#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# Access-control test: loads a database from $ACLCONF/$LDIFORDERED, starts
# one slapd and exercises read, selfwrite, group and add/delete/rename ACLs
# while bound as several different DNs.  Relies on the variables provided
# by the caller (BACKEND, SRCDIR, ...) and by scripts/defines.sh.

# The ldif and null backends carry no ACL support: report the skip and
# leave with status 0 so the harness does not count it as a failure.
case "$BACKEND" in
	ldif | null)
		echo "$BACKEND backend does not support access controls, test skipped"
		exit 0
		;;
esac
20
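echo "running defines.sh"
# $SRCDIR is set by the caller; defines.sh is expected to provide the tool,
# file-name and DN variables referenced by the rest of this script.
. "$SRCDIR/scripts/defines.sh"

mkdir -p "$TESTDIR" "$DBDIR1"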
25
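echo "Running slapadd to build slapd database..."
# $CONFFILTER is sourced (not executed) with the backend name as its
# argument; it rewrites the generic ACL config on stdin into $CONF1.
. "$CONFFILTER" "$BACKEND" < "$ACLCONF" > "$CONF1"
# $SLAPADD stays unquoted on purpose: the variable may carry its own flags
# and must be word-split.
$SLAPADD -f "$CONF1" -l "$LDIFORDERED"
RC=$?
if test "$RC" != 0 ; then
	echo "slapadd failed ($RC)!"
	exit "$RC"
fi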
34
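echo "Starting slapd on TCP/IP port $PORT1..."
# $SLAPD stays unquoted on purpose: the variable may carry its own flags
# and must be word-split.  Server output goes to $LOG1.
$SLAPD -f "$CONF1" -h "$URI1" -d "$LVL" > "$LOG1" 2>&1 &
PID=$!
# A non-zero WAIT pauses the test here (PID printed, waits for a line on
# stdin) so the freshly started server can be inspected before it is used.
# Defaulting an unset WAIT to 0 avoids a malformed test(1) expression.
if test "${WAIT:-0}" != 0 ; then
	echo PID $PID
	read -r foo
fi
# Space-separated list of server PIDs to signal on exit.
KILLPIDS="$PID"

sleep 1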
45
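echo "Testing slapd access control..."
# Poll the monitor entry until the server answers: up to 6 tries, 5 s apart.
# $LDAPSEARCH stays unquoted on purpose: it may carry its own flags.
for i in 0 1 2 3 4 5; do
	$LDAPSEARCH -s base -b "$MONITOR" -H "$URI1" \
		'objectclass=*' > /dev/null 2>&1
	RC=$?
	if test "$RC" = 0 ; then
		break
	fi
	echo "Waiting 5 seconds for slapd to start..."
	sleep 5
done

# RC holds the status of the last probe; non-zero means slapd never came up.
if test "$RC" != 0 ; then
	echo "ldapsearch failed ($RC)!"
	# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi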
63
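# Start this run's search log from empty.
: > "$SEARCHOUT"

echo "# Try to read an entry inside the Alumni Association container.
# It should give us noSuchObject if we're not bound..." \
>> "$SEARCHOUT"
# FIXME: temporarily remove the "No such object" message to make
# the test succeed even if SLAP_ACL_HONOR_DISCLOSE is not #define'd
# Anonymous read of jaj's entry.  $LDAPSEARCH stays unquoted on purpose:
# it may carry its own flags.
$LDAPSEARCH -b "$JAJDN" -H "$URI1" "(objectclass=*)" \
	2>&1 | grep -v "No such object" >> "$SEARCHOUT"

echo "# ... and should return all attributes if we're bound as anyone
# under Example." \
>> "$SEARCHOUT"
# Same read, this time bound as Barbara Jensen.
$LDAPSEARCH -b "$JAJDN" -H "$URI1" \
	-D "$BABSDN" -w bjensen "(objectclass=*)" >> "$SEARCHOUT" 2>&1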
79
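# ITS#4253, ITS#4255
# Read "cn" from three entries, first bound as Barbara Jensen and then as
# Bjorn Jensen.  Which reads are answered depends on the exact/regex attrval
# clauses in the ACL config; the outcome is checked against the reference
# output at the end of the test rather than here.
# $LDAPSEARCH stays unquoted on purpose: it may carry its own flags.
echo "# Checking exact/regex attrval clause" >> "$SEARCHOUT"
$LDAPSEARCH -H "$URI1" \
	-D "$BABSDN" -w bjensen \
	-b "$MELLIOTDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1
$LDAPSEARCH -H "$URI1" \
	-D "$BJORNSDN" -w bjorn \
	-b "$MELLIOTDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1

$LDAPSEARCH -H "$URI1" \
	-D "$BABSDN" -w bjensen \
	-b "$JOHNDDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1
$LDAPSEARCH -H "$URI1" \
	-D "$BJORNSDN" -w bjorn \
	-b "$JOHNDDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1

$LDAPSEARCH -H "$URI1" \
	-D "$BABSDN" -w bjensen \
	-b "$BJORNSDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1
$LDAPSEARCH -H "$URI1" \
	-D "$BJORNSDN" -w bjorn \
	-b "$BABSDN" -s base "(objectclass=*)" cn >> "$SEARCHOUT" 2>&1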
102
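# check selfwrite access (ITS#4587).  6 attempts are made:
# 1) delete someone else (should fail)
# 2) delete self (should succeed)
# 3) add someone else (should fail)
# 4) add someone else and self (should fail)
# 5) add self and someone else (should fail)
# 6) add self (should succeed)
#
# Attempt 1: bound as jaj, remove Babs from "All Staff".
# $LDAPMODIFY stays unquoted on purpose: it may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: $BABSDN
EOMODS
RC=$?
# ldapmodify exits with the LDAP result code: 50 (insufficientAccessRights)
# is the expected outcome; 0 means the ACL did not deny the change.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac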
133
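# Selfwrite attempt 2: bound as jaj, remove jaj's own DN from "All Staff"
# (should succeed).  $LDAPMODIFY stays unquoted: it may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: $JAJDN
EOMODS
RC=$?
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi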
147
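# Selfwrite attempt 3: bound as jaj, add a foreign DN to "All Staff"
# (should fail).  $LDAPMODIFY stays unquoted: it may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: cn=Foo,ou=Bar
EOMODS
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac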
170
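# Selfwrite attempt 4: add a foreign DN followed by jaj's own DN in one
# modification (should fail as a whole).  $LDAPMODIFY stays unquoted: it
# may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: cn=Foo,ou=Bar
member: $JAJDN
EOMODS
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac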
194
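# Selfwrite attempt 5: same as attempt 4 with the values swapped, so the
# own DN comes first (should still fail).  $LDAPMODIFY stays unquoted: it
# may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: $JAJDN
member: cn=Foo,ou=Bar
EOMODS
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac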
218
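# Selfwrite attempt 6: bound as jaj, add only jaj's own DN back to
# "All Staff" (should succeed).  $LDAPMODIFY stays unquoted: it may carry
# its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS
dn: cn=All Staff,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: $JAJDN
EOMODS
RC=$?
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi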
232
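#
# Check group access. Try to modify Babs' entry. Two attempts:
# 1) bound as "James A Jones 1" - should fail
# 2) bound as "Bjorn Jensen" - should succeed

# Attempt 1: jaj replaces Babs' "drink" value.
# $LDAPMODIFY stays unquoted on purpose: it may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS5
dn: $BABSDN
changetype: modify
replace: drink
drink: wine
EOMODS5
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac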
260
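# Group-access attempt 2: Bjorn adds a "homephone" value to Babs' entry
# (should succeed).  $LDAPMODIFY stays unquoted: it may carry its own flags.
$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
	"$TESTOUT" 2>&1 << EOMODS6
dn: $BABSDN
changetype: modify
add: homephone
homephone: +1 313 555 5444
EOMODS6
RC=$?
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
0)
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac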
278
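#
# Try to add a "member" attribute to the "ITD Staff" group.  It should
# fail when we add some DN other than our own, and should succeed when
# we add our own DN.
#
# First attempt: bound as jaj, add Barbara Jensen's DN (not our own).
# $LDAPMODIFY stays unquoted on purpose: it may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS1
version: 1
dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: uniquemember
uniquemember: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
EOMODS1
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac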
307
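# Second attempt: bound as jaj, add jaj's own DN to "ITD Staff"
# (should succeed).  $LDAPMODIFY stays unquoted: it may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS2
version: 1

dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: uniquemember
uniquemember: cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com
EOMODS2
RC=$?
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
0)
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac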
327
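#
# Try to modify the "ITD Staff" group.  Two attempts are made:
# 1) bound as "James A Jones 1" - should fail
# 2) bound as "Bjorn Jensen" - should succeed
#
# Attempt 1: jaj removes the group's "description".
# $LDAPMODIFY stays unquoted on purpose: it may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS3

dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
changetype: modify
delete: description
EOMODS3
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac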
355
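# Attempt 2: Bjorn adds "ou: Groups" to "ITD Staff" (should succeed).  The
# LDIF is deliberately sprinkled with "#" comment lines, which ldapmodify
# must ignore.  $LDAPMODIFY stays unquoted: it may carry its own flags.
$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
	"$TESTOUT" 2>&1 << EOMODS4
# COMMENT
version: 1
# comment
dn: cn=ITD Staff, ou=Groups, dc=example, dc=com
# comment
changetype: modify
# comment
add: ou
# comment
ou: Groups
# comment
EOMODS4
RC=$?
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
0)
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac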
380
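#
# Try to modify the "Alumni Assoc Staff" group.  Two attempts are made:
# 1) bound as "James A Jones 1" - should succeed
# 2) bound as "Barbara Jensen" - should fail
# should exploit sets
#
# Attempt 1: jaj adds a "description" value.
# $LDAPMODIFY stays unquoted on purpose: it may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS5
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by jaj (should succeed)
-
EOMODS5
RC=$?
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
0)
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac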
405
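# Attempt 2: Babs adds a "description" value to "Alumni Assoc Staff"
# (should fail).  $LDAPMODIFY stays unquoted: it may carry its own flags.
$LDAPMODIFY -D "$BABSDN" -H "$URI1" -w bjensen >> \
	"$TESTOUT" 2>&1 << EOMODS6
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by bjensen (should fail)
-
EOMODS6
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac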
429
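# Bound as the manager, create the "Add & Delete" container used by the
# add/delete/rename checks that follow.  This is setup, not an ACL check:
# any failure aborts the test.  $LDAPMODIFY stays unquoted: it may carry
# its own flags.
$LDAPMODIFY -D "$MANAGERDN" -H "$URI1" -w "$PASSWD" >> \
	"$TESTOUT" 2>&1 << EOMODS7
dn: ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Add & Delete
EOMODS7
RC=$?
if test "$RC" != 0 ; then
	echo "ldapmodify failed ($RC)!"
	# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
fi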
443
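# Babs tries to add an entry under "Add & Delete" (must fail).
# $LDAPMODIFY stays unquoted on purpose: it may carry its own flags.
$LDAPMODIFY -D "$BABSDN" -H "$URI1" -w bjensen >> \
	"$TESTOUT" 2>&1 << EOMODS8
dn: cn=Added by Babs (must fail),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Babs (must fail)
sn: None
EOMODS8
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac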
467
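# Bjorn adds three entries under "Add & Delete" and then three
# "description" values to the first one; the entry and value names say
# what later steps do with them.  All of this must succeed.
# $LDAPMODIFY stays unquoted on purpose: it may carry its own flags.
$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
	"$TESTOUT" 2>&1 << EOMODS9
dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (must succeed)
sn: None

dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (will be deleted)
sn: None

dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: Added by Bjorn (will be renamed)
sn: None

dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
add: description
description: this attribute value has been added __after__entry creation
description: this attribute value will be deleted by Babs (must succeed)
description: Bjorn will try to delete this attribute value (should fail)
-
EOMODS9
RC=$?
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
0)
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac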
506
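# Bjorn tries to delete an entry he created (must fail: add rights do not
# imply delete rights).  $LDAPMODIFY stays unquoted: it may carry its own
# flags.
$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
	"$TESTOUT" 2>&1 << EOMODS10
dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: delete
EOMODS10
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac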
527
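# Bjorn tries to rename an entry he created (must fail).
# $LDAPMODIFY stays unquoted on purpose: it may carry its own flags.
$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
	"$TESTOUT" 2>&1 << EOMODS11
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Bjorn)
deleteoldrdn: 1
EOMODS11
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac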
550
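# Babs tries the same rename (must fail).
# $LDAPMODIFY stays unquoted on purpose: it may carry its own flags.
$LDAPMODIFY -D "$BABSDN" -H "$URI1" -w bjensen >> \
	"$TESTOUT" 2>&1 << EOMODS12
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Babs)
deleteoldrdn: 1
EOMODS12
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac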
573
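# jaj performs the rename (must succeed).  $LDAPMODIFY stays unquoted on
# purpose: it may carry its own flags.
$LDAPMODIFY -D "$JAJDN" -H "$URI1" -w jaj >> \
	"$TESTOUT" 2>&1 << EOMODS13
dn: cn=Added by Bjorn (will be renamed),ou=Add & Delete,dc=example,dc=com
changetype: modrdn
newrdn: cn=Added by Bjorn (renamed by Jaj)
deleteoldrdn: 1
EOMODS13
RC=$?
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
0)
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac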
591
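# Bjorn tries to remove one of the "description" values he added earlier
# (must fail).  $LDAPMODIFY stays unquoted: it may carry its own flags.
$LDAPMODIFY -D "$BJORNSDN" -H "$URI1" -w bjorn >> \
	"$TESTOUT" 2>&1 << EOMODS14
dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: Bjorn will try to delete this attribute value (should fail)
-
EOMODS14
RC=$?
# 50 (insufficientAccessRights) is the expected LDAP result code.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	# exit status must be 0-255; "exit -1" is rejected by some shells
	exit 1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac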
615
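# Babs deletes the "(will be deleted)" entry and removes one "description"
# value from the "(must succeed)" entry; both must succeed.
# $LDAPMODIFY stays unquoted on purpose: it may carry its own flags.
$LDAPMODIFY -D "$BABSDN" -H "$URI1" -w bjensen >> \
	"$TESTOUT" 2>&1 << EOMODS15
dn: cn=Added by Bjorn (will be deleted),ou=Add & Delete,dc=example,dc=com
changetype: delete

dn: cn=Added by Bjorn (must succeed),ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: this attribute value will be deleted by Babs (must succeed)
-
EOMODS15
RC=$?
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
case $RC in
0)
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
	exit "$RC"
	;;
esac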
637
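echo "Using ldapsearch to retrieve all the entries..."
echo "# Using ldapsearch to retrieve all the entries..." >> "$SEARCHOUT"
# Dump the whole tree (sorted, -S "") into the search log; the result is
# compared with the reference output below.  $LDAPSEARCH stays unquoted on
# purpose: it may carry its own flags.
$LDAPSEARCH -S "" -b "$BASEDN" -H "$URI1" \
	'objectClass=*' >> "$SEARCHOUT" 2>&1
RC=$?
# The server is not needed any more: stop it before evaluating the result.
# KILLPIDS is a space-separated PID list and must stay unquoted (SC2086).
test "$KILLSERVERS" != no && kill -HUP $KILLPIDS
if test "$RC" != 0 ; then
	echo "ldapsearch failed ($RC)!"
	exit "$RC"
fi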
648
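# Reference output to compare the final search against.
LDIF=$ACLOUTPROVIDER

echo "Filtering ldapsearch results..."
$LDIFFILTER < "$SEARCHOUT" > "$SEARCHFLT"
# NOTE(review): despite the message below, $LDIF is the expected output,
# not the LDIF the database was loaded from ($LDIFORDERED).
echo "Filtering original ldif used to create database..."
$LDIFFILTER < "$LDIF" > "$LDIFFLT"
echo "Comparing filter output..."
$CMP "$SEARCHFLT" "$LDIFFLT" > "$CMPOUT"
RC=$?

if test "$RC" != 0 ; then
	echo "comparison failed - operations did not complete correctly"
	exit 1
fi

echo ">>>>> Test succeeded"

# Wait for the server signalled earlier to exit before leaving.
test "$KILLSERVERS" != no && wait

exit 0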
668