
Issue 4262 - Remove legacy tools subpackage

Description:  Remove all the legacy tool scripts, libraries, and obsolete files

Relates: https://github.com/389ds/389-ds-base/issues/4262

Reviewed by: viktor & firstyear (Thanks!!)

Apply Viktor's suggestions
tags/upstream/1.4.4.8
Mark Reynolds 1 year ago
parent
commit
a2584e1dd2
100 changed files with 561 additions and 2324 deletions
  1. +10
    -371
      Makefile.am
  2. +9
    -1
      dirsrvtests/tests/suites/acl/acl_deny_test.py
  3. +16
    -7
      dirsrvtests/tests/suites/acl/acl_test.py
  4. +3
    -3
      dirsrvtests/tests/suites/acl/deladd_test.py
  5. +3
    -5
      dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py
  6. +22
    -14
      dirsrvtests/tests/suites/acl/globalgroup_part2_test.py
  7. +12
    -4
      dirsrvtests/tests/suites/acl/globalgroup_test.py
  8. +20
    -22
      dirsrvtests/tests/suites/acl/keywords_part2_test.py
  9. +11
    -11
      dirsrvtests/tests/suites/acl/keywords_test.py
  10. +26
    -17
      dirsrvtests/tests/suites/acl/misc_test.py
  11. +15
    -5
      dirsrvtests/tests/suites/acl/modify_test.py
  12. +4
    -4
      dirsrvtests/tests/suites/acl/modrdn_test.py
  13. +6
    -6
      dirsrvtests/tests/suites/acl/repeated_ldap_add_test.py
  14. +2
    -2
      dirsrvtests/tests/suites/acl/roledn_test.py
  15. +38
    -26
      dirsrvtests/tests/suites/acl/search_real_part2_test.py
  16. +28
    -17
      dirsrvtests/tests/suites/acl/search_real_part3_test.py
  17. +26
    -15
      dirsrvtests/tests/suites/acl/search_real_test.py
  18. +3
    -3
      dirsrvtests/tests/suites/acl/selfdn_permissions_test.py
  19. +27
    -29
      dirsrvtests/tests/suites/acl/syntax_test.py
  20. +3
    -3
      dirsrvtests/tests/suites/acl/userattr_test.py
  21. +11
    -0
      dirsrvtests/tests/suites/acl/valueacl_part2_test.py
  22. +12
    -1
      dirsrvtests/tests/suites/acl/valueacl_test.py
  23. +9
    -9
      dirsrvtests/tests/suites/attr_encryption/attr_encryption_test.py
  24. +2
    -3
      dirsrvtests/tests/suites/clu/dsidm_config_test.py
  25. +16
    -10
      dirsrvtests/tests/suites/cos/indirect_cos_test.py
  26. +16
    -20
      dirsrvtests/tests/suites/ds_logs/ds_logs_test.py
  27. +2
    -2
      dirsrvtests/tests/suites/export/export_test.py
  28. +1
    -1
      dirsrvtests/tests/suites/filter/basic_filter_test.py
  29. +13
    -5
      dirsrvtests/tests/suites/filter/complex_filters_test.py
  30. +3
    -3
      dirsrvtests/tests/suites/filter/filter_cert_test.py
  31. +27
    -23
      dirsrvtests/tests/suites/filter/filter_logic_test.py
  32. +4
    -7
      dirsrvtests/tests/suites/filter/filter_test.py
  33. +7
    -0
      dirsrvtests/tests/suites/filter/filter_with_non_root_user_test.py
  34. +16
    -2
      dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py
  35. +2
    -2
      dirsrvtests/tests/suites/fractional/fractional_test.py
  36. +1
    -5
      dirsrvtests/tests/suites/healthcheck/health_config_test.py
  37. +8
    -15
      dirsrvtests/tests/suites/healthcheck/health_repl_test.py
  38. +6
    -9
      dirsrvtests/tests/suites/healthcheck/health_security_test.py
  39. +11
    -13
      dirsrvtests/tests/suites/healthcheck/health_sync_test.py
  40. +10
    -12
      dirsrvtests/tests/suites/healthcheck/healthcheck_test.py
  41. +7
    -6
      dirsrvtests/tests/suites/import/regression_test.py
  42. +16
    -15
      dirsrvtests/tests/suites/memberof_plugin/regression_test.py
  43. +5
    -6
      dirsrvtests/tests/suites/paged_results/paged_results_test.py
  44. +9
    -0
      dirsrvtests/tests/suites/password/password_policy_test.py
  45. +11
    -4
      dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py
  46. +9
    -11
      dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py
  47. +1
    -1
      dirsrvtests/tests/suites/password/pwp_test.py
  48. +1
    -1
      dirsrvtests/tests/suites/password/regression_test.py
  49. +24
    -23
      dirsrvtests/tests/suites/plugins/accpol_test.py
  50. +2
    -2
      dirsrvtests/tests/suites/psearch/psearch_test.py
  51. +2
    -2
      dirsrvtests/tests/suites/replication/conflict_resolve_test.py
  52. +7
    -3
      dirsrvtests/tests/suites/roles/basic_test.py
  53. +6
    -7
      dirsrvtests/tests/suites/sasl/regression_test.py
  54. +0
    -84
      dirsrvtests/tests/suites/setup_ds/setup_ds_test.py
  55. +0
    -1
      docs/CREDITS.artwork
  56. +0
    -143
      docs/intro.md
  57. +0
    -90
      docs/job-safety.md
  58. BIN
      docs/logo-banner.png
  59. BIN
      docs/logo-banner.xcf
  60. BIN
      docs/logo-square.xcf
  61. BIN
      docs/nunc-stans-intro.dia
  62. BIN
      docs/nunc-stans-intro.png
  63. BIN
      docs/nunc-stans-job-states.dia
  64. BIN
      docs/nunc-stans-job-states.png
  65. BIN
      docs/tops_tops.xcf
  66. +0
    -214
      ldap/admin/src/makemccvlvindexes
  67. +0
    -112
      ldap/admin/src/makevlvindex
  68. +0
    -141
      ldap/admin/src/makevlvsearch
  69. +0
    -23
      ldap/admin/src/scripts/10cleanupldapi.pl
  70. +0
    -23
      ldap/admin/src/scripts/10delautodnsuffix.pl
  71. +0
    -39
      ldap/admin/src/scripts/10fixrundir.pl
  72. +0
    -74
      ldap/admin/src/scripts/20betxn.pl
  73. +0
    -16
      ldap/admin/src/scripts/50AES-pbe-plugin.ldif
  74. +0
    -21
      ldap/admin/src/scripts/50acctusabilityplugin.ldif
  75. +0
    -6
      ldap/admin/src/scripts/50addchainingsaslpwroles.ldif
  76. +0
    -15
      ldap/admin/src/scripts/50automemberplugin.ldif
  77. +0
    -14
      ldap/admin/src/scripts/50bitstringsyntaxplugin.ldif
  78. +0
    -23
      ldap/admin/src/scripts/50contentsync.ldif
  79. +0
    -14
      ldap/admin/src/scripts/50deliverymethodsyntaxplugin.ldif
  80. +0
    -16
      ldap/admin/src/scripts/50derefplugin.ldif
  81. +0
    -9
      ldap/admin/src/scripts/50disableurisyntaxplugin.ldif
  82. +0
    -14
      ldap/admin/src/scripts/50enhancedguidesyntaxplugin.ldif
  83. +0
    -7
      ldap/admin/src/scripts/50entryusnindex.ldif
  84. +0
    -14
      ldap/admin/src/scripts/50faxnumbersyntaxplugin.ldif
  85. +0
    -14
      ldap/admin/src/scripts/50faxsyntaxplugin.ldif
  86. +0
    -241
      ldap/admin/src/scripts/50fixNsState.pl
  87. +0
    -14
      ldap/admin/src/scripts/50guidesyntaxplugin.ldif
  88. +0
    -16
      ldap/admin/src/scripts/50linkedattrsplugin.ldif
  89. +0
    -16
      ldap/admin/src/scripts/50managedentriesplugin.ldif
  90. +0
    -6
      ldap/admin/src/scripts/50memberofindex.ldif
  91. +0
    -17
      ldap/admin/src/scripts/50memberofplugin.ldif
  92. +0
    -14
      ldap/admin/src/scripts/50nameuidsyntaxplugin.ldif
  93. +0
    -7
      ldap/admin/src/scripts/50nstombstonecsn.ldif
  94. +0
    -14
      ldap/admin/src/scripts/50numericstringsyntaxplugin.ldif
  95. +0
    -14
      ldap/admin/src/scripts/50printablestringsyntaxplugin.ldif
  96. +0
    -4
      ldap/admin/src/scripts/50refintprecedence.ldif
  97. +0
    -4
      ldap/admin/src/scripts/50retroclprecedence.ldif
  98. +0
    -15
      ldap/admin/src/scripts/50rootdnaccesscontrolplugin.ldif
  99. +0
    -14
      ldap/admin/src/scripts/50schemareloadplugin.ldif
  100. +0
    -13
      ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif

+ 10
- 371
Makefile.am View File

@@ -55,18 +55,6 @@ RUST_LDFLAGS =
RUST_DEFINES =
endif

if ENABLE_PERL
PERL_ON = 1
else
PERL_ON = 0
endif

if ENABLE_LEGACY
LEGACY_ON = 1
else
LEGACY_ON = 0
endif

if CLANG_ENABLE
CLANG_ON = 1
CLANG_LDFLAGS = -latomic
@@ -237,32 +225,7 @@ LIBPOSIX_WINSYNC_PLUGIN = libposix-winsync-plugin.la
endif

CLEANFILES = dberrstrs.h ns-slapd.properties \
ldap/admin/src/scripts/template-dbverify ldap/admin/src/template-initconfig \
ldap/admin/src/scripts/dscreate.map ldap/admin/src/scripts/remove-ds.pl \
ldap/admin/src/scripts/DSCreate.pm ldap/admin/src/scripts/DSMigration.pm \
ldap/admin/src/scripts/DSUpdate.pm ldap/admin/src/scripts/dsupdate.map \
ldap/admin/src/scripts/dsorgentries.map ldap/admin/src/scripts/migrate-ds.pl \
ldap/admin/src/scripts/Migration.pm ldap/admin/src/scripts/SetupDialogs.pm \
ldap/admin/src/scripts/setup-ds.pl ldap/admin/src/scripts/setup-ds.res \
ldap/admin/src/scripts/start-dirsrv ldap/admin/src/scripts/stop-dirsrv \
ldap/admin/src/scripts/restart-dirsrv ldap/admin/src/scripts/Setup.pm \
ldap/admin/src/scripts/status-dirsrv \
ldap/admin/src/scripts/template-bak2db ldap/admin/src/scripts/template-bak2db.pl \
ldap/admin/src/scripts/template-db2bak ldap/admin/src/scripts/template-db2bak.pl \
ldap/admin/src/scripts/template-db2index ldap/admin/src/scripts/template-db2index.pl \
ldap/admin/src/scripts/template-db2ldif ldap/admin/src/scripts/template-db2ldif.pl \
ldap/admin/src/scripts/template-ldif2db ldap/admin/src/scripts/template-ldif2db.pl \
ldap/admin/src/scripts/template-ldif2ldap ldap/admin/src/scripts/template-monitor \
ldap/admin/src/scripts/template-ns-accountstatus.pl ldap/admin/src/scripts/template-ns-activate.pl \
ldap/admin/src/scripts/template-ns-inactivate.pl ldap/admin/src/scripts/template-ns-newpwpolicy.pl \
ldap/admin/src/scripts/template-restart-slapd ldap/admin/src/scripts/template-restoreconfig \
ldap/admin/src/scripts/template-saveconfig ldap/admin/src/scripts/template-start-slapd \
ldap/admin/src/scripts/template-stop-slapd ldap/admin/src/scripts/template-suffix2instance \
ldap/admin/src/scripts/template-upgradedb \
ldap/admin/src/scripts/template-upgradednformat \
ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl \
ldap/admin/src/scripts/template-verify-db.pl \
ldap/admin/src/scripts/template-vlvindex ldap/admin/src/scripts/DSUtil.pm \
ldap/admin/src/template-initconfig \
ldap/ldif/template-baseacis.ldif ldap/ldif/template-bitwise.ldif ldap/ldif/template-country.ldif \
ldap/ldif/template-dnaplugin.ldif ldap/ldif/template-domain.ldif ldap/ldif/template-dse.ldif \
ldap/ldif/template-dse-minimal.ldif \
@@ -270,24 +233,7 @@ CLEANFILES = dberrstrs.h ns-slapd.properties \
ldap/ldif/template-ldapi.ldif ldap/ldif/template-locality.ldif ldap/ldif/template-org.ldif \
ldap/ldif/template-orgunit.ldif ldap/ldif/template-pampta.ldif ldap/ldif/template-sasl.ldif \
ldap/ldif/template-state.ldif ldap/ldif/template-suffix-db.ldif \
ldap/admin/src/scripts/bak2db ldap/admin/src/scripts/db2bak ldap/admin/src/scripts/upgradedb \
ldap/admin/src/scripts/db2index ldap/admin/src/scripts/db2ldif \
ldap/admin/src/scripts/dn2rdn ldap/admin/src/scripts/ldif2db \
ldap/admin/src/scripts/ldif2ldap ldap/admin/src/scripts/monitor \
ldap/admin/src/scripts/restoreconfig ldap/admin/src/scripts/saveconfig \
ldap/admin/src/scripts/suffix2instance \
ldap/admin/src/scripts/upgradednformat ldap/admin/src/scripts/vlvindex \
ldap/admin/src/scripts/bak2db.pl ldap/admin/src/scripts/db2bak.pl \
ldap/admin/src/scripts/db2index.pl ldap/admin/src/scripts/db2ldif.pl \
ldap/admin/src/scripts/fixup-linkedattrs.pl ldap/admin/src/scripts/fixup-memberof.pl \
ldap/admin/src/scripts/cleanallruv.pl ldap/admin/src/scripts/ldif2db.pl \
ldap/admin/src/scripts/ns-accountstatus.pl ldap/admin/src/scripts/ns-activate.pl \
ldap/admin/src/scripts/ns-inactivate.pl ldap/admin/src/scripts/ns-newpwpolicy.pl \
ldap/admin/src/scripts/schema-reload.pl ldap/admin/src/scripts/syntax-validate.pl \
ldap/admin/src/scripts/usn-tombstone-cleanup.pl ldap/admin/src/scripts/verify-db.pl \
ldap/admin/src/scripts/ds_selinux_port_query ldap/admin/src/scripts/ds_selinux_enabled \
ldap/admin/src/scripts/dbverify ldap/admin/src/scripts/readnsstate \
doxyfile.stamp ldap/admin/src/scripts/dbmon.sh \
doxyfile.stamp \
$(NULL)

if RUST_ENABLE
@@ -303,7 +249,7 @@ if RUST_ENABLE
endif

dberrstrs.h: Makefile
perl $(srcdir)/ldap/servers/slapd/mkDBErrStrs.pl -i @db_incdir@ -o .
$(srcdir)/ldap/servers/slapd/mkDBErrStrs.py -i @db_incdir@ -o .


#------------------------
@@ -352,14 +298,6 @@ sbin_PROGRAMS = ns-slapd ldap-agent
bin_PROGRAMS = dbscan \
ldclt \
pwdhash
if ENABLE_LEGACY
bin_PROGRAMS += \
infadd \
ldif \
migratecred \
mmldif \
rsearch
endif

# ----------------------------------------------------------------------------------------
# This odd looking definition is to keep the libraries in ORDER that they are needed. rsds
@@ -578,12 +516,6 @@ dist_noinst_HEADERS = \
ldap/servers/slapd/tools/ldclt/remote.h \
ldap/servers/slapd/tools/ldclt/scalab01.h \
ldap/servers/slapd/tools/ldclt/utils.h \
ldap/servers/slapd/tools/rsearch/addthread.h \
ldap/servers/slapd/tools/rsearch/infadd.h \
ldap/servers/slapd/tools/rsearch/nametable.h \
ldap/servers/slapd/tools/rsearch/rsearch.h \
ldap/servers/slapd/tools/rsearch/sdattable.h \
ldap/servers/slapd/tools/rsearch/searchthread.h \
ldap/servers/snmp/ldap-agent.h \
ldap/systools/pio.h \
lib/base/lexer_pvt.h \
@@ -638,11 +570,8 @@ dist_noinst_DATA = \
$(srcdir)/buildnum.py \
$(srcdir)/ldap/admin/src/*.in \
$(srcdir)/ldap/admin/src/scripts/*.in \
$(srcdir)/ldap/admin/src/scripts/*.ldif \
$(srcdir)/ldap/admin/src/scripts/*.py \
$(srcdir)/ldap/admin/src/scripts/*.sh \
$(srcdir)/ldap/admin/src/scripts/ds-replcheck \
$(srcdir)/ldap/admin/src/scripts/migrate-ds.res \
$(srcdir)/ldap/ldif/*.in \
$(srcdir)/ldap/ldif/*.ldif \
$(srcdir)/ldap/schema/*.ldif \
@@ -666,10 +595,7 @@ dist_noinst_DATA = \
if ENABLE_PERL
dist_noinst_DATA += \
$(srcdir)/ldap/admin/src/*.pl \
$(srcdir)/ldap/admin/src/scripts/*.pl \
$(srcdir)/ldap/admin/src/scripts/*.pm \
$(srcdir)/ldap/servers/slapd/mkDBErrStrs.pl \
$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen*
$(srcdir)/ldap/servers/slapd/mkDBErrStrs.py
endif

#------------------------
@@ -688,8 +614,7 @@ endif
# with the default schema e.g. there is
# considerable overlap of 60changelog.ldif and 01common.ldif
# and 60inetmail.ldif and 50ns-mail.ldif among others
sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \
$(srcdir)/ldap/ldif/Ace.ldif \
sampledata_DATA = $(srcdir)/ldap/ldif/Ace.ldif \
$(srcdir)/ldap/ldif/European.ldif \
$(srcdir)/ldap/ldif/Eurosuffix.ldif \
$(srcdir)/ldap/ldif/Example.ldif \
@@ -710,10 +635,7 @@ sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \
ldap/ldif/template-orgunit.ldif \
ldap/ldif/template-baseacis.ldif \
ldap/ldif/template-sasl.ldif \
$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen-FamilyNames \
$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen-GivenNames \
$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen-OrgUnits \
$(srcdir)/ldap/schema/10rfc2307.ldif \
$(srcdir)/ldap/schema/10rfc2307compat.ldif \
$(srcdir)/ldap/schema/10rfc2307bis.ldif \
$(srcdir)/ldap/schema/60changelog.ldif \
$(srcdir)/ldap/schema/60inetmail.ldif \
@@ -726,6 +648,9 @@ sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \
$(srcdir)/ldap/schema/60samba.ldif \
$(srcdir)/ldap/schema/60sendmail.ldif \
$(srcdir)/ldap/schema/dsee.schema \
$(srcdir)/src/lib389/lib389/cli_ctl/dbgen-FamilyNames \
$(srcdir)/src/lib389/lib389/cli_ctl/dbgen-GivenNames \
$(srcdir)/src/lib389/lib389/cli_ctl/dbgen-OrgUnits \
$(LIBPRESENCE_SCHEMA)

systemschema_DATA = $(srcdir)/ldap/schema/00core.ldif \
@@ -790,61 +715,8 @@ install-data-hook:
endif

sbin_SCRIPTS =
if ENABLE_PERL
sbin_SCRIPTS += ldap/admin/src/scripts/setup-ds.pl \
ldap/admin/src/scripts/migrate-ds.pl \
ldap/admin/src/scripts/remove-ds.pl \
ldap/admin/src/scripts/bak2db.pl \
ldap/admin/src/scripts/db2bak.pl \
ldap/admin/src/scripts/db2index.pl \
ldap/admin/src/scripts/db2ldif.pl \
ldap/admin/src/scripts/fixup-linkedattrs.pl \
ldap/admin/src/scripts/fixup-memberof.pl \
ldap/admin/src/scripts/cleanallruv.pl \
ldap/admin/src/scripts/ldif2db.pl \
ldap/admin/src/scripts/ns-accountstatus.pl \
ldap/admin/src/scripts/ns-activate.pl \
ldap/admin/src/scripts/ns-inactivate.pl \
ldap/admin/src/scripts/ns-newpwpolicy.pl \
ldap/admin/src/scripts/schema-reload.pl \
ldap/admin/src/scripts/syntax-validate.pl \
ldap/admin/src/scripts/usn-tombstone-cleanup.pl \
ldap/admin/src/scripts/verify-db.pl
endif
if ENABLE_LEGACY
sbin_SCRIPTS += \
ldap/admin/src/scripts/start-dirsrv \
ldap/admin/src/scripts/stop-dirsrv \
ldap/admin/src/scripts/restart-dirsrv \
ldap/admin/src/scripts/status-dirsrv \
ldap/admin/src/scripts/bak2db \
ldap/admin/src/scripts/db2bak \
ldap/admin/src/scripts/db2index \
ldap/admin/src/scripts/db2ldif \
ldap/admin/src/scripts/dn2rdn \
ldap/admin/src/scripts/ldif2db \
ldap/admin/src/scripts/ldif2ldap \
ldap/admin/src/scripts/monitor \
ldap/admin/src/scripts/restoreconfig \
ldap/admin/src/scripts/saveconfig \
ldap/admin/src/scripts/suffix2instance \
ldap/admin/src/scripts/upgradednformat \
ldap/admin/src/scripts/vlvindex \
ldap/admin/src/scripts/dbverify \
ldap/admin/src/scripts/upgradedb \
ldap/admin/src/scripts/dbmon.sh
endif

bin_SCRIPTS = \
ldap/admin/src/scripts/readnsstate

if ENABLE_PERL
bin_SCRIPTS += ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl \
wrappers/cl-dump \
ldap/admin/src/scripts/cl-dump.pl \
wrappers/repl-monitor \
ldap/admin/src/scripts/repl-monitor.pl
endif
bin_SCRIPTS =

# For scripts that are "as is".
dist_bin_SCRIPTS = ldap/admin/src/scripts/ds-replcheck \
@@ -852,26 +724,6 @@ dist_bin_SCRIPTS = ldap/admin/src/scripts/ds-replcheck \

dist_bin_SCRIPTS += ldap/admin/src/logconv.pl

# SCRIPTS makes them executables - these are perl modules
# and should not be marked as executable - so use DATA
if ENABLE_PERL
perl_DATA = ldap/admin/src/scripts/SetupLog.pm \
ldap/admin/src/scripts/Resource.pm \
ldap/admin/src/scripts/DSUtil.pm \
ldap/admin/src/scripts/Setup.pm \
ldap/admin/src/scripts/SetupDialogs.pm \
ldap/admin/src/scripts/Inf.pm \
ldap/admin/src/scripts/DialogManager.pm \
ldap/admin/src/scripts/Dialog.pm \
ldap/admin/src/scripts/DSDialogs.pm \
ldap/admin/src/scripts/Migration.pm \
ldap/admin/src/scripts/DSMigration.pm \
ldap/admin/src/scripts/FileConn.pm \
ldap/admin/src/scripts/DSCreate.pm \
ldap/admin/src/scripts/DSUpdate.pm \
ldap/admin/src/scripts/DSUpdateDialogs.pm
endif

python_DATA = ldap/admin/src/scripts/failedbinds.py \
ldap/admin/src/scripts/logregex.py

@@ -879,46 +731,6 @@ gdbautoload_DATA = ldap/admin/src/scripts/ns-slapd-gdb.py

dist_sysctl_DATA = ldap/admin/src/70-dirsrv.conf

if ENABLE_PERL
property_DATA = ldap/admin/src/scripts/setup-ds.res \
ldap/admin/src/scripts/migrate-ds.res

task_SCRIPTS = ldap/admin/src/scripts/template-bak2db \
ldap/admin/src/scripts/template-db2bak \
ldap/admin/src/scripts/template-db2index \
ldap/admin/src/scripts/template-db2ldif \
ldap/admin/src/scripts/template-dn2rdn \
ldap/admin/src/scripts/template-ldif2db \
ldap/admin/src/scripts/template-ldif2ldap \
ldap/admin/src/scripts/template-monitor \
ldap/admin/src/scripts/template-restart-slapd \
ldap/admin/src/scripts/template-restoreconfig \
ldap/admin/src/scripts/template-saveconfig \
ldap/admin/src/scripts/template-start-slapd \
ldap/admin/src/scripts/template-stop-slapd \
ldap/admin/src/scripts/template-suffix2instance \
ldap/admin/src/scripts/template-upgradednformat \
ldap/admin/src/scripts/template-vlvindex \
ldap/admin/src/scripts/template-bak2db.pl \
ldap/admin/src/scripts/template-db2bak.pl \
ldap/admin/src/scripts/template-db2index.pl \
ldap/admin/src/scripts/template-db2ldif.pl \
ldap/admin/src/scripts/template-fixup-linkedattrs.pl \
ldap/admin/src/scripts/template-fixup-memberof.pl \
ldap/admin/src/scripts/template-fixup-memberuid.pl \
ldap/admin/src/scripts/template-cleanallruv.pl \
ldap/admin/src/scripts/template-ldif2db.pl \
ldap/admin/src/scripts/template-ns-accountstatus.pl \
ldap/admin/src/scripts/template-ns-activate.pl \
ldap/admin/src/scripts/template-ns-inactivate.pl \
ldap/admin/src/scripts/template-ns-newpwpolicy.pl \
ldap/admin/src/scripts/template-schema-reload.pl \
ldap/admin/src/scripts/template-syntax-validate.pl \
ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl \
ldap/admin/src/scripts/template-verify-db.pl \
ldap/admin/src/scripts/template-dbverify
endif

if SYSTEMD
# yes, that is an @ in the filename . . .
systemdsystemunit_DATA = wrappers/$(PACKAGE_NAME)@.service \
@@ -943,9 +755,6 @@ initconfig_DATA = ldap/admin/src/$(PACKAGE_NAME)
endif

inf_DATA = ldap/admin/src/slapd.inf \
ldap/admin/src/scripts/dscreate.map \
ldap/admin/src/scripts/dsupdate.map \
ldap/admin/src/scripts/dsorgentries.map \
ldap/admin/src/defaults.inf

mib_DATA = ldap/servers/snmp/redhat-directory.mib
@@ -975,135 +784,12 @@ dist_man_MANS = man/man1/dbscan.1 \
man/man1/ldclt.1 \
man/man1/logconv.pl.1 \
man/man1/pwdhash.1 \
man/man1/readnsstate.1 \
man/man5/99user.ldif.5 \
man/man8/ns-slapd.8 \
man/man5/certmap.conf.5 \
man/man5/dirsrv.5 \
man/man5/dirsrv.systemd.5 \
man/man5/slapd-collations.conf.5
if ENABLE_LEGACY
dist_man_MANS += \
man/man1/infadd.1 \
man/man1/ldif.1 \
man/man1/migratecred.1 \
man/man1/mmldif.1 \
man/man1/rsearch.1
endif
if ENABLE_PERL
dist_man_MANS += man/man1/cl-dump.1 \
man/man1/cl-dump.pl.1 \
man/man1/dbgen.pl.1 \
man/man1/repl-monitor.1 \
man/man1/repl-monitor.pl.1 \
man/man8/migrate-ds.pl.8 \
man/man8/restart-dirsrv.8 \
man/man8/setup-ds.pl.8 \
man/man8/start-dirsrv.8 \
man/man8/stop-dirsrv.8 \
man/man8/status-dirsrv.8 \
man/man8/bak2db.8 \
man/man8/bak2db.pl.8 \
man/man8/cleanallruv.pl.8 \
man/man8/dbverify.8 \
man/man8/db2bak.8 \
man/man8/db2bak.pl.8 \
man/man8/db2ldif.8 \
man/man8/db2ldif.pl.8 \
man/man8/db2index.8 \
man/man8/db2index.pl.8 \
man/man8/fixup-linkedattrs.pl.8 \
man/man8/fixup-memberof.pl.8 \
man/man8/ldif2db.8 \
man/man8/ldif2db.pl.8 \
man/man8/dbmon.sh.8 \
man/man8/dn2rdn.8 \
man/man8/ldif2ldap.8 \
man/man8/monitor.8 \
man/man8/ns-accountstatus.pl.8 \
man/man8/ns-newpwpolicy.pl.8 \
man/man8/ns-activate.pl.8 \
man/man8/ns-inactivate.pl.8 \
man/man8/remove-ds.pl.8 \
man/man8/restoreconfig.8 \
man/man8/saveconfig.8 \
man/man8/schema-reload.pl.8 \
man/man8/suffix2instance.8 \
man/man8/syntax-validate.pl.8 \
man/man8/upgradednformat.8 \
man/man8/upgradedb.8 \
man/man8/usn-tombstone-cleanup.pl.8 \
man/man8/vlvindex.8 \
man/man8/verify-db.pl.8 \
man/man5/template-initconfig.5
endif

#------------------------
# updates
# the first 3 are just the examples provided - since they
# do not begin with two digits, they will be ignored
# the remaining items should begin with two digits that
# correspond to the order in which they should be applied
# perl files and LDIF files are DATA - not executable
# processed by the update script
# shell scripts and other files are SCRIPTS - executable
#------------------------
if ENABLE_PERL
update_DATA = ldap/admin/src/scripts/exampleupdate.pl \
ldap/admin/src/scripts/exampleupdate.ldif \
ldap/admin/src/scripts/10cleanupldapi.pl \
ldap/admin/src/scripts/10delautodnsuffix.pl \
ldap/admin/src/scripts/10fixrundir.pl \
ldap/admin/src/scripts/20betxn.pl \
ldap/admin/src/scripts/50addchainingsaslpwroles.ldif \
ldap/admin/src/scripts/50acctusabilityplugin.ldif \
ldap/admin/src/scripts/50automemberplugin.ldif \
ldap/admin/src/scripts/50memberofindex.ldif \
ldap/admin/src/scripts/50nstombstonecsn.ldif \
ldap/admin/src/scripts/50bitstringsyntaxplugin.ldif \
ldap/admin/src/scripts/50managedentriesplugin.ldif \
ldap/admin/src/scripts/50memberofplugin.ldif \
ldap/admin/src/scripts/50deliverymethodsyntaxplugin.ldif \
ldap/admin/src/scripts/50nameuidsyntaxplugin.ldif \
ldap/admin/src/scripts/50derefplugin.ldif \
ldap/admin/src/scripts/50numericstringsyntaxplugin.ldif \
ldap/admin/src/scripts/50disableurisyntaxplugin.ldif \
ldap/admin/src/scripts/50printablestringsyntaxplugin.ldif \
ldap/admin/src/scripts/50enhancedguidesyntaxplugin.ldif \
ldap/admin/src/scripts/50schemareloadplugin.ldif \
ldap/admin/src/scripts/50entryusnindex.ldif \
ldap/admin/src/scripts/50syntaxvalidplugin.ldif \
ldap/admin/src/scripts/50faxnumbersyntaxplugin.ldif \
ldap/admin/src/scripts/50teletexterminalidsyntaxplugin.ldif \
ldap/admin/src/scripts/50faxsyntaxplugin.ldif \
ldap/admin/src/scripts/50fixNsState.pl \
ldap/admin/src/scripts/50telexnumbersyntaxplugin.ldif \
ldap/admin/src/scripts/50guidesyntaxplugin.ldif \
ldap/admin/src/scripts/50targetuniqueid.ldif \
ldap/admin/src/scripts/60removeLegacyReplication.ldif \
ldap/admin/src/scripts/50linkedattrsplugin.ldif \
ldap/admin/src/scripts/50usnplugin.ldif \
ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif \
ldap/admin/src/scripts/50refintprecedence.ldif \
ldap/admin/src/scripts/50retroclprecedence.ldif \
ldap/admin/src/scripts/50rootdnaccesscontrolplugin.ldif \
ldap/admin/src/scripts/50contentsync.ldif \
ldap/admin/src/scripts/60upgradeschemafiles.pl \
ldap/admin/src/scripts/60upgradeconfigfiles.pl \
ldap/admin/src/scripts/70upgradefromldif.pl \
ldap/admin/src/scripts/80upgradednformat.pl \
ldap/admin/src/scripts/81changelog.pl \
ldap/admin/src/scripts/82targetuniqueidindex.pl \
ldap/admin/src/scripts/90subtreerename.pl \
ldap/admin/src/scripts/91subtreereindex.pl \
ldap/admin/src/scripts/50AES-pbe-plugin.ldif\
ldap/admin/src/scripts/50updateconfig.ldif \
ldap/admin/src/scripts/52updateAESplugin.pl \
ldap/admin/src/scripts/dnaplugindepends.ldif \
ldap/admin/src/scripts/91reindex.pl

update_SCRIPTS = ldap/admin/src/scripts/exampleupdate.sh
endif

#////////////////////////////////////////////////////////////////
#
@@ -2172,16 +1858,6 @@ dbscan_SOURCES = ldap/servers/slapd/tools/dbscan.c
dbscan_CPPFLAGS = @db_inc@ $(NSPR_INCLUDES) $(AM_CPPFLAGS)
dbscan_LDADD = $(NSPR_LINK) $(DB_LINK)

#------------------------
# infadd
#------------------------
infadd_SOURCES = ldap/servers/slapd/tools/rsearch/addthread.c \
ldap/servers/slapd/tools/rsearch/infadd.c \
ldap/servers/slapd/tools/rsearch/nametable.c

infadd_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
infadd_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBSOCKET)

#------------------------
# ldap-agent
#------------------------
@@ -2212,32 +1888,6 @@ ldclt_SOURCES = ldap/servers/slapd/tools/ldaptool-sasl.c \
ldclt_CPPFLAGS = $(AM_CPPFLAGS) -I$(srcdir)/ldap/servers/slapd/tools $(DSPLUGIN_CPPFLAGS) $(SASL_CFLAGS)
ldclt_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBNSL) $(LIBSOCKET) $(LIBDL) $(THREADLIB)

#------------------------
# ldif
#------------------------
ldif_SOURCES = ldap/servers/slapd/tools/ldif.c

ldif_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
ldif_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK_NOTHR) $(SASL_LINK)

#------------------------
# migratecred
#------------------------
migratecred_SOURCES = ldap/servers/slapd/tools/migratecred.c

migratecred_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
migratecred_LDADD = libslapd.la libsvrcore.la $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK)
migratecred_DEPENDENCIES = libslapd.la

#------------------------
# mmldif
#------------------------
mmldif_SOURCES = ldap/servers/slapd/tools/mmldif.c

mmldif_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
mmldif_LDADD = libslapd.la libsvrcore.la $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK_NOTHR) $(SASL_LINK)
mmldif_DEPENDENCIES = libslapd.la

#------------------------
# ns-slapd
#------------------------
@@ -2311,17 +1961,6 @@ pwdhash_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
pwdhash_LDADD = libslapd.la libsvrcore.la $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK)
pwdhash_DEPENDENCIES = libslapd.la

#------------------------
# rsearch
#------------------------
rsearch_SOURCES = ldap/servers/slapd/tools/rsearch/nametable.c \
ldap/servers/slapd/tools/rsearch/rsearch.c \
ldap/servers/slapd/tools/rsearch/sdattable.c \
ldap/servers/slapd/tools/rsearch/searchthread.c

rsearch_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
rsearch_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBSOCKET)

#-------------------------
# CMOCKA TEST PROGRAMS
#-------------------------
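Review bot: The new `dberrstrs.h` rule runs `$(srcdir)/ldap/servers/slapd/mkDBErrStrs.py` unconditionally, but the file is only distributed from the `dist_noinst_DATA +=` list that is still wrapped in `if ENABLE_PERL` (it is now the sole entry of that block), so a tarball made with Perl support disabled would ship no generator and fail at `dberrstrs.h`. Move the line out of the conditional into the unconditional list, e.g. next to `$(srcdir)/buildnum.py \` add `$(srcdir)/ldap/servers/slapd/mkDBErrStrs.py \`, and drop the now-empty `if ENABLE_PERL` block. Invoking the script by path rather than through an interpreter also relies on the exec bit and shebang surviving `make dist`; if configure already defines a Python variable, `$(PYTHON) $(srcdir)/ldap/servers/slapd/mkDBErrStrs.py -i @db_incdir@ -o .` is the more robust form, but I cannot see from this hunk whether one exists.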


+ 9
- 1
dirsrvtests/tests/suites/acl/acl_deny_test.py View File

@@ -1,3 +1,11 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2020 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
#
import logging
import pytest
import os
@@ -5,7 +13,7 @@ import ldap
import time
from lib389._constants import *
from lib389.topologies import topology_st as topo
from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES
from lib389.idm.user import UserAccount, TEST_USER_PROPERTIES
from lib389.idm.domain import Domain

pytestmark = pytest.mark.tier1


+ 16
- 7
dirsrvtests/tests/suites/acl/acl_test.py View File

@@ -1,5 +1,5 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2016 Red Hat, Inc.
# Copyright (C) 2020 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
@@ -14,9 +14,8 @@ from lib389.schema import Schema
from lib389.idm.domain import Domain
from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES
from lib389.idm.organizationalrole import OrganizationalRole, OrganizationalRoles

from lib389.topologies import topology_m2
from lib389._constants import SUFFIX, DN_SCHEMA, DN_DM, DEFAULT_SUFFIX, PASSWORD
from lib389._constants import SUFFIX, DN_DM, DEFAULT_SUFFIX, PASSWORD

pytestmark = pytest.mark.tier1

@@ -243,6 +242,14 @@ def moddn_setup(topology_m2):
'userpassword': BIND_PW})
user.create(properties=user_props, basedn=SUFFIX)

# Add anonymous read aci
ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"*\")" % (SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = " userdn = \"ldap:///anyone\";)"
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(m1, SUFFIX)
suffix.add('aci', ACI_BODY)

# DIT for staging
m1.log.info("Add {}".format(STAGING_DN))
o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"})
@@ -1062,10 +1069,12 @@ def test_mode_legacy_ger_with_moddn(topology_m2, moddn_setup):
@pytest.fixture(scope="module")
def rdn_write_setup(topology_m2):
topology_m2.ms["master1"].log.info("\n\n######## Add entry tuser ########\n")
topology_m2.ms["master1"].add_s(Entry((SRC_ENTRY_DN, {
'objectclass': "top person".split(),
'sn': SRC_ENTRY_CN,
'cn': SRC_ENTRY_CN})))
user = UserAccount(topology_m2.ms["master1"], SRC_ENTRY_DN)
user_props = TEST_USER_PROPERTIES.copy()
user_props.update({'sn': SRC_ENTRY_CN,
'cn': SRC_ENTRY_CN,
'userpassword': BIND_PW})
user.create(properties=user_props, basedn=SUFFIX)


def test_rdn_write_get_ger(topology_m2, rdn_write_setup):
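Review bot: The anonymous ACI added to `moddn_setup` uses `(targetattr="*")` with `userdn = "ldap:///anyone"` on the whole suffix, which, unlike the anonymous ACI 389-ds installs by default, does not exclude userPassword, so the fixture's users (created with `'userpassword': BIND_PW` just above) become readable, hashes included, by unauthenticated binds for the rest of the module. If the tests only need the entries to be searchable, `ACI_TARGET = "(target = \"ldap:///%s\")(targetattr != \"userPassword\")" % (SUFFIX)` matches the stock rule and is less likely to mask a deny case in a later test. The fixture's end is outside the hunk, so I cannot tell whether the ACI is removed in a finalizer; a one-line comment stating why it is now required (presumably the new install path no longer adds one) would help the next reader.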


+ 3
- 3
dirsrvtests/tests/suites/acl/deladd_test.py View File

@@ -361,7 +361,7 @@ def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user, req

# Set ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
f'(version 3.0; acl "{request.node.name}"; '
f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')

@@ -401,7 +401,7 @@ def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user,
# Set ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
f'(targetattr=uid)(version 3.0; acl "{request.node.name}"; '
f'(targetattr="uid")(version 3.0; acl "{request.node.name}"; '
f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')

# create connection with USER_WITH_ACI_DELADD
@@ -439,7 +439,7 @@ def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user,
# Set ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
f'(targetattr=*)(version 3.0; acl "{request.node.name}"; '
f'(targetattr="*")(version 3.0; acl "{request.node.name}"; '
f'allow (delete) (groupdn != "ldap:///{group.dn}"); )')

# create connection with USER_WITH_ACI_DELADD


+ 3
- 5
dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py View File

@@ -1,5 +1,5 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2016 Red Hat, Inc.
# Copyright (C) 2020 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
@@ -31,15 +31,13 @@ def env_setup(topology_st):

log.info("Add a container: %s" % CONTAINER_1)
topology_st.standalone.add_s(Entry((CONTAINER_1,
{'objectclass': 'top',
'objectclass': 'organizationalunit',
{'objectclass': ['top','organizationalunit'],
'ou': CONTAINER_1_OU,
})))

log.info("Add a container: %s" % CONTAINER_2)
topology_st.standalone.add_s(Entry((CONTAINER_2,
{'objectclass': 'top',
'objectclass': 'organizationalunit',
{'objectclass': ['top', 'organizationalunit'],
'ou': CONTAINER_2_OU,
})))
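Review bot: The two containers are still created through the raw `add_s(Entry(...))` path while the rest of this commit moves the suite onto lib389 objects; since the old dict silently dropped `top` through a duplicate `'objectclass'` key, a lib389 `OrganizationalUnits(...).create(properties={'ou': CONTAINER_1_OU})` would set the objectclasses itself and remove that class of mistake entirely (the parent DN for the collection is defined outside the hunk, so I cannot spell it out). If the raw API is kept, the two new lists should at least be formatted the same, `['top', 'organizationalunit']` in both, and a one-line comment such as `# both objectclasses in one list: a duplicate dict key would silently drop one` would explain why the fix matters. `env_setup` continues outside the hunk.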



+ 22
- 14
dirsrvtests/tests/suites/acl/globalgroup_part2_test.py

@@ -1,5 +1,5 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# Copyright (C) 2020 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
@@ -70,6 +70,14 @@ def test_user(request, topo):
'userPassword': PW_DM
})

# Add anonymous access aci
ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
suffix.add('aci', ANON_ACI)

uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup')
for demo1 in ['c1', 'CHILD1_GLOBAL']:
uas.create(properties={
@@ -112,7 +120,7 @@ def test_undefined_in_group_eval_five(topo, test_user, aci_of_user):
5. Operation should succeed
"""

Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPF_GLOBAL))
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPF_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)
# This aci should NOT allow access
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
@@ -140,7 +148,7 @@ def test_undefined_in_group_eval_six(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, ALLGROUPS_GLOBAL))
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, ALLGROUPS_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
# test UNDEFINED in group
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
@@ -168,7 +176,7 @@ def test_undefined_in_group_eval_seven(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPH_GLOBAL))
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPH_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
# test UNDEFINED in group
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
@@ -196,7 +204,7 @@ def test_undefined_in_group_eval_eight(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{} || ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, GROUPA_GLOBAL, ALLGROUPS_GLOBAL))
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{} || ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, GROUPA_GLOBAL, ALLGROUPS_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
# test UNDEFINED in group
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
@@ -224,7 +232,7 @@ def test_undefined_in_group_eval_nine(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{} || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPA_GLOBAL, GROUPH_GLOBAL))
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{} || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPA_GLOBAL, GROUPH_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
# test UNDEFINED in group
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
@@ -252,7 +260,7 @@ def test_undefined_in_group_eval_ten(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "description#GROUPDN";)')
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "description#GROUPDN";)')
user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
@@ -281,7 +289,7 @@ def test_undefined_in_group_eval_eleven(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)')
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)')
user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
@@ -312,7 +320,7 @@ def test_undefined_in_group_eval_twelve(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
user.add("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
@@ -341,7 +349,7 @@ def test_undefined_in_group_eval_fourteen(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)
@@ -372,7 +380,7 @@ def test_undefined_in_group_eval_fifteen(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#USERDN";)')
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#USERDN";)')
UserAccount(topo.standalone, NESTEDGROUP_OU_GLOBAL).add("description", DEEPUSER_GLOBAL)
# Here do the same tests for userattr with the parent keyword.
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
@@ -399,7 +407,7 @@ def test_undefined_in_group_eval_sixteen(topo, test_user, aci_of_user):
5. Operation should succeed
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not ( userattr = "parent[0,1].description#USERDN");)')
domain.add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not ( userattr = "parent[0,1].description#USERDN");)')
domain.add("description", DEEPUSER_GLOBAL)
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
# Test with parent keyword with not key
@@ -427,7 +435,7 @@ def test_undefined_in_group_eval_seventeen(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
# Test with the parent keyord
user.add("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])
@@ -455,7 +463,7 @@ def test_undefined_in_group_eval_eighteen(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not (userattr = "parent[0,1].description#GROUPDN" );)')
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not (userattr = "parent[0,1].description#GROUPDN" );)')
user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
# Test with parent keyword with not key
user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
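Review bot: The anonymous ACI added in `test_user` grants `read,search,compare` on `targetattr="*"` to `ldap:///anyone`, which exposes `userPassword` hashes to unauthenticated readers, while the equivalent fixture in misc_test.py in this same commit scopes it as `(targetattr != "userpassword")`. Unless a test here depends on reading userPassword anonymously, the same form keeps the anonymous-read precondition without the exposure: `ACI_TARGET = "(targetattr != \"userPassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)`. The `suffix.add('aci', ANON_ACI)` call is also unguarded, whereas the misc_test and modify_test fixtures wrap it in `except ldap.TYPE_OR_VALUE_EXISTS`, so a second run of this fixture against the same instance would raise. The fixture continues outside the hunk.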


+ 12
- 4
dirsrvtests/tests/suites/acl/globalgroup_test.py

@@ -1,5 +1,5 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# Copyright (C) 2020 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
@@ -72,6 +72,14 @@ def test_user(request, topo):
'userPassword': PW_DM
})

# Add anonymous access aci
ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
suffix.add('aci', ANON_ACI)

uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup')
for demo1 in ['DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL', 'DEEPUSER1_GLOBAL',
'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild']:
@@ -361,7 +369,7 @@ def test_undefined_in_group_eval_two(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
# This aci should allow access
@@ -389,7 +397,7 @@ def test_undefined_in_group_eval_three(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL))
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
user = Domain(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
# test UNDEFINED in group
@@ -417,7 +425,7 @@ def test_undefined_in_group_eval_four(topo, test_user, aci_of_user):
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER1_GLOBAL).bind(PW_DM)
# test UNDEFINED in group
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
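Review bot: `suffix.add('aci', ANON_ACI)` in `test_user` has no guard, unlike the sibling fixtures in misc_test.py and modify_test.py that catch `ldap.TYPE_OR_VALUE_EXISTS`, so the fixture fails outright if the ACI is already present on the suffix from an earlier run; wrapping it the same way would make the three fixtures behave alike. The ACI itself opens `targetattr="*"` to `ldap:///anyone`, which includes userPassword hashes, whereas misc_test.py excludes that attribute; `(targetattr != \"userPassword\")` would be the tighter default if no test here needs anonymous access to it. I cannot see the fixture's scope or its teardown, so whether the ACI is ever removed is not determinable from the hunk. The fixture continues outside the hunk.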


+ 20
- 22
dirsrvtests/tests/suites/acl/keywords_part2_test.py

@@ -1,5 +1,5 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# Copyright (C) 2020 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
@@ -64,24 +64,23 @@ def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):
# Wait till Access Log is generated
topo.standalone.restart()

ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]

# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '
f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')
domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci "IP aci"; '
f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "::1" ;)')

# create a new connection for the test
conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, IP_OU_KEY)
org.replace("seeAlso", "cn=1")

# remove the aci
domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci '
domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci '
f'"IP aci"; allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and '
f'ip = "{ip_ip}" ;)')
f'ip = "::1" ;)')
# Now add aci with new ip
domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '
domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")(version 3.0; aci "IP aci"; '
f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)')

# After changing the ip user cant access data
@@ -104,14 +103,13 @@ def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
2. Operation should succeed
3. Operation should succeed
"""
# Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]

# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "IP aci"; '
f'(targetattr="*")(version 3.0; aci "IP aci"; '
f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
f'and ip != "{ip_ip}" ;)')
f'and ip != "::1" ;)')

# create a new connection for the test
conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
@@ -122,9 +120,9 @@ def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
# Remove the ACI
domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
# Add new ACI
domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)'
domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")'
f'(version 3.0; aci "IP aci"; allow(all) '
f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')
f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "::1" ;)')

# now user can access data
org.replace("seeAlso", "cn=1")
@@ -148,7 +146,7 @@ def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "IP aci"; allow(all) '
f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) '
f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')

# Create a new connection for this test.
@@ -177,7 +175,7 @@ def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
f'(timeofday >= "0000" and timeofday <= "2359") ;)')

@@ -206,7 +204,7 @@ def test_user_can_access_the_data_only_in_the_morning(topo, add_user, aci_of_use
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn = "ldap:///{DAYWORKER_KEY}" '
f'and timeofday < "1200" ;)')

@@ -239,7 +237,7 @@ def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_u
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '
f'and timeofday > \'1200\' ;)')

@@ -275,7 +273,7 @@ def test_timeofday_keyword(topo, add_user, aci_of_user):
# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" '
f'and timeofday = \'{now_1}\' ;)')

@@ -312,7 +310,7 @@ def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user)
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "Dayofweek aci"; '
f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)')

@@ -342,7 +340,7 @@ def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "Dayofweek aci"; '
f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
f'and dayofweek = \'{today_1}\' ;)')

@@ -371,7 +369,7 @@ def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "Dayofweek aci"; '
f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
f'and dayofweek = "$NEW_DATE" ;)')
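Review bot: Replacing the address read from the access log with a hard-coded `"::1"` ties `test_access_from_certain_network_only_ip` and `test_connectin_from_an_unauthorized_network` to an IPv6 loopback connection; if the client reaches the instance over 127.0.0.1 or a hostname that resolves to IPv4, the positive ACI `ip = "::1"` never matches and the negative one no longer exercises the deny path. keywords_test.py in this same commit already handles this with `(ip = "127.0.0.1" or ip = "::1")`; using that form here, and `(ip != "127.0.0.1" and ip != "::1")` for the unauthorized-network ACI, would make both tests independent of the address family. With the log no longer read, the context comment `# Wait till Access Log is generated` above `topo.standalone.restart()` is stale, and the restart itself may no longer be needed. Both test functions continue outside the hunks.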



+ 11
- 11
dirsrvtests/tests/suites/acl/keywords_test.py

@@ -39,11 +39,11 @@ NONE_2_KEY = "uid=NONE_2_KEY,{}".format(AUTHMETHOD_OU_KEY)


NONE_ACI_KEY = f'(target = "ldap:///{AUTHMETHOD_OU_KEY}")' \
f'(targetattr=*)(version 3.0; aci "Authmethod aci"; ' \
f'(targetattr="*")(version 3.0; aci "Authmethod aci"; ' \
f'allow(all) userdn = "ldap:///{NONE_1_KEY}" and authmethod = "none" ;)'

SIMPLE_ACI_KEY = f'(target = "ldap:///{AUTHMETHOD_OU_KEY}")' \
f'(targetattr=*)(version 3.0; aci "Authmethod aci"; ' \
f'(targetattr="*")(version 3.0; aci "Authmethod aci"; ' \
f'allow(all) userdn = "ldap:///{SIMPLE_1_KEY}" and authmethod = "simple" ;)'


@@ -236,7 +236,7 @@ def test_user_can_access_the_data_when_connecting_from_any_machine(
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX)\
.add("aci", f'(target ="ldap:///{DNS_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{FULLDNS_KEY}" and dns = "*" ;)')

# Create a new connection for this test.
@@ -265,9 +265,9 @@ def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", [f'(target = "ldap:///{DNS_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "DNS aci"; '
f'(targetattr="*")(version 3.0; aci "DNS aci"; '
f'allow(all) userdn = "ldap:///{SUNDNS_KEY}" and dns = "*redhat.com" ;)',
f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
f'(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{SUNDNS_KEY}" and dns = "{dns_name}" ;)'])

@@ -297,7 +297,7 @@ def test_user_can_access_the_data_when_connecting_from_some_network_only(
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX)\
.add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
f'and dns = "{dns_name}" ;)')

@@ -324,7 +324,7 @@ def test_from_an_unauthorized_network(topo, add_user, aci_of_user):
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NETSCAPEDNS_KEY}" and dns != "red.iplanet.com" ;)')

# Create a new connection for this test.
@@ -351,7 +351,7 @@ def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_networ
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
f'and dnsalias != "www.redhat.com" ;)')

@@ -377,7 +377,7 @@ def test_user_cannot_access_the_data_if_not_from_a_certain_domain(topo, add_user
"""
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
f'(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NODNS_KEY}" '
f'and dns = "RAP.rock.SALSA.house.COM" ;)')
@@ -406,7 +406,7 @@ def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
"""
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
f'(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NODNS_KEY}" and '
f'dnsalias = "RAP.rock.SALSA.house.COM" ;)')
@@ -438,7 +438,7 @@ def test_user_can_access_from_ipv4_or_ipv6_address(topo, add_user, aci_of_user,
"""
# Add ACI that contains both IPv4 and IPv6
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr=*) '
add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr="*") '
f'(version 3.0; aci "IP aci"; allow(all) '
f'userdn = "ldap:///{FULLIP_KEY}" and (ip = "127.0.0.1" or ip = "::1");)')



+ 26
- 17
dirsrvtests/tests/suites/acl/misc_test.py

@@ -1,6 +1,6 @@
"""
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 RED Hat, Inc.
# Copyright (C) 2020 RED Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
@@ -8,6 +8,7 @@
# --- END COPYRIGHT BLOCK ----
"""

import ldap
import os
import pytest

@@ -21,8 +22,6 @@ from lib389.topologies import topology_st as topo
from lib389.idm.domain import Domain
from lib389.plugins import ACLPlugin

import ldap

pytestmark = pytest.mark.tier1

PEOPLE = "ou=PEOPLE,{}".format(DEFAULT_SUFFIX)
@@ -37,7 +36,19 @@ def aci_of_user(request, topo):
:param request:
:param topo:
"""
aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')

# Add anonymous access aci
ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass

aci_list = suffix.get_attr_vals('aci')

def finofaci():
"""
@@ -96,7 +107,7 @@ def test_accept_aci_in_addition_to_acl(topo, clean, aci_of_user):
for i in [('mail', 'anujborah@okok.com'), ('givenname', 'Anuj'), ('userPassword', PW_DM)]:
user.set(i[0], i[1])

aci_target = "(targetattr=givenname)"
aci_target = '(targetattr="givenname")'
aci_allow = ('(version 3.0; acl "Name of the ACI"; deny (read, search, compare, write)')
aci_subject = 'userdn="ldap:///anyone";)'
Domain(topo.standalone, CONTAINER_1_DELADD).add("aci", aci_target + aci_allow + aci_subject)
@@ -132,7 +143,7 @@ def test_more_then_40_acl_will_crash_slapd(topo, clean, aci_of_user):
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')
user = uas.create_test_user()

aci_target = '(target ="ldap:///{}")(targetattr !="userPassword")'.format(CONTAINER_1_DELADD)
aci_target = '(target ="ldap:///{}")(targetattr!="userPassword")'.format(CONTAINER_1_DELADD)
# more_then_40_acl_will not crash_slapd
for i in range(40):
aci_allow = '(version 3.0;acl "ACI_{}";allow (read, search, compare)'.format(i)
@@ -163,7 +174,7 @@ def test_search_access_should_not_include_read_access(topo, clean, aci_of_user):
"""
assert Domain(topo.standalone, DEFAULT_SUFFIX).present('aci')
Domain(topo.standalone, DEFAULT_SUFFIX)\
.add("aci", [f'(target ="ldap:///{DEFAULT_SUFFIX}")(targetattr !="userPassword")'
.replace("aci", [f'(target ="ldap:///{DEFAULT_SUFFIX}")(targetattr != "userPassword")'
'(version 3.0;acl "anonymous access";allow (search)'
'(userdn = "ldap:///anyone");)',
f'(target="ldap:///{DEFAULT_SUFFIX}") (targetattr = "*")(version 3.0; '
@@ -176,7 +187,7 @@ def test_search_access_should_not_include_read_access(topo, clean, aci_of_user):
conn = Anonymous(topo.standalone).bind()
# search_access_should_not_include_read_access
suffix = Domain(conn, DEFAULT_SUFFIX)
with pytest.raises(AssertionError):
with pytest.raises(Exception):
assert suffix.present('aci')


@@ -211,9 +222,9 @@ def test_only_allow_some_targetattr(topo, clean, aci_of_user):
# aci will allow only mail targetattr
assert len(accounts.filter('(mail=*)')) == 2
# aci will allow only mail targetattr
assert not accounts.filter('(cn=*)')
assert not accounts.filter('(cn=*)', scope=1)
# with root no , blockage
assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)')) == 2
assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)', scope=1)) == 2

for i in uas.list():
i.delete()
@@ -251,8 +262,8 @@ def test_only_allow_some_targetattr_two(topo, clean, aci_of_user, request):
conn = UserAccount(topo.standalone, user.dn).bind(PW_DM)
# aci will allow only mail targetattr but only for cn=Anuj
account = Accounts(conn, DEFAULT_SUFFIX)
assert len(account.filter('(mail=*)')) == 5
assert not account.filter('(cn=*)')
assert len(account.filter('(mail=*)', scope=1)) == 5
assert not account.filter('(cn=*)', scope=1)

for i in account.filter('(mail=*)'):
assert i.get_attr_val_utf8('mail') == 'anujborah@anujborah.com'
@@ -261,8 +272,8 @@ def test_only_allow_some_targetattr_two(topo, clean, aci_of_user, request):
conn = Anonymous(topo.standalone).bind()
# aci will allow only mail targetattr but only for cn=Anuj
account = Accounts(conn, DEFAULT_SUFFIX)
assert len(account.filter('(mail=*)')) == 5
assert not account.filter('(cn=*)')
assert len(account.filter('(mail=*)', scope=1)) == 5
assert not account.filter('(cn=*)', scope=1)

for i in account.filter('(mail=*)'):
assert i.get_attr_val_utf8('mail') == 'anujborah@anujborah.com'
@@ -274,7 +285,6 @@ def test_only_allow_some_targetattr_two(topo, clean, aci_of_user, request):
i.delete()



@pytest.mark.bz326000
def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
"""Non-regression test for BUG 326000: MemberURL needs to be normalized
@@ -291,7 +301,7 @@ def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
3. Operation should succeed
"""
ou_ou = OrganizationalUnit(topo.standalone, "ou=PEOPLE,{}".format(DEFAULT_SUFFIX))
ou_ou.set('aci', '(targetattr= *)'
ou_ou.set('aci', '(targetattr="*")'
'(version 3.0; acl "tester"; allow(all) '
'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format(DEFAULT_SUFFIX))

@@ -407,7 +417,6 @@ def test_do_bind_as_201_distinct_users(topo, clean, aci_of_user):
for i in range(len(uas.list())):
uas.list()[i].bind(PW_DM)


if __name__ == "__main__":
CURRENT_FILE = os.path.realpath(__file__)
pytest.main("-s -v %s" % CURRENT_FILE)
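Review bot: Widening the expected exception to `pytest.raises(Exception)` in `test_search_access_should_not_include_read_access` lets the test pass when the anonymous bind or search fails for an unrelated reason (a connection error, a NO_SUCH_OBJECT), so it no longer pins the access-control property it is named for. If `present('aci')` now surfaces something other than `AssertionError` under these ACIs, name it: `with pytest.raises((AssertionError, ldap.INSUFFICIENT_ACCESS)):` keeps the check specific. Separately, `aci_list` in `aci_of_user` is now captured after `ANON_ACI` is added, so if `finofaci` (outside the hunk) restores that list, the anonymous read ACI stays on the suffix after every test; if that is intended, a one-line comment such as `# snapshot includes the anonymous ACI so teardown keeps it` would make it explicit. Both functions continue outside the hunks.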

+ 15
- 5
dirsrvtests/tests/suites/acl/modify_test.py

@@ -42,7 +42,18 @@ def cleanup_tree(request, topo):

@pytest.fixture(scope="function")
def aci_of_user(request, topo):
aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
# Add anonymous access aci
ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass

aci_list = suffix.get_attr_vals('aci')

def finofaci():
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
@@ -262,7 +273,7 @@ def test_allow_write_access_to_userdn_with_multiple_dns(topo, aci_of_user, clean
ua = UserAccount(conn, USER_DELADD)
ua.add("title", "Architect")
assert ua.get_attr_val('title')

def test_allow_write_access_to_target_with_wildcards(topo, aci_of_user, cleanup_tree):
"""Modify Test 6 Allow write access to target with wildcards
@@ -324,7 +335,7 @@ def test_allow_write_access_to_userdnattr(topo, aci_of_user, cleanup_tree, reque
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(target = ldap:///{})(targetattr=*)(version 3.0; acl "{}";allow (write) (userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX, request.node.name)
ACI_BODY = '(target = ldap:///{})(targetattr="*")(version 3.0; acl "{}";allow (write) (userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX, request.node.name)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

for i in ['Product Development', 'Accounting']:
@@ -393,8 +404,7 @@ def test_allow_selfwrite_access_to_anyone(topo, aci_of_user, cleanup_tree):
conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
# Allow selfwrite access to anyone
groups = Groups(conn, DEFAULT_SUFFIX)
groups.list()[0].add_member(USER_DELADD)
group.delete()
groups.list()[1].add_member(USER_DELADD)


def test_uniquemember_should_also_be_the_owner(topo, aci_of_user):
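Review bot: `groups.list()[1].add_member(USER_DELADD)` in `test_allow_selfwrite_access_to_anyone` picks the target group by position in a search result, and the preceding `group.delete()` is the only thing that makes index 1 the intended entry; search result order is not guaranteed, so the selfwrite check can land on the wrong group without failing. Looking the group up by its cn, e.g. `groups.get('<expected cn>')` (the cn is defined outside the hunk), pins the test to the entry it means to exercise. The new `except ldap.TYPE_OR_VALUE_EXISTS` in `aci_of_user` also relies on `import ldap` being present at the top of this file, which the hunk does not show. The fixture and the test both continue outside the hunks.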


+ 4
- 4
dirsrvtests/tests/suites/acl/modrdn_test.py

@@ -1,5 +1,5 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# Copyright (C) 2020 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
@@ -102,7 +102,7 @@ def test_allow_write_privilege_to_anyone(topo, _add_user, aci_of_user, request):
3. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",
'(target ="ldap:///{}")(targetattr=*)(version 3.0;acl "{}";allow '
'(target ="ldap:///{}")(targetattr="*")(version 3.0;acl "{}";allow '
'(write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX, request.node.name))
conn = Anonymous(topo.standalone).bind()
# Allow write privilege to anyone
@@ -130,7 +130,7 @@ def test_allow_write_privilege_to_dynamic_group_with_scope_set_to_base_in_ldap_u
2. Operation should succeed
3. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(target = ldap:///{})(targetattr=*)(version 3.0; acl "{}"; allow(all)(groupdn = "ldap:///{}"); )'.format(DEFAULT_SUFFIX, request.node.name, DYNAMIC_MODRDN))
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(target = ldap:///{})(targetattr="*")(version 3.0; acl "{}"; allow(all)(groupdn = "ldap:///{}"); )'.format(DEFAULT_SUFFIX, request.node.name, DYNAMIC_MODRDN))
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Allow write privilege to DYNAMIC_MODRDN group with scope set to base in LDAP URL
useraccount = UserAccount(conn, USER_DELADD)
@@ -281,7 +281,7 @@ def test_renaming_target_entry(topo, _add_user, aci_of_user):
user.set("userPassword", "password")
ou = OrganizationalUnit(topo.standalone, 'ou=OU0,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'OU0'})
ou.set('aci', '(targetattr=*)(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'.format(TRAC340_MODRDN))
ou.set('aci', '(targetattr="*")(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'.format(TRAC340_MODRDN))
conn = UserAccount(topo.standalone, TRAC340_MODRDN).bind(PW_DM)
assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU0')
# Test for renaming target entry
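Review bot: The ACL name in the rewritten `ou.set('aci', ...)` line at L1660 is the literal string `$MYUID`, which reads like an unexpanded shell variable carried over from a legacy script; the quoting fix keeps it, so the ACI is stored on the server under the name `$MYUID` verbatim. Since `test_renaming_target_entry` does not take the `request` fixture that the sibling tests use for `request.node.name`, a fixed descriptive name such as `acl "renaming target entry"` would make this ACI identifiable in the suffix's aci listing and in access-log errors. The function body begins before this hunk.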


+ 6
- 6
dirsrvtests/tests/suites/acl/repeated_ldap_add_test.py View File

@@ -1,5 +1,5 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2016 Red Hat, Inc.
# Copyright (C) 2020 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
@@ -454,12 +454,12 @@ def test_repeated_ldap_add(topology_st):
log.info('Inactivate %s' % BINDDN)
if ds_paths.version < '1.3':
nsinactivate = '%s/ns-inactivate.pl' % inst_dir
nsinactivate_cmd = [nsinactivate, '-D', DN_DM, '-w', PASSWORD, '-I', BINDDN]
cli_cmd = [nsinactivate, '-D', DN_DM, '-w', PASSWORD, '-I', BINDDN]
else:
nsinactivate = '%s/ns-inactivate.pl' % ds_paths.sbin_dir
nsinactivate_cmd = [nsinactivate, '-Z', SERVERID_STANDALONE, '-D', DN_DM, '-w', PASSWORD, '-I', BINDDN]
log.info(nsinactivate_cmd)
p = Popen(nsinactivate_cmd)
dsidm = '%s/dsidm' % ds_paths.sbin_dir
cli_cmd = [dsidm, SERVERID_STANDALONE, '-b', DEFAULT_SUFFIX, 'account', 'lock', BINDDN]
log.info(cli_cmd)
p = Popen(cli_cmd)
assert (p.wait() == 0)

log.info('Bind as {%s,%s} which should fail with %s.' % (BINDDN, BUID, ldap.UNWILLING_TO_PERFORM.__name__))
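Review bot: The new `dsidm` command at L1688–L1689 carries no `-D`/`-w` bind options where the replaced `ns-inactivate.pl` command did, so whether `account lock` succeeds now depends on how dsidm authenticates in the test environment (presumably its default bind or a `.dsrc`); a one-line comment naming the bind it relies on would make the `p.wait() == 0` assertion at L1692 easier to diagnose when it fails. The retained `ds_paths.version < '1.3'` branch at L1680–L1682 still invokes `ns-inactivate.pl`; if that script is among the legacy tools this commit removes, the branch is dead and should go with it, which would also stop `log.info(cli_cmd)` at L1690 from writing the `-w PASSWORD` argument in clear to the test log on that path. `test_repeated_ldap_add` begins before and continues after this hunk.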


+ 2
- 2
dirsrvtests/tests/suites/acl/roledn_test.py View File

@@ -78,10 +78,10 @@ def _add_user(request, topo):
f'(target="ldap:///{OR_RULE_ACCESS}")(targetattr="*")'
f'(version 3.0; aci "or role aci"; allow(all) '
f'roledn = "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
f'(target="ldap:///{ALL_ACCESS}")(targetattr=*)'
f'(target="ldap:///{ALL_ACCESS}")(targetattr="*")'
f'(version 3.0; aci "anyone role aci"; allow(all) '
f'roledn = "ldap:///anyone";)',
f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr=*)'
f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr="*")'
f'(version 3.0; aci "not role aci"; allow(all)'
f'roledn != "ldap:///{ROLE1} || ldap:///{ROLE21}";)'])



+ 38
- 26
dirsrvtests/tests/suites/acl/search_real_part2_test.py View File

@@ -1,5 +1,5 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# Copyright (C) 2020 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
@@ -24,6 +24,17 @@ USER_ANANDA = "uid=Ananda Borah,{}".format(CONTAINER_2_DELADD)

@pytest.fixture(scope="function")
def aci_of_user(request, topo):
# Add anonymous access aci
ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass

aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')

def finofaci():
@@ -31,9 +42,10 @@ def aci_of_user(request, topo):
domain.set('aci', None)
for i in aci_list:
domain.add("aci", i)
pass

request.addfinalizer(finofaci)

@pytest.fixture(scope="module")
def test_uer(request, topo):
@@ -84,7 +96,7 @@ def test_deny_all_access_with__target_set_on_non_leaf(topo, test_uer, aci_of_use
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target != ldap:///{})(targetattr=*)".format(CONTAINER_2_DELADD)
ACI_TARGET = "(target != ldap:///{})(targetattr=\"*\")".format(CONTAINER_2_DELADD)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
@@ -96,7 +108,7 @@ def test_deny_all_access_with__target_set_on_non_leaf(topo, test_uer, aci_of_use
# After binding with USER_ANUJ , aci will limit the search to itself
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# After binding with root , the actual number of users will be given
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))


def test_deny_all_access_with__target_set_on_wildcard_non_leaf(
@@ -119,7 +131,7 @@ def test_deny_all_access_with__target_set_on_wildcard_non_leaf(
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target != ldap:///ou=Product*,{})(targetattr=*)".format(
ACI_TARGET = "(target != ldap:///ou=Product*,{})(targetattr=\"*\")".format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
@@ -132,7 +144,7 @@ def test_deny_all_access_with__target_set_on_wildcard_non_leaf(
# aci will limit the search to ou=Product it will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root , aci will give actual no of users , without any limit.
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))


def test_deny_all_access_with__target_set_on_wildcard_leaf(
@@ -155,7 +167,7 @@ def test_deny_all_access_with__target_set_on_wildcard_leaf(
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target != ldap:///uid=Anuj*, ou=*,{})(targetattr=*)".format(
ACI_TARGET = "(target != ldap:///uid=Anuj*, ou=*,{})(targetattr=\"*\")".format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
@@ -168,7 +180,7 @@ def test_deny_all_access_with__target_set_on_wildcard_leaf(
# aci will limit the search to cn=Jeff it will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))


def test_deny_all_access_with_targetfilter_using_equality_search(
@@ -191,7 +203,7 @@ def test_deny_all_access_with_targetfilter_using_equality_search(
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = '(targetfilter ="(uid=Anuj Borah)")(target = ldap:///{})(targetattr=*)'.format(
ACI_TARGET = '(targetfilter ="(uid=Anuj Borah)")(target = ldap:///{})(targetattr="*")'.format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
@@ -227,7 +239,7 @@ def test_deny_all_access_with_targetfilter_using_equality_search_two(
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = '(targetfilter !="(uid=Anuj Borah)")(target = ldap:///{})(targetattr=*)'.format(
ACI_TARGET = '(targetfilter !="(uid=Anuj Borah)")(target = ldap:///{})(targetattr="*")'.format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
@@ -240,7 +252,7 @@ def test_deny_all_access_with_targetfilter_using_equality_search_two(
# aci will limit the search to cn=Jeff it will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))


def test_deny_all_access_with_targetfilter_using_substring_search(
@@ -263,7 +275,7 @@ def test_deny_all_access_with_targetfilter_using_substring_search(
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = '(targetfilter ="(uid=Anu*)")(target = ldap:///{})(targetattr=*)'.format(
ACI_TARGET = '(targetfilter ="(uid=Anu*)")(target = ldap:///{})(targetattr="*")'.format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
@@ -299,10 +311,10 @@ def test_deny_all_access_with_targetfilter_using_substring_search_two(
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = '(targetfilter !="(uid=Anu*)")(target = ldap:///{})(targetattr=*)'.format(
ACI_TARGET = '(targetfilter !="(uid=Anu*)")(target = ldap:///{})(targetattr="*")'.format(
DEFAULT_SUFFIX
)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
@@ -313,7 +325,7 @@ def test_deny_all_access_with_targetfilter_using_substring_search_two(
# aci allow anything cn=j*, it will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
# with root there is no blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))


def test_deny_all_access_with_targetfilter_using_boolean_or_of_two_equality_search(
@@ -374,19 +386,19 @@ def test_deny_all_access_to__userdn_two(topo, test_uer, aci_of_user):
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
ACI_TARGET = "(target = ldap:///{})(targetattr=\"*\")".format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn!="ldap:///{}";)'.format(USER_ANANDA)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will not block anything for USER_ANANDA , it block other users
assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will not block anything for USER_ANANDA , it block other users
# aci will block everything for other users
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root thers is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))


def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user):
@@ -407,8 +419,8 @@ def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user):
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_TARGET = "(target = ldap:///{})(targetattr=\"*\")".format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (all)'
ACI_SUBJECT = 'userdn="ldap:///{}";)'.format(USER_ANANDA)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
@@ -416,10 +428,10 @@ def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user):
# aci will block anything for USER_ANANDA , it not block other users
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block anything for USER_ANANDA , it not block other users
assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# aci will block anything for other users
assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root thers is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))


def test_deny_all_access_with_targetfilter_using_presence_search(
@@ -445,7 +457,7 @@ def test_deny_all_access_with_targetfilter_using_presence_search(
user = UserAccounts(topo.standalone, DEFAULT_SUFFIX).create_test_user()
user.set('userPassword', PW_DM)

ACI_TARGET = '(targetfilter ="(cn=*)")(target = ldap:///{})(targetattr=*)'.format(
ACI_TARGET = '(targetfilter ="(cn=*)")(target = ldap:///{})(targetattr="*")'.format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
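Review bot: In the `aci_of_user` fixture (hunk at L1727) `aci_list` is read at L1742 only after `ANON_ACI` has been added at L1738, so `finofaci` restores a set that already contains the anonymous read ACI and the fixture never removes it; the suffix is left granting anonymous read/search/compare (everything but `userpassword`) after each test. If that is unintended, move `aci_list = suffix.get_attr_vals('aci')` ahead of `suffix.add('aci', ANON_ACI)` so teardown returns the suffix to its pre-test state; if leaving it in place is deliberate, which the `TYPE_OR_VALUE_EXISTS` handler suggests, a comment saying so would avoid the surprise. The same ordering appears in `search_real_part3_test.py` at L1955 and should be treated the same way. Separately, the hunks at L1854 and L1899 drop `absolute` from `deny absolute (all)` while every other test in this file keeps it; since that changes the ACI rather than just its quoting, a one-line comment explaining why these two tests differ would help the next reader.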


+ 28
- 17
dirsrvtests/tests/suites/acl/search_real_part3_test.py View File

@@ -1,5 +1,5 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# Copyright (C) 2020 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
@@ -27,7 +27,18 @@ USER_ANANDA = "uid=Ananda Borah,{}".format(CONTAINER_2_DELADD)

@pytest.fixture(scope="function")
def aci_of_user(request, topo):
aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
# Add anonymous access aci
ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass

aci_list = suffix.get_attr_vals('aci')

def finofaci():
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
@@ -36,7 +47,7 @@ def aci_of_user(request, topo):
domain.add("aci", i)

request.addfinalizer(finofaci)

@pytest.fixture(scope="module")
def test_uer(request, topo):
@@ -86,7 +97,7 @@ def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer, aci_of_user)
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
ACI_SUBJECT = (
'userdn="ldap:///%s";)' % "{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX)
@@ -99,7 +110,7 @@ def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer, aci_of_user)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block roomnumber=3445 for all users USER_ANUJ does not have roomnumber
assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
UserAccount(topo.standalone, USER_ANANDA).remove('roomnumber', '3445')

@@ -122,7 +133,7 @@ def test_deny_search_access_to_userdn_with_ldap_url_two(topo, test_uer, aci_of_u
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
ACI_SUBJECT = (
'userdn != "ldap:///%s";)' % "{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX)
@@ -132,7 +143,7 @@ def test_deny_search_access_to_userdn_with_ldap_url_two(topo, test_uer, aci_of_u
UserAccount(topo.standalone, USER_ANANDA).set('roomnumber', '3445')
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will not block all users having roomnumber=3445 , it will block others
assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will not block all users having roomnumber=3445 , it will block others
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
@@ -160,7 +171,7 @@ def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users(
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
ACI_SUBJECT = 'userdn = "ldap:///%s";)' % "{}??sub?(&(cn=*))".format(DEFAULT_SUFFIX)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
@@ -172,7 +183,7 @@ def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users(
# aci will block all users LDAP URL matching all users
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))


def test_deny_read_access_to_a_dynamic_group(topo, test_uer, aci_of_user):
@@ -210,7 +221,7 @@ def test_deny_read_access_to_a_dynamic_group(topo, test_uer, aci_of_user):
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# USER_ANUJ is not a member
assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
group.delete()


@@ -251,7 +262,7 @@ def test_deny_read_access_to_dynamic_group_with_host_port_set_on_ldap_url(
# aci will block 'memberURL', "ldap:///localhost:38901/dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
group.delete()


@@ -290,7 +301,7 @@ def test_deny_read_access_to_dynamic_group_with_scope_set_to_one_in_ldap_url(
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will allow only 'memberURL', "ldap:///{dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"
assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will allow only 'memberURL', "ldap:///{dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
@@ -335,7 +346,7 @@ def test_deny_read_access_to_dynamic_group_two(topo, test_uer, aci_of_user):
# aci will block groupdn = "ldap:///cn=group1,ou=Groups,dc=example,dc=com";)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
group.delete()


@@ -381,7 +392,7 @@ def test_deny_access_to_group_should_deny_access_to_all_uniquemember(
'uniquemember': [USER_ANANDA, USER_ANUJ]
})

Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target = ldap:///{})(targetattr=*)'
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target = ldap:///{})(targetattr="*")'
'(version 3.0; acl "{}"; deny(read)(groupdn = "ldap:///cn=Nested Group 1, {}"); )'.format(DEFAULT_SUFFIX, request.node.name, DEFAULT_SUFFIX))
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# deny_access_to_group_should_deny_access_to_all_uniquemember
@@ -390,7 +401,7 @@ def test_deny_access_to_group_should_deny_access_to_all_uniquemember(
# deny_access_to_group_should_deny_access_to_all_uniquemember
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))


def test_entry_with_lots_100_attributes(topo, test_uer, aci_of_user):
@@ -417,10 +428,10 @@ def test_entry_with_lots_100_attributes(topo, test_uer, aci_of_user):
# no aci no blockage
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj*)'))
# no aci no blockage
assert 102 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
assert 103 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
conn = Anonymous(topo.standalone).bind()
# anonymous_search_on_monitor_entry
assert 102 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
assert 103 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))


@pytest.mark.bz301798


+ 26
- 15
dirsrvtests/tests/suites/acl/search_real_test.py View File

@@ -1,5 +1,5 @@
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.