1#! /bin/sh
2# OpenLDAP: pkg/ldap/tests/scripts/test006-acls,v 1.59.2.9 2010/04/19 19:14:33 quanah Exp
3## This work is part of OpenLDAP Software <http://www.openldap.org/>.
4##
5## Copyright 1998-2010 The OpenLDAP Foundation.
6## All rights reserved.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted only as authorized by the OpenLDAP
10## Public License.
11##
12## A copy of this license is available in the file LICENSE in the
13## top-level directory of the distribution or, alternatively, at
14## <http://www.OpenLDAP.org/license.html>.
15
# The ldif and null backends do not support access controls, so there is
# nothing here to exercise against them: announce the skip and leave with
# a success status rather than a spurious failure.
if [ "$BACKEND" = ldif ] || [ "$BACKEND" = null ]; then
	echo "$BACKEND backend does not support access controls, test skipped"
	exit 0
fi
20
# Shared test environment.  Everything used below without being defined in
# this file ($SLAPD, $LDAPSEARCH, $LDAPMODIFY, $PORT1, the fixture DNs and
# passwords, $KILLSERVERS, ...) comes from this sourced script.
echo "running defines.sh"
. "$SRCDIR/scripts/defines.sh"

# Scratch directories for this run's config, log and backend database.
mkdir -p "$TESTDIR" "$DBDIR1"
25
# Build the database offline from the ordered fixture LDIF.  The server
# config is the ACL test config ($ACLCONF) passed through the config filter
# for this backend; that config carries the access directives under test.
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND $MONITORDB < $ACLCONF > $CONF1
$SLAPADD -f "$CONF1" -l "$LDIFORDERED"
RC=$?
if [ "$RC" -ne 0 ]; then
	echo "slapadd failed ($RC)!"
	exit "$RC"
fi
34
# Start the server in the background, logging to $LOG1.  $TIMING is left
# unquoted on purpose: it may expand to nothing or to more than one word.
echo "Starting slapd on TCP/IP port $PORT1..."
$SLAPD -f "$CONF1" -h "$URI1" -d $LVL $TIMING > "$LOG1" 2>&1 &
PID=$!
# Debugging hook: with $WAIT set, print the PID and block on stdin so a
# debugger can be attached before any request is sent.
if test $WAIT != 0 ; then
	echo PID "$PID"
	read -r foo
fi
# Every failure path below HUPs the PIDs listed here before exiting.
KILLPIDS="$PID"

sleep 1
45
# Readiness probe: poll the monitor suffix anonymously until the server
# answers, at most 6 tries 5 seconds apart.  The probe is itself subject to
# the ACLs under test, so the config presumably grants this anonymous read
# of $MONITOR; if it did not, the loop could never succeed.
echo "Testing slapd access control..."
tries=0
while : ; do
	$LDAPSEARCH -s base -b "$MONITOR" -h "$LOCALHOST" -p "$PORT1" \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	[ "$RC" -eq 0 ] && break
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
	tries=$((tries + 1))
	[ "$tries" -lt 6 ] || break
done

# Give up, stopping the server, if it never came up.
if [ "$RC" -ne 0 ]; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit "$RC"
fi
63
: > "$SEARCHOUT"

# None of the reads below is checked for an exit status here.  Their output
# (error text included) is appended to $SEARCHOUT and compared against the
# master at the end of the test, so a read that was wrongly granted or
# wrongly denied shows up as a compare failure there.

echo "# Try to read an entry inside the Alumni Association container.
# It should give us noSuchObject if we're not bound..." \
>> "$SEARCHOUT"
# Anonymous read (no -D): the expected answer is noSuchObject, i.e. the
# ACL must not disclose that the entry exists to an unauthenticated client.
# FIXME: temporarily remove the "No such object" message to make
# the test succeed even if SLAP_ACL_HONOR_DISCLOSE is not #define'd
$LDAPSEARCH -b "$JAJDN" -h "$LOCALHOST" -p "$PORT1" "(objectclass=*)" \
	2>&1 | grep -v "^No such object" >> "$SEARCHOUT"

# bound_search ARGS...  -- one authenticated search against the test server
# with the given ldapsearch arguments; stdout and stderr go to $SEARCHOUT.
bound_search() {
	$LDAPSEARCH -h "$LOCALHOST" -p "$PORT1" "$@" >> "$SEARCHOUT" 2>&1
}

echo "# ... and should return all attributes if we're bound as anyone
# under Example." \
>> "$SEARCHOUT"
bound_search -D "$BABSDN" -w bjensen -b "$JAJDN" "(objectclass=*)"

# ITS#4253, ITS#4255: attrval clauses with exact vs. regex matching.  Each
# target's cn is read once as Babs and once as Bjorn; the last pair crosses
# over (Babs reads Bjorn's entry, Bjorn reads Babs').
echo "# Checking exact/regex attrval clause" >> "$SEARCHOUT"
bound_search -D "$BABSDN" -w bjensen \
	-b "$MELLIOTDN" -s base "(objectclass=*)" cn
bound_search -D "$BJORNSDN" -w bjorn \
	-b "$MELLIOTDN" -s base "(objectclass=*)" cn

bound_search -D "$BABSDN" -w bjensen \
	-b "$JOHNDDN" -s base "(objectclass=*)" cn
bound_search -D "$BJORNSDN" -w bjorn \
	-b "$JOHNDDN" -s base "(objectclass=*)" cn

bound_search -D "$BABSDN" -w bjensen \
	-b "$BJORNSDN" -s base "(objectclass=*)" cn
bound_search -D "$BJORNSDN" -w bjorn \
	-b "$BABSDN" -s base "(objectclass=*)" cn
102
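#
# Modify-based ACL checks.  Every change set below is applied with
# ldapmodify bound as one of the fixture users and its result code is
# checked strictly:
#   - a "must fail" step passes only on rc 50 (insufficientAccessRights);
#     any other non-zero rc (connection error, noSuchObject, ...) means the
#     test itself broke rather than the ACL doing its job, and rc 0 means
#     the ACL let the change through, which is the real failure;
#   - a "must succeed" step passes only on rc 0.
# A failed expectation HUPs the server (unless $KILLSERVERS is "no") and
# exits.  The "should have failed" path used to `exit -1`, which is not a
# valid exit status (POSIX allows 0-255; dash rejects the operand); it now
# exits 1.
# The -w passwords are fixtures from the test LDIF, not secrets.
#

# acl_modify DN PASSWORD  -- apply the LDIF change set on stdin bound as DN.
# stdout and stderr are appended to $TESTOUT.  Returns ldapmodify's rc.
acl_modify() {
	$LDAPMODIFY -D "$1" -h "$LOCALHOST" -p "$PORT1" -w "$2" >> "$TESTOUT" 2>&1
}

# acl_must_fail RC  -- the preceding modify had to be denied by the ACLs.
acl_must_fail() {
	case "$1" in
	50)
		;;
	0)
		echo "ldapmodify should have failed ($1)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit 1
		;;
	*)
		echo "ldapmodify failed ($1)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit "$1"
		;;
	esac
}

# acl_must_succeed RC  -- the preceding modify had to be allowed.
acl_must_succeed() {
	if test "$1" != 0 ; then
		echo "ldapmodify failed ($1)!"
		test $KILLSERVERS != no && kill -HUP $KILLPIDS
		exit "$1"
	fi
}

# check selfwrite access (ITS#4587).  6 attempts are made:
# 1) delete someone else (should fail)
# 2) delete self (should succeed)
# 3) add someone else (should fail)
# 4) add someone else and self (should fail)
# 5) add self and someone else (should fail)
# 6) add self (should succeed)
# Attempts 4 and 5 differ only in value order: selfwrite has to reject the
# whole modification when any value is not the bound DN, whichever position
# the foreign DN is in.  Attempts 2 and 6 together leave "All Staff" as it
# was, which matters for the compare against the master at the end.
#
acl_modify "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: $BABSDN
EOMODS
acl_must_fail $?

acl_modify "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: $JAJDN
EOMODS
acl_must_succeed $?

acl_modify "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: cn=Foo,ou=Bar
EOMODS
acl_must_fail $?

acl_modify "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: cn=Foo,ou=Bar
member: $JAJDN
EOMODS
acl_must_fail $?

acl_modify "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: $JAJDN
member: cn=Foo,ou=Bar
EOMODS
acl_must_fail $?

acl_modify "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: $JAJDN
EOMODS
acl_must_succeed $?

#
# Check group access. Try to modify Babs' entry. Two attempts:
# 1) bound as "James A Jones 1" - should fail
# 2) bound as "Bjorn Jensen" - should succeed
#
acl_modify "$JAJDN" jaj << EOMODS5
dn: $BABSDN
changetype: modify
replace: drink
drink: wine
EOMODS5
acl_must_fail $?

acl_modify "$BJORNSDN" bjorn << EOMODS6
dn: $BABSDN
changetype: modify
add: homephone
homephone: +1 313 555 5444
EOMODS6
acl_must_succeed $?

#
# Try to add a "member" attribute to the "ITD Staff" group.  It should
# fail when we add some DN other than our own (here: Babs' DN, bound as
# jaj), and should succeed when we add our own DN.
#
acl_modify "$JAJDN" jaj << EOMODS1
version: 1
dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: uniquemember
uniquemember: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
EOMODS1
acl_must_fail $?

acl_modify "$JAJDN" jaj << EOMODS2
version: 1

dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: uniquemember
uniquemember: cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com
EOMODS2
acl_must_succeed $?

#
# Try to modify the "ITD Staff" group.  Two attempts are made:
# 1) bound as "James A Jones 1" - should fail
# 2) bound as "Bjorn Jensen" - should succeed
# (The second change set is interleaved with LDIF comment lines, presumably
# to exercise comment handling on the way to the server.)
#
acl_modify "$JAJDN" jaj << EOMODS3

dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
delete: description
EOMODS3
acl_must_fail $?

acl_modify "$BJORNSDN" bjorn << EOMODS4
# COMMENT
version: 1
# comment
dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
# comment
changetype: modify
# comment
add: ou
# comment
ou: Groups
# comment
EOMODS4
acl_must_succeed $?

#
# Try to modify the "Alumni Assoc Staff" group.  Two attempts are made:
# 1) bound as "James A Jones 1" - should succeed
# 2) bound as "Barbara Jensen" - should fail
# This access is granted through ACL sets.
#
acl_modify "$JAJDN" jaj << EOMODS5
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by jaj (should succeed)
-
EOMODS5
acl_must_succeed $?

acl_modify "$BABSDN" bjensen << EOMODS6
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by bjensen (should fail)
-
EOMODS6
acl_must_fail $?

#
# Add, delete and rename under a fresh "ou=Add & Delete" container.  The
# container is created by the manager DN; the steps after that check that
# add, delete, rename and attribute-value-delete rights come from the ACLs
# alone: Bjorn may add entries but may neither delete nor rename what he
# just created, nor remove a description value he added; Babs may not add
# or rename but may delete the entry and the value; of the three users
# only Jaj may rename.
#
acl_modify "$MANAGERDN" "$PASSWD" << EOMODS7
dn: ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Add & Delete
EOMODS7
acl_must_succeed $?

acl_modify "$BABSDN" bjensen << EOMODS8
dn: cn=Added by Babs (must fail),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Babs (must fail)
sn: None
EOMODS8
acl_must_fail $?

acl_modify "$BJORNSDN" bjorn << EOMODS9
dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (must succeed)
sn: None

dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (will be deleted)
sn: None

dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (will be renamed)
sn: None

dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
add: description
description: this attribute value has been added __after__entry creation
description: this attribute value will be deleted by Babs (must succeed)
description: Bjorn will try to delete this attribute value (should fail)
-
EOMODS9
acl_must_succeed $?

# Creating an entry grants Bjorn no right to delete it.
acl_modify "$BJORNSDN" bjorn << EOMODS10
dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: delete
EOMODS10
acl_must_fail $?

# ... nor to rename it; Babs may not rename it either, Jaj may.
acl_modify "$BJORNSDN" bjorn << EOMODS11
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Bjorn)
deleteoldrdn: 1
EOMODS11
acl_must_fail $?

acl_modify "$BABSDN" bjensen << EOMODS12
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Babs)
deleteoldrdn: 1
EOMODS12
acl_must_fail $?

acl_modify "$JAJDN" jaj << EOMODS13
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Jaj)
deleteoldrdn: 1
EOMODS13
acl_must_succeed $?

# Bjorn added these description values but may not delete one of them.
acl_modify "$BJORNSDN" bjorn << EOMODS14
dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: Bjorn will try to delete this attribute value (should fail)
-
EOMODS14
acl_must_fail $?

# Babs may delete the entry Bjorn could not, and one description value.
acl_modify "$BABSDN" bjensen << EOMODS15
dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: delete

dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: this attribute value will be deleted by Babs (must succeed)
-
EOMODS15
acl_must_succeed $?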
637
# Dump the whole tree anonymously (no -D; -S sorts so the compare is
# stable), stop the server, then check the dump against the master file.
# Every earlier read was appended to $SEARCHOUT as well, so this one
# compare also covers what each of those was and was not allowed to see.
echo "Using ldapsearch to retrieve all the entries..."
echo "# Using ldapsearch to retrieve all the entries..." >> "$SEARCHOUT"
$LDAPSEARCH -S "" -b "$BASEDN" -h "$LOCALHOST" -p "$PORT1" \
	    'objectClass=*' >> "$SEARCHOUT" 2>&1
RC=$?
# The server is no longer needed whichever way the search went.
test $KILLSERVERS != no && kill -HUP $KILLPIDS
if [ "$RC" -ne 0 ]; then
	echo "ldapsearch failed ($RC)!"
	exit "$RC"
fi

# Expected output for this test (despite the "original ldif" wording of
# the message below, this is $ACLOUTMASTER, not the load LDIF).
LDIF=$ACLOUTMASTER

echo "Filtering ldapsearch results..."
$LDIFFILTER < "$SEARCHOUT" > "$SEARCHFLT"
echo "Filtering original ldif used to create database..."
$LDIFFILTER < "$LDIF" > "$LDIFFLT"
echo "Comparing filter output..."
if ! $CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT"; then
	echo "comparison failed - operations did not complete correctly"
	exit 1
fi

echo ">>>>> Test succeeded"

# Reap the HUPped server before leaving.
test $KILLSERVERS != no && wait

exit 0
668