3 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 ## Copyright 1998-2009 The OpenLDAP Foundation.
6 ## All rights reserved.
8 ## Redistribution and use in source and binary forms, with or without
9 ## modification, are permitted only as authorized by the OpenLDAP
12 ## A copy of this license is available in the file LICENSE in the
13 ## top-level directory of the distribution or, alternatively, at
14 ## <http://www.OpenLDAP.org/license.html>.
16 case "$BACKEND" in ldif | null)
17 echo "$BACKEND backend does not support access controls, test skipped"
21 echo "running defines.sh"
22 . $SRCDIR/scripts/defines.sh
24 mkdir -p $TESTDIR $DBDIR1
26 echo "Running slapadd to build slapd database..."
27 . $CONFFILTER $BACKEND $MONITORDB < $ACLCONF > $CONF1
28 $SLAPADD -f $CONF1 -l $LDIFORDERED
30 if test $RC != 0 ; then
31 echo "slapadd failed ($RC)!"
35 echo "Starting slapd on TCP/IP port $PORT1..."
36 $SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
38 if test $WAIT != 0 ; then
46 echo "Testing slapd access control..."
47 for i in 0 1 2 3 4 5; do
48 $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
49 'objectclass=*' > /dev/null 2>&1
51 if test $RC = 0 ; then
54 echo "Waiting 5 seconds for slapd to start..."
58 if test $RC != 0 ; then
59 echo "ldapsearch failed ($RC)!"
60 test $KILLSERVERS != no && kill -HUP $KILLPIDS
64 cat /dev/null > $SEARCHOUT
66 echo "# Try to read an entry inside the Alumni Association container.
67 # It should give us noSuchObject if we're not bound..." \
69 # FIXME: temporarily remove the "No such object" message to make
70 # the test succeed even if SLAP_ACL_HONOR_DISCLOSE is not #define'd
71 $LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 "(objectclass=*)" \
72 2>&1 | grep -v "^No such object" >> $SEARCHOUT
74 echo "# ... and should return all attributes if we're bound as anyone
77 $LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 \
78 -D "$BABSDN" -w bjensen "(objectclass=*)" >> $SEARCHOUT 2>&1
81 echo "# Checking exact/regex attrval clause" >> $SEARCHOUT
82 $LDAPSEARCH -h $LOCALHOST -p $PORT1 \
83 -D "$BABSDN" -w bjensen \
84 -b "$MELLIOTDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1
85 $LDAPSEARCH -h $LOCALHOST -p $PORT1 \
86 -D "$BJORNSDN" -w bjorn \
87 -b "$MELLIOTDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1
89 $LDAPSEARCH -h $LOCALHOST -p $PORT1 \
90 -D "$BABSDN" -w bjensen \
91 -b "$JOHNDDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1
92 $LDAPSEARCH -h $LOCALHOST -p $PORT1 \
93 -D "$BJORNSDN" -w bjorn \
94 -b "$JOHNDDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1
96 $LDAPSEARCH -h $LOCALHOST -p $PORT1 \
97 -D "$BABSDN" -w bjensen \
98 -b "$BJORNSDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1
99 $LDAPSEARCH -h $LOCALHOST -p $PORT1 \
100 -D "$BJORNSDN" -w bjorn \
101 -b "$BABSDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1
103 # check selfwrite access (ITS#4587). 6 attempts are made:
104 # 1) delete someone else (should fail)
105 # 2) delete self (should succeed)
106 # 3) add someone else (should fail)
107 # 4) add someone else and self (should fail)
108 # 5) add self and someone else (should fail)
109 # 6) add self (should succeed)
111 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
112 $TESTOUT 2>&1 << EOMODS
113 dn: cn=All Staff,ou=Groups,dc=example,dc=com
123 echo "ldapmodify should have failed ($RC)!"
124 test $KILLSERVERS != no && kill -HUP $KILLPIDS
128 echo "ldapmodify failed ($RC)!"
129 test $KILLSERVERS != no && kill -HUP $KILLPIDS
134 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
135 $TESTOUT 2>&1 << EOMODS
136 dn: cn=All Staff,ou=Groups,dc=example,dc=com
142 if test $RC != 0 ; then
143 echo "ldapmodify failed ($RC)!"
144 test $KILLSERVERS != no && kill -HUP $KILLPIDS
148 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
149 $TESTOUT 2>&1 << EOMODS
150 dn: cn=All Staff,ou=Groups,dc=example,dc=com
153 member: cn=Foo,ou=Bar
160 echo "ldapmodify should have failed ($RC)!"
161 test $KILLSERVERS != no && kill -HUP $KILLPIDS
165 echo "ldapmodify failed ($RC)!"
166 test $KILLSERVERS != no && kill -HUP $KILLPIDS
171 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
172 $TESTOUT 2>&1 << EOMODS
173 dn: cn=All Staff,ou=Groups,dc=example,dc=com
176 member: cn=Foo,ou=Bar
184 echo "ldapmodify should have failed ($RC)!"
185 test $KILLSERVERS != no && kill -HUP $KILLPIDS
189 echo "ldapmodify failed ($RC)!"
190 test $KILLSERVERS != no && kill -HUP $KILLPIDS
195 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
196 $TESTOUT 2>&1 << EOMODS
197 dn: cn=All Staff,ou=Groups,dc=example,dc=com
201 member: cn=Foo,ou=Bar
208 echo "ldapmodify should have failed ($RC)!"
209 test $KILLSERVERS != no && kill -HUP $KILLPIDS
213 echo "ldapmodify failed ($RC)!"
214 test $KILLSERVERS != no && kill -HUP $KILLPIDS
219 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
220 $TESTOUT 2>&1 << EOMODS
221 dn: cn=All Staff,ou=Groups,dc=example,dc=com
227 if test $RC != 0 ; then
228 echo "ldapmodify failed ($RC)!"
229 test $KILLSERVERS != no && kill -HUP $KILLPIDS
234 # Check group access. Try to modify Babs' entry. Two attempts:
235 # 1) bound as "James A Jones 1" - should fail
236 # 2) bound as "Bjorn Jensen" - should succeed
238 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
239 $TESTOUT 2>&1 << EOMODS5
250 echo "ldapmodify should have failed ($RC)!"
251 test $KILLSERVERS != no && kill -HUP $KILLPIDS
255 echo "ldapmodify failed ($RC)!"
256 test $KILLSERVERS != no && kill -HUP $KILLPIDS
261 $LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \
262 $TESTOUT 2>&1 << EOMODS6
266 homephone: +1 313 555 5444
273 echo "ldapmodify failed ($RC)!"
274 test $KILLSERVERS != no && kill -HUP $KILLPIDS
280 # Try to add a "member" attribute to the "ITD Staff" group. It should
281 # fail when we add some DN other than our own, and should succeed when
284 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
285 $TESTOUT 2>&1 << EOMODS1
287 dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
290 uniquemember: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
297 echo "ldapmodify should have failed ($RC)!"
298 test $KILLSERVERS != no && kill -HUP $KILLPIDS
302 echo "ldapmodify failed ($RC)!"
303 test $KILLSERVERS != no && kill -HUP $KILLPIDS
308 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
309 $TESTOUT 2>&1 << EOMODS2
312 dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
315 uniquemember: cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com
322 echo "ldapmodify failed ($RC)!"
323 test $KILLSERVERS != no && kill -HUP $KILLPIDS
329 # Try to modify the "ITD Staff" group. Two attempts are made:
330 # 1) bound as "James A Jones 1" - should fail
331 # 2) bound as "Bjorn Jensen" - should succeed
333 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
334 $TESTOUT 2>&1 << EOMODS3
336 dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
345 echo "ldapmodify should have failed ($RC)!"
346 test $KILLSERVERS != no && kill -HUP $KILLPIDS
350 echo "ldapmodify failed ($RC)!"
351 test $KILLSERVERS != no && kill -HUP $KILLPIDS
356 $LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \
357 $TESTOUT 2>&1 << EOMODS4
361 dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
375 echo "ldapmodify failed ($RC)!"
376 test $KILLSERVERS != no && kill -HUP $KILLPIDS
382 # Try to modify the "ITD Staff" group. Two attempts are made:
383 # 1) bound as "James A Jones 1" - should succeed
384 # 2) bound as "Barbara Jensen" - should fail
385 # should exploit sets
387 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
388 $TESTOUT 2>&1 << EOMODS5
389 dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
392 description: added by jaj (should succeed)
400 echo "ldapmodify failed ($RC)!"
401 test $KILLSERVERS != no && kill -HUP $KILLPIDS
406 $LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \
407 $TESTOUT 2>&1 << EOMODS6
408 dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
411 description: added by bjensen (should fail)
419 echo "ldapmodify should have failed ($RC)!"
420 test $KILLSERVERS != no && kill -HUP $KILLPIDS
424 echo "ldapmodify failed ($RC)!"
425 test $KILLSERVERS != no && kill -HUP $KILLPIDS
430 $LDAPMODIFY -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
431 $TESTOUT 2>&1 << EOMODS7
432 dn: ou=Add & Delete,dc=example,dc=com
434 objectClass: organizationalUnit
438 if test $RC != 0 ; then
439 echo "ldapmodify failed ($RC)!"
440 test $KILLSERVERS != no && kill -HUP $KILLPIDS
444 $LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \
445 $TESTOUT 2>&1 << EOMODS8
446 dn: cn=Added by Babs (must fail),ou=Add & Delete,dc=example,dc=com
448 objectClass: inetOrgPerson
449 cn: Added by Babs (must fail)
457 echo "ldapmodify should have failed ($RC)!"
458 test $KILLSERVERS != no && kill -HUP $KILLPIDS
462 echo "ldapmodify failed ($RC)!"
463 test $KILLSERVERS != no && kill -HUP $KILLPIDS
468 $LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \
469 $TESTOUT 2>&1 << EOMODS9
470 dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
472 objectClass: inetOrgPerson
473 cn: Added by Bjorn (must succeed)
476 dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
478 objectClass: inetOrgPerson
479 cn: Added by Bjorn (will be deleted)
482 dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
484 objectClass: inetOrgPerson
485 cn: Added by Bjorn (will be renamed)
488 dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
491 description: this attribute value has been added __after__entry creation
492 description: this attribute value will be deleted by Babs (must succeed)
493 description: Bjorn will try to delete this attribute value (should fail)
501 echo "ldapmodify failed ($RC)!"
502 test $KILLSERVERS != no && kill -HUP $KILLPIDS
507 $LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \
508 $TESTOUT 2>&1 << EOMODS10
509 dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
517 echo "ldapmodify should have failed ($RC)!"
518 test $KILLSERVERS != no && kill -HUP $KILLPIDS
522 echo "ldapmodify failed ($RC)!"
523 test $KILLSERVERS != no && kill -HUP $KILLPIDS
528 $LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \
529 $TESTOUT 2>&1 << EOMODS11
530 dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
532 newrdn: cn=Added by Bjorn (renamed by Bjorn)
540 echo "ldapmodify should have failed ($RC)!"
541 test $KILLSERVERS != no && kill -HUP $KILLPIDS
545 echo "ldapmodify failed ($RC)!"
546 test $KILLSERVERS != no && kill -HUP $KILLPIDS
551 $LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \
552 $TESTOUT 2>&1 << EOMODS12
553 dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
555 newrdn: cn=Added by Bjorn (renamed by Babs)
563 echo "ldapmodify should have failed ($RC)!"
564 test $KILLSERVERS != no && kill -HUP $KILLPIDS
568 echo "ldapmodify failed ($RC)!"
569 test $KILLSERVERS != no && kill -HUP $KILLPIDS
574 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
575 $TESTOUT 2>&1 << EOMODS13
576 dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
578 newrdn: cn=Added by Bjorn (renamed by Jaj)
586 echo "ldapmodify failed ($RC)!"
587 test $KILLSERVERS != no && kill -HUP $KILLPIDS
592 $LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \
593 $TESTOUT 2>&1 << EOMODS14
594 dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
597 description: Bjorn will try to delete this attribute value (should fail)
605 echo "ldapmodify should have failed ($RC)!"
606 test $KILLSERVERS != no && kill -HUP $KILLPIDS
610 echo "ldapmodify failed ($RC)!"
611 test $KILLSERVERS != no && kill -HUP $KILLPIDS
616 $LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \
617 $TESTOUT 2>&1 << EOMODS15
618 dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
621 dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
624 description: this attribute value will be deleted by Babs (must succeed)
632 echo "ldapmodify failed ($RC)!"
633 test $KILLSERVERS != no && kill -HUP $KILLPIDS
638 echo "Using ldapsearch to retrieve all the entries..."
639 echo "# Using ldapsearch to retrieve all the entries..." >> $SEARCHOUT
640 $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
641 'objectClass=*' >> $SEARCHOUT 2>&1
643 test $KILLSERVERS != no && kill -HUP $KILLPIDS
644 if test $RC != 0 ; then
645 echo "ldapsearch failed ($RC)!"
651 echo "Filtering ldapsearch results..."
652 $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
653 echo "Filtering original ldif used to create database..."
654 $LDIFFILTER < $LDIF > $LDIFFLT
655 echo "Comparing filter output..."
656 $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
658 if test $? != 0 ; then
659 echo "comparison failed - operations did not complete correctly"
663 echo ">>>>> Test succeeded"
665 test $KILLSERVERS != no && wait