honor 'disclose' ACL on searchBase/compare/referral/matched (ITS#3472 and comments on -devel)
This commit is contained in:
parent
98212b7e08
commit
cbb883e5e5
3 changed files with 17 additions and 8 deletions
@ -1,3 +1,8 @@
|
|||
# Try to read an entry inside the Alumni Association container.
|
||||
# It should give us noSuchObject if we're not bound...
|
||||
No such object (32)
|
||||
# ... and should return all attributes if we're bound as anyone
|
||||
# under Example.
|
||||
dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
|
||||
objectClass: OpenLDAPperson
|
||||
cn: James A Jones 1
|
||||
|
|
@ -16,6 +21,7 @@ mail: jaj@mail.alumni.example.com
|
|||
facsimileTelephoneNumber: +1 313 555 4332
|
||||
telephoneNumber: +1 313 555 0895
|
||||
|
||||
# Using ldapsearch to retrieve all the entries...
|
||||
dn: cn=All Staff,ou=Groups,dc=example,dc=com
|
||||
member: cn=Manager,dc=example,dc=com
|
||||
member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam
|
||||
|
@ -64,6 +64,7 @@ access to filter="(objectclass=person)" attr=userpassword
|
|||
access to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
|
||||
by dn.regex=".+,dc=example,dc=com" +c continue
|
||||
by dn.subtree="dc=example,dc=com" +rs continue
|
||||
by dn.children="dc=example,dc=com" +d continue
|
||||
by * stop
|
||||
|
||||
#access to attr=member,uniquemember dn.subtree="dc=example,dc=com"
|
||||
|
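Review bot: The new `by dn.children="dc=example,dc=com" +d continue` grants disclose to a narrower set of identities than the `+rs` clause directly above it, which uses dn.subtree and therefore also covers an identity bound as exactly dc=example,dc=com; such a bind would get read/search on the alumni entries but not disclose. If the narrower scope is deliberate (it mirrors the unanchored dn.regex clause that grants +c), a short comment such as `# disclose only for entries below the suffix, matching the +c clause` would stop a later reader from "fixing" it; otherwise `by dn.subtree="dc=example,dc=com" +d continue` keeps the three grants aligned. Anonymous binds match none of the `by dn.*` clauses and fall through to `by * stop` with nothing granted, which appears to be what the noSuchObject expected in the test output relies on. The access directive continues past this hunk, so any clause ordering after `by * stop` is not visible here.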
@ -56,16 +56,17 @@ fi
|
|||
|
||||
cat /dev/null > $SEARCHOUT
|
||||
|
||||
#
|
||||
# Try to read an entry inside the Alumni Association container. It should
|
||||
# give us nothing if we're not bound, and should return all attributes
|
||||
# if we're bound as anyone under UM.
|
||||
#
|
||||
$LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 "objectclass=*" \
|
||||
echo "# Try to read an entry inside the Alumni Association container.
|
||||
# It should give us noSuchObject if we're not bound..." \
|
||||
>> $SEARCHOUT
|
||||
$LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 "(objectclass=*)" \
|
||||
>> $SEARCHOUT 2>&1
|
||||
|
||||
echo "# ... and should return all attributes if we're bound as anyone
|
||||
# under Example." \
|
||||
>> $SEARCHOUT
|
||||
$LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 \
|
||||
-D "$BABSDN" -w bjensen "objectclass=*" >> $SEARCHOUT 2>&1
|
||||
-D "$BABSDN" -w bjensen "(objectclass=*)" >> $SEARCHOUT 2>&1
|
||||
|
||||
#
|
||||
# Check group access. Try to modify Babs' entry. Two attempts:
|
||||
|
|
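Review bot: The unbound search at `$LDAPSEARCH -b "$JAJDN" -h $LOCALHOST -p $PORT1 "(objectclass=*)" >> $SEARCHOUT 2>&1` is expected to fail with noSuchObject, but its exit status is discarded, so the disclose behaviour is detected only through the client's stderr wording captured into $SEARCHOUT and diffed later. Capturing the status pins the semantics independently of message text: `RC=$?` followed by `if test $RC != 32 ; then echo "ldapsearch should have failed with noSuchObject (32)! ($RC)"; exit 1; fi`. The bound search a few lines below could take the symmetric `RC=$?` / `test $RC != 0` check, consistent with how the full-tree search later in this script already records `RC=$?`. While touching that later search, `'objectClass=*'` could be parenthesized to match the `"(objectclass=*)"` form this hunk introduces.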
@ -170,6 +171,7 @@ description: added by bjensen (should fail)
|
|||
EOMODS6
|
||||
|
||||
echo "Using ldapsearch to retrieve all the entries..."
|
||||
echo "# Using ldapsearch to retrieve all the entries..." >> $SEARCHOUT
|
||||
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
|
||||
'objectClass=*' >> $SEARCHOUT 2>&1
|
||||
RC=$?
|
||||
|
|
@ -189,7 +191,7 @@ echo "Comparing filter output..."
|
|||
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
|
||||
|
||||
if test $? != 0 ; then
|
||||
echo "comparison failed - modify operations did not complete correctly"
|
||||
echo "comparison failed - operations did not complete correctly"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|