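#! /bin/sh
# $OpenLDAP: pkg/ldap/tests/scripts/test006-acls,v 1.59.2.5 2008/02/11 23:26:51 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2008 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

#
# test006-acls: exercise slapd access control (ACLs).
#
# Builds a database from the ACL test configuration ($ACLCONF) and the
# ordered test LDIF, starts slapd, then runs searches and modifications
# bound as several test users.  Every ldapmodify below is classified up
# front as one the ACLs must allow (exit status 0) or one they must deny
# (exit status 50, LDAP insufficientAccessRights); any other outcome
# aborts the test.  Finally the whole tree is dumped with ldapsearch and,
# after filtering, compared against $ACLOUTMASTER.
#
# Globals: BACKEND selects the backend; SRCDIR locates scripts/defines.sh,
# which supplies every other variable used here (tool paths, host/port,
# test DNs, output file names, KILLSERVERS, WAIT, ...).
#
# Exit status: 0 on success, otherwise the status of the tool that failed
# (or 1 when an operation the ACLs should have denied went through).
#

case "$BACKEND" in
bdb|hdb)
	;;
*)
	echo "Test does not support $BACKEND backend"
	exit 0
esac

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

#######################################
# Stop the test slapd (unless KILLSERVERS=no) and exit the script.
# Globals:   KILLSERVERS (read), KILLPIDS (read)
# Arguments: $1 - exit status
#######################################
stop_and_exit() {
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit "$1"
}

#######################################
# Check the status of an ldapmodify that the ACLs must deny.
# 50 (insufficientAccessRights) is the expected status.  0 means the ACL
# did not block the operation -- a genuine access-control failure, reported
# with its own message so it is not mistaken for a tooling problem.  Any
# other status is an unrelated failure and is propagated unchanged.
# Arguments: $1 - ldapmodify exit status
#######################################
expect_denied() {
	case "$1" in
	50)
		;;
	0)
		echo "ldapmodify should have failed ($1)!"
		# Formerly 'exit -1', which is not a valid POSIX exit status
		# (dash rejects it, bash turns it into 255); use 1.
		stop_and_exit 1
		;;
	*)
		echo "ldapmodify failed ($1)!"
		stop_and_exit "$1"
		;;
	esac
}

#######################################
# Check the status of an ldapmodify that the ACLs must allow.
# Arguments: $1 - ldapmodify exit status
#######################################
expect_allowed() {
	if test "$1" != 0 ; then
		echo "ldapmodify failed ($1)!"
		stop_and_exit "$1"
	fi
}

#######################################
# Run ldapmodify against the test server bound as the given user, reading
# the LDIF change records from stdin (a here-document at the call site).
# Output is appended to $TESTOUT; the ldapmodify status is returned.
# The bind password goes on the command line (-w) and is therefore visible
# in the process list; that is acceptable here only because these are
# fixed fixture credentials for a throw-away test directory.
# Arguments: $1 - bind DN, $2 - bind password
#######################################
modify_as() {
	$LDAPMODIFY -D "$1" -h $LOCALHOST -p $PORT1 -w "$2" >> \
		"$TESTOUT" 2>&1
}

#######################################
# Base-scoped search for the cn of one entry, bound as the given user,
# appended to $SEARCHOUT.  Used by the ITS#4253 / ITS#4255 checks, where
# what is verified is which cn values each user is allowed to read.
# Arguments: $1 - bind DN, $2 - bind password, $3 - DN of the entry to read
#######################################
search_cn_as() {
	$LDAPSEARCH -h $LOCALHOST -p $PORT1 \
		-D "$1" -w "$2" \
		-b "$3" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1
}

mkdir -p "$TESTDIR" "$DBDIR1"

echo "Running slapadd to build slapd database..."
# $CONFFILTER is sourced with arguments: it rewrites the template
# configuration for the selected backend and monitor setting.
. $CONFFILTER $BACKEND $MONITORDB < "$ACLCONF" > "$CONF1"
$SLAPADD -f "$CONF1" -l "$LDIFORDERED"
RC=$?
if test "$RC" != 0 ; then
	echo "slapadd failed ($RC)!"
	exit "$RC"
fi

echo "Starting slapd on TCP/IP port $PORT1..."
# $TIMING is deliberately left unquoted: it is either empty or holds
# additional slapd options.
$SLAPD -f "$CONF1" -h "$URI1" -d $LVL $TIMING > "$LOG1" 2>&1 &
PID=$!
if test $WAIT != 0 ; then
	# Pause so a debugger can be attached to the server before the
	# test proceeds.
	echo PID $PID
	read foo
fi
KILLPIDS="$PID"

sleep 1

echo "Testing slapd access control..."
# Poll the monitor entry until slapd accepts connections (up to 6 tries,
# 5 seconds apart).
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test "$RC" = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

if test "$RC" != 0 ; then
	echo "ldapsearch failed ($RC)!"
	stop_and_exit "$RC"
fi

: > "$SEARCHOUT"

echo "# Try to read an entry inside the Alumni Association container.
# It should give us noSuchObject if we're not bound..." \
>> "$SEARCHOUT"
# FIXME: temporarily remove the "No such object" message to make
# the test succeed even if SLAP_ACL_HONOR_DISCLOSE is not #define'd
# The exit status of this anonymous search is intentionally not checked:
# what is verified is its (filtered) output, compared against the master
# file at the end of the test.
$LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 "(objectclass=*)" \
	2>&1 | grep -v "^No such object" >> "$SEARCHOUT"

echo "# ... and should return all attributes if we're bound as anyone
# under Example." \
>> "$SEARCHOUT"
$LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 \
	-D "$BABSDN" -w bjensen "(objectclass=*)" >> "$SEARCHOUT" 2>&1

# ITS#4253, ITS#4255
echo "# Checking exact/regex attrval clause" >> "$SEARCHOUT"
search_cn_as "$BABSDN" bjensen "$MELLIOTDN"
search_cn_as "$BJORNSDN" bjorn "$MELLIOTDN"

search_cn_as "$BABSDN" bjensen "$JOHNDDN"
search_cn_as "$BJORNSDN" bjorn "$JOHNDDN"

search_cn_as "$BABSDN" bjensen "$BJORNSDN"
search_cn_as "$BJORNSDN" bjorn "$BABSDN"

# check selfwrite access (ITS#4587). 6 attempts are made:
# 1) delete someone else (should fail)
# 2) delete self (should succeed)
# 3) add someone else (should fail)
# 4) add someone else and self (should fail)
# 5) add self and someone else (should fail)
# 6) add self (should succeed)
#
modify_as "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: $BABSDN
EOMODS
expect_denied $?

modify_as "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: $JAJDN
EOMODS
expect_allowed $?

modify_as "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: cn=Foo,ou=Bar
EOMODS
expect_denied $?

modify_as "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: cn=Foo,ou=Bar
member: $JAJDN
EOMODS
expect_denied $?

modify_as "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: $JAJDN
member: cn=Foo,ou=Bar
EOMODS
expect_denied $?

modify_as "$JAJDN" jaj << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: $JAJDN
EOMODS
expect_allowed $?

#
# Check group access. Try to modify Babs' entry. Two attempts:
# 1) bound as "James A Jones 1" - should fail
# 2) bound as "Bjorn Jensen" - should succeed

modify_as "$JAJDN" jaj << EOMODS5
dn: $BABSDN
changetype: modify
replace: drink
drink: wine
EOMODS5
expect_denied $?

modify_as "$BJORNSDN" bjorn << EOMODS6
dn: $BABSDN
changetype: modify
add: homephone
homephone: +1 313 555 5444
EOMODS6
expect_allowed $?

#
# Try to add a "member" attribute to the "ITD Staff" group. It should
# fail when we add some DN other than our own, and should succeed when
# we add our own DN.
# bjensen
# Earlier revisions truncated $TESTOUT at this point ('>' instead of
# '>>'), discarding the log of every previous step; modify_as appends,
# so the whole run stays available for diagnosis.
modify_as "$JAJDN" jaj << EOMODS1
version: 1
dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: uniquemember
uniquemember: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
EOMODS1
expect_denied $?

modify_as "$JAJDN" jaj << EOMODS2
version: 1

dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: uniquemember
uniquemember: cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com
EOMODS2
expect_allowed $?

#
# Try to modify the "ITD Staff" group. Two attempts are made:
# 1) bound as "James A Jones 1" - should fail
# 2) bound as "Bjorn Jensen" - should succeed
#
modify_as "$JAJDN" jaj << EOMODS3

dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
delete: description
EOMODS3
expect_denied $?

# The LDIF comment lines below are part of the input on purpose: they
# check that ldapmodify skips them.
modify_as "$BJORNSDN" bjorn << EOMODS4
# COMMENT
version: 1
# comment
dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
# comment
changetype: modify
# comment
add: ou
# comment
ou: Groups
# comment
EOMODS4
expect_allowed $?

#
# Try to modify the "ITD Staff" group. Two attempts are made:
# 1) bound as "James A Jones 1" - should succeed
# 2) bound as "Barbara Jensen" - should fail
# should exploit sets
#
modify_as "$JAJDN" jaj << EOMODS5
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by jaj (should succeed)
-
EOMODS5
expect_allowed $?

modify_as "$BABSDN" bjensen << EOMODS6
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by bjensen (should fail)
-
EOMODS6
expect_denied $?

# Set up a container for the add/delete/rename checks; the manager
# identity is used only for this bootstrap step.
modify_as "$MANAGERDN" "$PASSWD" << EOMODS7
dn: ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Add & Delete
EOMODS7
expect_allowed $?

modify_as "$BABSDN" bjensen << EOMODS8
dn: cn=Added by Babs (must fail),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Babs (must fail)
sn: None
EOMODS8
expect_denied $?

modify_as "$BJORNSDN" bjorn << EOMODS9
dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (must succeed)
sn: None

dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (will be deleted)
sn: None

dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (will be renamed)
sn: None

dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
add: description
description: this attribute value has been added __after__entry creation
description: this attribute value will be deleted by Babs (must succeed)
description: Bjorn will try to delete this attribute value (should fail)
-
EOMODS9
expect_allowed $?

modify_as "$BJORNSDN" bjorn << EOMODS10
dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: delete
EOMODS10
expect_denied $?

modify_as "$BJORNSDN" bjorn << EOMODS11
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Bjorn)
deleteoldrdn: 1
EOMODS11
expect_denied $?

modify_as "$BABSDN" bjensen << EOMODS12
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Babs)
deleteoldrdn: 1
EOMODS12
expect_denied $?

modify_as "$JAJDN" jaj << EOMODS13
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Jaj)
deleteoldrdn: 1
EOMODS13
expect_allowed $?

modify_as "$BJORNSDN" bjorn << EOMODS14
dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: Bjorn will try to delete this attribute value (should fail)
-
EOMODS14
expect_denied $?

modify_as "$BABSDN" bjensen << EOMODS15
dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: delete

dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: this attribute value will be deleted by Babs (must succeed)
-
EOMODS15
expect_allowed $?

echo "Using ldapsearch to retrieve all the entries..."
echo "# Using ldapsearch to retrieve all the entries..." >> "$SEARCHOUT"
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
	'objectClass=*' >> "$SEARCHOUT" 2>&1
RC=$?
# The server is no longer needed; stop it before deciding the outcome.
test $KILLSERVERS != no && kill -HUP $KILLPIDS
if test "$RC" != 0 ; then
	echo "ldapsearch failed ($RC)!"
	exit "$RC"
fi

LDIF=$ACLOUTMASTER

echo "Filtering ldapsearch results..."
. $LDIFFILTER < "$SEARCHOUT" > "$SEARCHFLT"
echo "Filtering original ldif used to create database..."
. $LDIFFILTER < "$LDIF" > "$LDIFFLT"
echo "Comparing filter output..."
$CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT"
RC=$?

if test "$RC" != 0 ; then
	echo "comparison failed - operations did not complete correctly"
	exit 1
fi

echo ">>>>> Test succeeded"

# Reap the server process so its exit is recorded before we return.
test $KILLSERVERS != no && wait

exit 0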