Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
*
* Copyright 2008-2009 Sun Microsystems, Inc.
* Portions Copyright 2013-2016 ForgeRock AS.
* Portions Copyright 2026 3A Systems, LLC
*/
package org.opends.server.authorization.dseecompat;

Expand All @@ -29,7 +30,7 @@

/** This class tests ACI behavior using alternate root bind DNs. */
@SuppressWarnings("javadoc")
public class AlternateRootDN extends AciTestCase {
public class AlternateRootDNTestCase extends AciTestCase {

private static final String user1="uid=user.1,ou=People,o=test";
private static final String user3="uid=user.3,ou=People,o=test";
Expand All @@ -43,6 +44,17 @@ public class AlternateRootDN extends AciTestCase {
"(version 3.0; acl \"proxy" + user3 + "\";" +
"allow (proxy) userdn=\"ldap:///" + user3 + "\";)";

/**
* The proxy right for a proxied authorization control is evaluated against
* the entry being authorized as - here the root DN entries under cn=config -
* so it must be granted through a global ACI.
*/
private static final
String globalProxyACI = "(target = \"ldap:///cn=Root DNs,cn=config\")" +
"(targetattr = \"*\")" +
"(version 3.0; acl \"global proxy " + user3 + "\";" +
"allow (proxy) userdn=\"ldap:///" + user3 + "\";)";

/** Need an ACI to allow proxy control. */
private static final
String controlACI = "(targetcontrol=\"" + OID_PROXIED_AUTH_V2 + "\")" +
Expand All @@ -64,6 +76,7 @@ public void setupClass() throws Exception {
@BeforeMethod
public void clearBackend() throws Exception {
deleteAttrFromEntry(user1, "aci");
deleteAttrFromEntry(user3, "aci");
deleteAttrFromAdminEntry(ACCESS_HANDLER_DN, ATTR_AUTHZ_GLOBAL_ACI);
}

Expand Down Expand Up @@ -113,8 +126,15 @@ public void testAlternateDNs() throws Exception {
*/
@Test
public void testAlternateProxyDNs() throws Exception {
String aciLdif=makeAddLDIF("aci", user1, rootDNACI, proxyACI, controlACI);
String aciLdif=makeAddLDIF("aci", user1, rootDNACI, proxyACI);
LDIFModify(aciLdif, DIR_MGR_DN, PWD);
// The targetcontrol ACI for the proxied authorization control is
// evaluated against the entry of the authenticated user (user3), not
// against the search target, so it must be placed on that entry.
String controlAciLdif=makeAddLDIF("aci", user3, controlACI);
LDIFModify(controlAciLdif, DIR_MGR_DN, PWD);
String globalAciLdif=makeAddLDIF(ATTR_AUTHZ_GLOBAL_ACI, ACCESS_HANDLER_DN, globalProxyACI);
LDIFAdminModify(globalAciLdif, DIR_MGR_DN, PWD);
String adminDNResults =
LDAPSearchParams(user3, PWD, adminDN, null, null,
user1, pwdFilter, ATTR_USER_PASSWORD);
Expand All @@ -128,11 +148,12 @@ public void testAlternateProxyDNs() throws Exception {
Map<String, String> attrMap1 = getAttrMap(adminRootDNResults);
assertTrue(attrMap1.containsKey(ATTR_USER_PASSWORD));
String rootDNResults =
LDAPSearchParams(user3, PWD, adminDN, null, null,
LDAPSearchParams(user3, PWD, rootDN, null, null,
user1, pwdFilter, ATTR_USER_PASSWORD);
assertNotEquals(rootDNResults, "");
Map<String, String> attrMap2 = getAttrMap(rootDNResults);
assertTrue(attrMap2.containsKey(ATTR_USER_PASSWORD));
deleteAttrFromEntry(user1, "aci");
deleteAttrFromEntry(user3, "aci");
}
}