1313 *
1414 * Copyright 2008-2009 Sun Microsystems, Inc.
1515 * Portions Copyright 2013-2016 ForgeRock AS.
16+ * Portions Copyright 2026 3A Systems, LLC
1617 */
1718package org .opends .server .authorization .dseecompat ;
1819
2930
3031/** This class tests ACI behavior using alternate root bind DNs. */
3132@ SuppressWarnings ("javadoc" )
32- public class AlternateRootDN extends AciTestCase {
33+ public class AlternateRootDNTestCase extends AciTestCase {
3334
3435 private static final String user1 ="uid=user.1,ou=People,o=test" ;
3536 private static final String user3 ="uid=user.3,ou=People,o=test" ;
@@ -43,6 +44,17 @@ public class AlternateRootDN extends AciTestCase {
4344 "(version 3.0; acl \" proxy" + user3 + "\" ;" +
4445 "allow (proxy) userdn=\" ldap:///" + user3 + "\" ;)" ;
4546
47+ /**
48+ * The proxy right for a proxied authorization control is evaluated against
49+ * the entry being authorized as - here the root DN entries under cn=config -
50+ * so it must be granted through a global ACI.
51+ */
52+ private static final
53+ String globalProxyACI = "(target = \" ldap:///cn=Root DNs,cn=config\" )" +
54+ "(targetattr = \" *\" )" +
55+ "(version 3.0; acl \" global proxy " + user3 + "\" ;" +
56+ "allow (proxy) userdn=\" ldap:///" + user3 + "\" ;)" ;
57+
4658 /** Need an ACI to allow proxy control. */
4759 private static final
4860 String controlACI = "(targetcontrol=\" " + OID_PROXIED_AUTH_V2 + "\" )" +
@@ -64,6 +76,7 @@ public void setupClass() throws Exception {
6476 @ BeforeMethod
6577 public void clearBackend () throws Exception {
6678 deleteAttrFromEntry (user1 , "aci" );
79+ deleteAttrFromEntry (user3 , "aci" );
6780 deleteAttrFromAdminEntry (ACCESS_HANDLER_DN , ATTR_AUTHZ_GLOBAL_ACI );
6881 }
6982
@@ -113,8 +126,15 @@ public void testAlternateDNs() throws Exception {
113126 */
114127 @ Test
115128 public void testAlternateProxyDNs () throws Exception {
116- String aciLdif =makeAddLDIF ("aci" , user1 , rootDNACI , proxyACI , controlACI );
129+ String aciLdif =makeAddLDIF ("aci" , user1 , rootDNACI , proxyACI );
117130 LDIFModify (aciLdif , DIR_MGR_DN , PWD );
131+ // The targetcontrol ACI for the proxied authorization control is
132+ // evaluated against the entry of the authenticated user (user3), not
133+ // against the search target, so it must be placed on that entry.
134+ String controlAciLdif =makeAddLDIF ("aci" , user3 , controlACI );
135+ LDIFModify (controlAciLdif , DIR_MGR_DN , PWD );
136+ String globalAciLdif =makeAddLDIF (ATTR_AUTHZ_GLOBAL_ACI , ACCESS_HANDLER_DN , globalProxyACI );
137+ LDIFAdminModify (globalAciLdif , DIR_MGR_DN , PWD );
118138 String adminDNResults =
119139 LDAPSearchParams (user3 , PWD , adminDN , null , null ,
120140 user1 , pwdFilter , ATTR_USER_PASSWORD );
@@ -128,11 +148,12 @@ public void testAlternateProxyDNs() throws Exception {
128148 Map <String , String > attrMap1 = getAttrMap (adminRootDNResults );
129149 assertTrue (attrMap1 .containsKey (ATTR_USER_PASSWORD ));
130150 String rootDNResults =
131- LDAPSearchParams (user3 , PWD , adminDN , null , null ,
151+ LDAPSearchParams (user3 , PWD , rootDN , null , null ,
132152 user1 , pwdFilter , ATTR_USER_PASSWORD );
133153 assertNotEquals (rootDNResults , "" );
134154 Map <String , String > attrMap2 = getAttrMap (rootDNResults );
135155 assertTrue (attrMap2 .containsKey (ATTR_USER_PASSWORD ));
136156 deleteAttrFromEntry (user1 , "aci" );
157+ deleteAttrFromEntry (user3 , "aci" );
137158 }
138159}
0 commit comments