revision ea1068c292e9b341af6d6b563cd8988a96be20a9
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* or
* See the License for the specific language governing permissions
* and limitations under the License.
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
* Copyright 2008-2009 Sun Microsystems, Inc.
* Portions Copyright 2011-2015 ForgeRock AS.
* Unit test to test the proxy bind functionality.
package org.opends.server.authorization.dseecompat;
import java.util.Hashtable;
import javax.naming.Context;
import org.opends.server.TestCaseUtils;
import org.opends.server.protocols.ldap.LDAPResultCode;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
* This test tests the proxy bind access control support added to allow
* authzid's in Sasl Binds.
public class ProxyBindTestCase extends AciTestCase {
private static final String factory = "com.sun.jndi.ldap.LdapCtxFactory";
private static final String aciEntry = "o=test";
private static final String proxyUser="uid=proxyUser,ou=People,o=test";
private static final String proxyUserID="proxyUser";
private static final String proxyUserIDu="u:proxyUser";
private static final String proxyUserURL="\"ldap:///" + proxyUser + "\"";
private static final String aciUser="uid=aciUser,ou=People,o=test";
private static final String aciUserID="aciUser";
private static final String aciUserIDu="u:aciUser";
private static final String aciUserURL = "\"ldap:///" +
aciUser + "\"";
private static final String regUser="uid=regUser,ou=People,o=test";
private static final String bypassAccessUser="uid=bypassAcl,ou=People,o=test";
private static final String bypassAccessUserID="bypassAcl";
private static final String bypassAccessUserIDu="u:bypassAcl";
private static final String pwdPolicy = "Aci Temp Policy";
private static final
String aci = "(targetattr=\"*\")" +
"(target=" + proxyUserURL + ")" +
"(version 3.0; acl \"bypass aci\";" +
"allow(proxy,write) userdn=" + aciUserURL + ";)";
public void setupClass() throws Exception {
"--handler-name", "DIGEST-MD5",
"--set", "server-fqdn:localhost");
"--type", "password-policy",
"--policy-name", pwdPolicy,
"--set", "password-attribute:userPassword",
"--set", "default-password-storage-scheme: Clear"
String addLDIF = makeAddLDIF("aci", aciEntry, aci);
"dn: uid=proxyUser,ou=People,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"uid: proxyUser",
"givenName: proxyUser",
"sn: proxyUser",
"cn: proxyUser",
"userPassword: password",
"ds-pwp-password-policy-dn:" +
"cn=Aci Temp Policy,cn=Password Policies,cn=config",
"dn: uid=aciUser,ou=People,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"uid: aciUser",
"givenName: aciUser",
"sn: aciUser",
"cn: aciUser",
"userPassword: password",
"ds-privilege-name: proxied-auth",
"ds-pwp-password-policy-dn:" +
"cn=Aci Temp Policy,cn=Password Policies,cn=config",
"dn: uid=bypassAcl,ou=People,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"uid: bypassAcl",
"givenName: bypassAcl",
"sn: bypassAcl",
"cn: bypassAcl",
"userPassword: password",
"ds-privilege-name: bypass-acl",
"ds-privilege-name: proxied-auth",
"ds-pwp-password-policy-dn:" + "" +
"cn=Aci Temp Policy,cn=Password Policies,cn=config",
"dn: uid=regUser,ou=People,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"uid: regUser",
"givenName: regUser",
"sn: regUser",
"cn: regUser",
"userPassword: password",
"ds-pwp-password-policy-dn:" +
"cn=Aci Temp Policy,cn=Password Policies,cn=config");
@BeforeMethod(alwaysRun = true)
public void methodSetup() throws Exception {
deleteAttrFromAdminEntry(proxyUser, "description");
@AfterClass(alwaysRun = true)
public void tearDown() throws Exception {
deleteAttrFromEntry(aciEntry, "aci");
"--handler-name", "DIGEST-MD5",
"--reset", "server-fqdn",
"--reset", "quality-of-protection");
* Test DIGEST-MD5 SASL binds using various combinations of authID and
* authZIDs. The user binding is allowed because of an aci added.
* @throws Exception If an error occurs.
public void testAci() throws Exception {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, factory);
int port = TestCaseUtils.getServerLdapPort();
String url = "ldap://localhost:" + Integer.valueOf(port);
env.put(Context.PROVIDER_URL, url);
String authID = "dn:" + aciUser;
String authZID = "dn:" + proxyUser;
env.put("", authZID);
env.put(Context.SECURITY_PRINCIPAL, authID);
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put("", "auth");
JNDIModify(env, proxyUser, "description", "a description",
deleteAttrFromAdminEntry(proxyUser, "description");
env.put("", proxyUserID);
env.put(Context.SECURITY_PRINCIPAL, aciUserID);
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put("", "auth");
JNDIModify(env, proxyUser, "description", "a description",
deleteAttrFromAdminEntry(proxyUser, "description");
env.put("", proxyUserIDu);
env.put(Context.SECURITY_PRINCIPAL, aciUserIDu);
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put("", "auth");
JNDIModify(env, proxyUser, "description", "a description",
deleteAttrFromAdminEntry(proxyUser, "description");
env.put("", proxyUserID);
env.put(Context.SECURITY_PRINCIPAL, "dn:" + regUser);
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put("", "auth");
JNDIModify(env, proxyUser, "description", "a description",
* Test DIGEST-MD5 SASL binds using various combinations of authID and
* authZIDs. The user binding is allowed because it has bypass-acl
* privileges.
* @throws Exception If an error occurs.
public void testBypass() throws Exception {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, factory);
int port = TestCaseUtils.getServerLdapPort();
String url = "ldap://localhost:" + Integer.valueOf(port);
env.put(Context.PROVIDER_URL, url);
String authID = "dn:" + bypassAccessUser;
String authZID = "dn:" + proxyUser;
env.put("", authZID);
env.put(Context.SECURITY_PRINCIPAL, authID);
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put("", "auth");
JNDIModify(env, proxyUser, "description", "a description",
deleteAttrFromAdminEntry(proxyUser, "description");
env.put("", bypassAccessUserID);
env.put(Context.SECURITY_PRINCIPAL, authID);
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put("", "auth");
JNDIModify(env, proxyUser, "description", "a description",
deleteAttrFromAdminEntry(proxyUser, "description");
env.put("", bypassAccessUserIDu);
env.put(Context.SECURITY_PRINCIPAL, authID);
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put("", "auth");
JNDIModify(env, proxyUser, "description", "a description",