1#! /bin/sh 2# OpenLDAP: pkg/ldap/tests/scripts/test006-acls,v 1.59.2.9 2010/04/19 19:14:33 quanah Exp 3## This work is part of OpenLDAP Software <http://www.openldap.org/>. 4## 5## Copyright 1998-2010 The OpenLDAP Foundation. 6## All rights reserved. 7## 8## Redistribution and use in source and binary forms, with or without 9## modification, are permitted only as authorized by the OpenLDAP 10## Public License. 11## 12## A copy of this license is available in the file LICENSE in the 13## top-level directory of the distribution or, alternatively, at 14## <http://www.OpenLDAP.org/license.html>. 15 16case "$BACKEND" in ldif | null) 17 echo "$BACKEND backend does not support access controls, test skipped" 18 exit 0 19esac 20 21echo "running defines.sh" 22. $SRCDIR/scripts/defines.sh 23 24mkdir -p $TESTDIR $DBDIR1 25 26echo "Running slapadd to build slapd database..." 27. $CONFFILTER $BACKEND $MONITORDB < $ACLCONF > $CONF1 28$SLAPADD -f $CONF1 -l $LDIFORDERED 29RC=$? 30if test $RC != 0 ; then 31 echo "slapadd failed ($RC)!" 32 exit $RC 33fi 34 35echo "Starting slapd on TCP/IP port $PORT1..." 36$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 & 37PID=$! 38if test $WAIT != 0 ; then 39 echo PID $PID 40 read foo 41fi 42KILLPIDS="$PID" 43 44sleep 1 45 46echo "Testing slapd access control..." 47for i in 0 1 2 3 4 5; do 48 $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \ 49 'objectclass=*' > /dev/null 2>&1 50 RC=$? 51 if test $RC = 0 ; then 52 break 53 fi 54 echo "Waiting 5 seconds for slapd to start..." 55 sleep 5 56done 57 58if test $RC != 0 ; then 59 echo "ldapsearch failed ($RC)!" 60 test $KILLSERVERS != no && kill -HUP $KILLPIDS 61 exit $RC 62fi 63 64cat /dev/null > $SEARCHOUT 65 66echo "# Try to read an entry inside the Alumni Association container. 67# It should give us noSuchObject if we're not bound..." \ 68>> $SEARCHOUT 69# FIXME: temporarily remove the "No such object" message to make 70# the test succeed even if SLAP_ACL_HONOR_DISCLOSE is not #define'd 71$LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 "(objectclass=*)" \ 72 2>&1 | grep -v "^No such object" >> $SEARCHOUT 73 74echo "# ... and should return all attributes if we're bound as anyone 75# under Example." \ 76>> $SEARCHOUT 77$LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 \ 78 -D "$BABSDN" -w bjensen "(objectclass=*)" >> $SEARCHOUT 2>&1 79 80# ITS#4253, ITS#4255 81echo "# Checking exact/regex attrval clause" >> $SEARCHOUT 82$LDAPSEARCH -h $LOCALHOST -p $PORT1 \ 83 -D "$BABSDN" -w bjensen \ 84 -b "$MELLIOTDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1 85$LDAPSEARCH -h $LOCALHOST -p $PORT1 \ 86 -D "$BJORNSDN" -w bjorn \ 87 -b "$MELLIOTDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1 88 89$LDAPSEARCH -h $LOCALHOST -p $PORT1 \ 90 -D "$BABSDN" -w bjensen \ 91 -b "$JOHNDDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1 92$LDAPSEARCH -h $LOCALHOST -p $PORT1 \ 93 -D "$BJORNSDN" -w bjorn \ 94 -b "$JOHNDDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1 95 96$LDAPSEARCH -h $LOCALHOST -p $PORT1 \ 97 -D "$BABSDN" -w bjensen \ 98 -b "$BJORNSDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1 99$LDAPSEARCH -h $LOCALHOST -p $PORT1 \ 100 -D "$BJORNSDN" -w bjorn \ 101 -b "$BABSDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1 102 103# check selfwrite access (ITS#4587). 6 attempts are made: 104# 1) delete someone else (should fail) 105# 2) delete self (should succeed) 106# 3) add someone else (should fail) 107# 4) add someone else and self (should fail) 108# 5) add self and someone else (should fail) 109# 6) add self (should succeed) 110# 111$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 112 $TESTOUT 2>&1 << EOMODS 113dn: cn=All Staff,ou=Groups,dc=example,dc=com 114changetype: modify 115delete: member 116member: $BABSDN 117EOMODS 118RC=$? 119case $RC in 12050) 121 ;; 1220) 123 echo "ldapmodify should have failed ($RC)!" 124 test $KILLSERVERS != no && kill -HUP $KILLPIDS 125 exit -1 126 ;; 127*) 128 echo "ldapmodify failed ($RC)!" 129 test $KILLSERVERS != no && kill -HUP $KILLPIDS 130 exit $RC 131 ;; 132esac 133 134$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 135 $TESTOUT 2>&1 << EOMODS 136dn: cn=All Staff,ou=Groups,dc=example,dc=com 137changetype: modify 138delete: member 139member: $JAJDN 140EOMODS 141RC=$? 142if test $RC != 0 ; then 143 echo "ldapmodify failed ($RC)!" 144 test $KILLSERVERS != no && kill -HUP $KILLPIDS 145 exit $RC 146fi 147 148$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 149 $TESTOUT 2>&1 << EOMODS 150dn: cn=All Staff,ou=Groups,dc=example,dc=com 151changetype: modify 152add: member 153member: cn=Foo,ou=Bar 154EOMODS 155RC=$? 156case $RC in 15750) 158 ;; 1590) 160 echo "ldapmodify should have failed ($RC)!" 161 test $KILLSERVERS != no && kill -HUP $KILLPIDS 162 exit -1 163 ;; 164*) 165 echo "ldapmodify failed ($RC)!" 166 test $KILLSERVERS != no && kill -HUP $KILLPIDS 167 exit $RC 168 ;; 169esac 170 171$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 172 $TESTOUT 2>&1 << EOMODS 173dn: cn=All Staff,ou=Groups,dc=example,dc=com 174changetype: modify 175add: member 176member: cn=Foo,ou=Bar 177member: $JAJDN 178EOMODS 179RC=$? 180case $RC in 18150) 182 ;; 1830) 184 echo "ldapmodify should have failed ($RC)!" 185 test $KILLSERVERS != no && kill -HUP $KILLPIDS 186 exit -1 187 ;; 188*) 189 echo "ldapmodify failed ($RC)!" 190 test $KILLSERVERS != no && kill -HUP $KILLPIDS 191 exit $RC 192 ;; 193esac 194 195$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 196 $TESTOUT 2>&1 << EOMODS 197dn: cn=All Staff,ou=Groups,dc=example,dc=com 198changetype: modify 199add: member 200member: $JAJDN 201member: cn=Foo,ou=Bar 202EOMODS 203RC=$? 204case $RC in 20550) 206 ;; 2070) 208 echo "ldapmodify should have failed ($RC)!" 209 test $KILLSERVERS != no && kill -HUP $KILLPIDS 210 exit -1 211 ;; 212*) 213 echo "ldapmodify failed ($RC)!" 214 test $KILLSERVERS != no && kill -HUP $KILLPIDS 215 exit $RC 216 ;; 217esac 218 219$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 220 $TESTOUT 2>&1 << EOMODS 221dn: cn=All Staff,ou=Groups,dc=example,dc=com 222changetype: modify 223add: member 224member: $JAJDN 225EOMODS 226RC=$? 227if test $RC != 0 ; then 228 echo "ldapmodify failed ($RC)!" 229 test $KILLSERVERS != no && kill -HUP $KILLPIDS 230 exit $RC 231fi 232 233# 234# Check group access. Try to modify Babs' entry. Two attempts: 235# 1) bound as "James A Jones 1" - should fail 236# 2) bound as "Bjorn Jensen" - should succeed 237 238$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 239 $TESTOUT 2>&1 << EOMODS5 240dn: $BABSDN 241changetype: modify 242replace: drink 243drink: wine 244EOMODS5 245RC=$? 246case $RC in 24750) 248 ;; 2490) 250 echo "ldapmodify should have failed ($RC)!" 251 test $KILLSERVERS != no && kill -HUP $KILLPIDS 252 exit -1 253 ;; 254*) 255 echo "ldapmodify failed ($RC)!" 256 test $KILLSERVERS != no && kill -HUP $KILLPIDS 257 exit $RC 258 ;; 259esac 260 261$LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \ 262 $TESTOUT 2>&1 << EOMODS6 263dn: $BABSDN 264changetype: modify 265add: homephone 266homephone: +1 313 555 5444 267EOMODS6 268RC=$? 269case $RC in 2700) 271 ;; 272*) 273 echo "ldapmodify failed ($RC)!" 274 test $KILLSERVERS != no && kill -HUP $KILLPIDS 275 exit $RC 276 ;; 277esac 278 279# 280# Try to add a "member" attribute to the "ITD Staff" group. It should 281# fail when we add some DN other than our own, and should succeed when 282# we add our own DN. 283# bjensen 284$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 285 $TESTOUT 2>&1 << EOMODS1 286version: 1 287dn: cn=ITD Staff, ou=Groups, dc=example, dc=com 288changetype: modify 289add: uniquemember 290uniquemember: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com 291EOMODS1 292RC=$? 293case $RC in 29450) 295 ;; 2960) 297 echo "ldapmodify should have failed ($RC)!" 298 test $KILLSERVERS != no && kill -HUP $KILLPIDS 299 exit -1 300 ;; 301*) 302 echo "ldapmodify failed ($RC)!" 303 test $KILLSERVERS != no && kill -HUP $KILLPIDS 304 exit $RC 305 ;; 306esac 307 308$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 309 $TESTOUT 2>&1 << EOMODS2 310version: 1 311 312dn: cn=ITD Staff, ou=Groups, dc=example, dc=com 313changetype: modify 314add: uniquemember 315uniquemember: cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com 316EOMODS2 317RC=$? 318case $RC in 3190) 320 ;; 321*) 322 echo "ldapmodify failed ($RC)!" 323 test $KILLSERVERS != no && kill -HUP $KILLPIDS 324 exit $RC 325 ;; 326esac 327 328# 329# Try to modify the "ITD Staff" group. Two attempts are made: 330# 1) bound as "James A Jones 1" - should fail 331# 2) bound as "Bjorn Jensen" - should succeed 332# 333$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 334 $TESTOUT 2>&1 << EOMODS3 335 336dn: cn=ITD Staff, ou=Groups, dc=example, dc=com 337changetype: modify 338delete: description 339EOMODS3 340RC=$? 341case $RC in 34250) 343 ;; 3440) 345 echo "ldapmodify should have failed ($RC)!" 346 test $KILLSERVERS != no && kill -HUP $KILLPIDS 347 exit -1 348 ;; 349*) 350 echo "ldapmodify failed ($RC)!" 351 test $KILLSERVERS != no && kill -HUP $KILLPIDS 352 exit $RC 353 ;; 354esac 355 356$LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \ 357 $TESTOUT 2>&1 << EOMODS4 358# COMMENT 359version: 1 360# comment 361dn: cn=ITD Staff, ou=Groups, dc=example, dc=com 362# comment 363changetype: modify 364# comment 365add: ou 366# comment 367ou: Groups 368# comment 369EOMODS4 370RC=$? 371case $RC in 3720) 373 ;; 374*) 375 echo "ldapmodify failed ($RC)!" 376 test $KILLSERVERS != no && kill -HUP $KILLPIDS 377 exit $RC 378 ;; 379esac 380 381# 382# Try to modify the "ITD Staff" group. Two attempts are made: 383# 1) bound as "James A Jones 1" - should succeed 384# 2) bound as "Barbara Jensen" - should fail 385# should exploit sets 386# 387$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 388 $TESTOUT 2>&1 << EOMODS5 389dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com 390changetype: modify 391add: description 392description: added by jaj (should succeed) 393- 394EOMODS5 395RC=$? 396case $RC in 3970) 398 ;; 399*) 400 echo "ldapmodify failed ($RC)!" 401 test $KILLSERVERS != no && kill -HUP $KILLPIDS 402 exit $RC 403 ;; 404esac 405 406$LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \ 407 $TESTOUT 2>&1 << EOMODS6 408dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com 409changetype: modify 410add: description 411description: added by bjensen (should fail) 412- 413EOMODS6 414RC=$? 415case $RC in 41650) 417 ;; 4180) 419 echo "ldapmodify should have failed ($RC)!" 420 test $KILLSERVERS != no && kill -HUP $KILLPIDS 421 exit -1 422 ;; 423*) 424 echo "ldapmodify failed ($RC)!" 425 test $KILLSERVERS != no && kill -HUP $KILLPIDS 426 exit $RC 427 ;; 428esac 429 430$LDAPMODIFY -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \ 431 $TESTOUT 2>&1 << EOMODS7 432dn: ou=Add & Delete,dc=example,dc=com 433changetype: add 434objectClass: organizationalUnit 435ou: Add & Delete 436EOMODS7 437RC=$? 438if test $RC != 0 ; then 439 echo "ldapmodify failed ($RC)!" 440 test $KILLSERVERS != no && kill -HUP $KILLPIDS 441 exit $RC 442fi 443 444$LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \ 445 $TESTOUT 2>&1 << EOMODS8 446dn: cn=Added by Babs (must fail),ou=Add & Delete,dc=example,dc=com 447changetype: add 448objectClass: inetOrgPerson 449cn: Added by Babs (must fail) 450sn: None 451EOMODS8 452RC=$? 453case $RC in 45450) 455 ;; 4560) 457 echo "ldapmodify should have failed ($RC)!" 458 test $KILLSERVERS != no && kill -HUP $KILLPIDS 459 exit -1 460 ;; 461*) 462 echo "ldapmodify failed ($RC)!" 463 test $KILLSERVERS != no && kill -HUP $KILLPIDS 464 exit $RC 465 ;; 466esac 467 468$LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \ 469 $TESTOUT 2>&1 << EOMODS9 470dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com 471changetype: add 472objectClass: inetOrgPerson 473cn: Added by Bjorn (must succeed) 474sn: None 475 476dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com 477changetype: add 478objectClass: inetOrgPerson 479cn: Added by Bjorn (will be deleted) 480sn: None 481 482dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com 483changetype: add 484objectClass: inetOrgPerson 485cn: Added by Bjorn (will be renamed) 486sn: None 487 488dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com 489changetype: modify 490add: description 491description: this attribute value has been added __after__entry creation 492description: this attribute value will be deleted by Babs (must succeed) 493description: Bjorn will try to delete this attribute value (should fail) 494- 495EOMODS9 496RC=$? 497case $RC in 4980) 499 ;; 500*) 501 echo "ldapmodify failed ($RC)!" 502 test $KILLSERVERS != no && kill -HUP $KILLPIDS 503 exit $RC 504 ;; 505esac 506 507$LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \ 508 $TESTOUT 2>&1 << EOMODS10 509dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com 510changetype: delete 511EOMODS10 512RC=$? 513case $RC in 51450) 515 ;; 5160) 517 echo "ldapmodify should have failed ($RC)!" 518 test $KILLSERVERS != no && kill -HUP $KILLPIDS 519 exit -1 520 ;; 521*) 522 echo "ldapmodify failed ($RC)!" 523 test $KILLSERVERS != no && kill -HUP $KILLPIDS 524 exit $RC 525 ;; 526esac 527 528$LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \ 529 $TESTOUT 2>&1 << EOMODS11 530dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com 531changetype: modrdn 532newrdn: cn=Added by Bjorn (renamed by Bjorn) 533deleteoldrdn: 1 534EOMODS11 535RC=$? 536case $RC in 53750) 538 ;; 5390) 540 echo "ldapmodify should have failed ($RC)!" 541 test $KILLSERVERS != no && kill -HUP $KILLPIDS 542 exit -1 543 ;; 544*) 545 echo "ldapmodify failed ($RC)!" 546 test $KILLSERVERS != no && kill -HUP $KILLPIDS 547 exit $RC 548 ;; 549esac 550 551$LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \ 552 $TESTOUT 2>&1 << EOMODS12 553dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com 554changetype: modrdn 555newrdn: cn=Added by Bjorn (renamed by Babs) 556deleteoldrdn: 1 557EOMODS12 558RC=$? 559case $RC in 56050) 561 ;; 5620) 563 echo "ldapmodify should have failed ($RC)!" 564 test $KILLSERVERS != no && kill -HUP $KILLPIDS 565 exit -1 566 ;; 567*) 568 echo "ldapmodify failed ($RC)!" 569 test $KILLSERVERS != no && kill -HUP $KILLPIDS 570 exit $RC 571 ;; 572esac 573 574$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \ 575 $TESTOUT 2>&1 << EOMODS13 576dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com 577changetype: modrdn 578newrdn: cn=Added by Bjorn (renamed by Jaj) 579deleteoldrdn: 1 580EOMODS13 581RC=$? 582case $RC in 5830) 584 ;; 585*) 586 echo "ldapmodify failed ($RC)!" 587 test $KILLSERVERS != no && kill -HUP $KILLPIDS 588 exit $RC 589 ;; 590esac 591 592$LDAPMODIFY -D "$BJORNSDN" -h $LOCALHOST -p $PORT1 -w bjorn >> \ 593 $TESTOUT 2>&1 << EOMODS14 594dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com 595changetype: modify 596delete: description 597description: Bjorn will try to delete this attribute value (should fail) 598- 599EOMODS14 600RC=$? 601case $RC in 60250) 603 ;; 6040) 605 echo "ldapmodify should have failed ($RC)!" 606 test $KILLSERVERS != no && kill -HUP $KILLPIDS 607 exit -1 608 ;; 609*) 610 echo "ldapmodify failed ($RC)!" 611 test $KILLSERVERS != no && kill -HUP $KILLPIDS 612 exit $RC 613 ;; 614esac 615 616$LDAPMODIFY -D "$BABSDN" -h $LOCALHOST -p $PORT1 -w bjensen >> \ 617 $TESTOUT 2>&1 << EOMODS15 618dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com 619changetype: delete 620 621dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com 622changetype: modify 623delete: description 624description: this attribute value will be deleted by Babs (must succeed) 625- 626EOMODS15 627RC=$? 628case $RC in 6290) 630 ;; 631*) 632 echo "ldapmodify failed ($RC)!" 633 test $KILLSERVERS != no && kill -HUP $KILLPIDS 634 exit $RC 635 ;; 636esac 637 638echo "Using ldapsearch to retrieve all the entries..." 639echo "# Using ldapsearch to retrieve all the entries..." >> $SEARCHOUT 640$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ 641 'objectClass=*' >> $SEARCHOUT 2>&1 642RC=$? 643test $KILLSERVERS != no && kill -HUP $KILLPIDS 644if test $RC != 0 ; then 645 echo "ldapsearch failed ($RC)!" 646 exit $RC 647fi 648 649LDIF=$ACLOUTMASTER 650 651echo "Filtering ldapsearch results..." 652$LDIFFILTER < $SEARCHOUT > $SEARCHFLT 653echo "Filtering original ldif used to create database..." 654$LDIFFILTER < $LDIF > $LDIFFLT 655echo "Comparing filter output..." 656$CMP $SEARCHFLT $LDIFFLT > $CMPOUT 657 658if test $? != 0 ; then 659 echo "comparison failed - operations did not complete correctly" 660 exit 1 661fi 662 663echo ">>>>> Test succeeded" 664 665test $KILLSERVERS != no && wait 666 667exit 0 668