Skip to content

Commit 65ea66b

Browse files
authored
Fix and enable the AlternateRootDN ACI test (#706)
1 parent 878917f commit 65ea66b

1 file changed

Lines changed: 24 additions & 3 deletions

File tree

opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDN.java renamed to opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDNTestCase.java

Lines changed: 24 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@
1313
*
1414
* Copyright 2008-2009 Sun Microsystems, Inc.
1515
* Portions Copyright 2013-2016 ForgeRock AS.
16+
* Portions Copyright 2026 3A Systems, LLC
1617
*/
1718
package org.opends.server.authorization.dseecompat;
1819

@@ -29,7 +30,7 @@
2930

3031
/** This class tests ACI behavior using alternate root bind DNs. */
3132
@SuppressWarnings("javadoc")
32-
public class AlternateRootDN extends AciTestCase {
33+
public class AlternateRootDNTestCase extends AciTestCase {
3334

3435
private static final String user1="uid=user.1,ou=People,o=test";
3536
private static final String user3="uid=user.3,ou=People,o=test";
@@ -43,6 +44,17 @@ public class AlternateRootDN extends AciTestCase {
4344
"(version 3.0; acl \"proxy" + user3 + "\";" +
4445
"allow (proxy) userdn=\"ldap:///" + user3 + "\";)";
4546

47+
/**
48+
* The proxy right for a proxied authorization control is evaluated against
49+
* the entry being authorized as - here the root DN entries under cn=config -
50+
* so it must be granted through a global ACI.
51+
*/
52+
private static final
53+
String globalProxyACI = "(target = \"ldap:///cn=Root DNs,cn=config\")" +
54+
"(targetattr = \"*\")" +
55+
"(version 3.0; acl \"global proxy " + user3 + "\";" +
56+
"allow (proxy) userdn=\"ldap:///" + user3 + "\";)";
57+
4658
/** Need an ACI to allow proxy control. */
4759
private static final
4860
String controlACI = "(targetcontrol=\"" + OID_PROXIED_AUTH_V2 + "\")" +
@@ -64,6 +76,7 @@ public void setupClass() throws Exception {
6476
@BeforeMethod
6577
public void clearBackend() throws Exception {
6678
deleteAttrFromEntry(user1, "aci");
79+
deleteAttrFromEntry(user3, "aci");
6780
deleteAttrFromAdminEntry(ACCESS_HANDLER_DN, ATTR_AUTHZ_GLOBAL_ACI);
6881
}
6982

@@ -113,8 +126,15 @@ public void testAlternateDNs() throws Exception {
113126
*/
114127
@Test
115128
public void testAlternateProxyDNs() throws Exception {
116-
String aciLdif=makeAddLDIF("aci", user1, rootDNACI, proxyACI, controlACI);
129+
String aciLdif=makeAddLDIF("aci", user1, rootDNACI, proxyACI);
117130
LDIFModify(aciLdif, DIR_MGR_DN, PWD);
131+
// The targetcontrol ACI for the proxied authorization control is
132+
// evaluated against the entry of the authenticated user (user3), not
133+
// against the search target, so it must be placed on that entry.
134+
String controlAciLdif=makeAddLDIF("aci", user3, controlACI);
135+
LDIFModify(controlAciLdif, DIR_MGR_DN, PWD);
136+
String globalAciLdif=makeAddLDIF(ATTR_AUTHZ_GLOBAL_ACI, ACCESS_HANDLER_DN, globalProxyACI);
137+
LDIFAdminModify(globalAciLdif, DIR_MGR_DN, PWD);
118138
String adminDNResults =
119139
LDAPSearchParams(user3, PWD, adminDN, null, null,
120140
user1, pwdFilter, ATTR_USER_PASSWORD);
@@ -128,11 +148,12 @@ public void testAlternateProxyDNs() throws Exception {
128148
Map<String, String> attrMap1 = getAttrMap(adminRootDNResults);
129149
assertTrue(attrMap1.containsKey(ATTR_USER_PASSWORD));
130150
String rootDNResults =
131-
LDAPSearchParams(user3, PWD, adminDN, null, null,
151+
LDAPSearchParams(user3, PWD, rootDN, null, null,
132152
user1, pwdFilter, ATTR_USER_PASSWORD);
133153
assertNotEquals(rootDNResults, "");
134154
Map<String, String> attrMap2 = getAttrMap(rootDNResults);
135155
assertTrue(attrMap2.containsKey(ATTR_USER_PASSWORD));
136156
deleteAttrFromEntry(user1, "aci");
157+
deleteAttrFromEntry(user3, "aci");
137158
}
138159
}

0 commit comments

Comments
 (0)