diff --git a/tests/data/acl.out.master b/tests/data/acl.out.master
index bc73b773ca677467aefe0cd941c3fe7e09676e2d..8a9a3f022883c62c1f8a76424a3a5538f16ef14f 100644
--- a/tests/data/acl.out.master
+++ b/tests/data/acl.out.master
@@ -47,6 +47,7 @@ member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
 member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
 owner: cn=Manager,dc=example,dc=com
 description: All Alumni Assoc Staff
+description: added by jaj
 cn: Alumni Assoc Staff
 objectClass: groupOfNames
 
@@ -271,6 +272,7 @@ uniqueMember: cn=John Doe,ou=Information Technology Division,ou=People,dc=exam
  ple,dc=com
 uniqueMember: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc
  =com
+ou: Groups
 
 dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example
  ,dc=com
diff --git a/tests/data/slapd-acl.conf b/tests/data/slapd-acl.conf
index 9356ab9b4feafe26a0b1fa895c4b930a6d2f91b1..8a269607bf0cb561d1dbd711e636b83a6320ceaa 100644
--- a/tests/data/slapd-acl.conf
+++ b/tests/data/slapd-acl.conf
@@ -24,8 +24,14 @@ pidfile     ./testrun/slapd.1.pid
 argsfile    ./testrun/slapd.1.args
 
 # global ACLs
-access to dn.exact="" attr=objectClass by users read
-access to * by * read
+#
+# normal installations should protect root dse, cn=monitor, cn=subschema
+#
+
+access		to dn.exact="" attr=objectClass
+		by users read
+access		to *
+		by * read
 
 #mod#modulepath	../servers/slapd/back-@BACKEND@/
 #mod#moduleload	back_@BACKEND@.la
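Review bot: The comment moved to the top of the global ACL section says normal installations should protect the root DSE, cn=monitor and cn=subschema, but the rules directly below it do the opposite. `access to *` / `by * read` gives every identity, including anonymous, read access to anything the later rules fall through to. I would state that this is deliberate for the fixture, so the block is not copied as a template, for example `# test fixture only: "to * by * read" leaves everything readable, do not reuse`.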
@@ -45,18 +51,12 @@ rootpw		secret
 #bdb#index		objectClass	eq
 #bdb#index		cn,sn,uid	pres,eq,sub
 
-#
-# normal installations should protect root dse, cn=monitor, cn=subschema
-#
-
-# these are equivalent
-access to dn="" by * read
-access to dn.exact="" by * read
-
+#access		to attr=objectclass dn.subtree="dc=example,dc=com"
 access		to attr=objectclass
 		by * =rsc stop
 
-access		to filter="(objectclass=person)" attr=userpassword dn.subtree=""
+#access		to filter="(objectclass=person)" attr=userpassword dn.subtree="dc=example,dc=com"
+access		to filter="(objectclass=person)" attr=userpassword
 		by anonymous auth
 		by self =wx
 
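Review bot: The commented-out `#access to ... dn.subtree="dc=example,dc=com"` lines added above the `attr=objectclass` and `attr=userpassword` rules carry no explanation, so a reader cannot tell whether they are the intended final form or a disabled experiment. The same pattern repeats in the later hunks, above the `attr=member,uniquemember` rules, the group filter rule and the `(name=X*Y*Z)` rule. Either drop them or introduce them once with a comment such as `# suffix-scoped form of the rule below; disabled because <reason>`. This hunk also removes `dn.subtree=""` from the `userpassword` rule, leaving the live rules with no DN scope. That is probably equivalent inside this database section, but it is worth stating next to the rule.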
@@ -65,15 +65,18 @@ access		to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
 		by dn.subtree="dc=example,dc=com" +rs continue
 		by * stop
 
+#access		to attr=member,uniquemember dn.subtree="dc=example,dc=com"
 access		to attr=member,uniquemember
 		by dnattr=member selfwrite
 		by dnattr=uniquemember selfwrite
 		by * read
 
-access to attr=member,uniquemember filter="(mail=*com)"
+#access		to attr=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com"
+access		to attr=member,uniquemember filter="(mail=*com)"
 		by * read
 
-access to filter="(&(objectclass=groupofnames)(objectClass=groupofuniquenames))"
+#access		to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com"
+access		to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))"
 		by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue
 		by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop
 		by * break
@@ -82,7 +85,12 @@ access		to dn.children="ou=Information Technology Division,ou=People,dc=example,
 		by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
 		by * read
 
-access	to filter="(name=X*Y*Z)"
+access		to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com"
+		by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write
+		by * read
+
+#access		to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com"
+access		to filter="(name=X*Y*Z)"
 		by * continue
 
 # fall into global ACLs
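Review bot: The new `by set=...` clause on `cn=Alumni Assoc Staff` needs a comment, because neither its reach nor the path that leads to it is obvious from the rule alone. It is evaluated only for identities that pass through `by * break` in the group filter rule in the previous hunk. Because the `to dn.exact=...` target has no `attr=` list, a matching member gets write access to every attribute of the entry not claimed by an earlier rule, which appears to include `owner`. Suggested comment: `# members of the group (expanded via member*) may write this entry; reached through "by * break" above`. If the test only needs `description` to be writable, adding `attr=description` to the target would keep the grant minimal.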
diff --git a/tests/scripts/test006-acls b/tests/scripts/test006-acls
index 30c8491862bf7f222874ec89f04749645b5eb13c..300b47bea12065e69cb191017d7161999f4dac10 100755
--- a/tests/scripts/test006-acls
+++ b/tests/scripts/test006-acls
@@ -92,7 +92,7 @@ homephone: +1 313 555 5444
 EOMODS6
 
 #
-# Try to add a "member" attribute to the "All Staff" group.  It should
+# Try to add a "member" attribute to the "ITD Staff" group.  It should
 # fail when we add some DN other than our own, and should succeed when
 # we add our own DN.
 # bjensen
@@ -117,9 +117,9 @@ uniquemember: cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example,
 EOMODS2
 
 #
-# Try to modify the "All Staff" group.  Two attempts are made:
+# Try to modify the "ITD Staff" group.  Two attempts are made:
 # 1) bound as "James A Jones 1" - should fail
-# 2) bound as "Barbara Jensen" - should succeed
+# 2) bound as "Bjorn Jensen" - should succeed
 #
 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
 	$TESTOUT 2>&1 << EOMODS3
@@ -145,6 +145,28 @@ ou: Groups
 # comment
 EOMODS4
 
+#
+# Try to modify the "ITD Staff" group.  Two attempts are made:
+# 1) bound as "James A Jones 1" - should succeed
+# 2) bound as "Barbara Jensen" - should fail
+# should exploit sets
+#
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+	$TESTOUT 2>&1 << EOMODS5
+dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
+changetype: modify
+add: description
+description: added by jaj
+EOMODS5
+
+$LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \
+	$TESTOUT 2>&1 << EOMODS6
+dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
+changetype: modify
+add: description
+description: added by bjensen
+EOMODS6
+
 echo "Using ldapsearch to retrieve all the entries..."
 $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
 	    'objectClass=*' >> $SEARCHOUT 2>&1
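Review bot: The comment introducing the new test says it modifies the "ITD Staff" group, but both `ldapmodify` calls target `cn=Alumni Assoc Staff`. It should read `# Try to modify the "Alumni Assoc Staff" group.  Two attempts are made:`. The negative case is also verified only indirectly, because nothing checks the exit status of the `$BABSDN` modify. A bind failure or any other error would presumably look the same as an ACL denial once the search output is compared with the master file. Capturing the status after the second heredoc (`RC=$?`, then comparing it with 50, insufficientAccess) would tie the expected failure to the ACL. The heredoc tag `EOMODS6` is already used earlier in the script (visible as context in the first hunk), which is legal but makes the blocks harder to tell apart.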