From 15e511ea220975c60e43ba2d6bcbf3ebecbc8e37 Mon Sep 17 00:00:00 2001 From: Valera V Harseko Date: Sun, 5 Jul 2026 10:36:09 +0300 Subject: [PATCH] Fix and enable the AlternateRootDN ACI test The test class name never matched the failsafe include patterns, so it has not run since the Maven migration, and it rotted against two changes in the proxied authorization ACI semantics: - the targetcontrol ACI for the proxied authorization control is evaluated against the entry of the authenticated user, not against the search target, so it must be placed on that entry; - the proxy right is evaluated against the entry being authorized as - here the root DN entries under cn=config - so it must be granted through a global ACI targeting cn=Root DNs,cn=config. Also fix a copy-paste error (the third search proxied as the admin alternate DN instead of the root one) and rename the class to AlternateRootDNTestCase so that the failsafe include patterns pick it up (2/2 green, ~14s). --- ...otDN.java => AlternateRootDNTestCase.java} | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) rename opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/{AlternateRootDN.java => AlternateRootDNTestCase.java} (83%) diff --git a/opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDN.java b/opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDNTestCase.java similarity index 83% rename from opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDN.java rename to opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDNTestCase.java index 3cc6833a49..5a2298686f 100644 --- a/opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDN.java +++ b/opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDNTestCase.java @@ -13,6 +13,7 @@ * * Copyright 2008-2009 Sun Microsystems, Inc. * Portions Copyright 2013-2016 ForgeRock AS. + * Portions Copyright 2026 3A Systems, LLC */ package org.opends.server.authorization.dseecompat; @@ -29,7 +30,7 @@ /** This class tests ACI behavior using alternate root bind DNs. */ @SuppressWarnings("javadoc") -public class AlternateRootDN extends AciTestCase { +public class AlternateRootDNTestCase extends AciTestCase { private static final String user1="uid=user.1,ou=People,o=test"; private static final String user3="uid=user.3,ou=People,o=test"; @@ -43,6 +44,17 @@ public class AlternateRootDN extends AciTestCase { "(version 3.0; acl \"proxy" + user3 + "\";" + "allow (proxy) userdn=\"ldap:///" + user3 + "\";)"; + /** + * The proxy right for a proxied authorization control is evaluated against + * the entry being authorized as - here the root DN entries under cn=config - + * so it must be granted through a global ACI. + */ + private static final + String globalProxyACI = "(target = \"ldap:///cn=Root DNs,cn=config\")" + + "(targetattr = \"*\")" + + "(version 3.0; acl \"global proxy " + user3 + "\";" + + "allow (proxy) userdn=\"ldap:///" + user3 + "\";)"; + /** Need an ACI to allow proxy control. */ private static final String controlACI = "(targetcontrol=\"" + OID_PROXIED_AUTH_V2 + "\")" + @@ -64,6 +76,7 @@ public void setupClass() throws Exception { @BeforeMethod public void clearBackend() throws Exception { deleteAttrFromEntry(user1, "aci"); + deleteAttrFromEntry(user3, "aci"); deleteAttrFromAdminEntry(ACCESS_HANDLER_DN, ATTR_AUTHZ_GLOBAL_ACI); } @@ -113,8 +126,15 @@ public void testAlternateDNs() throws Exception { */ @Test public void testAlternateProxyDNs() throws Exception { - String aciLdif=makeAddLDIF("aci", user1, rootDNACI, proxyACI, controlACI); + String aciLdif=makeAddLDIF("aci", user1, rootDNACI, proxyACI); LDIFModify(aciLdif, DIR_MGR_DN, PWD); + // The targetcontrol ACI for the proxied authorization control is + // evaluated against the entry of the authenticated user (user3), not + // against the search target, so it must be placed on that entry. + String controlAciLdif=makeAddLDIF("aci", user3, controlACI); + LDIFModify(controlAciLdif, DIR_MGR_DN, PWD); + String globalAciLdif=makeAddLDIF(ATTR_AUTHZ_GLOBAL_ACI, ACCESS_HANDLER_DN, globalProxyACI); + LDIFAdminModify(globalAciLdif, DIR_MGR_DN, PWD); String adminDNResults = LDAPSearchParams(user3, PWD, adminDN, null, null, user1, pwdFilter, ATTR_USER_PASSWORD); @@ -128,11 +148,12 @@ public void testAlternateProxyDNs() throws Exception { Map attrMap1 = getAttrMap(adminRootDNResults); assertTrue(attrMap1.containsKey(ATTR_USER_PASSWORD)); String rootDNResults = - LDAPSearchParams(user3, PWD, adminDN, null, null, + LDAPSearchParams(user3, PWD, rootDN, null, null, user1, pwdFilter, ATTR_USER_PASSWORD); assertNotEquals(rootDNResults, ""); Map attrMap2 = getAttrMap(rootDNResults); assertTrue(attrMap2.containsKey(ATTR_USER_PASSWORD)); deleteAttrFromEntry(user1, "aci"); + deleteAttrFromEntry(user3, "aci"); } }