more fixes to test006; added sets test

2e03241c · Pierangelo Masarati · f109f1eb · 2e03241c · 2e03241c · 2e03241c
Commit 2e03241c authored May 13, 2004 by Pierangelo Masarati
--- a/tests/data/acl.out.master
+++ b/tests/data/acl.out.master
@@ -47,6 +47,7 @@ member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
 member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
 owner: cn=Manager,dc=example,dc=com
 description: All Alumni Assoc Staff
+description: added by jaj
 cn: Alumni Assoc Staff
 objectClass: groupOfNames

@@ -271,6 +272,7 @@ uniqueMember: cn=John Doe,ou=Information Technology Division,ou=People,dc=exam
 ple,dc=com
 uniqueMember: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc
 =com
+ou: Groups

 dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example
 ,dc=com

--- a/tests/data/slapd-acl.conf
+++ b/tests/data/slapd-acl.conf
@@ -24,8 +24,14 @@ pidfile     ./testrun/slapd.1.pid
 argsfile    ./testrun/slapd.1.args

 # global ACLs
-access to dn.exact="" attr=objectClass by users read
-access to * by * read
+#
+# normal installations should protect root dse, cn=monitor, cn=subschema
+#
+
+access		to dn.exact="" attr=objectClass
+		by users read
+access		to *
+		by * read

 #mod#modulepath	../servers/slapd/back-@BACKEND@/
 #mod#moduleload	back_@BACKEND@.la
@@ -45,18 +51,12 @@ rootpw		secret
 #bdb#index		objectClass	eq
 #bdb#index		cn,sn,uid	pres,eq,sub

-#
-# normal installations should protect root dse, cn=monitor, cn=subschema
-#
-
-# these are equivalent
-access to dn="" by * read
-access to dn.exact="" by * read
-
+#access		to attr=objectclass dn.subtree="dc=example,dc=com"
 access		to attr=objectclass
 		by * =rsc stop

-access		to filter="(objectclass=person)" attr=userpassword dn.subtree=""
+#access		to filter="(objectclass=person)" attr=userpassword dn.subtree="dc=example,dc=com"
+access		to filter="(objectclass=person)" attr=userpassword
 		by anonymous auth
 		by self =wx

@@ -65,15 +65,18 @@ access		to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
 		by dn.subtree="dc=example,dc=com" +rs continue
 		by * stop

+#access		to attr=member,uniquemember dn.subtree="dc=example,dc=com"
 access		to attr=member,uniquemember
 		by dnattr=member selfwrite
 		by dnattr=uniquemember selfwrite
 		by * read

-access to attr=member,uniquemember filter="(mail=*com)"
+#access		to attr=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com"
+access		to attr=member,uniquemember filter="(mail=*com)"
 		by * read

-access to filter="(&(objectclass=groupofnames)(objectClass=groupofuniquenames))"
+#access		to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com"
+access		to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))"
 		by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue
 		by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop
 		by * break
@@ -82,7 +85,12 @@ access		to dn.children="ou=Information Technology Division,ou=People,dc=example,
 		by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
 		by * read

-access	to filter="(name=X*Y*Z)"
+access		to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com"
+		by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write
+		by * read
+
+#access		to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com"
+access		to filter="(name=X*Y*Z)"
 		by * continue

 # fall into global ACLs
--- a/tests/scripts/test006-acls
+++ b/tests/scripts/test006-acls
@@ -92,7 +92,7 @@ homephone: +1 313 555 5444
 EOMODS6

 #
-# Try to add a "member" attribute to the "All Staff" group.  It should
+# Try to add a "member" attribute to the "ITD Staff" group.  It should
 # fail when we add some DN other than our own, and should succeed when
 # we add our own DN.
 # bjensen
@@ -117,9 +117,9 @@ uniquemember: cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example,
 EOMODS2

 #
-# Try to modify the "All Staff" group.  Two attempts are made:
+# Try to modify the "ITD Staff" group.  Two attempts are made:
 # 1) bound as "James A Jones 1" - should fail
-# 2) bound as "Barbara Jensen" - should succeed
+# 2) bound as "Bjorn Jensen" - should succeed
 #
 $LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
 	$TESTOUT 2>&1 << EOMODS3
@@ -145,6 +145,28 @@ ou: Groups
 # comment
 EOMODS4

+#
+# Try to modify the "ITD Staff" group.  Two attempts are made:
+# 1) bound as "James A Jones 1" - should succeed
+# 2) bound as "Barbara Jensen" - should fail
+# should exploit sets
+#
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+	$TESTOUT 2>&1 << EOMODS5
+dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
+changetype: modify
+add: description
+description: added by jaj
+EOMODS5
+
+$LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \
+	$TESTOUT 2>&1 << EOMODS6
+dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
+changetype: modify
+add: description
+description: added by bjensen
+EOMODS6
+
 echo "Using ldapsearch to retrieve all the entries..."
 $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
 	    'objectClass=*' >> $SEARCHOUT 2>&1