#! /bin/sh ## $OpenLDAP$ ## This work is part of OpenLDAP Software . ## ## Copyright 2016-2024 The OpenLDAP Foundation. ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted only as authorized by the OpenLDAP ## Public License. ## ## A copy of this license is available in the file LICENSE in the ## top-level directory of the distribution or, alternatively, at ## . ## ## ACKNOWLEDGEMENTS: ## This module was written in 2016 by Ondřej Kuzník for Symas Corp. case "$BACKEND" in ldif | null) echo "$BACKEND backend does not support access controls, test skipped" exit 0 esac echo "running defines.sh" . $SRCDIR/scripts/defines.sh CONF=$ACLCONF . ${SCRIPTDIR}/common.sh echo "Applying test-specific configuration..." . $CONFFILTER $BACKEND $MONITORDB < data/test006-config.ldif | \ $LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF \ >> $TESTOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi $LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \ $TESTOUT 2>&1 << EOMODS dn: ou=Add & Delete,dc=example,dc=com changetype: add objectClass: organizationalUnit ou: Add & Delete dn: cn=group,ou=Add & Delete,dc=example,dc=com changetype: add objectclass: groupOfNames member: dc=example,dc=com dn: sn=Doe,ou=Add & Delete,dc=example,dc=com changetype: add objectclass: OpenLDAPperson cn: John uid: jd dn: sn=Elliot,ou=Add & Delete,dc=example,dc=com changetype: add objectclass: OpenLDAPperson cn: Mark uid: me EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "Testing search ACL processing..." echo "# Try to read an entry inside the Alumni Association container. # It should give us noSuchObject if we're not bound..." \ >> $SEARCHOUT # FIXME: temporarily remove the "No such object" message to make # the test succeed even if SLAP_ACL_HONOR_DISCLOSE is not #define'd $LDAPSEARCH -b "$MELLIOTDN" -H $URI1 "(objectclass=*)" \ 2>&1 | grep -v "No such object" >> $SEARCHOUT echo >>$SEARCHOUT echo "# ... and should return appropriate attributes if we're bound as anyone # under Example." \ >> $SEARCHOUT $LDAPSEARCH -b "$MELLIOTDN" -H $URI1 \ -D "$BABSDN" -w bjensen "(objectclass=*)" >> $SEARCHOUT 2>&1 $LDAPSEARCH -b "$MELLIOTDN" -H $URI1 \ -D "$BJORNSDN" -w bjorn "(objectclass=*)" >> $SEARCHOUT 2>&1 echo >>$SEARCHOUT echo "# Add & Delete subtree contents as seen by Babs" >> $SEARCHOUT $LDAPSEARCH -b "ou=Add & Delete,dc=example,dc=com" -H $URI1 \ -D "$BABSDN" -w bjensen "(objectclass=*)" >> $SEARCHOUT 2>&1 echo >>$SEARCHOUT echo "# Add & Delete subtree contents as seen by Bjorn" >> $SEARCHOUT $LDAPSEARCH -b "ou=Add & Delete,dc=example,dc=com" -H $URI1 \ -D "$BJORNSDN" -w bjorn "(objectclass=*)" >> $SEARCHOUT 2>&1 echo "Testing modifications..." echo "... ACL on the alternative entry" $LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \ $TESTOUT 2>&1 << EOMODS dn: cn=group,ou=Add & Delete,dc=example,dc=com changetype: modify add: seealso seealso: $BJORNSDN EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi $LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \ $TESTOUT 2>&1 << EOMODS dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com changetype: modify add: description description: added by bjensen (should fail) EOMODS RC=$? case $RC in 50) ;; 0) echo "ldapmodify should have failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit -1 ;; *) echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC ;; esac $LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \ $TESTOUT 2>&1 << EOMODS dn: cn=group,ou=Add & Delete,dc=example,dc=com changetype: modify add: seealso seealso: $BABSDN EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi $LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \ $TESTOUT 2>&1 << EOMODS dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com changetype: modify add: description description: added by bjorn (removed later) EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi $LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \ $TESTOUT 2>&1 << EOMODS dn: cn=Group,ou=Add & Delete,dc=example,dc=com changetype: modify delete: description description: added by bjorn (removed later) EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi $LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \ $TESTOUT 2>&1 << EOMODS dn: cn=Added by Bjorn,ou=Add & Delete,dc=example,dc=com changetype: add objectClass: inetOrgPerson sn: Jensen EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi $LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \ $TESTOUT 2>&1 << EOMODS dn: cn=Group,ou=Add & Delete,dc=example,dc=com changetype: modify add: description description: another one added by bjorn (should succeed) EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi echo "... ACL on the variant entry" $LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \ $TESTOUT 2>&1 << EOMODS dn: cn=Group,ou=Add & Delete,dc=example,dc=com changetype: modify add: description description: added by bjensen (should fail) EOMODS RC=$? case $RC in 50) ;; 0) echo "ldapmodify should have failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit -1 ;; *) echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC ;; esac $LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \ $TESTOUT 2>&1 << EOMODS dn: sn=Doe,ou=Add & Delete,dc=example,dc=com changetype: modify add: description description: added by bjorn (will be removed) EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi $LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \ $TESTOUT 2>&1 << EOMODS dn: cn=Added by Bjorn,ou=Add & Delete,dc=example,dc=com changetype: modify replace: description description: added by bjensen (should fail) EOMODS RC=$? case $RC in 50) ;; 0) echo "ldapmodify should have failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit -1 ;; *) echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC ;; esac $LDAPMODIFY -D "$JAJDN" -H $URI1 -w jaj >> \ $TESTOUT 2>&1 << EOMODS dn: sn=Elliot,ou=Add & Delete,dc=example,dc=com changetype: modify delete: description description: added by bjorn (will be removed) - add: description description: added by jaj (should succeed) EOMODS RC=$? if test $RC != 0 ; then echo "ldapmodify failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi sleep $SLEEP0 echo >>$SEARCHOUT echo "Using ldapsearch to retrieve all the entries..." echo "# Using ldapsearch to retrieve all the entries..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "ou=Add & Delete,dc=example,dc=com" \ -D "$MANAGERDN" -H $URI1 -w $PASSWD \ 'objectClass=*' >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" exit $RC fi test $KILLSERVERS != no && kill -HUP $KILLPIDS LDIF=data/test006-out.ldif echo "Filtering ldapsearch results..." $LDIFFILTER -s e < $SEARCHOUT > $SEARCHFLT echo "Filtering expected entries..." $LDIFFILTER -s e < $LDIF > $LDIFFLT echo "Comparing filter output..." $CMP $SEARCHFLT $LDIFFLT > $CMPOUT if test $? != 0 ; then echo "comparison failed - operations did not complete correctly" exit 1 fi echo ">>>>> Test succeeded" test $KILLSERVERS != no && wait exit 0