#! /bin/sh
## $OpenLDAP$
## This work is part of OpenLDAP Software .
##
## Copyright 2016-2024 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
##
## ACKNOWLEDGEMENTS:
## This module was written in 2016 by Ondřej Kuzník for Symas Corp.
case "$BACKEND" in ldif | null)
echo "$BACKEND backend does not support access controls, test skipped"
exit 0
esac
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh
CONF=$ACLCONF
. ${SCRIPTDIR}/common.sh
echo "Applying test-specific configuration..."
. $CONFFILTER $BACKEND $MONITORDB < data/test006-config.ldif | \
$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF \
>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
$TESTOUT 2>&1 << EOMODS
dn: ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Add & Delete
dn: cn=group,ou=Add & Delete,dc=example,dc=com
changetype: add
objectclass: groupOfNames
member: dc=example,dc=com
dn: sn=Doe,ou=Add & Delete,dc=example,dc=com
changetype: add
objectclass: OpenLDAPperson
cn: John
uid: jd
dn: sn=Elliot,ou=Add & Delete,dc=example,dc=com
changetype: add
objectclass: OpenLDAPperson
cn: Mark
uid: me
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Testing search ACL processing..."
echo "# Try to read an entry inside the Alumni Association container.
# It should give us noSuchObject if we're not bound..." \
>> $SEARCHOUT
# FIXME: temporarily remove the "No such object" message to make
# the test succeed even if SLAP_ACL_HONOR_DISCLOSE is not #define'd
$LDAPSEARCH -b "$MELLIOTDN" -H $URI1 "(objectclass=*)" \
2>&1 | grep -v "No such object" >> $SEARCHOUT
echo >>$SEARCHOUT
echo "# ... and should return appropriate attributes if we're bound as anyone
# under Example." \
>> $SEARCHOUT
$LDAPSEARCH -b "$MELLIOTDN" -H $URI1 \
-D "$BABSDN" -w bjensen "(objectclass=*)" >> $SEARCHOUT 2>&1
$LDAPSEARCH -b "$MELLIOTDN" -H $URI1 \
-D "$BJORNSDN" -w bjorn "(objectclass=*)" >> $SEARCHOUT 2>&1
echo >>$SEARCHOUT
echo "# Add & Delete subtree contents as seen by Babs" >> $SEARCHOUT
$LDAPSEARCH -b "ou=Add & Delete,dc=example,dc=com" -H $URI1 \
-D "$BABSDN" -w bjensen "(objectclass=*)" >> $SEARCHOUT 2>&1
echo >>$SEARCHOUT
echo "# Add & Delete subtree contents as seen by Bjorn" >> $SEARCHOUT
$LDAPSEARCH -b "ou=Add & Delete,dc=example,dc=com" -H $URI1 \
-D "$BJORNSDN" -w bjorn "(objectclass=*)" >> $SEARCHOUT 2>&1
echo "Testing modifications..."
echo "... ACL on the alternative entry"
$LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=group,ou=Add & Delete,dc=example,dc=com
changetype: modify
add: seealso
seealso: $BJORNSDN
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
$LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by bjensen (should fail)
EOMODS
RC=$?
case $RC in
50)
;;
0)
echo "ldapmodify should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit -1
;;
*)
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
;;
esac
$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=group,ou=Add & Delete,dc=example,dc=com
changetype: modify
add: seealso
seealso: $BABSDN
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
$LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by bjorn (removed later)
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
$LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=Group,ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: added by bjorn (removed later)
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
$LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=Added by Bjorn,ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
sn: Jensen
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
$LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=Group,ou=Add & Delete,dc=example,dc=com
changetype: modify
add: description
description: another one added by bjorn (should succeed)
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "... ACL on the variant entry"
$LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=Group,ou=Add & Delete,dc=example,dc=com
changetype: modify
add: description
description: added by bjensen (should fail)
EOMODS
RC=$?
case $RC in
50)
;;
0)
echo "ldapmodify should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit -1
;;
*)
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
;;
esac
$LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \
$TESTOUT 2>&1 << EOMODS
dn: sn=Doe,ou=Add & Delete,dc=example,dc=com
changetype: modify
add: description
description: added by bjorn (will be removed)
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
$LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=Added by Bjorn,ou=Add & Delete,dc=example,dc=com
changetype: modify
replace: description
description: added by bjensen (should fail)
EOMODS
RC=$?
case $RC in
50)
;;
0)
echo "ldapmodify should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit -1
;;
*)
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
;;
esac
$LDAPMODIFY -D "$JAJDN" -H $URI1 -w jaj >> \
$TESTOUT 2>&1 << EOMODS
dn: sn=Elliot,ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: added by bjorn (will be removed)
-
add: description
description: added by jaj (should succeed)
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
sleep $SLEEP0
echo >>$SEARCHOUT
echo "Using ldapsearch to retrieve all the entries..."
echo "# Using ldapsearch to retrieve all the entries..." >> $SEARCHOUT
$LDAPSEARCH -S "" -b "ou=Add & Delete,dc=example,dc=com" \
-D "$MANAGERDN" -H $URI1 -w $PASSWD \
'objectClass=*' >> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
exit $RC
fi
test $KILLSERVERS != no && kill -HUP $KILLPIDS
LDIF=data/test006-out.ldif
echo "Filtering ldapsearch results..."
$LDIFFILTER -s e < $SEARCHOUT > $SEARCHFLT
echo "Filtering expected entries..."
$LDIFFILTER -s e < $LDIF > $LDIFFLT
echo "Comparing filter output..."
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
if test $? != 0 ; then
echo "comparison failed - operations did not complete correctly"
exit 1
fi
echo ">>>>> Test succeeded"
test $KILLSERVERS != no && wait
exit 0