external-software/github_OpenIdentityPlatform_OpenDJ.git

Support alternate root DN in userdn bind rule keyword. Issue 1578.

dugan

21.06.2007 d8c50b65f285ddc2aec2ee76a9bba7ba4702e4ce

 opends/src/server/org/opends/server/authorization/dseecompat/UserDN.java

@@ -32,6 +32,7 @@

import java.util.*;
import org.opends.server.types.*;
import org.opends.server.core.DirectoryServer;

/**
 * This class represents the userdn keyword in a bind rule.
@@ -250,6 +251,20 @@
                    DN dn = url.getBaseDN();
                    if (clientDN.equals(dn))
                        matched = EnumEvalResult.TRUE;
                    else {
                        //This code handles the case where a root dn entry does
                        //not have bypass-acl privilege and the ACI bind rule
                        //userdn DN possible is an alternate root DN.
                        DN actualDN=DirectoryServer.getActualRootBindDN(dn);
                        DN clientActualDN=
                                DirectoryServer.getActualRootBindDN(clientDN);
                        if(actualDN != null)
                            dn=actualDN;
                        if(clientActualDN != null)
                            clientDN=clientActualDN;
                        if(clientDN.equals(dn))
                            matched=EnumEvalResult.TRUE;
                    }
                } catch (DirectoryException ex) {
                    //TODO add message
                }

 opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTestCase.java

@@ -134,7 +134,7 @@
    return oStream.toString();
  }

  protected void modEntries(String ldif, String bindDn, String bindPassword)
  protected void LDIFModify(String ldif, String bindDn, String bindPassword)
          throws Exception {
    File tempFile = getTemporaryLdifFile();
    TestCaseUtils.writeFile(tempFile, ldif);
@@ -165,10 +165,22 @@
            "dn: "  + dn,
            "changetype: modify",
            "delete: " + attr));
    modEntries(ldif.toString(), DIR_MGR_DN, PWD);
    LDIFModify(ldif.toString(), DIR_MGR_DN, PWD);
  }

  protected static String makeAddAciLdif(String attr, String dn, String... acis) {
  protected static String makeDelLDIF(String attr, String dn, String... acis) {
    StringBuilder ldif = new StringBuilder();
    ldif.append("dn: ").append(dn).append(EOL);
    ldif.append("changetype: modify").append(EOL);
    ldif.append("delete: ").append(attr).append(EOL);
    for(String aci : acis)
      ldif.append(attr).append(":").append(aci).append(EOL);
    ldif.append(EOL);
    return ldif.toString();
  }


  protected static String makeAddLDIF(String attr, String dn, String... acis) {
    StringBuilder ldif = new StringBuilder();
    ldif.append("dn: ").append(dn).append(EOL);
    ldif.append("changetype: modify").append(EOL);
@@ -194,6 +206,29 @@
    return tempFile;
  }


  protected void addRootEntry() throws Exception {
    TestCaseUtils.addEntries(
      "dn: cn=Admin Root,cn=Root DNs,cn=config",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "objectClass: ds-cfg-root-dn",
      "cn: Admin Root",
      "givenName: Administrator",
      "sn: Admin",
      "uid: admin.root",
      "userPassword: password",
      "ds-privilege-name: -bypass-acl",
      "ds-cfg-alternate-bind-dn: cn=root",
      "ds-cfg-alternate-bind-dn: cn=admin",
      "ds-cfg-alternate-bind-dn: cn=admin root"
    );

  }


  protected void addEntries() throws Exception {
    TestCaseUtils.initializeTestBackend(true);
    TestCaseUtils.addEntries(
@@ -273,7 +308,8 @@
            "description: user.3 description",
            "cn: User 3",
            "l: Austin",
            "userPassword: password");
            "userPassword: password",
            "ds-privilege-name: proxied-auth");
  }

  protected HashMap<String, String>

 opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/GetEffectiveRightsTestCase.java

@@ -172,8 +172,8 @@
   */
  @Test()
  public void testAnonEntryLevelParams() throws Exception {
    String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAnonAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    String aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAnonAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(DIR_MGR_DN, PWD, null, "dn:", null,
                    base, filter, "aclRights");
@@ -190,42 +190,42 @@
   */
  @Test()
  public void testSuEntryLevelParams() throws Exception {
    String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", aclRightsAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights");
    Assert.assertFalse(userResults.equals(""));
    HashMap<String, String> attrMap=getAttrMap(userResults);
    checkEntryLevel(attrMap, rRights);
    aciLdif=makeAddAciLdif("aci", "ou=People,o=test", addAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", addAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights");
    Assert.assertFalse(userResults.equals(""));
    attrMap=getAttrMap(userResults);
    checkEntryLevel(attrMap, arRights);
    aciLdif=makeAddAciLdif("aci", "ou=People,o=test", delAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", delAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights");
    Assert.assertFalse(userResults.equals(""));
    attrMap=getAttrMap(userResults);
    checkEntryLevel(attrMap, adrRights);
    aciLdif=makeAddAciLdif("aci", "ou=People,o=test", writeAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights");
    Assert.assertFalse(userResults.equals(""));
    attrMap=getAttrMap(userResults);
    checkEntryLevel(attrMap, adrwRights);
    aciLdif=makeAddAciLdif("aci", "ou=People,o=test", proxyAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", proxyAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights");
@@ -242,42 +242,42 @@
   */
  @Test()
   public void testSuEntryLevelCtrl() throws Exception {
     String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", aclRightsAci);
     modEntries(aciLdif, DIR_MGR_DN, PWD);
     aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAci);
     modEntries(aciLdif, DIR_MGR_DN, PWD);
     String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci);
     LDIFModify(aciLdif, DIR_MGR_DN, PWD);
     aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
     LDIFModify(aciLdif, DIR_MGR_DN, PWD);
     String userResults =
            LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                    base, filter, "aclRights");
     Assert.assertFalse(userResults.equals(""));
     HashMap<String, String> attrMap=getAttrMap(userResults);
     checkEntryLevel(attrMap, rRights);
     aciLdif=makeAddAciLdif("aci", "ou=People,o=test", addAci);
     modEntries(aciLdif, DIR_MGR_DN, PWD);
     aciLdif=makeAddLDIF("aci", "ou=People,o=test", addAci);
     LDIFModify(aciLdif, DIR_MGR_DN, PWD);
     userResults =
            LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                    base, filter, "aclRights");
     Assert.assertFalse(userResults.equals(""));
     attrMap=getAttrMap(userResults);
     checkEntryLevel(attrMap, arRights);
     aciLdif=makeAddAciLdif("aci", "ou=People,o=test", delAci);
     modEntries(aciLdif, DIR_MGR_DN, PWD);
     aciLdif=makeAddLDIF("aci", "ou=People,o=test", delAci);
     LDIFModify(aciLdif, DIR_MGR_DN, PWD);
     userResults =
            LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                    base, filter, "aclRights");
     Assert.assertFalse(userResults.equals(""));
     attrMap=getAttrMap(userResults);
     checkEntryLevel(attrMap, adrRights);
     aciLdif=makeAddAciLdif("aci", "ou=People,o=test", writeAci);
     modEntries(aciLdif, DIR_MGR_DN, PWD);
     aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeAci);
     LDIFModify(aciLdif, DIR_MGR_DN, PWD);
     userResults =
            LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                    base, filter, "aclRights");
     Assert.assertFalse(userResults.equals(""));
     attrMap=getAttrMap(userResults);
     checkEntryLevel(attrMap, adrwRights);
     aciLdif=makeAddAciLdif("aci", "ou=People,o=test", proxyAci);
     modEntries(aciLdif, DIR_MGR_DN, PWD);
     aciLdif=makeAddLDIF("aci", "ou=People,o=test", proxyAci);
     LDIFModify(aciLdif, DIR_MGR_DN, PWD);
     userResults =
             LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                     base, filter, "aclRights");
@@ -311,12 +311,12 @@
   */
  @Test()
  public void testSuAttrLevelParams() throws Exception {
    String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", aclRightsAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddAciLdif("aci", "ou=People,o=test", writeMailAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeMailAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights mail description");
@@ -337,16 +337,16 @@
 */
@Test()
public void testSuAttrLevelParams2() throws Exception {
  String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", aclRightsAci);
  modEntries(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAci);
  modEntries(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddAciLdif("aci", "ou=People,o=test", writeMailAci);
  modEntries(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddAciLdif("aci", "ou=People,o=test", faxTargAttrAci);
  modEntries(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddAciLdif("aci", "ou=People,o=test", pagerTargAttrAci);
  modEntries(aciLdif, DIR_MGR_DN, PWD);
  String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci);
  LDIFModify(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
  LDIFModify(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeMailAci);
  LDIFModify(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddLDIF("aci", "ou=People,o=test", faxTargAttrAci);
  LDIFModify(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddLDIF("aci", "ou=People,o=test", pagerTargAttrAci);
  LDIFModify(aciLdif, DIR_MGR_DN, PWD);
  String userResults =
          LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, attrList,
                  base, filter, "aclRights mail description");
@@ -369,12 +369,12 @@
 */
@Test()
public void testSuAttrLevelParams3() throws Exception {
  String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", aclRightsAci);
  modEntries(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAci);
  modEntries(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddAciLdif("aci", "ou=People,o=test", selfWriteAci);
  modEntries(aciLdif, DIR_MGR_DN, PWD);
  String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci);
  LDIFModify(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
  LDIFModify(aciLdif, DIR_MGR_DN, PWD);
  aciLdif=makeAddLDIF("aci", "ou=People,o=test", selfWriteAci);
  LDIFModify(aciLdif, DIR_MGR_DN, PWD);
  String userResults =
          LDAPSearchParams(superUser, PWD, null, "dn: " + user1, memberAttrList,
                  base, filter, "aclRights");

 opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/TargetAttrTestCase.java

@@ -132,8 +132,8 @@
   */
  @Test()
  public void testTargetAttrUserAttr() throws Exception {
    String aciLdif=makeAddAciLdif("aci", user1, userAttrAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    String aciLdif=makeAddLDIF("aci", user1, userAttrAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, filter, attrList);
@@ -150,8 +150,8 @@
    checkAttributeVal(attrMap1, "sn", "1");
    checkAttributeVal(attrMap1, "uid", "user.1");
    deleteAttrFromEntry(user1, "aci");
    String aciLdif2=makeAddAciLdif("aci", user1, userAttrAci1);
    modEntries(aciLdif2, DIR_MGR_DN, PWD);
    String aciLdif2=makeAddLDIF("aci", user1, userAttrAci1);
    LDIFModify(aciLdif2, DIR_MGR_DN, PWD);
    String userResults2 =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, filter, attrList);
@@ -171,8 +171,8 @@
  @Test()
  public void testTargetAttrOpAttr() throws Exception {
    //Add aci that only allows non-operational attributes search/read.
    String aciLdif=makeAddAciLdif("aci", user1, nonOpAttrAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    String aciLdif=makeAddLDIF("aci", user1, nonOpAttrAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, filter, opAttrList);
@@ -186,8 +186,8 @@
    deleteAttrFromEntry(user1, "aci");
    //Add aci that allows both non-operational attributes and the operational
    //attribute "aci" search/read.
    String aciLdif1=makeAddAciLdif("aci", user1, nonOpAttrAci, opAttrAci);
    modEntries(aciLdif1, DIR_MGR_DN, PWD);
    String aciLdif1=makeAddLDIF("aci", user1, nonOpAttrAci, opAttrAci);
    LDIFModify(aciLdif1, DIR_MGR_DN, PWD);
    String userResults1 =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, filter, opAttrList);
@@ -199,8 +199,8 @@
    Assert.assertTrue(attrMap1.containsKey("uid"));
    deleteAttrFromEntry(user1, "aci");
    //Add ACI that only allows only aci operational attribute search/read.
    String aciLdif2=makeAddAciLdif("aci", user1, opAttrAci);
    modEntries(aciLdif2, DIR_MGR_DN, PWD);
    String aciLdif2=makeAddLDIF("aci", user1, opAttrAci);
    LDIFModify(aciLdif2, DIR_MGR_DN, PWD);
    String userResults2 =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, aciFilter, opAttrList);
@@ -223,8 +223,8 @@
  @Test()
  public void testTargetAttrAllAttr() throws Exception {
    //Add aci with: (targetattr = "+ || *")
    String aciLdif=makeAddAciLdif("aci", user1, allAttrs);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    String aciLdif=makeAddLDIF("aci", user1, allAttrs);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, filter, opAttrList);
@@ -247,8 +247,8 @@
  @Test()
  public void testTargetAttrOpPlusAttr() throws Exception {
    //Add aci with: (targetattr = "objectclass|| +")
    String aciLdif=makeAddAciLdif("aci", user1, ocOpAttrs);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    String aciLdif=makeAddLDIF("aci", user1, ocOpAttrs);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, filter, opAttrList);
@@ -271,8 +271,8 @@
  @Test()
  public void testTargetAttrUserStarAttr() throws Exception {
    //Add aci with: (targetattr = "*|| aci")
    String aciLdif=makeAddAciLdif("aci", user1, starAciAttrs);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    String aciLdif=makeAddLDIF("aci", user1, starAciAttrs);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, filter, opAttrList);
@@ -296,8 +296,8 @@
  public void testTargetAttrSrchShorthand() throws Exception {
    //Aci: (targetattrs="sn || uid || +) and search with an
    //operational attr (aci).
    String aciLdif=makeAddAciLdif("aci", user1, OpSrchAttrs);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    String aciLdif=makeAddLDIF("aci", user1, OpSrchAttrs);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, aciFilter, opAttrList);
@@ -309,8 +309,8 @@
    Assert.assertTrue(attrMap.containsKey("uid"));
    deleteAttrFromEntry(user1, "aci");
    //Add two ACIs, one with '+' and the other with '*'.
    String aciLdif1=makeAddAciLdif("aci", user1, allOpAttrAci1, userAttrAci);
    modEntries(aciLdif1, DIR_MGR_DN, PWD);
    String aciLdif1=makeAddLDIF("aci", user1, allOpAttrAci1, userAttrAci);
    LDIFModify(aciLdif1, DIR_MGR_DN, PWD);
    String userResults1 =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, aciFilter, opAttrList);
@@ -322,8 +322,8 @@
    Assert.assertTrue(attrMap1.containsKey("uid"));
    deleteAttrFromEntry(user1, "aci");
        //Add two ACIs, one with '+' and the other with '*'.
    String aciLdif2=makeAddAciLdif("aci", user1, notAllOpAttrAci1, userAttrAci);
    modEntries(aciLdif2, DIR_MGR_DN, PWD);
    String aciLdif2=makeAddLDIF("aci", user1, notAllOpAttrAci1, userAttrAci);
    LDIFModify(aciLdif2, DIR_MGR_DN, PWD);
    String userResults2 =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, filter, opAttrList);
@@ -343,8 +343,8 @@
   */
  @Test()
  public void testTargetAttrGrpDN() throws Exception {
    String aciLdif=makeAddAciLdif("aci", user1, grpAttrAci);
    modEntries(aciLdif, DIR_MGR_DN, PWD);
    String aciLdif=makeAddLDIF("aci", user1, grpAttrAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, filter, attrList);
@@ -354,8 +354,8 @@
    Assert.assertTrue(attrMap.containsKey("sn"));
    Assert.assertTrue(attrMap.containsKey("uid"));
    deleteAttrFromEntry(user1, "aci");
    String aciLdif1=makeAddAciLdif("aci", user1, grp1AttrAci);
    modEntries(aciLdif1, DIR_MGR_DN, PWD);
    String aciLdif1=makeAddLDIF("aci", user1, grp1AttrAci);
    LDIFModify(aciLdif1, DIR_MGR_DN, PWD);
    String userResults1 =
            LDAPSearchParams(user3, PWD, null, null, null,
                    user1, filter, attrList);

			@@ -32,6 +32,7 @@

			import java.util.*;
			import org.opends.server.types.*;
			import org.opends.server.core.DirectoryServer;

			/**
			* This class represents the userdn keyword in a bind rule.
			@@ -250,6 +251,20 @@
			DN dn = url.getBaseDN();
			if (clientDN.equals(dn))
			matched = EnumEvalResult.TRUE;
			else {
			//This code handles the case where a root dn entry does
			//not have bypass-acl privilege and the ACI bind rule
			//userdn DN possible is an alternate root DN.
			DN actualDN=DirectoryServer.getActualRootBindDN(dn);
			DN clientActualDN=
			DirectoryServer.getActualRootBindDN(clientDN);
			if(actualDN != null)
			dn=actualDN;
			if(clientActualDN != null)
			clientDN=clientActualDN;
			if(clientDN.equals(dn))
			matched=EnumEvalResult.TRUE;
			}
			} catch (DirectoryException ex) {
			//TODO add message
			}

			@@ -134,7 +134,7 @@
			return oStream.toString();
			}

			protected void modEntries(String ldif, String bindDn, String bindPassword)
			protected void LDIFModify(String ldif, String bindDn, String bindPassword)
			throws Exception {
			File tempFile = getTemporaryLdifFile();
			TestCaseUtils.writeFile(tempFile, ldif);
			@@ -165,10 +165,22 @@
			"dn: " + dn,
			"changetype: modify",
			"delete: " + attr));
			modEntries(ldif.toString(), DIR_MGR_DN, PWD);
			LDIFModify(ldif.toString(), DIR_MGR_DN, PWD);
			}

			protected static String makeAddAciLdif(String attr, String dn, String... acis) {
			protected static String makeDelLDIF(String attr, String dn, String... acis) {
			StringBuilder ldif = new StringBuilder();
			ldif.append("dn: ").append(dn).append(EOL);
			ldif.append("changetype: modify").append(EOL);
			ldif.append("delete: ").append(attr).append(EOL);
			for(String aci : acis)
			ldif.append(attr).append(":").append(aci).append(EOL);
			ldif.append(EOL);
			return ldif.toString();
			}


			protected static String makeAddLDIF(String attr, String dn, String... acis) {
			StringBuilder ldif = new StringBuilder();
			ldif.append("dn: ").append(dn).append(EOL);
			ldif.append("changetype: modify").append(EOL);
			@@ -194,6 +206,29 @@
			return tempFile;
			}


			protected void addRootEntry() throws Exception {
			TestCaseUtils.addEntries(
			"dn: cn=Admin Root,cn=Root DNs,cn=config",
			"objectClass: top",
			"objectClass: person",
			"objectClass: organizationalPerson",
			"objectClass: inetOrgPerson",
			"objectClass: ds-cfg-root-dn",
			"cn: Admin Root",
			"givenName: Administrator",
			"sn: Admin",
			"uid: admin.root",
			"userPassword: password",
			"ds-privilege-name: -bypass-acl",
			"ds-cfg-alternate-bind-dn: cn=root",
			"ds-cfg-alternate-bind-dn: cn=admin",
			"ds-cfg-alternate-bind-dn: cn=admin root"
			);

			}


			protected void addEntries() throws Exception {
			TestCaseUtils.initializeTestBackend(true);
			TestCaseUtils.addEntries(
			@@ -273,7 +308,8 @@
			"description: user.3 description",
			"cn: User 3",
			"l: Austin",
			"userPassword: password");
			"userPassword: password",
			"ds-privilege-name: proxied-auth");
			}

			protected HashMap<String, String>

			@@ -172,8 +172,8 @@
			*/
			@Test()
			public void testAnonEntryLevelParams() throws Exception {
			String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAnonAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAnonAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(DIR_MGR_DN, PWD, null, "dn:", null,
			base, filter, "aclRights");
			@@ -190,42 +190,42 @@
			*/
			@Test()
			public void testSuEntryLevelParams() throws Exception {
			String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", aclRightsAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
			base, filter, "aclRights");
			Assert.assertFalse(userResults.equals(""));
			HashMap<String, String> attrMap=getAttrMap(userResults);
			checkEntryLevel(attrMap, rRights);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", addAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", addAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			userResults =
			LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
			base, filter, "aclRights");
			Assert.assertFalse(userResults.equals(""));
			attrMap=getAttrMap(userResults);
			checkEntryLevel(attrMap, arRights);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", delAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", delAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			userResults =
			LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
			base, filter, "aclRights");
			Assert.assertFalse(userResults.equals(""));
			attrMap=getAttrMap(userResults);
			checkEntryLevel(attrMap, adrRights);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", writeAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			userResults =
			LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
			base, filter, "aclRights");
			Assert.assertFalse(userResults.equals(""));
			attrMap=getAttrMap(userResults);
			checkEntryLevel(attrMap, adrwRights);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", proxyAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", proxyAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			userResults =
			LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
			base, filter, "aclRights");
			@@ -242,42 +242,42 @@
			*/
			@Test()
			public void testSuEntryLevelCtrl() throws Exception {
			String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", aclRightsAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
			base, filter, "aclRights");
			Assert.assertFalse(userResults.equals(""));
			HashMap<String, String> attrMap=getAttrMap(userResults);
			checkEntryLevel(attrMap, rRights);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", addAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", addAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			userResults =
			LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
			base, filter, "aclRights");
			Assert.assertFalse(userResults.equals(""));
			attrMap=getAttrMap(userResults);
			checkEntryLevel(attrMap, arRights);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", delAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", delAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			userResults =
			LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
			base, filter, "aclRights");
			Assert.assertFalse(userResults.equals(""));
			attrMap=getAttrMap(userResults);
			checkEntryLevel(attrMap, adrRights);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", writeAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			userResults =
			LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
			base, filter, "aclRights");
			Assert.assertFalse(userResults.equals(""));
			attrMap=getAttrMap(userResults);
			checkEntryLevel(attrMap, adrwRights);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", proxyAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", proxyAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			userResults =
			LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
			base, filter, "aclRights");
			@@ -311,12 +311,12 @@
			*/
			@Test()
			public void testSuAttrLevelParams() throws Exception {
			String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", aclRightsAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", writeMailAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeMailAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
			base, filter, "aclRights mail description");
			@@ -337,16 +337,16 @@
			*/
			@Test()
			public void testSuAttrLevelParams2() throws Exception {
			String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", aclRightsAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", writeMailAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", faxTargAttrAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", pagerTargAttrAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeMailAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", faxTargAttrAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", pagerTargAttrAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, attrList,
			base, filter, "aclRights mail description");
			@@ -369,12 +369,12 @@
			*/
			@Test()
			public void testSuAttrLevelParams3() throws Exception {
			String aciLdif=makeAddAciLdif("aci", "ou=People,o=test", aclRightsAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", readSearchAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddAciLdif("aci", "ou=People,o=test", selfWriteAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			aciLdif=makeAddLDIF("aci", "ou=People,o=test", selfWriteAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(superUser, PWD, null, "dn: " + user1, memberAttrList,
			base, filter, "aclRights");

			@@ -132,8 +132,8 @@
			*/
			@Test()
			public void testTargetAttrUserAttr() throws Exception {
			String aciLdif=makeAddAciLdif("aci", user1, userAttrAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", user1, userAttrAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, filter, attrList);
			@@ -150,8 +150,8 @@
			checkAttributeVal(attrMap1, "sn", "1");
			checkAttributeVal(attrMap1, "uid", "user.1");
			deleteAttrFromEntry(user1, "aci");
			String aciLdif2=makeAddAciLdif("aci", user1, userAttrAci1);
			modEntries(aciLdif2, DIR_MGR_DN, PWD);
			String aciLdif2=makeAddLDIF("aci", user1, userAttrAci1);
			LDIFModify(aciLdif2, DIR_MGR_DN, PWD);
			String userResults2 =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, filter, attrList);
			@@ -171,8 +171,8 @@
			@Test()
			public void testTargetAttrOpAttr() throws Exception {
			//Add aci that only allows non-operational attributes search/read.
			String aciLdif=makeAddAciLdif("aci", user1, nonOpAttrAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", user1, nonOpAttrAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, filter, opAttrList);
			@@ -186,8 +186,8 @@
			deleteAttrFromEntry(user1, "aci");
			//Add aci that allows both non-operational attributes and the operational
			//attribute "aci" search/read.
			String aciLdif1=makeAddAciLdif("aci", user1, nonOpAttrAci, opAttrAci);
			modEntries(aciLdif1, DIR_MGR_DN, PWD);
			String aciLdif1=makeAddLDIF("aci", user1, nonOpAttrAci, opAttrAci);
			LDIFModify(aciLdif1, DIR_MGR_DN, PWD);
			String userResults1 =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, filter, opAttrList);
			@@ -199,8 +199,8 @@
			Assert.assertTrue(attrMap1.containsKey("uid"));
			deleteAttrFromEntry(user1, "aci");
			//Add ACI that only allows only aci operational attribute search/read.
			String aciLdif2=makeAddAciLdif("aci", user1, opAttrAci);
			modEntries(aciLdif2, DIR_MGR_DN, PWD);
			String aciLdif2=makeAddLDIF("aci", user1, opAttrAci);
			LDIFModify(aciLdif2, DIR_MGR_DN, PWD);
			String userResults2 =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, aciFilter, opAttrList);
			@@ -223,8 +223,8 @@
			@Test()
			public void testTargetAttrAllAttr() throws Exception {
			//Add aci with: (targetattr = "+ \|\| *")
			String aciLdif=makeAddAciLdif("aci", user1, allAttrs);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", user1, allAttrs);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, filter, opAttrList);
			@@ -247,8 +247,8 @@
			@Test()
			public void testTargetAttrOpPlusAttr() throws Exception {
			//Add aci with: (targetattr = "objectclass\|\| +")
			String aciLdif=makeAddAciLdif("aci", user1, ocOpAttrs);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", user1, ocOpAttrs);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, filter, opAttrList);
			@@ -271,8 +271,8 @@
			@Test()
			public void testTargetAttrUserStarAttr() throws Exception {
			//Add aci with: (targetattr = "*\|\| aci")
			String aciLdif=makeAddAciLdif("aci", user1, starAciAttrs);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", user1, starAciAttrs);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, filter, opAttrList);
			@@ -296,8 +296,8 @@
			public void testTargetAttrSrchShorthand() throws Exception {
			//Aci: (targetattrs="sn \|\| uid \|\| +) and search with an
			//operational attr (aci).
			String aciLdif=makeAddAciLdif("aci", user1, OpSrchAttrs);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", user1, OpSrchAttrs);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, aciFilter, opAttrList);
			@@ -309,8 +309,8 @@
			Assert.assertTrue(attrMap.containsKey("uid"));
			deleteAttrFromEntry(user1, "aci");
			//Add two ACIs, one with '+' and the other with '*'.
			String aciLdif1=makeAddAciLdif("aci", user1, allOpAttrAci1, userAttrAci);
			modEntries(aciLdif1, DIR_MGR_DN, PWD);
			String aciLdif1=makeAddLDIF("aci", user1, allOpAttrAci1, userAttrAci);
			LDIFModify(aciLdif1, DIR_MGR_DN, PWD);
			String userResults1 =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, aciFilter, opAttrList);
			@@ -322,8 +322,8 @@
			Assert.assertTrue(attrMap1.containsKey("uid"));
			deleteAttrFromEntry(user1, "aci");
			//Add two ACIs, one with '+' and the other with '*'.
			String aciLdif2=makeAddAciLdif("aci", user1, notAllOpAttrAci1, userAttrAci);
			modEntries(aciLdif2, DIR_MGR_DN, PWD);
			String aciLdif2=makeAddLDIF("aci", user1, notAllOpAttrAci1, userAttrAci);
			LDIFModify(aciLdif2, DIR_MGR_DN, PWD);
			String userResults2 =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, filter, opAttrList);
			@@ -343,8 +343,8 @@
			*/
			@Test()
			public void testTargetAttrGrpDN() throws Exception {
			String aciLdif=makeAddAciLdif("aci", user1, grpAttrAci);
			modEntries(aciLdif, DIR_MGR_DN, PWD);
			String aciLdif=makeAddLDIF("aci", user1, grpAttrAci);
			LDIFModify(aciLdif, DIR_MGR_DN, PWD);
			String userResults =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, filter, attrList);
			@@ -354,8 +354,8 @@
			Assert.assertTrue(attrMap.containsKey("sn"));
			Assert.assertTrue(attrMap.containsKey("uid"));
			deleteAttrFromEntry(user1, "aci");
			String aciLdif1=makeAddAciLdif("aci", user1, grp1AttrAci);
			modEntries(aciLdif1, DIR_MGR_DN, PWD);
			String aciLdif1=makeAddLDIF("aci", user1, grp1AttrAci);
			LDIFModify(aciLdif1, DIR_MGR_DN, PWD);
			String userResults1 =
			LDAPSearchParams(user3, PWD, null, null, null,
			user1, filter, attrList);