Request to spnRegistrationResult rootDSE attribute returns a value 0.");
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
264,
@"When running as AD/LDS, if the DC was unable to register its service principal names (SPNs), an LDAP Request
to spnRegistrationResult rootDSE attribute returns the Windows error code associated with the failure. Otherwise,
it returns zero.");
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
1129,
@"Note: When running as AD DS on Windows Server 2008 operating system and Windows Server 2008 R2 operating system,
this value [in spnRegistrationResult attribute] is 21.");
}
#endregion
#region MS-AD_LDAP_R265, 1085
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.tokenGroups, StringComparison.InvariantCultureIgnoreCase)))
{
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.tokenGroups);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1085,
@"tokenGroups rootDSE attribute is supported by Windows 2008 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.tokenGroups] : rootDSEAttributesForLds[RootDSEAttribute.tokenGroups];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
string.Join(";", searchAttrVals).ToLower(CultureInfo.InvariantCulture),
265,
@"An LDAP Request to tokenGroups rootDSE attribute returns the SIDs contained in the security context as which the
client has authenticated the LDAP connection.");
}
#endregion
#region MS-AD_LDAP_R266, 1087
if (attrsToReturn.Any(x => x.Equals(RootDSEAttribute.usnAtRifm, StringComparison.InvariantCultureIgnoreCase)))
{
// require RODC setup
searchAttrVals = adLdapClient.GetAttributeValuesInString(entrypacket, RootDSEAttribute.usnAtRifm);
Site.CaptureRequirementIfIsNotNull(
searchAttrVals,
1087,
@"usnAtRifm rootDSE attribute is supported by Windows 2008 and later.");
expectedValue = currentService.Equals(ADImplementations.AD_DS) ? rootDSEAttributesForDs[RootDSEAttribute.usnAtRifm] : rootDSEAttributesForLds[RootDSEAttribute.usnAtRifm];
Site.CaptureRequirementIfAreEqual<string>(
expectedValue.ToLower(CultureInfo.InvariantCulture),
searchAttrVals[0].ToLower(CultureInfo.InvariantCulture),
266,
@"If the DC is an RODC and was installed using the Install From Media feature, reading the usnAtRifm rootDSE
attribute returns the value of dc.usn that was present in the Active Directory database on the installation media.");
}
#endregion
}
}
#endregion
}
SearchOpResponse(SearchResp.retrievalSuccessful);
}
else
{
SearchOpResponse(SearchResp.retreivalUnsuccessful);
}
}