ITS#8057 test cases

diff --git a/tests/data/slapd-unique.conf b/tests/data/slapd-unique.conf
index 7f9da07436906864d47a0c90b14b47b8949546ea..a07f8c760e14867b1351e490092997bf63586049 100644 (file)
--- a/tests/data/slapd-unique.conf
+++ b/tests/data/slapd-unique.conf
@@ -44,6 +44,9 @@ rootpw                secret
 #ndb#dbname db_1
 #ndb#include @DATADIR@/ndb.conf
 
+access to attrs=userPassword by * auth
+access to * by users write
+
 overlay                        unique
 
 unique_attributes      employeeNumber displayName

diff --git a/tests/scripts/test024-unique b/tests/scripts/test024-unique
index 1227511105b59fc85255e4a420e4dd6946fa4c38..20c137f0a29287a3b4c794b53355d09c0e2258ce 100755 (executable)
--- a/tests/scripts/test024-unique
+++ b/tests/scripts/test024-unique
@@ -73,6 +73,7 @@ $LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
        > /dev/null << EOTUNIQ1
 dn: uid=dave,ou=users,o=unique
 objectClass: inetOrgPerson
+objectClass: simpleSecurityObject
 uid: dave
 sn: nothere
 cn: dave
@@ -85,6 +86,7 @@ displayName: Dave (ITS#4212)
 employeeNumber: 69
 employeeType: contractor
 givenName: Dave
+userpassword: $PASSWD
 EOTUNIQ1
 RC=$?
 if test $RC != 0 ; then
@@ -94,7 +96,7 @@ if test $RC != 0 ; then
 fi
 
 echo "Adding a non-unique record..."
-$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
         $TESTOUT 2>&1 << EOTUNIQ2
 dn: uid=bill,ou=users,o=unique
 objectClass: inetOrgPerson
@@ -116,6 +118,64 @@ if test $RC != $RCODEconstraint ; then
        exit -1
 fi
 
+# ITS#6641/8057
+echo "Trying to bypass uniqueness as a normal user..."
+$LDAPADD -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+        $TESTOUT 2>&1 << EOTUNIQ2
+dn: uid=bill,ou=users,o=unique
+objectClass: inetOrgPerson
+uid: bill
+sn: johnson
+cn: bill
+businessCategory: rtest
+carLicense: ABC123
+departmentNumber: 42
+displayName: Bill
+employeeNumber: 5150
+employeeType: contractor
+givenName: Bill
+EOTUNIQ2
+RC=$?
+if test $RC != $RCODEconstraint ; then
+       echo "unique check failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+fi
+
+# ITS#6641/8057
+echo "Bypassing uniqueness as an admin user..."
+$LDAPADD -M -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+        $TESTOUT 2>&1 << EOTUNIQ2
+dn: uid=bill,ou=users,o=unique
+objectClass: inetOrgPerson
+uid: bill
+sn: johnson
+cn: bill
+businessCategory: rtest
+carLicense: ABC123
+departmentNumber: 42
+displayName: Bill
+employeeNumber: 5150
+employeeType: contractor
+givenName: Bill
+EOTUNIQ2
+RC=$?
+if test $RC != 0 ; then
+       echo "spurious unique error ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+fi
+
+echo "Cleaning up"
+$LDAPDELETE -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
+    "uid=bill,ou=users,o=unique" > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0; then
+       echo "ldapdelete failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+fi
+
 echo Dynamically retrieving initial configuration...
 $LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/initial-config.ldif
 cat <<EOF >$TESTDIR/initial-reference.ldif
@@ -210,7 +270,7 @@ if test $RC != 0 ; then
 fi
 
 echo "Adding a non-unique record..."
-$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
         $TESTOUT 2>&1 << EOTUNIQ2
 dn: uid=bill,ou=users,o=unique
 objectClass: inetOrgPerson
@@ -267,7 +327,7 @@ if test $RC != 0 ; then
 fi
 
 echo "Verifying we removed the right attr..."
-$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
         $TESTOUT 2>&1 << EOTUNIQ2
 dn: uid=bill,ou=users,o=unique
 objectClass: inetOrgPerson
@@ -327,7 +387,7 @@ if test $RC != 0 ; then
 fi
 
 echo "Adding a non-unique record..."
-$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
         $TESTOUT 2>&1 << EOTUNIQ2
 dn: uid=bill,ou=users,o=unique
 objectClass: inetOrgPerson
@@ -495,11 +555,138 @@ if test $RC != 0 ; then
        exit -1
 fi
 
+echo "Making a record non-unique"
+$LDAPMODIFY -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+    $TESTOUT 2>&1 << EOF
+dn: uid=empty,ou=users,o=unique
+changetype: modify
+replace: sn
+sn: johnson
+EOF
 
-echo "Adding a record unique in one domain, non-unique in the filtered domain..."
+RC=$?
+if test $RC != $RCODEconstraint ; then
+       echo "unique check failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+fi
 
+# ITS#6641/8057
+echo "Trying to bypass uniqueness as a normal user..."
+$LDAPMODIFY -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+    $TESTOUT 2>&1 << EOF
+dn: uid=empty,ou=users,o=unique
+changetype: modify
+replace: sn
+sn: johnson
+EOF
+
+RC=$?
+if test $RC != $RCODEconstraint ; then
+       echo "unique check failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+fi
+
+# ITS#6641/8057
+echo "Bypassing uniqueness as an admin user..."
+$LDAPMODIFY -M -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+    $TESTOUT 2>&1 << EOF
+dn: uid=empty,ou=users,o=unique
+changetype: modify
+replace: sn
+sn: johnson
+EOF
+
+RC=$?
+if test $RC != 0 ; then
+       echo "spurious unique error ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+fi
+
+echo "Cleaning up"
+$LDAPMODIFY -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+    $TESTOUT 2>&1 << EOF
+dn: uid=empty,ou=users,o=unique
+changetype: modify
+replace: sn
+sn: empty
+EOF
+
+RC=$?
+if test $RC != 0; then
+       echo "ldapmodify failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+fi
+
+echo "Adding another unique record..."
 $LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
         $TESTOUT 2>&1 << EOF
+dn: uid=not edgar,uid=edgar,ou=users,o=unique
+objectClass: inetOrgPerson
+uid: not edgar
+sn: Alan
+cn: not edgar
+EOF
+
+RC=$?
+if test $RC != 0 ; then
+       echo "unique check failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+fi
+
+echo "Making the record non-unique with modrdn..."
+$LDAPMODRDN -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD \
+       "uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
+
+RC=$?
+if test $RC != $RCODEconstraint ; then
+       echo "unique check failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+fi
+
+# ITS#6641/8057
+echo "Trying to bypass uniqueness as a normal user..."
+$LDAPMODRDN -M -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD \
+       "uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
+
+RC=$?
+if test $RC != $RCODEconstraint ; then
+       echo "unique check failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+fi
+
+# ITS#6641/8057
+echo "Bypassing uniqueness as an admin user..."
+$LDAPMODRDN -M -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
+       "uid=not edgar,uid=edgar,ou=users,o=unique" "uid=edgar" > $TESTOUT 2>&1
+
+RC=$?
+if test $RC != 0 ; then
+       echo "spurious unique error ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+fi
+
+echo "Cleaning up"
+$LDAPDELETE -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
+    "uid=edgar,uid=edgar,ou=users,o=unique" > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0; then
+       echo "ldapdelete failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+fi
+
+echo "Adding a record unique in one domain, non-unique in the filtered domain..."
+
+$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+        $TESTOUT 2>&1 << EOF
 dn: uid=elvis,ou=users,o=unique
 objectClass: inetOrgPerson
 uid: elvis
@@ -569,7 +756,7 @@ fi
 
 echo "Adding a record non-unique in the ignore-domain..."
 
-$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+$LDAPADD -D "uid=dave,ou=users,o=unique" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
         $TESTOUT 2>&1 << EOF
 dn: uid=harry,ou=users,o=unique
 objectClass: inetOrgPerson