member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
owner: cn=Manager,dc=example,dc=com
description: All Alumni Assoc Staff
+description: added by jaj
cn: Alumni Assoc Staff
objectClass: groupOfNames
ple,dc=com
uniqueMember: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc
=com
+ou: Groups
dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example
,dc=com
argsfile ./testrun/slapd.1.args
# global ACLs
-access to dn.exact="" attr=objectClass by users read
-access to * by * read
+#
+# normal installations should protect root dse, cn=monitor, cn=subschema
+#
+
+access to dn.exact="" attr=objectClass
+ by users read
+access to *
+ by * read
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#bdb#index objectClass eq
#bdb#index cn,sn,uid pres,eq,sub
-#
-# normal installations should protect root dse, cn=monitor, cn=subschema
-#
-
-# these are equivalent
-access to dn="" by * read
-access to dn.exact="" by * read
-
+#access to attr=objectclass dn.subtree="dc=example,dc=com"
access to attr=objectclass
by * =rsc stop
-access to filter="(objectclass=person)" attr=userpassword dn.subtree=""
+#access to filter="(objectclass=person)" attr=userpassword dn.subtree="dc=example,dc=com"
+access to filter="(objectclass=person)" attr=userpassword
by anonymous auth
by self =wx
by dn.subtree="dc=example,dc=com" +rs continue
by * stop
+#access to attr=member,uniquemember dn.subtree="dc=example,dc=com"
access to attr=member,uniquemember
by dnattr=member selfwrite
by dnattr=uniquemember selfwrite
by * read
-access to attr=member,uniquemember filter="(mail=*com)"
+#access to attr=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com"
+access to attr=member,uniquemember filter="(mail=*com)"
by * read
-access to filter="(&(objectclass=groupofnames)(objectClass=groupofuniquenames))"
+#access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com"
+access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))"
by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue
by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop
by * break
by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
by * read
-access to filter="(name=X*Y*Z)"
+access to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com"
+ by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write
+ by * read
+
+#access to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com"
+access to filter="(name=X*Y*Z)"
by * continue
# fall into global ACLs
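Review bot: The new `set` rule (L65–L67) reaches the Alumni Assoc Staff entry only because the preceding groupOfNames/groupOfUniqueNames directive (L58) ends in `by * break` (L61) for everyone except Bjorn Jensen, and that ordering dependency is undocumented; as far as slapd.access(5) semantics go, that same `break` also makes the `by group/...` and `by * read` clauses at L62–L63 unreachable, so a later cleanup of those lines could silently swallow the set rule. Two further caveats belong next to L65: `member*` is the transitive closure, so anyone reachable through nested `member` chains is granted `write`, and `write` here covers every attribute not already claimed by an earlier directive (objectClass at L38, userPassword at L42, member/uniqueMember at L48), including `owner`. I would add above L65: `# Alumni Assoc Staff: any transitive ("member*") member may write the entry, except attrs` / `# claimed by earlier rules; this is reached only via "by * break" in the group rule above`. The commented-out `dn.subtree="dc=example,dc=com"` variants (L37, L41, L47, L53, L57, L69) also deserve a one-line note on why they are disabled rather than being left as unexplained dead alternatives.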
EOMODS6
#
-# Try to add a "member" attribute to the "All Staff" group. It should
+# Try to add a "member" attribute to the "ITD Staff" group. It should
# fail when we add some DN other than our own, and should succeed when
# we add our own DN.
# bjensen
EOMODS2
#
-# Try to modify the "All Staff" group. Two attempts are made:
+# Try to modify the "ITD Staff" group. Two attempts are made:
# 1) bound as "James A Jones 1" - should fail
-# 2) bound as "Barbara Jensen" - should succeed
+# 2) bound as "Bjorn Jensen" - should succeed
#
$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
$TESTOUT 2>&1 << EOMODS3
# comment
EOMODS4
+#
+# Try to modify the "ITD Staff" group. Two attempts are made:
+# 1) bound as "James A Jones 1" - should succeed
+# 2) bound as "Barbara Jensen" - should fail
+# should exploit sets
+#
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+ $TESTOUT 2>&1 << EOMODS5
+dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
+changetype: modify
+add: description
+description: added by jaj
+EOMODS5
+
+$LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \
+ $TESTOUT 2>&1 << EOMODS6
+dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
+changetype: modify
+add: description
+description: added by bjensen
+EOMODS6
+
echo "Using ldapsearch to retrieve all the entries..."
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
'objectClass=*' >> $SEARCHOUT 2>&1
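Review bot: Neither of the two new ldapmodify runs (L98–L99, L106–L107) checks its exit status, so the "should succeed"/"should fail" outcomes are inferred only indirectly from the final ldapsearch comparison (L114–L116); a bind failure for `$BABSDN` would be indistinguishable from the intended access denial. Capturing the result code after each heredoc makes the intent explicit, e.g. after EOMODS6: `RC=$?` / `if test $RC != 50 ; then echo "ldapmodify should have failed ($RC)!"; exit 1; fi` (50 being insufficientAccessRights), and the mirror check `test $RC != 0` after EOMODS5. The comment `# should exploit sets` (L96) reads as an attack description; `# exercises the set-based ACL on cn=Alumni Assoc Staff` says what the block is for. Whether James A Jones 1 is actually a `member` (not just `uniqueMember`, L8) of that group is not visible in this chunk — worth confirming against the test data, since the set ACL expands `member*` only.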