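#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2024 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# test006-acls: exercise slapd access controls against a database built
# from $LDIFORDERED with the ACL configuration taken from $ACLCONF.
# All variables used here ($SRCDIR, $BACKEND, $URI1, $LDAPMODIFY, ...) are
# expected from the environment or from scripts/defines.sh.
# Exit status: 0 on success (or when the backend cannot be tested),
# otherwise the status of the failing tool, or 1 for a logical failure.
#
# Quoting policy: file paths and URIs are quoted; tool variables such as
# $SLAPADD, $SLAPD, $LDAPSEARCH, $LDAPMODIFY, $CONFFILTER, $CMP and
# $LDIFFILTER are left unquoted on purpose because defines.sh may set them
# to a program plus options (not visible here - confirm against defines.sh).
# Harness control variables ($WAIT, $KILLSERVERS, $KILLPIDS) keep the
# project's usual unquoted form.

# Backends without ACL support cannot be tested here.
case "$BACKEND" in ldif | null)
  echo "$BACKEND backend does not support access controls, test skipped"
  exit 0
esac

echo "running defines.sh"
. "$SRCDIR/scripts/defines.sh"

mkdir -p "$TESTDIR" "$DBDIR1"

echo "Running slapadd to build slapd database..."
# The filter rewrites the ACL config for the backend under test.
. $CONFFILTER "$BACKEND" < "$ACLCONF" > "$CONF1"
$SLAPADD -f "$CONF1" -l "$LDIFORDERED"
RC=$?
if test $RC != 0 ; then
  echo "slapadd failed ($RC)!"
  exit $RC
fi

echo "Starting slapd on TCP/IP port $PORT1..."
$SLAPD -f "$CONF1" -h "$URI1" -d "$LVL" > "$LOG1" 2>&1 &
PID=$!
# With WAIT set, pause (until Enter is pressed) so a debugger can be
# attached to the freshly started slapd.
if test $WAIT != 0 ; then
  echo PID $PID
  read -r foo
fi
KILLPIDS="$PID"

sleep 1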
45
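echo "Testing slapd access control..."
# Probe the monitor entry until slapd answers: at most 6 tries, 5s apart.
for i in 0 1 2 3 4 5; do
  $LDAPSEARCH -s base -b "$MONITOR" -H "$URI1" \
    'objectclass=*' > /dev/null 2>&1
  RC=$?
  if test $RC = 0 ; then
    break
  fi
  echo "Waiting 5 seconds for slapd to start..."
  sleep 5
done

# RC holds the status of the last probe; non-zero means slapd never came up,
# so stop it (unless KILLSERVERS=no asks to leave it running) and give up.
if test $RC != 0 ; then
  echo "ldapsearch failed ($RC)!"
  test $KILLSERVERS != no && kill -HUP $KILLPIDS
  exit $RC
fi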
63
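# Start with an empty search log; it is compared against the expected
# output ($ACLOUTPROVIDER) at the end of the test, so the exit status of
# the individual searches below is deliberately not checked.
: > "$SEARCHOUT"

echo "# Try to read an entry inside the Alumni Association container.
# It should give us noSuchObject if we're not bound..." \
  >> "$SEARCHOUT"
# FIXME: temporarily remove the "No such object" message to make
# the test succeed even if SLAP_ACL_HONOR_DISCLOSE is not #define'd
$LDAPSEARCH -b "$JAJDN" -H "$URI1" "(objectclass=*)" \
  2>&1 | grep -v "No such object" >> "$SEARCHOUT"

# The -w passwords used throughout this script are fixture credentials
# from the test LDIF; -w exposes them in the process list, which is
# acceptable only inside this self-contained harness.
echo "# ... and should return all attributes if we're bound as anyone
# under Example." \
  >> "$SEARCHOUT"
$LDAPSEARCH -b "$JAJDN" -H "$URI1" \
  -D "$BABSDN" -w bjensen "(objectclass=*)" >> "$SEARCHOUT" 2>&1

# ITS#4253, ITS#4255: exact vs. regex attrval ACL clauses, checked by
# reading "cn" of three entries as two different users.
echo "# Checking exact/regex attrval clause" >> "$SEARCHOUT"
$LDAPSEARCH -H "$URI1" \
  -D "$BABSDN" -w bjensen \
  -b "$MELLIOTDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1
$LDAPSEARCH -H "$URI1" \
  -D "$BJORNSDN" -w bjorn \
  -b "$MELLIOTDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1

$LDAPSEARCH -H "$URI1" \
  -D "$BABSDN" -w bjensen \
  -b "$JOHNDDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1
$LDAPSEARCH -H "$URI1" \
  -D "$BJORNSDN" -w bjorn \
  -b "$JOHNDDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1

$LDAPSEARCH -H "$URI1" \
  -D "$BABSDN" -w bjensen \
  -b "$BJORNSDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1
$LDAPSEARCH -H "$URI1" \
  -D "$BJORNSDN" -w bjorn \
  -b "$BABSDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1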
102
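# check selfwrite access (ITS#4587). 6 attempts are made:
# 1) delete someone else (should fail)
# 2) delete self (should succeed)
# 3) add someone else (should fail)
# 4) add someone else and self (should fail)
# 5) add self and someone else (should fail)
# 6) add self (should succeed)
#
# ldapmodify exit status 50 is LDAP insufficientAccessRights, i.e. the ACL
# denial the "should fail" cases expect. Success (0) in those cases is a
# test failure; any other status is a tool or server error.

# 1) delete someone else (should fail)
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: $BABSDN
EOMODS
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

# 2) delete self (should succeed)
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: $JAJDN
EOMODS
RC=$?
if test $RC != 0 ; then
  echo "ldapmodify failed ($RC)!"
  test $KILLSERVERS != no && kill -HUP $KILLPIDS
  exit $RC
fi

# 3) add someone else (should fail)
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: cn=Foo,ou=Bar
EOMODS
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

# 4) add someone else and self (should fail)
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: cn=Foo,ou=Bar
member: $JAJDN
EOMODS
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

# 5) add self and someone else (should fail)
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: $JAJDN
member: cn=Foo,ou=Bar
EOMODS
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

# 6) add self (should succeed)
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: $JAJDN
EOMODS
RC=$?
if test $RC != 0 ; then
  echo "ldapmodify failed ($RC)!"
  test $KILLSERVERS != no && kill -HUP $KILLPIDS
  exit $RC
fi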
232
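#
# Check group access. Try to modify Babs' entry. Two attempts:
# 1) bound as "James A Jones 1" - should fail
# 2) bound as "Bjorn Jensen" - should succeed
# (exit status 50 = LDAP insufficientAccessRights, the expected ACL denial)

$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS5
dn: $BABSDN
changetype: modify
replace: drink
drink: wine
EOMODS5
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
  "$TESTOUT" 2>&1 << EOMODS6
dn: $BABSDN
changetype: modify
add: homephone
homephone: +1 313 555 5444
EOMODS6
RC=$?
case $RC in
  0)
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac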
278
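#
# Try to add a "member" attribute to the "ITD Staff" group. It should
# fail when we add some DN other than our own, and should succeed when
# we add our own DN.
# (exit status 50 = LDAP insufficientAccessRights, the expected ACL denial)
# bjensen
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS1
version: 1
dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: uniquemember
uniquemember: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
EOMODS1
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

# Own DN: the blank line after "version: 1" is part of the LDIF input.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS2
version: 1

dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: uniquemember
uniquemember: cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com
EOMODS2
RC=$?
case $RC in
  0)
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac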
327
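#
# Try to modify the "ITD Staff" group. Two attempts are made:
# 1) bound as "James A Jones 1" - should fail
# 2) bound as "Bjorn Jensen" - should succeed
# (exit status 50 = LDAP insufficientAccessRights, the expected ACL denial)
#
# The leading blank line in the LDIF input is intentional.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS3

dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
delete: description
EOMODS3
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

# The "#" lines inside the LDIF are input comments, exercising the parser.
$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
  "$TESTOUT" 2>&1 << EOMODS4
# COMMENT
version: 1
# comment
dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
# comment
changetype: modify
# comment
add: ou
# comment
ou: Groups
# comment
EOMODS4
RC=$?
case $RC in
  0)
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac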
380
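#
# Try to modify the "Alumni Assoc Staff" group. Two attempts are made:
# 1) bound as "James A Jones 1" - should succeed
# 2) bound as "Barbara Jensen" - should fail
# should exploit sets
# (exit status 50 = LDAP insufficientAccessRights, the expected ACL denial)
#
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS5
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by jaj (should succeed)
-
EOMODS5
RC=$?
case $RC in
  0)
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

$LDAPMODIFY -D "$BABSDN" -H "$URI1" -w bjensen >> \
  "$TESTOUT" 2>&1 << EOMODS6
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by bjensen (should fail)
-
EOMODS6
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac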
429
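#
# Add/delete/rename checks. The rootdn creates the "Add & Delete"
# container; then Babs must be denied adding a child (exit status 50 =
# LDAP insufficientAccessRights) while Bjorn may add three entries and
# modify one of them. The entries are used by the delete/modrdn checks
# that follow.
#
$LDAPMODIFY -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" >> \
  "$TESTOUT" 2>&1 << EOMODS7
dn: ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Add & Delete
EOMODS7
RC=$?
if test $RC != 0 ; then
  echo "ldapmodify failed ($RC)!"
  test $KILLSERVERS != no && kill -HUP $KILLPIDS
  exit $RC
fi

$LDAPMODIFY -D "$BABSDN" -H "$URI1" -w bjensen >> \
  "$TESTOUT" 2>&1 << EOMODS8
dn: cn=Added by Babs (must fail),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Babs (must fail)
sn: None
EOMODS8
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
  "$TESTOUT" 2>&1 << EOMODS9
dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (must succeed)
sn: None

dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (will be deleted)
sn: None

dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (will be renamed)
sn: None

dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
add: description
description: this attribute value has been added __after__entry creation
description: this attribute value will be deleted by Babs (must succeed)
description: Bjorn will try to delete this attribute value (should fail)
-
EOMODS9
RC=$?
case $RC in
  0)
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac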
506
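#
# Delete / modrdn / attribute-value checks on the entries Bjorn created:
# Bjorn may neither delete nor rename them, Babs may not rename them,
# Jaj may rename, Bjorn may not remove one description value, and Babs
# may delete an entry and remove the other description value.
# (exit status 50 = LDAP insufficientAccessRights, the expected ACL denial)
#
$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
  "$TESTOUT" 2>&1 << EOMODS10
dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: delete
EOMODS10
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
  "$TESTOUT" 2>&1 << EOMODS11
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Bjorn)
deleteoldrdn: 1
EOMODS11
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

$LDAPMODIFY -D "$BABSDN" -H "$URI1" -w bjensen >> \
  "$TESTOUT" 2>&1 << EOMODS12
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Babs)
deleteoldrdn: 1
EOMODS12
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
  "$TESTOUT" 2>&1 << EOMODS13
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Jaj)
deleteoldrdn: 1
EOMODS13
RC=$?
case $RC in
  0)
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
  "$TESTOUT" 2>&1 << EOMODS14
dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: Bjorn will try to delete this attribute value (should fail)
-
EOMODS14
RC=$?
case $RC in
  50)
    ;;
  0)
    echo "ldapmodify should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit 1
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac

$LDAPMODIFY -D "$BABSDN" -H "$URI1" -w bjensen >> \
  "$TESTOUT" 2>&1 << EOMODS15
dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: delete

dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: this attribute value will be deleted by Babs (must succeed)
-
EOMODS15
RC=$?
case $RC in
  0)
    ;;
  *)
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
    ;;
esac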
637
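echo "Using ldapsearch to retrieve all the entries..."
echo "# Using ldapsearch to retrieve all the entries..." >> "$SEARCHOUT"
$LDAPSEARCH -S "" -b "$BASEDN" -H "$URI1" \
  'objectClass=*' >> "$SEARCHOUT" 2>&1
RC=$?
# The server is no longer needed; stop it before judging the result.
test $KILLSERVERS != no && kill -HUP $KILLPIDS
if test $RC != 0 ; then
  echo "ldapsearch failed ($RC)!"
  exit $RC
fi

# Expected search output for this ACL configuration.
LDIF=$ACLOUTPROVIDER

echo "Filtering ldapsearch results..."
$LDIFFILTER < "$SEARCHOUT" > "$SEARCHFLT"
echo "Filtering original ldif used to create database..."
$LDIFFILTER < "$LDIF" > "$LDIFFLT"
echo "Comparing filter output..."
$CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT"
RC=$?

# Any difference means some operation above had an unexpected effect.
if test $RC != 0 ; then
  echo "comparison failed - operations did not complete correctly"
  exit 1
fi

echo ">>>>> Test succeeded"

# Reap the slapd we signalled so it does not outlive the test.
test $KILLSERVERS != no && wait

exit 0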