aci.xml revision 945930ece8ea73e5184836bf0bf3efad2e3e6c36
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "/shared/stax.dtd">
<!--
! CDDL HEADER START
!
! The contents of this file are subject to the terms of the
! Common Development and Distribution License, Version 1.0 only
! (the "License"). You may not use this file except in compliance
! with the License.
!
! You can obtain a copy of the license at
! trunk/opends/resource/legal-notices/OpenDS.LICENSE
! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
! See the License for the specific language governing permissions
! and limitations under the License.
!
! When distributing Covered Code, include this CDDL HEADER in each
! file and include the License file at
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
! add the following below this CDDL HEADER, with the fields enclosed
! by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CDDL HEADER END
!
! Copyright 2010 Sun Microsystems, Inc.
! Portions Copyright 2011 ForgeRock AS.
! -->
<stax>
<defaultcall function="replication_aci"/>
<function name="replication_aci">
<sequence>
<block name="'aci'">
<sequence>
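<!-- Record where this suite sits in the test hierarchy before the suite
     preamble runs. -->
<script>
  # Set the group name only when the key is not already present.
  if not CurrentTestPath.has_key('group'):
    CurrentTestPath['group']='aci'
  # The suite name is always taken from the STAX block currently running.
  CurrentTestPath['suite']=STAXCurrentBlock
</script>
<call function="'testSuite_Preamble'"/>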
<!--- Test Suite information
#@TestSuiteName Replication ACI Tests
#@TestSuitePurpose Verify that updates on ACIs are replicated all
right and are applied accordingly across the
topology.
#@TestSuiteID ACI Tests
#@TestSuiteGroup ACI
#@TestGroup Replication
#@TestScript replication_aci.xml
#@TestHTMLLink http://opends.dev.java.net/
-->
<!-- Load the shared replication setup function from the local STAF machine
     and run it with the Short_Example.ldif data file. -->
<import machine="STAF_LOCAL_HOSTNAME"
        file="'%s/testcases/replication/replication_setup.xml' % (TESTS_DIR)"/>
<call function="'replication_setup'">
  { 'dataFile' : 'Short_Example.ldif' }
</call>
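<script>
  # Helper used by the test cases below: an entry located under
  # ou=People,<suffix>, described by its DN and a list of
  # 'attributeType:value' strings.
  class Entry:
    def __init__(self, rdn, suffix):
      # rdn is the leftmost DN component, e.g. 'cn=ACI user'.
      self.userDn = '%s,ou=People,%s' % (rdn, suffix)
      self.suffix = suffix
      # Every entry starts with the same four object classes.
      self.listAttr = [
        'objectclass:top',
        'objectclass:organizationalperson',
        'objectclass:inetorgperson',
        'objectclass:person',
      ]

    def getDn(self):
      # Full DN of the entry.
      return self.userDn

    def getSuffix(self):
      # Suffix the entry was created under.
      return self.suffix

    def getAttrList(self):
      # The live attribute list (not a copy).
      return self.listAttr

    def addAttr(self, attrType, attrValue):
      # Append one 'type:value' pair; values are stored as given,
      # including any userpassword value, which stays in clear text.
      self.listAttr.append('%s:%s' % (attrType, attrValue))
</script>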
<!--- Test Case information
#@TestMarker Replication ACI Tests
#@TestName Replication: ACI: Add entry with ACI
#@TestID Add entry with ACI
#@TestPurpose Check ACI replication over an entry add
#@TestPreamble
#@TestSteps Add entry with ACI: deny self description write
#@TestSteps Binding as entry, add givenname to entry
(expect SUCCESS)
#@TestSteps Binding as entry, add description to entry
(expect ERROR 50)
#@TestPostamble
#@TestResult Success if the servers synchronised and the aci
correctly applied after replication
-->
<testcase name="getTestCaseName('Add entry with ACI')">
  <sequence>
    <call function="'testCase_Preamble'"/>
    <message>
      ('Replication: ACI: Add entry with ACI. Check ACI replication '
       'over an entry add.')
    </message>

    <!-- Build an entry that carries its own ACI: a bind as the entry itself
         is refused write access to its description attribute. -->
    <script>
      myAci = "(targetattr=\"description\")(version 3.0; acl \"Deny Self Description Write\"; deny (write) userdn=\"ldap:///self\";)"
      myUserpassword = 'entryPwd'
      myEntry = Entry('cn=ACI entry', synchroSuffix)
      myEntry.addAttr('sn', 'ACI repl tests')
      myEntry.addAttr('aci', myAci)
      myEntry.addAttr('userpassword', myUserpassword)
    </script>

    <!-- The entry is added on the master only, bound as the root DN; the
         other servers receive it, ACI included, through replication. -->
    <message>
      'Add entry %s with ACI: \n%s' % (myEntry.getDn(), myAci)
    </message>
    <call function="'addAnEntry'">
      { 'location'       : masterHost,
        'dsPath'         : masterPath,
        'dsInstanceHost' : masterHost,
        'dsInstancePort' : master.getPort(),
        'dsInstanceDn'   : master.getRootDn(),
        'dsInstancePswd' : master.getRootPwd(),
        'DNToAdd'        : myEntry.getDn(),
        'listAttributes' : myEntry.getAttrList()
      }
    </call>
    <message>
      ('+++ New ACI +++\nDeny "%s" the access to write its own '
       'description attribute.' % myEntry.getDn())
    </message>

    <!-- Enforcement is checked on every server of the topology, not only on
         the server that received the add. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
          myGivenname = 'My own GIVENNAME value %s' % i
          myDescription = 'My own DESCRIPTION value %s' % i
        </script>

        <!-- Control case: the same bind may still write givenname, so a
             refusal below is specific to the description attribute. -->
        <message>
          ('Binding as "%s", add givenname %s to entry %s on server '
           '%s:%s. -- Expect: SUCCESS'
           % (myEntry.getDn(), myGivenname, myEntry.getDn(),
              server.getHostname(), server.getPort()))
        </message>
        <call function="'modifyAnAttribute'">
          { 'location'          : server.getHostname(),
            'dsPath'            : serverPath,
            'dsInstanceHost'    : server.getHostname(),
            'dsInstancePort'    : server.getPort(),
            'dsInstanceDn'      : myEntry.getDn(),
            'dsInstancePswd'    : myUserpassword,
            'DNToModify'        : myEntry.getDn(),
            'attributeName'     : 'givenname',
            'newAttributeValue' : myGivenname,
            'changetype'        : 'add'
          }
        </call>

        <!-- Denied case: the write to description must come back with
             result code 50 (insufficient access rights). -->
        <message>
          ('Binding as "%s", add description %s to entry %s on '
           'server %s:%s. -- Expect: ERROR 50 (Insufficient Access '
           'Rights)'
           % (myEntry.getDn(), myDescription, myEntry.getDn(),
              server.getHostname(), server.getPort()))
        </message>
        <call function="'modifyAnAttribute'">
          { 'location'          : server.getHostname(),
            'dsPath'            : serverPath,
            'dsInstanceHost'    : server.getHostname(),
            'dsInstancePort'    : server.getPort(),
            'dsInstanceDn'      : myEntry.getDn(),
            'dsInstancePswd'    : myUserpassword,
            'DNToModify'        : myEntry.getDn(),
            'attributeName'     : 'description',
            'newAttributeValue' : myDescription,
            'changetype'        : 'add',
            'expectedRC'        : 50
          }
        </call>
      </sequence>
    </iterate>

    <!-- The givenname writes made on each server must have converged
         across the whole topology. -->
    <call function="'verifyTrees'">
      [ clientHost, clientPath, master, consumerList, synchroSuffix ]
    </call>
    <call function="'testCase_Postamble'"/>
  </sequence>
</testcase>
<!--- Test Case information
#@TestMarker Replication ACI Tests
#@TestName Replication: ACI: Modify_add ACI
#@TestID Modify_add ACI
#@TestPurpose Check ACI replication over a modify_add
#@TestPreamble Add a user entry to suffix
#@TestSteps Binding as user, add description to child entry
(expect ERROR 50)
#@TestSteps Add ACI to parent entry: allow user full access
to all description attributes
#@TestSteps Binding as user, add description to child entry
(expect SUCCESS)
#@TestPostamble
#@TestResult Success if the servers synchronised and the aci
correctly applied after replication
-->
<testcase name="getTestCaseName('Modify_add ACI')">
  <sequence>
    <call function="'testCase_Preamble'"/>
    <message>
      ('Replication: ACI: Modify_add ACI. Check ACI replication '
       'over a modify_add.')
    </message>

    <!-- cn=ACI user is the subject of the ACI; uid=sholmes is the entry
         whose description attribute that user will try to write. -->
    <script>
      myAci = "(targetattr=\"description\")(version 3.0; acl \"Allow ACI-user access to description\"; allow (all) userdn=\"ldap:///cn=ACI user,ou=People,%s\";)" % synchroSuffix
      mySn = 'ACI repl user'
      myUserpassword = 'userPwd'
      myEntry = Entry('cn=ACI user', synchroSuffix)
      myEntry.addAttr('sn', mySn)
      myEntry.addAttr('userpassword', myUserpassword)
      myTargetEntryDn = 'uid=sholmes,ou=People,%s' % synchroSuffix
    </script>

    <!-- Create the user on the master, bound as the root DN. Later test
         cases bind as this same user without adding it again. -->
    <message>
      'Add user entry %s' % myEntry.getDn()
    </message>
    <call function="'addAnEntry'">
      { 'location'       : masterHost,
        'dsPath'         : masterPath,
        'dsInstanceHost' : masterHost,
        'dsInstancePort' : master.getPort(),
        'dsInstanceDn'   : master.getRootDn(),
        'dsInstancePswd' : master.getRootPwd(),
        'DNToAdd'        : myEntry.getDn(),
        'listAttributes' : myEntry.getAttrList()
      }
    </call>

    <!-- Baseline before the ACI exists: on every server the write must be
         refused, so the later success can be attributed to the new ACI. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
          myDescription = 'He was a serious opium adict - %s' % i
        </script>
        <message>
          ('Binding as "%s", add description %s to entry %s on '
           'server %s:%s. -- Expect: ERROR 50 (Insufficient Access '
           'Rights)'
           % (myEntry.getDn(), myDescription, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'modifyAnAttribute'">
          { 'location'          : server.getHostname(),
            'dsPath'            : serverPath,
            'dsInstanceHost'    : server.getHostname(),
            'dsInstancePort'    : server.getPort(),
            'dsInstanceDn'      : myEntry.getDn(),
            'dsInstancePswd'    : myUserpassword,
            'DNToModify'        : myTargetEntryDn,
            'attributeName'     : 'description',
            'newAttributeValue' : myDescription,
            'changetype'        : 'add',
            'expectedRC'        : 50
          }
        </call>
      </sequence>
    </iterate>

    <!-- Add the allow rule as a new aci value on ou=People,<suffix>, on the
         master only and bound as the root DN. -->
    <message>
      'Add ACI to entry ou=People,%s: \n%s' % (synchroSuffix, myAci)
    </message>
    <call function="'modifyAnAttribute'">
      { 'location'          : masterHost,
        'dsPath'            : masterPath,
        'dsInstanceHost'    : masterHost,
        'dsInstancePort'    : master.getPort(),
        'dsInstanceDn'      : master.getRootDn(),
        'dsInstancePswd'    : master.getRootPwd(),
        'DNToModify'        : 'ou=People,%s' % synchroSuffix,
        'attributeName'     : 'aci',
        'newAttributeValue' : myAci,
        'changetype'        : 'add'
      }
    </call>
    <message>
      ('+++ New ACI +++\nAllow "%s" full access to all description '
       'attributes under ou=People,%s.'
       % (myEntry.getDn(), synchroSuffix))
    </message>

    <!-- Same write as in the baseline loop; it must now succeed on every
         server, which shows the ACI reached and is applied by each one. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
          myDescription = 'He was a serious opium adict - %s' % i
        </script>
        <message>
          ('Binding as "%s", add description %s to entry %s on '
           'server %s:%s. -- Expect: SUCCESS'
           % (myEntry.getDn(), myDescription, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'modifyAnAttribute'">
          { 'location'          : server.getHostname(),
            'dsPath'            : serverPath,
            'dsInstanceHost'    : server.getHostname(),
            'dsInstancePort'    : server.getPort(),
            'dsInstanceDn'      : myEntry.getDn(),
            'dsInstancePswd'    : myUserpassword,
            'DNToModify'        : myTargetEntryDn,
            'attributeName'     : 'description',
            'newAttributeValue' : myDescription,
            'changetype'        : 'add'
          }
        </call>
      </sequence>
    </iterate>

    <!-- All servers must hold identical trees once the writes above have
         been replicated. -->
    <call function="'verifyTrees'">
      [ clientHost, clientPath, master, consumerList, synchroSuffix ]
    </call>
    <call function="'testCase_Postamble'"/>
  </sequence>
</testcase>
<!--- Test Case information
#@TestMarker Replication ACI Tests
#@TestName Replication: ACI: Modify_replace ACI target
#@TestID Modify_replace ACI target
#@TestPurpose Check ACI replication over a modify_replace of
the ACI target
#@TestPreamble
#@TestSteps Binding as user, add telephonenumber to child
entry (expect ERROR 50)
#@TestSteps Replace ACI on parent entry: allow user full
access to all telephonenumber attributes
#@TestSteps Binding as user, add telephonenumber to child
entry (expect SUCCESS)
#@TestPostamble
#@TestResult Success if the servers synchronised and the aci
correctly applied after replication
-->
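<testcase name="getTestCaseName('Modify_replace ACI target')">
  <sequence>
    <call function="'testCase_Preamble'"/>
    <message>
      ('Replication: ACI: Modify_replace ACI target. Check ACI '
       'replication over a modify_replace of the ACI target.')
    </message>

    <!-- The user entry is only rebuilt here to obtain its DN; nothing in
         this test case adds it, so cn=ACI user must already exist in the
         directory from the Modify_add test case. -->
    <script>
      myAci = "(targetattr=\"telephonenumber\")(version 3.0; acl \"Allow ACI-user access to telephonenumber\"; allow (all) userdn=\"ldap:///cn=ACI user,ou=People,%s\";)" % synchroSuffix
      myUserpassword = 'userPwd'
      myEntry = Entry('cn=ACI user', synchroSuffix)
      myTargetEntryDn = 'uid=sholmes,ou=People,%s' % synchroSuffix
    </script>

    <!-- Baseline: before the replace, a telephonenumber write by the user
         must be refused on every server. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
          myTelephonenumber = '221-221-221-%s' % i
        </script>
        <message>
          ('Binding as "%s", add telephonenumber %s to entry %s on '
           'server %s:%s. -- Expect: ERROR 50 (Insufficient Access '
           'Rights)'
           % (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'modifyAnAttribute'">
          { 'location'          : server.getHostname(),
            'dsPath'            : serverPath,
            'dsInstanceHost'    : server.getHostname(),
            'dsInstancePort'    : server.getPort(),
            'dsInstanceDn'      : myEntry.getDn(),
            'dsInstancePswd'    : myUserpassword,
            'DNToModify'        : myTargetEntryDn,
            'attributeName'     : 'telephonenumber',
            'newAttributeValue' : myTelephonenumber,
            'changetype'        : 'add',
            'expectedRC'        : 50
          }
        </call>
      </sequence>
    </iterate>

    <!-- Replace the aci attribute of ou=People,<suffix> on the master. A
         replace leaves myAci as the only aci value on that entry, so any
         value stored there before (such as the description rule added by
         the Modify_add test case) is dropped.
         NOTE(review): nothing below re-checks that description writes by
         the user are refused again after this replace. -->
    <message>
      'Replace ACI on entry ou=People,%s: \n%s' % (synchroSuffix, myAci)
    </message>
    <call function="'modifyAnAttribute'">
      { 'location'          : masterHost,
        'dsPath'            : masterPath,
        'dsInstanceHost'    : masterHost,
        'dsInstancePort'    : master.getPort(),
        'dsInstanceDn'      : master.getRootDn(),
        'dsInstancePswd'    : master.getRootPwd(),
        'DNToModify'        : 'ou=People,%s' % synchroSuffix,
        'attributeName'     : 'aci',
        'newAttributeValue' : myAci,
        'changetype'        : 'replace'
      }
    </call>
    <!-- A space now separates "telephonenumber" from "attributes" in the
         logged text. -->
    <message>
      ('+++ New ACI +++\nAllow "%s" full access to all telephonenumber '
       'attributes under ou=People,%s.'
       % (myEntry.getDn(), synchroSuffix))
    </message>

    <!-- Same telephonenumber write as in the baseline loop; it must now
         succeed on every server. The logged text names telephonenumber,
         the attribute the call below actually writes. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
          myTelephonenumber = '221-221-221-%s' % i
        </script>
        <message>
          ('Binding as "%s", add telephonenumber %s to entry %s on '
           'server %s:%s. -- Expect: SUCCESS'
           % (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'modifyAnAttribute'">
          { 'location'          : server.getHostname(),
            'dsPath'            : serverPath,
            'dsInstanceHost'    : server.getHostname(),
            'dsInstancePort'    : server.getPort(),
            'dsInstanceDn'      : myEntry.getDn(),
            'dsInstancePswd'    : myUserpassword,
            'DNToModify'        : myTargetEntryDn,
            'attributeName'     : 'telephonenumber',
            'newAttributeValue' : myTelephonenumber,
            'changetype'        : 'add'
          }
        </call>
      </sequence>
    </iterate>

    <!-- All servers must hold identical trees once the writes above have
         been replicated. -->
    <call function="'verifyTrees'">
      [ clientHost, clientPath, master, consumerList, synchroSuffix ]
    </call>
    <call function="'testCase_Postamble'"/>
  </sequence>
</testcase>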
<!--- Test Case information
#@TestMarker Replication ACI Tests
#@TestName Replication: ACI: Modify_replace ACI permission
#@TestID Modify_replace ACI permission
#@TestPurpose Check ACI replication over a modify_replace of
the ACI permission
#@TestPreamble
#@TestSteps Binding as user, compare telephonenumber value
to child entry (expect SUCCESS)
#@TestSteps Replace ACI on parent entry: deny user access to
telephonenumber attributes
#@TestSteps Binding as user, compare telephonenumber value
to child entry (expect ERROR 50)
#@TestPostamble
#@TestResult Success if the servers synchronised and the aci
correctly applied after replication
-->
<testcase name="getTestCaseName('Modify_replace ACI permission')">
  <sequence>
    <call function="'testCase_Preamble'"/>
    <message>
      ('Replication: ACI: Modify_replace ACI permission. Check ACI '
       'replication over a modify_replace of the ACI permission.')
    </message>

    <!-- Same subject and target as the previous test case, but the rule
         written here is a deny instead of an allow. The user entry is only
         rebuilt to obtain its DN; it is not added in this test case. -->
    <script>
      myAci = "(targetattr=\"telephonenumber\")(version 3.0; acl \"Deny ACI-user access to telephonenumber\"; deny (all) userdn=\"ldap:///cn=ACI user,ou=People,%s\";)" % synchroSuffix
      myUserpassword = 'userPwd'
      myEntry = Entry('cn=ACI user', synchroSuffix)
      myTargetEntryDn = 'uid=sholmes,ou=People,%s' % synchroSuffix
      myTelephonenumber = '+1 408 555 6789'
    </script>

    <!-- Baseline: the compare is expected to succeed on every server.
         Presumably the allow rule left by the Modify_replace ACI target
         test case is still in force at this point; this relies on the test
         cases running in file order. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
        </script>
        <message>
          ('Binding as "%s", compare telephonenumber:%s value to '
           'entry %s on server %s:%s. -- Expect: SUCCESS'
           % (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'ldapCompareWithScript'">
          { 'location'       : server.getHostname(),
            'dsPath'         : serverPath,
            'dsInstanceHost' : server.getHostname(),
            'dsInstancePort' : server.getPort(),
            'dsInstanceDn'   : myEntry.getDn(),
            'dsInstancePswd' : myUserpassword,
            'dsDn'           : ['telephonenumber:%s' % myTelephonenumber,
                                myTargetEntryDn],
            'expectedRC'     : 0
          }
        </call>
      </sequence>
    </iterate>

    <!-- Replace the aci attribute of ou=People,<suffix> on the master with
         the deny rule, bound as the root DN. -->
    <message>
      'Replace ACI on entry ou=People,%s: \n%s' % (synchroSuffix, myAci)
    </message>
    <call function="'modifyAnAttribute'">
      { 'location'          : masterHost,
        'dsPath'            : masterPath,
        'dsInstanceHost'    : masterHost,
        'dsInstancePort'    : master.getPort(),
        'dsInstanceDn'      : master.getRootDn(),
        'dsInstancePswd'    : master.getRootPwd(),
        'DNToModify'        : 'ou=People,%s' % synchroSuffix,
        'attributeName'     : 'aci',
        'newAttributeValue' : myAci,
        'changetype'        : 'replace'
      }
    </call>
    <message>
      ('+++ New ACI +++\nDeny "%s" access to all telephonenumber '
       'attributes under ou=People,%s.'
       % (myEntry.getDn(), synchroSuffix))
    </message>

    <!-- The same compare must now be refused with result code 50 on every
         server, i.e. the tightened permission took effect everywhere. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
        </script>
        <message>
          ('Binding as "%s", compare telephonenumber:%s value to '
           'entry %s on server %s:%s. -- Expect: ERROR 50 '
           '(Insufficient Access Rights)'
           % (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'ldapCompareWithScript'">
          { 'location'       : server.getHostname(),
            'dsPath'         : serverPath,
            'dsInstanceHost' : server.getHostname(),
            'dsInstancePort' : server.getPort(),
            'dsInstanceDn'   : myEntry.getDn(),
            'dsInstancePswd' : myUserpassword,
            'dsDn'           : ['telephonenumber:%s' % myTelephonenumber,
                                myTargetEntryDn],
            'expectedRC'     : 50
          }
        </call>
      </sequence>
    </iterate>

    <!-- All servers must hold identical trees after the ACI change. -->
    <call function="'verifyTrees'">
      [ clientHost, clientPath, master, consumerList, synchroSuffix ]
    </call>
    <call function="'testCase_Postamble'"/>
  </sequence>
</testcase>
<!--- Test Case information
#@TestMarker Replication ACI Tests
#@TestName Replication: ACI: Modify_replace ACI bind rule
#@TestID Modify_replace ACI bind rule
#@TestPurpose Check ACI replication over a modify_replace of
the ACI bind rule
#@TestPreamble Add new user entry
#@TestSteps Binding as new user, compare telephonenumber
value to child entry (expect SUCCESS)
#@TestSteps Replace ACI on parent entry: deny users with
a given sn access to telephonenumber attributes
#@TestSteps Binding as new user, compare telephonenumber
value to child entry (expect ERROR 50)
#@TestPostamble
#@TestResult Success if the servers synchronised and the aci
correctly applied after replication
-->
<testcase name="getTestCaseName('Modify_replace ACI bind rule')">
  <sequence>
    <call function="'testCase_Preamble'"/>
    <message>
      ('Replication: ACI: Modify_replace ACI bind rule. Check ACI '
       'replication over a modify_replace of the ACI bind rule.')
    </message>

    <!-- The deny rule built here selects its subjects with an LDAP URL
         filter (sn=<mySn>) under the suffix instead of naming one DN. The
         second user created below carries that sn value. -->
    <script>
      mySn = 'ACI repl user'
      myAci = "(targetattr=\"telephonenumber\")(version 3.0; acl \"Deny ACI repl users access to telephonenumber\"; deny (all) userdn=\"ldap:///%s??sub?(sn=%s)\";)" % (synchroSuffix, mySn)
      myUserpassword = 'secondUserPwd'
      myEntry = Entry('cn=Second ACI user', synchroSuffix)
      myEntry.addAttr('sn', mySn)
      myEntry.addAttr('userpassword', myUserpassword)
      myTargetEntryDn = 'uid=sholmes,ou=People,%s' % synchroSuffix
      myTelephonenumber = '+1 408 555 6789'
    </script>

    <!-- Create the second user on the master, bound as the root DN. -->
    <message>
      'Add user entry %s' % myEntry.getDn()
    </message>
    <call function="'addAnEntry'">
      { 'location'       : masterHost,
        'dsPath'         : masterPath,
        'dsInstanceHost' : masterHost,
        'dsInstancePort' : master.getPort(),
        'dsInstanceDn'   : master.getRootDn(),
        'dsInstancePswd' : master.getRootPwd(),
        'DNToAdd'        : myEntry.getDn(),
        'listAttributes' : myEntry.getAttrList()
      }
    </call>

    <!-- Baseline: the compare by the second user is expected to succeed on
         every server before the bind rule is changed. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
        </script>
        <message>
          ('Binding as "%s", compare telephonenumber:%s value to '
           'entry %s on server %s:%s. -- Expect: SUCCESS'
           % (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'ldapCompareWithScript'">
          { 'location'       : server.getHostname(),
            'dsPath'         : serverPath,
            'dsInstanceHost' : server.getHostname(),
            'dsInstancePort' : server.getPort(),
            'dsInstanceDn'   : myEntry.getDn(),
            'dsInstancePswd' : myUserpassword,
            'dsDn'           : ['telephonenumber:%s' % myTelephonenumber,
                                myTargetEntryDn],
            'expectedRC'     : 0
          }
        </call>
      </sequence>
    </iterate>

    <!-- Replace the aci attribute of ou=People,<suffix> on the master with
         the filter based deny rule, bound as the root DN. -->
    <message>
      'Replace ACI on entry ou=People,%s: \n%s' % (synchroSuffix, myAci)
    </message>
    <call function="'modifyAnAttribute'">
      { 'location'          : masterHost,
        'dsPath'            : masterPath,
        'dsInstanceHost'    : masterHost,
        'dsInstancePort'    : master.getPort(),
        'dsInstanceDn'      : master.getRootDn(),
        'dsInstancePswd'    : master.getRootPwd(),
        'DNToModify'        : 'ou=People,%s' % synchroSuffix,
        'attributeName'     : 'aci',
        'newAttributeValue' : myAci,
        'changetype'        : 'replace'
      }
    </call>
    <message>
      ('+++ New ACI +++\nDeny users with (sn=%s) access to all '
       'telephonenumber attributes under ou=People,%s.'
       % (mySn, synchroSuffix))
    </message>

    <!-- The second user matches the new bind rule, so the same compare
         must now be refused with result code 50 on every server. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
        </script>
        <message>
          ('Binding as "%s", compare telephonenumber:%s value to '
           'entry %s on server %s:%s. -- Expect: ERROR 50 '
           '(Insufficient Access Rights)'
           % (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'ldapCompareWithScript'">
          { 'location'       : server.getHostname(),
            'dsPath'         : serverPath,
            'dsInstanceHost' : server.getHostname(),
            'dsInstancePort' : server.getPort(),
            'dsInstanceDn'   : myEntry.getDn(),
            'dsInstancePswd' : myUserpassword,
            'dsDn'           : ['telephonenumber:%s' % myTelephonenumber,
                                myTargetEntryDn],
            'expectedRC'     : 50
          }
        </call>
      </sequence>
    </iterate>

    <!-- All servers must hold identical trees after the ACI change. -->
    <call function="'verifyTrees'">
      [ clientHost, clientPath, master, consumerList, synchroSuffix ]
    </call>
    <call function="'testCase_Postamble'"/>
  </sequence>
</testcase>
<!--- Test Case information
#@TestMarker Replication ACI Tests
#@TestName Replication: ACI: Bypass-acl privilege
#@TestID Bypass-acl privilege
#@TestPurpose Check the bypass-acl privilege is replicated and
successfully applied over the topology
#@TestPreamble
#@TestSteps Binding as new user, compare telephonenumber
value to child entry (expect ERROR 50)
#@TestSteps Add ds-privilege-name:bypass-acl to new user
#@TestSteps Binding as new user, compare telephonenumber
value to child entry (expect SUCCESS)
#@TestPostamble
#@TestResult Success if the servers synchronised and the aci
correctly applied after replication
-->
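<testcase name="getTestCaseName('Bypass-acl privilege')">
  <sequence>
    <call function="'testCase_Preamble'"/>
    <message>
      ('Replication: ACI: Bypass-acl privilege. Check the bypass-acl '
       'privilege is replicated and successfully applied over the '
       'topology')
    </message>

    <!-- cn=Second ACI user and the deny rule on ou=People are not created
         here; both are left in the directory by the Modify_replace ACI bind
         rule test case. -->
    <script>
      # Defined locally so the strings below do not rely on a variable left
      # behind by an earlier test case. The directory state (user entry and
      # ACI) still comes from the earlier test cases.
      mySn = 'ACI repl user'
      # Not written by this test case: same text as the ACI set by the
      # Modify_replace ACI bind rule test case.
      myAci = "(targetattr=\"telephonenumber\")(version 3.0; acl \"Deny ACI repl users access to telephonenumber\"; deny (all) userdn=\"ldap:///%s??sub?(sn=%s)\";)" % (synchroSuffix, mySn)
      myUserpassword = 'secondUserPwd'
      myPrivilege = 'bypass-acl'
      myEntry = Entry('cn=Second ACI user', synchroSuffix)
      myTargetEntryDn = 'uid=sholmes,ou=People,%s' % synchroSuffix
      myTelephonenumber = '+1 408 555 6789'
    </script>

    <!-- Baseline: without the privilege, the compare by the second user
         must be refused with result code 50 on every server. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
        </script>
        <message>
          ('Binding as "%s", compare telephonenumber:%s value to '
           'entry %s on server %s:%s. -- Expect: ERROR 50 '
           '(Insufficient Access Rights)'
           % (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'ldapCompareWithScript'">
          { 'location'       : server.getHostname(),
            'dsPath'         : serverPath,
            'dsInstanceHost' : server.getHostname(),
            'dsInstancePort' : server.getPort(),
            'dsInstanceDn'   : myEntry.getDn(),
            'dsInstancePswd' : myUserpassword,
            'dsDn'           : ['telephonenumber:%s' % myTelephonenumber,
                                myTargetEntryDn],
            'expectedRC'     : 50
          }
        </call>
      </sequence>
    </iterate>

    <!-- Grant the privilege by adding a ds-privilege-name value to the user
         entry, on the master only and bound as the root DN. The ACI itself
         is left untouched.
         NOTE(review): the privilege is not removed again in this test case,
         so replication of a revocation is not exercised here. -->
    <message>
      'Add %s privilege to entry %s: \n' % (myPrivilege, myEntry.getDn())
    </message>
    <call function="'modifyAnAttribute'">
      { 'location'          : masterHost,
        'dsPath'            : masterPath,
        'dsInstanceHost'    : masterHost,
        'dsInstancePort'    : master.getPort(),
        'dsInstanceDn'      : master.getRootDn(),
        'dsInstancePswd'    : master.getRootPwd(),
        'DNToModify'        : myEntry.getDn(),
        'attributeName'     : 'ds-privilege-name',
        'newAttributeValue' : myPrivilege,
        'changetype'        : 'add'
      }
    </call>
    <message>
      ('+++ Active ACI +++\nDeny users with (sn=%s) access to all '
       'telephonenumber attributes under ou=People,%s.'
       % (mySn, synchroSuffix))
    </message>

    <!-- With the deny rule still in place, the same compare must now
         succeed on every server: the privilege alone changes the outcome. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
        </script>
        <message>
          ('Binding as "%s", compare telephonenumber:%s value to '
           'entry %s on server %s:%s. -- Expect: SUCCESS'
           % (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'ldapCompareWithScript'">
          { 'location'       : server.getHostname(),
            'dsPath'         : serverPath,
            'dsInstanceHost' : server.getHostname(),
            'dsInstancePort' : server.getPort(),
            'dsInstanceDn'   : myEntry.getDn(),
            'dsInstancePswd' : myUserpassword,
            'dsDn'           : ['telephonenumber:%s' % myTelephonenumber,
                                myTargetEntryDn],
            'expectedRC'     : 0
          }
        </call>
      </sequence>
    </iterate>

    <!-- All servers must hold identical trees after the privilege change. -->
    <call function="'verifyTrees'">
      [ clientHost, clientPath, master, consumerList, synchroSuffix ]
    </call>
    <call function="'testCase_Postamble'"/>
  </sequence>
</testcase>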
<!--- Test Case information
#@TestMarker Replication ACI Tests
#@TestName Replication: ACI: Modify_delete ACI
#@TestID Modify_delete ACI
#@TestPurpose Check ACI replication over a modify_delete
#@TestPreamble
#@TestSteps Binding as user, compare telephonenumber value
to child entry (expect ERROR 50)
#@TestSteps Delete ACI on parent entry
#@TestSteps Binding as user, compare telephonenumber value
to child entry (expect SUCCESS)
#@TestPostamble
#@TestResult Success if the servers synchronised and the aci
correctly applied after replication
-->
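<testcase name="getTestCaseName('Modify_delete ACI')">
  <sequence>
    <call function="'testCase_Preamble'"/>
    <message>
      ('Replication: ACI: Modify_delete ACI. Check ACI '
       'replication over a modify_delete.')
    </message>

    <!-- This test case binds as cn=ACI user (created by the Modify_add test
         case) and removes the deny rule written by the Modify_replace ACI
         bind rule test case. Neither is created here. -->
    <script>
      # Defined locally: the delete below removes the ACI by value, so the
      # text built here must match the stored value exactly and should not
      # depend on a variable left behind by an earlier test case.
      mySn = 'ACI repl user'
      myAci = "(targetattr=\"telephonenumber\")(version 3.0; acl \"Deny ACI repl users access to telephonenumber\"; deny (all) userdn=\"ldap:///%s??sub?(sn=%s)\";)" % (synchroSuffix, mySn)
      myUserpassword = 'userPwd'
      myEntry = Entry('cn=ACI user', synchroSuffix)
      myTargetEntryDn = 'uid=sholmes,ou=People,%s' % synchroSuffix
      myTelephonenumber = '+1 408 555 6789'
    </script>

    <!-- Baseline: while the deny rule exists, the compare must be refused
         with result code 50 on every server. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
        </script>
        <message>
          ('Binding as "%s", compare telephonenumber:%s value to '
           'entry %s on server %s:%s. -- Expect: ERROR 50 '
           '(Insufficient Access Rights)'
           % (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'ldapCompareWithScript'">
          { 'location'       : server.getHostname(),
            'dsPath'         : serverPath,
            'dsInstanceHost' : server.getHostname(),
            'dsInstancePort' : server.getPort(),
            'dsInstanceDn'   : myEntry.getDn(),
            'dsInstancePswd' : myUserpassword,
            'dsDn'           : ['telephonenumber:%s' % myTelephonenumber,
                                myTargetEntryDn],
            'expectedRC'     : 50
          }
        </call>
      </sequence>
    </iterate>

    <!-- Delete the aci value myAci from ou=People,<suffix> on the master,
         bound as the root DN. -->
    <message>
      'Delete ACI on entry ou=People,%s: \n%s' % (synchroSuffix, myAci)
    </message>
    <call function="'modifyAnAttribute'">
      { 'location'          : masterHost,
        'dsPath'            : masterPath,
        'dsInstanceHost'    : masterHost,
        'dsInstancePort'    : master.getPort(),
        'dsInstanceDn'      : master.getRootDn(),
        'dsInstancePswd'    : master.getRootPwd(),
        'DNToModify'        : 'ou=People,%s' % synchroSuffix,
        'attributeName'     : 'aci',
        'newAttributeValue' : myAci,
        'changetype'        : 'delete'
      }
    </call>
    <message>
      '+++ New ACI +++\nNo aci in ou=People,%s.' % synchroSuffix
    </message>

    <!-- With the deny rule gone, the same compare must succeed on every
         server. NOTE(review): presumably access is then granted by ACIs
         held outside ou=People; confirm against the server configuration
         used by replication_setup. -->
    <iterate var="server" in="_topologyServerList" indexvar="i">
      <sequence>
        <script>
          serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
        </script>
        <message>
          ('Binding as "%s", compare telephonenumber:%s value to '
           'entry %s on server %s:%s. -- Expect: SUCCESS'
           % (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
              server.getHostname(), server.getPort()))
        </message>
        <call function="'ldapCompareWithScript'">
          { 'location'       : server.getHostname(),
            'dsPath'         : serverPath,
            'dsInstanceHost' : server.getHostname(),
            'dsInstancePort' : server.getPort(),
            'dsInstanceDn'   : myEntry.getDn(),
            'dsInstancePswd' : myUserpassword,
            'dsDn'           : ['telephonenumber:%s' % myTelephonenumber,
                                myTargetEntryDn],
            'expectedRC'     : 0
          }
        </call>
      </sequence>
    </iterate>

    <!-- All servers must hold identical trees after the ACI removal. -->
    <call function="'verifyTrees'">
      [ clientHost, clientPath, master, consumerList, synchroSuffix ]
    </call>
    <call function="'testCase_Postamble'"/>
  </sequence>
</testcase>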
<!-- Load the shared replication cleanup function from the local STAF
     machine, run it, then close the test suite. -->
<import machine="STAF_LOCAL_HOSTNAME"
        file="'%s/testcases/replication/replication_cleanup.xml' % (TESTS_DIR)"/>
<call function="'replication_cleanup'"/>
<call function="'testSuite_Postamble'"/>
</sequence>
</block>
</sequence>
</function>
</stax>