honor 'disclose' ACL on searchBase/compare/referral/matched (ITS#3472 and comments...

diff --git a/tests/data/acl.out.master b/tests/data/acl.out.master
index b44d98cb136048cfd0a0b01ba33f99f10cc6b79f..023e1a7fc86b12855272dd32dbcaab1eac82d20f 100644 (file)
--- a/tests/data/acl.out.master
+++ b/tests/data/acl.out.master
@@ -1,3 +1,8 @@
+# Try to read an entry inside the Alumni Association container.
+# It should give us noSuchObject if we're not bound...
+No such object (32)
+# ... and should return all attributes if we're bound as anyone
+# under Example.
 dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
 objectClass: OpenLDAPperson
 cn: James A Jones 1
@@ -16,6 +21,7 @@ mail: jaj@mail.alumni.example.com
 facsimileTelephoneNumber: +1 313 555 4332
 telephoneNumber: +1 313 555 0895
 
+# Using ldapsearch to retrieve all the entries...
 dn: cn=All Staff,ou=Groups,dc=example,dc=com
 member: cn=Manager,dc=example,dc=com
 member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam

diff --git a/tests/data/slapd-acl.conf b/tests/data/slapd-acl.conf
index 4e02a8c4e1e5ead8df13964e7a680dfbd65e9a3e..f01b747f8f2422609cd2c45e1fea80034f3112bb 100644 (file)
--- a/tests/data/slapd-acl.conf
+++ b/tests/data/slapd-acl.conf
@@ -64,6 +64,7 @@ access                to filter="(objectclass=person)" attr=userpassword
 access         to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
                by dn.regex=".+,dc=example,dc=com" +c continue
                by dn.subtree="dc=example,dc=com" +rs continue
+               by dn.children="dc=example,dc=com" +d continue
                by * stop
 
 #access                to attr=member,uniquemember dn.subtree="dc=example,dc=com"

diff --git a/tests/scripts/test006-acls b/tests/scripts/test006-acls
index de72e9f3f57de39d19930d7d84360fdb2b9d3752..0f294f0cad3e1b356002ce71f1b017e551259abd 100755 (executable)
--- a/tests/scripts/test006-acls
+++ b/tests/scripts/test006-acls
@@ -56,16 +56,17 @@ fi
 
 cat /dev/null > $SEARCHOUT
 
-#
-# Try to read an entry inside the Alumni Association container.  It should
-# give us nothing if we're not bound, and should return all attributes
-# if we're bound as anyone under UM.
-#
-$LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 "objectclass=*" \
+echo "# Try to read an entry inside the Alumni Association container.
+# It should give us noSuchObject if we're not bound..." \
+>> $SEARCHOUT
+$LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 "(objectclass=*)" \
        >> $SEARCHOUT 2>&1
 
+echo "# ... and should return all attributes if we're bound as anyone
+# under Example." \
+>> $SEARCHOUT
 $LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 \
-       -D "$BABSDN" -w bjensen "objectclass=*"  >> $SEARCHOUT 2>&1
+       -D "$BABSDN" -w bjensen "(objectclass=*)"  >> $SEARCHOUT 2>&1
 
 #
 # Check group access. Try to modify Babs' entry. Two attempts:
@@ -170,6 +171,7 @@ description: added by bjensen (should fail)
 EOMODS6
 
 echo "Using ldapsearch to retrieve all the entries..."
+echo "# Using ldapsearch to retrieve all the entries..." >> $SEARCHOUT
 $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
            'objectClass=*' >> $SEARCHOUT 2>&1
 RC=$?
@@ -189,7 +191,7 @@ echo "Comparing filter output..."
 $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
 
 if test $? != 0 ; then
-       echo "comparison failed - modify operations did not complete correctly"
+       echo "comparison failed - operations did not complete correctly"
        exit 1
 fi