Merge remote branch 'origin/mdb.master'

[openldap] / tests / scripts / test006-acls

diff --git a/tests/scripts/test006-acls b/tests/scripts/test006-acls
index 66f55760080d2ddea4a37b99c438922166a37f0c..5a4459d2d6ef9c637162475da9509dca4d2eb11c 100755 (executable)
--- a/tests/scripts/test006-acls
+++ b/tests/scripts/test006-acls
@@ -2,7 +2,7 @@
 # $OpenLDAP$
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2005 The OpenLDAP Foundation.
+## Copyright 1998-2012 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -13,11 +13,8 @@
 ## top-level directory of the distribution or, alternatively, at
 ## <http://www.OpenLDAP.org/license.html>.
 
-case "$BACKEND" in
-bdb|hdb|ldbm)
-       ;;
-*)
-       echo "Test does not support $BACKEND backend"
+case "$BACKEND" in ldif | null)
+       echo "$BACKEND backend does not support access controls, test skipped"
        exit 0
 esac
 
@@ -72,7 +69,7 @@ echo "# Try to read an entry inside the Alumni Association container.
 # FIXME: temporarily remove the "No such object" message to make
 # the test succeed even if SLAP_ACL_HONOR_DISCLOSE is not #define'd
 $LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 "(objectclass=*)" \
-       2>&1 | grep -v "^No such object" >> $SEARCHOUT
+       2>&1 | grep -v "No such object" >> $SEARCHOUT
 
 echo "# ... and should return all attributes if we're bound as anyone
 # under Example." \
@@ -103,6 +100,136 @@ $LDAPSEARCH -h $LOCALHOST -p $PORT1 \
        -D "$BJORNSDN" -w bjorn \
        -b "$BABSDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1
 
+# check selfwrite access (ITS#4587).  6 attempts are made:
+# 1) delete someone else (should fail)
+# 2) delete self (should succeed)
+# 3) add someone else (should fail)
+# 4) add someone else and self (should fail)
+# 5) add self and someone else (should fail)
+# 6) add self (should succeed)
+#
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+       $TESTOUT 2>&1 << EOMODS
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+delete: member
+member: $BABSDN
+EOMODS
+RC=$?
+case $RC in
+50)
+       ;;
+0)
+       echo "ldapmodify should have failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+       ;;
+*)
+       echo "ldapmodify failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+       ;;
+esac
+
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+       $TESTOUT 2>&1 << EOMODS
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+delete: member
+member: $JAJDN
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+       echo "ldapmodify failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+fi
+
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+       $TESTOUT 2>&1 << EOMODS
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+add: member
+member: cn=Foo,ou=Bar
+EOMODS
+RC=$?
+case $RC in
+50)
+       ;;
+0)
+       echo "ldapmodify should have failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+       ;;
+*)
+       echo "ldapmodify failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+       ;;
+esac
+
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+       $TESTOUT 2>&1 << EOMODS
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+add: member
+member: cn=Foo,ou=Bar
+member: $JAJDN
+EOMODS
+RC=$?
+case $RC in
+50)
+       ;;
+0)
+       echo "ldapmodify should have failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+       ;;
+*)
+       echo "ldapmodify failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+       ;;
+esac
+
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+       $TESTOUT 2>&1 << EOMODS
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+add: member
+member: $JAJDN
+member: cn=Foo,ou=Bar
+EOMODS
+RC=$?
+case $RC in
+50)
+       ;;
+0)
+       echo "ldapmodify should have failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+       ;;
+*)
+       echo "ldapmodify failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+       ;;
+esac
+
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+       $TESTOUT 2>&1 << EOMODS
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+add: member
+member: $JAJDN
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+       echo "ldapmodify failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+fi
+
 #
 # Check group access. Try to modify Babs' entry. Two attempts:
 # 1) bound as "James A Jones 1" - should fail
@@ -154,7 +281,7 @@ esac
 # fail when we add some DN other than our own, and should succeed when
 # we add our own DN.
 # bjensen
-$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj > \
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
        $TESTOUT 2>&1 << EOMODS1
 version: 1
 dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
@@ -522,9 +649,9 @@ fi
 LDIF=$ACLOUTMASTER
 
 echo "Filtering ldapsearch results..."
-. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
 echo "Filtering original ldif used to create database..."
-. $LDIFFILTER < $LDIF > $LDIFFLT
+$LDIFFILTER < $LDIF > $LDIFFLT
 echo "Comparing filter output..."
 $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
 
@@ -534,4 +661,7 @@ if test $? != 0 ; then
 fi
 
 echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
 exit 0