mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

ludovicp
29.35.2010 7c30dbb5403772b323df3ad907d9ed15d23b5aee
Last batch of changes for this week.
This adds support for the IETF based Password Policy for LDAP as SubEntry.
Also resolves the following issues :
- 4544 : initializeBackend() should not set JE env config params directly.
- 4478 : ECL in draft compat mode / search lastchangenumber can be very long
- 4538 : Virtual attributes not retrieved when entry cache configured
- 4547 : Search Filter Matching differ for cn=Directory Manager and plain user.
- 4514 : Logs shows unexpected message with replication monitoring data missing (Partial fix)
- 4534 : Replication using security does not work after server restart
- 4516 : SEVERE_ERROR: servers (...) have the same ServerId
In addition, they also improve reliability and performance in various areas including CollectiveAttributes, Virtual Attributes and Subentries management, Schema loading, Replication...
1 files deleted
63 files added
60 files modified
37359 ■■■■■ changed files
opends/resource/bin/stop-ds.bat 14
opends/resource/config/config.ldif 10
opends/resource/schema/01-pwpolicy.ldif 2
opends/resource/schema/02-config.ldif 7
opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicySubentryVirtualAttributeConfiguration.xml 70
opends/src/admin/messages/PasswordPolicySubentryVirtualAttributeCfgDefn.properties 19
opends/src/messages/messages/core.properties 2
opends/src/messages/messages/extension.properties 5
opends/src/messages/messages/tools.properties 4
opends/src/quicksetup/org/opends/quicksetup/installer/InstallerHelper.java 7
opends/src/quicksetup/org/opends/quicksetup/installer/ui/InstallReviewPanel.java 32
opends/src/server/org/opends/server/api/SubentryChangeListener.java 147
opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java 13
opends/src/server/org/opends/server/backends/jeb/ApproximateIndexer.java 10
opends/src/server/org/opends/server/backends/jeb/BackendImpl.java 4
opends/src/server/org/opends/server/backends/jeb/ConfigurableEnvironment.java 6
opends/src/server/org/opends/server/backends/jeb/EqualityIndexer.java 10
opends/src/server/org/opends/server/backends/jeb/JEExtensibleIndexer.java 12
opends/src/server/org/opends/server/backends/jeb/OrderingIndexer.java 10
opends/src/server/org/opends/server/backends/jeb/SubstringIndexer.java 10
opends/src/server/org/opends/server/config/ConfigConstants.java 2
opends/src/server/org/opends/server/core/DirectoryServer.java 54
opends/src/server/org/opends/server/core/PasswordPolicy.java 46
opends/src/server/org/opends/server/core/PasswordPolicyConfigManager.java 269
opends/src/server/org/opends/server/core/PasswordPolicyState.java 62
opends/src/server/org/opends/server/core/SchemaConfigManager.java 30
opends/src/server/org/opends/server/core/SubentryManager.java 482
opends/src/server/org/opends/server/core/SubentryPasswordPolicy.java 946
opends/src/server/org/opends/server/extensions/CollectiveAttributeSubentriesVirtualAttributeProvider.java 30
opends/src/server/org/opends/server/extensions/DefaultEntryCache.java 14
opends/src/server/org/opends/server/extensions/FileBasedTrustManagerProvider.java 6
opends/src/server/org/opends/server/extensions/PasswordPolicySubentryVirtualAttributeProvider.java 187
opends/src/server/org/opends/server/extensions/SubschemaSubentryVirtualAttributeProvider.java 11
opends/src/server/org/opends/server/replication/server/DataServerHandler.java 17
opends/src/server/org/opends/server/replication/server/DbHandler.java 32
opends/src/server/org/opends/server/replication/server/ReplicationDB.java 393
opends/src/server/org/opends/server/replication/server/ReplicationServer.java 15
opends/src/server/org/opends/server/replication/server/ReplicationServerDomain.java 16
opends/src/server/org/opends/server/replication/server/ReplicationServerHandler.java 41
opends/src/server/org/opends/server/replication/server/ServerHandler.java 5
opends/src/server/org/opends/server/tools/EncodePassword.java 18
opends/src/server/org/opends/server/tools/ImportLDIF.java 123
opends/src/server/org/opends/server/tools/makeldif/Branch.java 4
opends/src/server/org/opends/server/types/Entry.java 48
opends/src/server/org/opends/server/types/SubEntry.java 2
opends/src/server/org/opends/server/util/ServerConstants.java 18
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_sasl_addsubjectdnattribute.ldif 4
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_sasl_allowdelete.ldif 4
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_sasl_ldapmodify.ldif 4
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_sasl_ldapmodify2.ldif 4
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_ssl_ldapmodify.ldif 4
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_ssl_ldapmodify2.ldif 4
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_start.ldif 15012
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_startls_ldapmodify.ldif 4
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_startls_ldapmodify2.ldif 4
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/add/add.ldif 75
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/add/add.ref 49
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/add/delete.ldif 1
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/add/moddn.ldif 27
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/add/modify.ldif 27
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/default.ldif 2810
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/delete/add.ldif 40
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/delete/delete.ldif 4
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/delete/delete.ref 76
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/delete/moddn.ldif 26
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/delete/modify.ldif 27
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/moddn/add.ldif 40
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/moddn/delete.ldif 1
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/moddn/moddn.ldif 36
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/moddn/moddn.ref 55
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/moddn/modify.ldif 27
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/modify/add.ldif 40
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/modify/delete.ldif 2
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/modify/moddn.ldif 26
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/modify/modify.ldif 37
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/modify/modify.ref 56
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clu_secure.xml 90
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_cleanup.xml 139
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_jks.xml 210
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_saslexternal/clus_saslexternal.xml 57
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_saslexternal/clus_saslexternal_equaldn.xml 518
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_saslexternal/clus_saslexternal_fingerprint.xml 573
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_saslexternal/clus_saslexternal_subjectattr.xml 541
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_saslexternal/clus_saslexternal_subjectdn.xml 464
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_setup.xml 188
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl.xml 60
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_cleanup.xml 85
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_ldapcompare.xml 220
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_ldapdelete.xml 257
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_ldapmodify.xml 249
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_ldappasswdmodify.xml 244
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_ldapsearch.xml 260
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_setup.xml 91
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls.xml 60
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_cleanup.xml 90
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldapcompare.xml 219
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldapdelete.xml 264
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldapmodify.xml 253
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldappasswdmodify.xml 246
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldapsearch.xml 172
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_setup.xml 93
opends/tests/staf-tests/functional-tests/testcases/core/collectiveattr/core_collectiveattr_tests.xml 2
opends/tests/staf-tests/functional-tests/testcases/core/collectiveattr/core_collectiveattr_tests_bk.xml 463
opends/tests/staf-tests/functional-tests/testcases/core/core.xml 3
opends/tests/staf-tests/functional-tests/testcases/core/psearch/core_psearch.xml 139
opends/tests/staf-tests/functional-tests/testcases/core/psearch/core_psearch_tests.xml 1191
opends/tests/staf-tests/functional-tests/testcases/dsml/dsml_setup.xml 13
opends/tests/staf-tests/functional-tests/testcases/replication/aci/aci.xml 1082
opends/tests/staf-tests/functional-tests/testcases/replication/externalchangelog/externalchangelog_common_ecl_tests.xml 5483
opends/tests/staf-tests/functional-tests/testcases/replication/replication.xml 3
opends/tests/staf-tests/shared/ant/build.properties 4
opends/tests/staf-tests/shared/ant/tests.xml 57
opends/tests/staf-tests/shared/functions/security.xml 509
opends/tests/staf-tests/shared/functions/utils.xml 403
opends/tests/staf-tests/shared/functions/webcontainer.xml 9
opends/tests/staf-tests/shared/java/ldapjdk/PSearch.java 214
opends/tests/staf-tests/shared/java/ldapjdk/PSearchOperations.java 22
opends/tests/staf-tests/shared/java/ldapjndi/addAnEntry.java 7
opends/tests/staf-tests/shared/staf/staf-controller.cfg 21
opends/tests/staf-tests/shared/staf/staf-slave.cfg 5
opends/tests/staf-tests/shared/tests/runTestJob.xml 8
opends/tests/staf-tests/shared/tests/runTests.xml 2
opends/tests/staf-tests/stress-tests/testcases/import_ldif/import_ldif_bin_attr_10m.xml 11
opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/DbHandlerTest.java 274
opends/resource/bin/stop-ds.bat
@@ -23,7 +23,7 @@
rem CDDL HEADER END
rem
rem
rem      Copyright 2006-2009 Sun Microsystems, Inc.
rem      Copyright 2006-2010 Sun Microsystems, Inc.
setlocal
@@ -74,12 +74,12 @@
if %errorlevel% == 103 goto stopAsWindowsService
if %errorlevel% == 104 goto restartAsWindowsService
rem An error or we display usage
goto end
goto writeLastLine
:serverAlreadyStopped
echo %SCRIPT%: server already stopped >> %LOG%
if exist "%INSTANCE_ROOT%\logs\server.pid" erase "%INSTANCE_ROOT%\logs\server.pid"
goto end
goto writeLastLine
:startUsingSystemCall
echo %SCRIPT%: start using system call >> %LOG%
@@ -90,7 +90,7 @@
set OPENDS_JAVA_HOME=%ORIGINAL_JAVA_HOME%
set OPENDS_JAVA_BIN=%ORIGINAL_JAVA_BIN%
"%INSTALL_ROOT%\bat\start-ds.bat"
goto end
goto writeLastLine
:stopUsingSystemCall
echo %SCRIPT%: stop using system call >> %LOG%
@@ -125,6 +125,8 @@
if exist "%INSTANCE_ROOT%\logs\winservice.out" erase "%INSTANCE_ROOT%\logs\winservice.out"
goto end
:end
:writeLastLine
echo %SCRIPT%: finished >> %LOG%
goto end
:end
opends/resource/config/config.ldif
@@ -2470,6 +2470,16 @@
ds-cfg-attribute-type: collectiveAttributeSubentries
ds-cfg-conflict-behavior: virtual-overrides-real
dn: cn=Password Policy Subentry,cn=Virtual Attributes,cn=config
objectClass: top
objectClass: ds-cfg-virtual-attribute
objectClass: ds-cfg-password-policy-subentry-virtual-attribute
cn: Password Policy Subentry
ds-cfg-java-class: org.opends.server.extensions.PasswordPolicySubentryVirtualAttributeProvider
ds-cfg-enabled: true
ds-cfg-attribute-type: pwdPolicySubentry
ds-cfg-conflict-behavior: virtual-overrides-real
dn: cn=Work Queue,cn=config
objectClass: top
objectClass: ds-cfg-work-queue
opends/resource/schema/01-pwpolicy.ldif
@@ -21,7 +21,7 @@
# CDDL HEADER END
#
#
#      Copyright 2006-2008 Sun Microsystems, Inc.
#      Copyright 2006-2010 Sun Microsystems, Inc.
#
#
# This file contains schema definitions from draft-behera-ldap-password-policy,
opends/resource/schema/02-config.ldif
@@ -21,7 +21,7 @@
# CDDL HEADER END
#
#
#      Copyright 2006-2009 Sun Microsystems, Inc.
#      Copyright 2006-2010 Sun Microsystems, Inc.
#
#
# This file contains the attribute type and objectclass definitions for use
@@ -4156,4 +4156,9 @@
  SUP ds-cfg-virtual-attribute
  STRUCTURAL
  X-ORIGIN 'OpenDS Directory Server' )
objectClasses: ( 1.3.6.1.4.1.26027.1.2.236
  NAME 'ds-cfg-password-policy-subentry-virtual-attribute'
  SUP ds-cfg-virtual-attribute
  STRUCTURAL
  X-ORIGIN 'OpenDS Directory Server' )
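--- a/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicySubentryVirtualAttributeConfiguration.xml
+++ b/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicySubentryVirtualAttributeConfiguration.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ! CDDL HEADER START
+  !
+  ! The contents of this file are subject to the terms of the
+  ! Common Development and Distribution License, Version 1.0 only
+  ! (the "License").  You may not use this file except in compliance
+  ! with the License.
+  !
+  ! You can obtain a copy of the license at
+  ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+  ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+  ! See the License for the specific language governing permissions
+  ! and limitations under the License.
+  !
+  ! When distributing Covered Code, include this CDDL HEADER in each
+  ! file and include the License file at
+  ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
+  ! add the following below this CDDL HEADER, with the fields enclosed
+  ! by brackets "[]" replaced with your own identifying information:
+  !      Portions Copyright [yyyy] [name of copyright owner]
+  !
+  ! CDDL HEADER END
+  !
+  !
+  !      Copyright 2010 Sun Microsystems, Inc.
+  ! -->
+<adm:managed-object name="password-policy-subentry-virtual-attribute"
+  plural-name="password-policy-subentry-virtual-attributes"
+  package="org.opends.server.admin.std" extends="virtual-attribute"
+  xmlns:adm="http://www.opends.org/admin"
+  xmlns:ldap="http://www.opends.org/admin-ldap">
+  <adm:synopsis>
+    The
+    <adm:user-friendly-name />
+    generates a virtual attribute that points to the Password Policy
+    subentry in effect for the entry.
+  </adm:synopsis>
+  <adm:profile name="ldap">
+    <ldap:object-class>
+      <ldap:name>
+        ds-cfg-password-policy-subentry-virtual-attribute
+      </ldap:name>
+      <ldap:superior>ds-cfg-virtual-attribute</ldap:superior>
+    </ldap:object-class>
+  </adm:profile>
+  <adm:property-override name="java-class" advanced="true">
+    <adm:default-behavior>
+      <adm:defined>
+        <adm:value>
+          org.opends.server.extensions.PasswordPolicySubentryVirtualAttributeProvider
+        </adm:value>
+      </adm:defined>
+    </adm:default-behavior>
+  </adm:property-override>
+  <adm:property-override name="conflict-behavior" advanced="true">
+    <adm:default-behavior>
+      <adm:defined>
+        <adm:value>virtual-overrides-real</adm:value>
+      </adm:defined>
+    </adm:default-behavior>
+  </adm:property-override>
+  <adm:property-override name="attribute-type">
+    <adm:default-behavior>
+      <adm:defined>
+        <adm:value>pwdPolicySubentry</adm:value>
+      </adm:defined>
+    </adm:default-behavior>
+  </adm:property-override>
+</adm:managed-object>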
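Review bot: The `conflict-behavior` override only sets the default to `virtual-overrides-real`; an administrator can still select `real-overrides-virtual` or `merge-real-and-virtual`, and a value stored in an entry would then be returned as if it were the policy in effect. The definition carries only a synopsis and no `<adm:description>` that says so. Suggest adding a description stating that the attribute is computed by the server and that the default conflict behaviour should be kept, so a stored value cannot stand in for the effective policy when clients or audit tooling read it. Whether the provider itself ignores the setting is not visible in this file.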
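--- a/opends/src/admin/messages/PasswordPolicySubentryVirtualAttributeCfgDefn.properties
+++ b/opends/src/admin/messages/PasswordPolicySubentryVirtualAttributeCfgDefn.properties
@@ -0,0 +1,19 @@
+user-friendly-name=Password Policy Subentry Virtual Attribute
+user-friendly-plural-name=Password Policy Subentry Virtual Attributes
+synopsis=The Password Policy Subentry Virtual Attribute generates a virtual attribute that points to the Password Policy subentry in effect for the entry.
+property.attribute-type.synopsis=Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
+property.base-dn.synopsis=Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute.
+property.base-dn.description=If no values are given, then the server generates virtual attributes anywhere in the server.
+property.base-dn.default-behavior.alias.synopsis=The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+property.conflict-behavior.synopsis=Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
+property.conflict-behavior.syntax.enumeration.value.merge-real-and-virtual.synopsis=Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.
+property.conflict-behavior.syntax.enumeration.value.real-overrides-virtual.synopsis=Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.
+property.conflict-behavior.syntax.enumeration.value.virtual-overrides-real.synopsis=Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.
+property.enabled.synopsis=Indicates whether the Password Policy Subentry Virtual Attribute is enabled for use.
+property.filter.synopsis=Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries.
+property.filter.description=If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
+property.filter.syntax.string.pattern.synopsis=Any valid search filter string.
+property.group-dn.synopsis=Specifies the DNs of the groups whose members can be eligible to use this virtual attribute.
+property.group-dn.description=If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
+property.group-dn.default-behavior.alias.synopsis=Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
+property.java-class.synopsis=Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.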
opends/src/messages/messages/core.properties
@@ -1829,4 +1829,6 @@
 subentry manager is not indexed in backend %s.  Backend initialization \
 for subentry manager processing might take a very long time to complete
INFO_RESULT_UNDEFINED_725=Undefined
SEVERE_ERR_PWPOLICY_NO_PWDPOLICY_OC_726=The entry %s does not contain the \
 pwdPolicy objectclass, which is required for Directory Server password policy
opends/src/messages/messages/extension.properties
@@ -20,7 +20,7 @@
#
# CDDL HEADER END
#
#      Copyright 2006-2008 Sun Microsystems, Inc.
#      Copyright 2006-2010 Sun Microsystems, Inc.
@@ -1425,3 +1425,6 @@
MILD_ERR_COLLECTIVEATTRIBUTESUBENTRIES_VATTR_NOT_SEARCHABLE_576=The %s \
 attribute is not searchable and should not be included in otherwise \
 unindexed search filters
MILD_ERR_PASSWORDPOLICYSUBENTRY_VATTR_NOT_SEARCHABLE_577=The %s \
 attribute is not searchable and should not be included in otherwise \
 unindexed search filters
opends/src/messages/messages/tools.properties
@@ -498,6 +498,10 @@
 successfully
SEVERE_ERR_CANNOT_INITIALIZE_CRYPTO_MANAGER_284=An error occurred while \
 attempting to initialize the crypto manager:  %s
SEVERE_ERR_CANNOT_INITIALIZE_SUBENTRY_MANAGER_285=An error occurred while \
 attempting to initialize the subentry manager:  %s
SEVERE_ERR_CANNOT_INITIALIZE_ROOTDN_MANAGER_286=An error occurred while \
 attempting to initialize the root DN manager:  %s
INFO_BACKUPDB_DESCRIPTION_INCREMENTAL_BASE_ID_287=Backup ID of the source \
 archive for an incremental backup
SEVERE_ERR_BACKUPDB_INCREMENTAL_BASE_REQUIRES_INCREMENTAL_288=The use of the \
opends/src/quicksetup/org/opends/quicksetup/installer/InstallerHelper.java
@@ -1205,7 +1205,12 @@
    }
  }
  private String getJavaArgPropertyForScript(String scriptName)
  /**
   * Returns the java argument property for a given script.
   * @param scriptName the script name.
   * @return the java argument property for a given script.
   */
  private static String getJavaArgPropertyForScript(String scriptName)
  {
    return scriptName+".java-args";
  }
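Review bot: `getJavaArgPropertyForScript` is now defined twice with identical bodies, here and in the second hunk of InstallReviewPanel.java, so the `.java-args` suffix lives in two places. The key shown on the review panel can then drift from the key the installer presumably writes to the properties file. Since the two classes are in different packages, exposing this one as `public static String getJavaArgPropertyForScript(String scriptName)` and calling it from the panel would keep a single definition. The enclosing class starts and ends outside the hunk.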
opends/src/quicksetup/org/opends/quicksetup/installer/ui/InstallReviewPanel.java
@@ -868,13 +868,13 @@
    if (!defaultServer)
    {
      linesToAdd.add(UserData.SERVER_SCRIPT_NAME+": "+
          serverArguments.getStringArguments());
      linesToAdd.add(getJavaArgPropertyForScript(UserData.SERVER_SCRIPT_NAME)
          +": "+serverArguments.getStringArguments());
    }
    if (!defaultImport)
    {
      linesToAdd.add(UserData.IMPORT_SCRIPT_NAME+": "+
          importArguments.getStringArguments());
      linesToAdd.add(getJavaArgPropertyForScript(UserData.IMPORT_SCRIPT_NAME)+
          ": "+importArguments.getStringArguments());
    }
    if (linesToAdd.size() == 1)
@@ -896,11 +896,29 @@
    return sb.toString();
  }
  /**
   * Returns the java argument property for a given script.
   * @param scriptName the script name.
   * @return the java argument property for a given script.
   */
  private static String getJavaArgPropertyForScript(String scriptName)
  {
    return scriptName+".java-args";
  }
  private String getJavaPropertiesFilePath(UserData userData)
  {
    String configDir = Utils.getPath(Utils
        .getInstancePathFromInstallPath(userData.getServerLocation()),
        Installation.CONFIG_PATH_RELATIVE);
    String path;
    if (isWebStart())
    {
      path = userData.getServerLocation();
    }
    else
    {
      path = Utils.getInstallPathFromClasspath();
      path = Utils.getInstancePathFromInstallPath(path);
    }
    String configDir = Utils.getPath(path, Installation.CONFIG_PATH_RELATIVE);
    String propertiesFile = Utils.getPath(
        configDir, Installation.DEFAULT_JAVA_PROPERTIES_FILE);
    return propertiesFile;
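Review bot: In `getJavaPropertiesFilePath` the web-start branch now uses `userData.getServerLocation()` directly, whereas the code it appears to replace passed that value through `Utils.getInstancePathFromInstallPath(...)` first; only the non-web-start branch still applies that mapping. If instance and install paths can differ under web start, the panel would display a properties path that is not the one in use. Either apply the mapping in both branches, `path = Utils.getInstancePathFromInstallPath(userData.getServerLocation());`, or add a comment saying why web start is exempt. The method's closing lines are outside the hunk.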
opends/src/server/org/opends/server/api/SubentryChangeListener.java
New file
@@ -0,0 +1,147 @@
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Copyright 2010 Sun Microsystems, Inc.
 */
package org.opends.server.api;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
/**
 * This interface defines a mechanism that Directory Server components
 * may use if they need to be notified of changes that are being made
 * to subentries in the Directory Server.
 * <BR><BR>
 * Each change listener will be notified whenever an update is being
 * made to subentry in the server, so the listener should use a very
 * efficient mechanism for determining whether or not any action is
 * required for the associated operation and quickly return for cases
 * in which the update is not applicable.
 * <BR><BR>
 * The interface consists of two separate classes of methods. Check
 * methods are invoked to verify that a specific operation performed
 * on subentry is acceptable and if so the server may proceed with
 * that operation further. Handle methods are invoked to notify that
 * specific operation has occured on subentry thus serving purely as
 * notification mechanism. While Check methods can affect the outcome
 * of given operation Handle methods cannot affect the operation out-
 * come in any way. Also note that Handle methods are invoked before
 * any actual operation response to the client is sent.
 * <BR><BR>
 * This interface is intended for the server components that either
 * require to track changes to subentries within the server or need
 * to evaluate and take actions on specific changes being made to
 * subentries within the server. Eg server components implementing
 * their configuration objects as administrative subentries.
 */
@org.opends.server.types.PublicAPI(
     stability=org.opends.server.types.StabilityLevel.VOLATILE,
     mayInstantiate=false,
     mayExtend=true,
     mayInvoke=false)
public interface SubentryChangeListener
{
  /**
   * Performs any checking that may be required before
   * subentry add operation.
   * @param entry subentry being added to the server.
   * @throws DirectoryException if operation is not
   *         acceptable for this subentry.
   */
  public void checkSubentryAddAcceptable(Entry entry)
          throws DirectoryException;
  /**
   * Performs any checking that may be required before
   * subentry delete operation.
   * @param entry subentry being deleted in the server.
   * @throws DirectoryException if operation is not
   *         acceptable for this subentry.
   */
  public void checkSubentryDeleteAcceptable(Entry entry)
          throws DirectoryException;
  /**
   * Performs any checking that may be required before
   * subentry modify operation.
   * @param oldEntry subentry being modified in the server.
   * @param newEntry subentry with modifications applied.
   * @throws DirectoryException if operation is not
   *         acceptable for this subentry.
   */
  public void checkSubentryModifyAcceptable(Entry oldEntry,
          Entry newEntry) throws DirectoryException;
  /**
   * Performs any checking that may be required before
   * subentry modify DN operation.
   * @param oldEntry subentry being modified in the server.
   * @param newEntry subentry with modifications applied.
   * @throws DirectoryException if operation is not
   *         acceptable for this subentry.
   */
  public void checkSubentryModifyDNAcceptable(Entry oldEntry,
          Entry newEntry) throws DirectoryException;
  /**
   * Performs any processing that may be required after a
   * subentry add operation.
   *
   * @param entry The subentry that was added to the
   *              server.
   */
  public void handleSubentryAdd(Entry entry);
  /**
   * Performs any processing that may be required after a
   * subentry delete operation.
   *
   * @param entry The subentry that was removed from the
   *              server.
   */
  public void handleSubentryDelete(Entry entry);
  /**
   * Performs any processing that may be required after a
   * subentry modify operation.
   *
   * @param oldEntry The subentry before it was updated.
   * @param newEntry The subentry after it was updated.
   */
  public void handleSubentryModify(Entry oldEntry, Entry newEntry);
  /**
   * Performs any processing that may be required after a
   * subentry modify DN operation.
   *
   * @param oldEntry The subentry before it was updated.
   * @param newEntry The subentry after it was updated.
   */
  public void handleSubentryModifyDN(Entry oldEntry, Entry newEntry);
}
opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2008-2009 Sun Microsystems, Inc.
 *      Copyright 2008-2010 Sun Microsystems, Inc.
 */
package org.opends.server.authorization.dseecompat;
@@ -1556,17 +1556,8 @@
    }
    case NOT:
    {
      ret = false;
      SearchFilter f = filter.getNotComponent();
      if (f.matchesEntry(container.getResourceEntry()))
      {
        ret = true;
      }
      if (ret)
      {
        ret = testFilter(container, f);
      }
      ret = !ret;
      ret = testFilter(container, f);
      break;
    }
    default:
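Review bot: The `NOT` case now returns `testFilter(container, f)` without negating it, and nothing on the line says why, so a later reader is likely to put back the `ret = !ret;` that this commit removes. If testFilter decides whether the requester may use the attribute types named in the filter, rather than whether the entry matches, the un-negated result is the right one and deserves a comment such as `// NOT needs the same access to the component's attributes as the component itself; this is an access decision and must not be inverted.` A regression test that evaluates a negated filter for a non-privileged user would pin the behaviour behind issue 4547 from the commit message. testFilter starts and ends outside the hunk, so its contract is inferred from this branch only.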
opends/src/server/org/opends/server/backends/jeb/ApproximateIndexer.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2008 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.backends.jeb;
@@ -160,6 +160,10 @@
    for (Attribute attr : attrList)
    {
      if (attr.isVirtual())
      {
        continue;
      }
      for (AttributeValue value : attr)
      {
        try
@@ -196,6 +200,10 @@
    for (Attribute attr : attrList)
    {
      if (attr.isVirtual())
      {
        continue;
      }
      for (AttributeValue value : attr)
      {
        try
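Review bot: The `if (attr.isVirtual()) { continue; }` guard added in both loops here is repeated verbatim in EqualityIndexer, JEExtensibleIndexer, OrderingIndexer and SubstringIndexer, ten copies in all, and none of them says why virtual attributes are excluded from key generation. A one-line comment at each site would record the intent, for example `// Virtual attribute values are not stored with the entry, so they must not produce index keys.`; confirm that wording against how virtual attributes are actually materialised. Moving the check into one shared helper would keep a future indexer from missing it. The enclosing methods start and end outside these hunks.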
opends/src/server/org/opends/server/backends/jeb/BackendImpl.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2007-2009 Sun Microsystems, Inc.
 *      Copyright 2007-2010 Sun Microsystems, Inc.
 */
package org.opends.server.backends.jeb;
import org.opends.messages.Message;
@@ -42,7 +42,6 @@
import com.sleepycat.je.EnvironmentConfig;
import com.sleepycat.je.EnvironmentFailureException;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import org.opends.server.backends.jeb.importLDIF.*;
import org.opends.server.admin.std.meta.LocalDBIndexCfgDefn;
@@ -314,7 +313,6 @@
    {
      EnvironmentConfig envConfig =
          ConfigurableEnvironment.parseConfigEntry(cfg);
      envConfig.setLockTimeout(0, TimeUnit.MICROSECONDS);
      rootContainer = initializeRootContainer(envConfig);
    }
opends/src/server/org/opends/server/backends/jeb/ConfigurableEnvironment.java
@@ -43,6 +43,7 @@
import java.util.StringTokenizer;
import java.util.List;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -435,6 +436,11 @@
          .valueOf(4 * 1024));
    }
    // Disable lock timeouts, meaning that no lock wait
    // timelimit is enforced and a deadlocked operation
    // will block indefinitely.
    envConfig.setLockTimeout(0, TimeUnit.MICROSECONDS);
    return envConfig;
  }
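Review bot: `envConfig.setLockTimeout(0, TimeUnit.MICROSECONDS)` is applied unconditionally as the last statement before `return envConfig;`, so it appears to win over any lock timeout an administrator supplied through the backend's JE properties, which are presumably applied earlier in this method (outside the hunk). With the timeout disabled, as the added comment itself says, a deadlocked operation blocks indefinitely, so a single deadlock can hold worker threads until the server is restarted. Consider setting this default before the administrator-supplied properties are applied, or applying it only when no lock timeout was configured. The comment should also say which of the two is intended.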
opends/src/server/org/opends/server/backends/jeb/EqualityIndexer.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2008 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.backends.jeb;
@@ -168,6 +168,10 @@
    for (Attribute attr : attrList)
    {
      if (attr.isVirtual())
      {
        continue;
      }
      for (AttributeValue value : attr)
      {
        try
@@ -203,6 +207,10 @@
    for (Attribute attr : attrList)
    {
      if (attr.isVirtual())
      {
        continue;
      }
      for (AttributeValue value : attr)
      {
        try
opends/src/server/org/opends/server/backends/jeb/JEExtensibleIndexer.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2009 Sun Microsystems, Inc.
 *      Copyright 2009-2010 Sun Microsystems, Inc.
 */
@@ -180,6 +180,10 @@
    for (Attribute attr : attrList)
    {
      if (attr.isVirtual())
      {
        continue;
      }
      for (AttributeValue value : attr)
      {
        extensibleIndexer.getKeys(value, keys);
@@ -205,10 +209,14 @@
    for (Attribute attr : attrList)
    {
      if (attr.isVirtual())
      {
        continue;
      }
      for (AttributeValue value : attr)
      {
        extensibleIndexer.getKeys(value,modifiedKeys,insert);
      }
    }
  }
}
}
opends/src/server/org/opends/server/backends/jeb/OrderingIndexer.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2008 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.backends.jeb;
@@ -165,6 +165,10 @@
    for (Attribute attr : attrList)
    {
      if (attr.isVirtual())
      {
        continue;
      }
      for (AttributeValue value : attr)
      {
        try
@@ -202,6 +206,10 @@
    for (Attribute attr : attrList)
    {
      if (attr.isVirtual())
      {
        continue;
      }
      for (AttributeValue value : attr)
      {
        try
opends/src/server/org/opends/server/backends/jeb/SubstringIndexer.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.backends.jeb;
@@ -164,6 +164,10 @@
    for (Attribute attr : attrList)
    {
      if (attr.isVirtual())
      {
        continue;
      }
      for (AttributeValue value : attr)
      {
        try
@@ -241,6 +245,10 @@
    for (Attribute attr : attrList)
    {
      if (attr.isVirtual())
      {
        continue;
      }
      for (AttributeValue value : attr)
      {
        try
opends/src/server/org/opends/server/config/ConfigConstants.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009ds Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.config;
opends/src/server/org/opends/server/core/DirectoryServer.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.core;
@@ -1424,11 +1424,7 @@
      // Initialize the subentry manager.
      subentryManager = new SubentryManager();
      // The configuration backend has already been registered at this point
      // so we need to handle it explicitly.
      subentryManager.performBackendInitializationProcessing(configHandler);
      initializeSubentryManager();
      // Initialize the group manager.
      initializeGroupManager();
@@ -2867,6 +2863,41 @@
  /**
   * Initializes the subentry manager for the Directory Server.
   * Note that the subentry manager initialization should be
   * done before any dependent components initialization and
   * before bringing any backends online. Configuration backend
   * is a special case and therefore is exception to this rule.
   *
   * @throws InitializationException If a problem occurs while
   *                                 initializing the subentry
   *                                 manager.
   */
  public void initializeSubentryManager()
          throws InitializationException
  {
    try
    {
      subentryManager = new SubentryManager();
      // The configuration backend should already be registered
      // at this point so we need to handle it explicitly here.
      subentryManager.performBackendInitializationProcessing(
              configHandler);
    }
    catch (DirectoryException de)
    {
      if (debugEnabled())
      {
        TRACER.debugCaught(DebugLogLevel.ERROR, de);
      }
      throw new InitializationException(de.getMessageObject());
    }
  }
  /**
   * Initializes the set of password policy components for use by the Directory
   * Server.
   *
@@ -8291,6 +8322,12 @@
      DirectoryServer.deregisterPasswordPolicy(configEntryDN);
    }
    // Finalize password policies and their config manager.
    if (directoryServer.passwordPolicyConfigManager != null)
    {
      directoryServer.passwordPolicyConfigManager.finalizePasswordPolicies();
    }
    // Finalize the access control handler
    AccessControlHandler accessControlHandler =
        AccessControlConfigManager.getInstance().getAccessControlHandler();
@@ -8305,6 +8342,11 @@
      directoryServer.groupManager.finalizeGroupManager();
    }
    // Finalize the subentry manager.
    if (directoryServer.subentryManager != null)
    {
      directoryServer.subentryManager.finalizeSubentryManager();
    }
    // Shut down all the other components that may need special handling.
    // NYI
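Review bot: In the new `initializeSubentryManager()` the catch block rethrows with `new InitializationException(de.getMessageObject())`, which discards the original DirectoryException and its stack trace unless debug tracing is enabled. PasswordPolicyConfigManager in this same commit uses the two-argument form, so `throw new InitializationException(de.getMessageObject(), de);` keeps the cause. The method is also public and replaces `subentryManager` on every call. Because the SubentryManager constructor registers itself as an internal plugin and as a backend initialization listener, a second call would leave the previous instance registered, so the Javadoc should say the method is called once at startup, or the method should finalize an existing instance first.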
opends/src/server/org/opends/server/core/PasswordPolicy.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2008 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.core;
@@ -36,6 +36,7 @@
import java.util.LinkedList;
import java.util.SortedSet;
import java.util.TimeZone;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.CopyOnWriteArraySet;
@@ -154,11 +155,17 @@
    if (defaultScheme != null) defaultStorageSchemes.add(defaultScheme);
  }
  // DNs of password storage schemes for this password policy.
  private SortedSet<DN> storageSchemeDNs = new TreeSet<DN>();
  // The names of the deprecated password storage schemes for this password
  // policy.
  private CopyOnWriteArraySet<String> deprecatedStorageSchemes =
       new CopyOnWriteArraySet<String>();
  // DNs of deprecated password storage schemes for this password policy.
  private SortedSet<DN> deprecatedStorageSchemeDNs = new TreeSet<DN>();
  // The DN of the password validator for this password policy.
  private DN passwordGeneratorDN = null;
@@ -285,7 +292,7 @@
    // Get the default storage schemes.  They must all reference valid storage
    // schemes that support the syntax for the specified password attribute.
    SortedSet<DN> storageSchemeDNs =
    storageSchemeDNs =
      configuration.getDefaultPasswordStorageSchemeDNs();
    try
    {
@@ -329,7 +336,7 @@
    // Get the names of the deprecated storage schemes.
    SortedSet<DN> deprecatedStorageSchemeDNs =
    deprecatedStorageSchemeDNs =
      configuration.getDeprecatedPasswordStorageSchemeDNs();
    try
    {
@@ -750,6 +757,21 @@
  /**
   * Retrieves the default set of password storage scheme DNs that will
   * be used for this password policy.  The returned set should not be
   * modified by the caller.
   *
   * @return  The default set of password storage scheme DNs that will
   *          be used for this password policy.
   */
  public SortedSet<DN> getDefaultStorageSchemeDNs()
  {
    return storageSchemeDNs;
  }
  /**
   * Indicates whether the specified storage scheme is a default scheme for this
   * password policy.
   *
@@ -810,6 +832,24 @@
  /**
   * Retrieves DNs of the password storage schemes that have been
   * deprecated.  If an authenticating user has one or more of
   * these deprecated storage schemes in use in their entry, then
   * they will be removed and replaced with the passwords encoded
   * in the default storage scheme(s).  The returned set should
   * not be altered by the caller.
   *
   * @return  DNs of the password storage schemes that have been
   *          deprecated.
   */
  public SortedSet<DN> getDeprecatedStorageSchemeDNs()
  {
    return deprecatedStorageSchemeDNs;
  }
  /**
   * Indicates whether the specified storage scheme is deprecated.
   *
   * @param  name  The name of the password storage scheme for which to make the
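Review bot: `getDefaultStorageSchemeDNs()` and `getDeprecatedStorageSchemeDNs()` hand out the policy's own `SortedSet<DN>` fields and rely on the Javadoc request that callers not modify them. These sets record which password storage schemes the policy uses and which it treats as deprecated, so a caller that mutates the returned set alters the policy's state for every other reader. Returning a read-only view costs one line per getter, `return java.util.Collections.unmodifiableSortedSet(storageSchemeDNs);`, and the same for `deprecatedStorageSchemeDNs`. Both fields are later reassigned to the sets returned by the configuration object, so the initial `new TreeSet<DN>()` values are placeholders only and could be noted as such.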
opends/src/server/org/opends/server/core/PasswordPolicyConfigManager.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2008 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.core;
import org.opends.messages.Message;
@@ -37,15 +37,20 @@
import org.opends.server.admin.server.ServerManagementContext;
import org.opends.server.admin.std.server.PasswordPolicyCfg;
import org.opends.server.admin.std.server.RootCfg;
import org.opends.server.api.SubentryChangeListener;
import org.opends.server.config.ConfigException;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.types.ConfigChangeResult;
import org.opends.server.types.DN;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.ResultCode;
import org.opends.server.types.SubEntry;
import static org.opends.messages.ConfigMessages.*;
import static org.opends.server.util.StaticUtils.*;
import static org.opends.server.loggers.debug.DebugLogger.*;
@@ -56,9 +61,14 @@
 * the server is running.
 */
public class PasswordPolicyConfigManager
       implements ConfigurationAddListener<PasswordPolicyCfg>,
       implements SubentryChangeListener,
       ConfigurationAddListener<PasswordPolicyCfg>,
       ConfigurationDeleteListener<PasswordPolicyCfg>
{
  /**
   * The tracer object for the debug logger.
   */
  private static final DebugTracer TRACER = getTracer();
@@ -72,6 +82,39 @@
  /**
   * Creates a password policy configuration object
   * from password policy subentry.
   * @param  subEntry password policy subentry.
   * @return password policy configuration.
   * @throws InitializationException if an error
   *         occurs while parsing subentry into
   *         password policy configuration.
   */
  private PasswordPolicyConfig createPasswordPolicyConfig(
          SubEntry subEntry) throws InitializationException
  {
    try
    {
      SubentryPasswordPolicy subentryPolicy =
              new SubentryPasswordPolicy(subEntry);
      PasswordPolicy passwordPolicy =
              new PasswordPolicy(subentryPolicy);
      PasswordPolicyConfig config =
              new PasswordPolicyConfig(passwordPolicy);
      return config;
    }
    catch (Exception e)
    {
      Message message = ERR_CONFIG_PWPOLICY_INVALID_POLICY_CONFIG.
            get(String.valueOf(subEntry.getDN()),
                stackTraceToSingleLineString(e));
      throw new InitializationException(message, e);
    }
  }
  /**
   * Initializes all password policies currently defined in the Directory
   * Server configuration.  This should only be called at Directory Server
   * startup.
@@ -163,6 +206,39 @@
              String.valueOf(defaultPolicyDN));
      throw new ConfigException(message);
    }
    // Process and register any password policy subentries.
    List<SubEntry> pwpSubEntries =
            DirectoryServer.getSubentryManager().getSubentries();
    if ((pwpSubEntries != null) && (!pwpSubEntries.isEmpty()))
    {
      for (SubEntry subentry : pwpSubEntries)
      {
        if (subentry.getEntry().isPasswordPolicySubentry())
        {
          PasswordPolicyConfig config =
                  createPasswordPolicyConfig(subentry);
          DirectoryServer.registerPasswordPolicy(
              subentry.getDN(), config);
        }
      }
    }
    // Register this as subentry change listener with SubentryManager.
    DirectoryServer.getSubentryManager().registerChangeListener(this);
  }
  /**
   * Perform any required finalization tasks for all password policies
   * currently defined. This should only be called at Directory Server
   * shutdown.
   */
  public void finalizePasswordPolicies()
  {
    // Deregister this as subentry change listener with SubentryManager.
    DirectoryServer.getSubentryManager().deregisterChangeListener(this);
  }
@@ -323,4 +399,191 @@
    return new ConfigChangeResult(ResultCode.SUCCESS, false, messages);
  }
  /**
   * Attempts to parse an entry as password policy
   * subentry to create a password policy object.
   * @param entry subentry to parse.
   * @throws DirectoryException if a problem occurs
   *         while creating a password policy from
   *         given subentry.
   */
  private void checkSubentryAcceptable(Entry entry)
          throws DirectoryException
  {
    SubEntry subentry = new SubEntry(entry);
    SubentryPasswordPolicy subentryPolicy =
            new SubentryPasswordPolicy(subentry);
    try
    {
      new PasswordPolicy(subentryPolicy);
    }
    catch (ConfigException ex)
    {
      throw new DirectoryException(
              ResultCode.UNWILLING_TO_PERFORM,
              ex.getMessageObject());
    }
    catch (InitializationException ex)
    {
      throw new DirectoryException(
              ResultCode.UNWILLING_TO_PERFORM,
              ex.getMessageObject());
    }
  }
  /**
   * {@inheritDoc}
   */
  public void checkSubentryAddAcceptable(Entry entry)
          throws DirectoryException
  {
    if (entry.isPasswordPolicySubentry())
    {
      checkSubentryAcceptable(entry);
    }
  }
  /**
   * {@inheritDoc}
   */
  public void checkSubentryDeleteAcceptable(Entry entry)
          throws DirectoryException
  {
    // FIXME: something like a referential integrity check is needed to
    // ensure a policy is not removed when referenced by a user entry (
    // either directly or via a virtual attribute).
  }
  /**
   * {@inheritDoc}
   */
  public void checkSubentryModifyAcceptable(Entry oldEntry, Entry newEntry)
          throws DirectoryException
  {
    if (newEntry.isPasswordPolicySubentry())
    {
      checkSubentryAcceptable(newEntry);
    }
  }
  /**
   * {@inheritDoc}
   */
  public void checkSubentryModifyDNAcceptable(Entry oldEntry, Entry newEntry)
          throws DirectoryException
  {
    // FIXME: something like a referential integrity check is needed to
    // ensure a policy is not removed when referenced by a user entry (
    // either directly or via a virtual attribute).
  }
  /**
   * {@inheritDoc}
   */
  public void handleSubentryAdd(Entry entry)
  {
    if (entry.isPasswordPolicySubentry())
    {
      try
      {
        SubEntry subentry = new SubEntry(entry);
        PasswordPolicyConfig config =
                  createPasswordPolicyConfig(subentry);
        DirectoryServer.registerPasswordPolicy(
            subentry.getDN(), config);
      }
      catch (Exception e)
      {
        if (debugEnabled())
        {
          TRACER.debugError("Could not create password policy subentry "
                  + "DN %s: %s",
                  entry.getDN().toString(),
                  stackTraceToSingleLineString(e));
        }
      }
    }
  }
  /**
   * {@inheritDoc}
   */
  public void handleSubentryDelete(Entry entry)
  {
    if (entry.isPasswordPolicySubentry())
    {
      DirectoryServer.deregisterPasswordPolicy(entry.getDN());
    }
  }
  /**
   * {@inheritDoc}
   */
  public void handleSubentryModify(Entry oldEntry, Entry newEntry)
  {
    if (oldEntry.isPasswordPolicySubentry())
    {
      DirectoryServer.deregisterPasswordPolicy(oldEntry.getDN());
    }
    if (newEntry.isPasswordPolicySubentry())
    {
      try
      {
        SubEntry subentry = new SubEntry(newEntry);
        PasswordPolicyConfig config =
                  createPasswordPolicyConfig(subentry);
        DirectoryServer.registerPasswordPolicy(
            subentry.getDN(), config);
      }
      catch (Exception e)
      {
        if (debugEnabled())
        {
          TRACER.debugError("Could not create password policy subentry "
                  + "DN %s: %s",
                  newEntry.getDN().toString(),
                  stackTraceToSingleLineString(e));
        }
      }
    }
  }
  /**
   * {@inheritDoc}
   */
  public void handleSubentryModifyDN(Entry oldEntry, Entry newEntry)
  {
    if (oldEntry.isPasswordPolicySubentry())
    {
      DirectoryServer.deregisterPasswordPolicy(oldEntry.getDN());
    }
    if (newEntry.isPasswordPolicySubentry())
    {
      try
      {
        SubEntry subentry = new SubEntry(newEntry);
        PasswordPolicyConfig config =
                  createPasswordPolicyConfig(subentry);
        DirectoryServer.registerPasswordPolicy(
            subentry.getDN(), config);
      }
      catch (Exception e)
      {
        if (debugEnabled())
        {
          TRACER.debugError("Could not create password policy subentry "
                  + "DN %s: %s",
                  newEntry.getDN().toString(),
                  stackTraceToSingleLineString(e));
        }
      }
    }
  }
}
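Review bot: `handleSubentryModify` deregisters the old policy before it tries to build the new one, and a failure in `createPasswordPolicyConfig` is swallowed with only a debug trace, so a subentry that fails to parse leaves no policy registered under that DN. PasswordPolicyState in this commit treats an unregistered subentry policy as a reason to fall back to the default policy, which means the affected users silently change password policy. Building the replacement first and swapping only on success avoids that gap, and the failure should reach the server error log rather than only the debug tracer. `handleSubentryModifyDN` has the same ordering, and `handleSubentryAdd` has the same debug-only catch.

```java
  public void handleSubentryModify(Entry oldEntry, Entry newEntry)
  {
    // Build the replacement first so that a parse failure does not
    // leave the DN without a registered policy.
    DN newPolicyDN = null;
    PasswordPolicyConfig newConfig = null;
    if (newEntry.isPasswordPolicySubentry())
    {
      try
      {
        SubEntry subentry = new SubEntry(newEntry);
        newConfig = createPasswordPolicyConfig(subentry);
        newPolicyDN = subentry.getDN();
      }
      catch (Exception e)
      {
        // ... unchanged: debug trace of the failure ...
        // The previously registered policy stays in place.
        return;
      }
    }
    if (oldEntry.isPasswordPolicySubentry())
    {
      DirectoryServer.deregisterPasswordPolicy(oldEntry.getDN());
    }
    if (newConfig != null)
    {
      DirectoryServer.registerPasswordPolicy(newPolicyDN, newConfig);
    }
  }
```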
opends/src/server/org/opends/server/core/PasswordPolicyState.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2008 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.core;
@@ -210,8 +210,8 @@
    this.currentTime = currentTime;
    userDNString     = userEntry.getDN().toString();
    passwordPolicy   = getPasswordPolicyInternal(this.userEntry,
                                                 useDefaultOnError);
    passwordPolicy   = getPasswordPolicy(this.userEntry,
                                         useDefaultOnError);
    // Get the password changed time for the user.
    AttributeType type
@@ -253,8 +253,9 @@
  /**
   * Retrieves the password policy for the user. If the user entry contains the
   * ds-pwp-password-policy-dn attribute (whether real or virtual), that
   * password policy is returned, otherwise the default password policy is
   * returned.
   * password policy is returned, otherwise applicable to the user entry
   * subentry password policy is returned, if any, otherwise the default
   * password policy is returned.
   *
   * @param  userEntry          The user entry.
   * @param  useDefaultOnError  Indicates whether the server should fall back to
@@ -266,15 +267,15 @@
   * @throws  DirectoryException  If a problem occurs while attempting to
   *                              determine the password policy for the user.
   */
  private static PasswordPolicy getPasswordPolicyInternal(Entry userEntry,
  public static PasswordPolicy getPasswordPolicy(Entry userEntry,
                                     boolean useDefaultOnError)
       throws DirectoryException
  {
    String userDNString = userEntry.getDN().toString();
    AttributeType type =
         DirectoryServer.getAttributeType(OP_ATTR_PWPOLICY_POLICY_DN, true);
    AttributeType type = DirectoryServer.getAttributeType(
            OP_ATTR_PWPOLICY_POLICY_DN, true);
    List<Attribute> attrList = userEntry.getAttribute(type);
    if (attrList != null)
    {
      for (Attribute a : attrList)
@@ -350,6 +351,49 @@
      }
    }
    // No attribute defined password policy: try locating and using the
    // closest to this entry password policy subentry defined, if any.
    List<SubEntry> pwpSubEntries =
            DirectoryServer.getSubentryManager().getSubentries(userEntry);
    if ((pwpSubEntries != null) && (!pwpSubEntries.isEmpty()))
    {
      for (SubEntry subentry : pwpSubEntries)
      {
        try
        {
          if (subentry.getEntry().isPasswordPolicySubentry())
          {
            PasswordPolicy policy = DirectoryServer.getPasswordPolicy(
                    subentry.getDN());
            if (policy == null)
            {
              // This shouldnt happen but if it does debug log
              // this problem and fall back to default policy.
              if (debugEnabled())
              {
                TRACER.debugError(
                        "Found unknown password policy subentry "
                        + "DN %s for user %s",
                        subentry.getDN().toString(), userDNString);
              }
              break;
            }
            return policy;
          }
        }
        catch (Exception e)
        {
          if (debugEnabled())
          {
            TRACER.debugError("Could not parse password policy subentry "
                    + "DN %s for user %s: %s",
                    subentry.getDN().toString(), userDNString,
                    stackTraceToSingleLineString(e));
          }
        }
      }
    }
    // There is no policy subentry defined: use the default.
    if (debugEnabled())
    {
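Review bot: The new subentry lookup in `getPasswordPolicy` never consults `useDefaultOnError`: when a password policy subentry applies to the user but `DirectoryServer.getPasswordPolicy(subentry.getDN())` returns null, or when handling the subentry throws, the code only debug-traces and goes on to the default policy. For a caller that passed `useDefaultOnError` as false, this silently applies a different policy from the one the directory data names. In that case the `policy == null` branch and the catch block should throw a DirectoryException, matching how the attribute-based branch above reports errors (that branch is outside the hunk, so confirm its handling). The comment also promises the "closest" subentry, while the loop returns the first password policy subentry in list order, so the ordering guarantee of `getSubentries(userEntry)` should be stated or checked.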
opends/src/server/org/opends/server/core/SchemaConfigManager.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.core;
import org.opends.messages.Message;
@@ -30,6 +30,7 @@
import java.io.File;
import java.io.FilenameFilter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedList;
@@ -187,6 +188,26 @@
  /**
   * Filter implementation that accepts only ldif files.
   */
  private class SchemaFileFilter implements FilenameFilter
  {
    /**
     * {@inheritDoc}
     */
    public boolean accept(File directory, String filename)
    {
      if (filename.endsWith(".ldif"))
      {
        return true;
      }
      return false;
    }
  }
  /**
   * Initializes all the attribute type, object class, name form, DIT content
   * rule, DIT structure rule, and matching rule use definitions by reading the
   * server schema files.  These files will be located in a single directory and
@@ -253,12 +274,15 @@
        schemaInstanceDir = null;
      }
      File[] schemaInstallDirFiles  = schemaInstallDir.listFiles() ;
      FilenameFilter filter = new SchemaFileFilter();
      File[] schemaInstallDirFiles =
              schemaInstallDir.listFiles(filter);
      int fileNumber = schemaInstallDirFiles.length;
      File[] schemaInstanceDirFiles = null ;
      if (schemaInstanceDir != null)
      {
        schemaInstanceDirFiles = schemaInstanceDir.listFiles();
        schemaInstanceDirFiles =
                schemaInstanceDir.listFiles(filter);
        fileNumber =+ schemaInstanceDirFiles.length ;
      }
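Review bot: In the last hunk `fileNumber =+ schemaInstanceDirFiles.length ;` assigns the unary-plus value instead of adding, so the count taken from `schemaInstallDirFiles.length` is overwritten by the instance directory's count; it should read `fileNumber += schemaInstanceDirFiles.length;`. The line appears to be unchanged context, but the new filter alters both lengths, so this commit is a natural place to fix it. `listFiles(filter)` returns null when the directory cannot be read, and `.length` is taken on both arrays without a check. `SchemaFileFilter` does not use its enclosing instance, so it can be a `private static class`, and `accept` can simply `return filename.endsWith(".ldif");`.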
opends/src/server/org/opends/server/core/SubentryManager.java
@@ -22,18 +22,24 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2009 Sun Microsystems, Inc.
 *      Copyright 2009-2010 Sun Microsystems, Inc.
 */
package org.opends.server.core;
import java.util.*;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.opends.server.api.Backend;
import org.opends.server.api.BackendInitializationListener;
import org.opends.server.api.ChangeNotificationListener;
import org.opends.server.api.SubentryChangeListener;
import org.opends.server.api.plugin.InternalDirectoryServerPlugin;
import org.opends.server.api.plugin.PluginResult;
import org.opends.server.api.plugin.PluginResult.PostOperation;
import org.opends.server.api.plugin.PluginResult.PreOperation;
import org.opends.server.api.plugin.PluginType;
import org.opends.server.controls.SubentriesControl;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.protocols.internal.InternalClientConnection;
@@ -48,10 +54,14 @@
import org.opends.server.types.SearchScope;
import org.opends.server.types.SearchFilter;
import org.opends.server.types.SubEntry;
import org.opends.server.types.operation.PostResponseAddOperation;
import org.opends.server.types.operation.PostResponseDeleteOperation;
import org.opends.server.types.operation.PostResponseModifyOperation;
import org.opends.server.types.operation.PostResponseModifyDNOperation;
import org.opends.server.types.operation.PostOperationAddOperation;
import org.opends.server.types.operation.PostOperationDeleteOperation;
import org.opends.server.types.operation.PostOperationModifyDNOperation;
import org.opends.server.types.operation.PostOperationModifyOperation;
import org.opends.server.types.operation.PreOperationAddOperation;
import org.opends.server.types.operation.PreOperationDeleteOperation;
import org.opends.server.types.operation.PreOperationModifyDNOperation;
import org.opends.server.types.operation.PreOperationModifyOperation;
import org.opends.server.workflowelement.localbackend.
            LocalBackendSearchOperation;
@@ -73,8 +83,8 @@
 * memory.  If it is determined that this approach is not workable
 * in all cases, then we will need an alternate strategy.
 */
public class SubentryManager
        implements BackendInitializationListener, ChangeNotificationListener
public class SubentryManager extends InternalDirectoryServerPlugin
        implements BackendInitializationListener
{
  /**
   * The tracer object for the debug logger.
@@ -93,22 +103,87 @@
  // Lock to protect internal data structures.
  private final ReentrantReadWriteLock lock;
  // The set of change notification listeners.
  private CopyOnWriteArrayList<SubentryChangeListener>
               changeListeners;
  // Dummy configuration DN for Subentry Manager.
  private static final String CONFIG_DN = "cn=Subentry Manager,cn=config";
  /**
   * Creates a new instance of this group manager.
   * Creates a new instance of this subentry manager.
   *
   * @throws DirectoryException If a problem occurs while
   *                            creating an instance of
   *                            the subentry manager.
   */
  public SubentryManager()
  public SubentryManager() throws DirectoryException
  {
    super(DN.decode(CONFIG_DN), EnumSet.of(
          PluginType.PRE_OPERATION_ADD,
          PluginType.PRE_OPERATION_DELETE,
          PluginType.PRE_OPERATION_MODIFY,
          PluginType.PRE_OPERATION_MODIFY_DN,
          PluginType.POST_OPERATION_ADD,
          PluginType.POST_OPERATION_DELETE,
          PluginType.POST_OPERATION_MODIFY,
          PluginType.POST_OPERATION_MODIFY_DN),
          true);
    lock = new ReentrantReadWriteLock();
    dn2SubEntry = new HashMap<DN,List<SubEntry>>();
    dn2CollectiveSubEntry = new HashMap<DN,List<SubEntry>>();
    requestAttrs = new LinkedHashSet<String>();
    requestAttrs.add("subtreespecification");
    requestAttrs.add("*");
    changeListeners =
            new CopyOnWriteArrayList<SubentryChangeListener>();
    requestAttrs = new LinkedHashSet<String>();
    requestAttrs.add("*");
    requestAttrs.add("+");
    DirectoryServer.registerInternalPlugin(this);
    DirectoryServer.registerBackendInitializationListener(this);
    DirectoryServer.registerChangeNotificationListener(this);
  }
  /**
   * Perform any required finalization tasks for Subentry Manager.
   * This should only be called at Directory Server shutdown.
   */
  public void finalizeSubentryManager()
  {
    // Deregister as internal plugin and
    // backend initialization listener.
    DirectoryServer.deregisterInternalPlugin(this);
    DirectoryServer.deregisterBackendInitializationListener(this);
  }
  /**
   * Registers the provided change notification listener with this manager
   * so that it will be notified of any add, delete, modify, or modify DN
   * operations that are performed.
   *
   * @param  changeListener  The change notification listener to register
   *                         with this manager.
   */
  public void registerChangeListener(
                          SubentryChangeListener changeListener)
  {
    changeListeners.add(changeListener);
  }
  /**
   * Deregisters the provided change notification listener with this manager
   * so that it will no longer be notified of any add, delete, modify, or
   * modify DN operations that are performed.
   *
   * @param  changeListener  The change notification listener to deregister
   *                         with this manager.
   */
  public void deregisterChangeListener(
                          SubentryChangeListener changeListener)
  {
    changeListeners.remove(changeListener);
  }
  /**
@@ -163,45 +238,51 @@
    try
    {
      boolean removed = false;
      Iterator<Map.Entry<DN, List<SubEntry>>> iterator =
      Iterator<Map.Entry<DN, List<SubEntry>>> setIterator =
              dn2SubEntry.entrySet().iterator();
      while (iterator.hasNext())
      while (setIterator.hasNext())
      {
        Map.Entry<DN, List<SubEntry>> mapEntry = iterator.next();
        Map.Entry<DN, List<SubEntry>> mapEntry = setIterator.next();
        List<SubEntry> subList = mapEntry.getValue();
        for (SubEntry subEntry : subList)
        Iterator<SubEntry> listIterator = subList.iterator();
        while (listIterator.hasNext())
        {
          SubEntry subEntry = listIterator.next();
          if (subEntry.getDN().equals(entry.getDN()))
          {
            removed = subList.remove(subEntry);
            listIterator.remove();
            removed = true;
            break;
          }
        }
        if (subList.isEmpty())
        {
          iterator.remove();
          setIterator.remove();
        }
        if (removed)
        {
          return;
        }
      }
      iterator = dn2CollectiveSubEntry.entrySet().iterator();
      while (iterator.hasNext())
      setIterator = dn2CollectiveSubEntry.entrySet().iterator();
      while (setIterator.hasNext())
      {
        Map.Entry<DN, List<SubEntry>> mapEntry = iterator.next();
        Map.Entry<DN, List<SubEntry>> mapEntry = setIterator.next();
        List<SubEntry> subList = mapEntry.getValue();
        for (SubEntry subEntry : subList)
        Iterator<SubEntry> listIterator = subList.iterator();
        while (listIterator.hasNext())
        {
          SubEntry subEntry = listIterator.next();
          if (subEntry.getDN().equals(entry.getDN()))
          {
            removed = subList.remove(subEntry);
            listIterator.remove();
            removed = true;
            break;
          }
        }
        if (subList.isEmpty())
        {
          iterator.remove();
          setIterator.remove();
        }
        if (removed)
        {
@@ -230,8 +311,10 @@
    SearchFilter filter = null;
    try
    {
      filter = SearchFilter.createFilterFromString("(" +
            ATTR_OBJECTCLASS + "=" + OC_SUBENTRY + ")");
      filter = SearchFilter.createFilterFromString("(|" +
            "(" + ATTR_OBJECTCLASS + "=" + OC_SUBENTRY + ")" +
            "(" + ATTR_OBJECTCLASS + "=" + OC_LDAP_SUBENTRY + ")" +
            ")");
      if (backend.getEntryCount() > 0 && ! backend.isIndexed(filter))
      {
        logError(WARN_SUBENTRY_FILTER_NOT_INDEXED.get(
@@ -292,7 +375,7 @@
      for (SearchResultEntry entry : internalSearch.getSearchEntries())
      {
        if (entry.isSubentry())
        if (entry.isSubentry() || entry.isLDAPSubentry())
        {
          try
          {
@@ -314,6 +397,37 @@
  }
  /**
   * Return all subentries for this manager.
   * Note that this getter will skip any collective subentries,
   * returning only applicable regular subentries.
   * @return all subentries for this manager.
   */
  public List<SubEntry> getSubentries()
  {
    if (dn2SubEntry.isEmpty())
    {
      return Collections.emptyList();
    }
    List<SubEntry> subentries = new ArrayList<SubEntry>();
    lock.readLock().lock();
    try
    {
      for (List<SubEntry> subList : dn2SubEntry.values())
      {
        subentries.addAll(subList);
      }
    }
    finally
    {
      lock.readLock().unlock();
    }
    return subentries;
  }
  /**
   * Return subentries applicable to specific DN.
   * Note that this getter will skip any collective subentries,
   * returning only applicable regular subentries.
@@ -506,39 +620,43 @@
    lock.writeLock().lock();
    try
    {
      Iterator<Map.Entry<DN, List<SubEntry>>> iterator =
      Iterator<Map.Entry<DN, List<SubEntry>>> setIterator =
              dn2SubEntry.entrySet().iterator();
      while (iterator.hasNext())
      while (setIterator.hasNext())
      {
        Map.Entry<DN, List<SubEntry>> mapEntry = iterator.next();
        Map.Entry<DN, List<SubEntry>> mapEntry = setIterator.next();
        List<SubEntry> subList = mapEntry.getValue();
        for (SubEntry subEntry : subList)
        Iterator<SubEntry> listIterator = subList.iterator();
        while (listIterator.hasNext())
        {
          SubEntry subEntry = listIterator.next();
          if (backend.handlesEntry(subEntry.getDN()))
          {
            subList.remove(subEntry);
            listIterator.remove();
          }
        }
        if (subList.isEmpty())
        {
          iterator.remove();
          setIterator.remove();
        }
      }
      iterator = dn2CollectiveSubEntry.entrySet().iterator();
      while (iterator.hasNext())
      setIterator = dn2CollectiveSubEntry.entrySet().iterator();
      while (setIterator.hasNext())
      {
        Map.Entry<DN, List<SubEntry>> mapEntry = iterator.next();
        Map.Entry<DN, List<SubEntry>> mapEntry = setIterator.next();
        List<SubEntry> subList = mapEntry.getValue();
        for (SubEntry subEntry : subList)
        Iterator<SubEntry> listIterator = subList.iterator();
        while (listIterator.hasNext())
        {
          SubEntry subEntry = listIterator.next();
          if (backend.handlesEntry(subEntry.getDN()))
          {
            subList.remove(subEntry);
            listIterator.remove();
          }
        }
        if (subList.isEmpty())
        {
          iterator.remove();
          setIterator.remove();
        }
      }
    }
@@ -549,17 +667,177 @@
  }
  /**
   * {@inheritDoc}  In this case, each entry is checked to see if it is
   * a subentry, and if so it will be registered with this manager.
   * {@inheritDoc}
   */
  public void handleAddOperation(PostResponseAddOperation addOperation,
                                 Entry entry)
  @Override
  public PreOperation doPreOperation(
          PreOperationAddOperation addOperation)
  {
    if (entry.isSubentry())
    Entry entry = addOperation.getEntryToAdd();
    if (entry.isSubentry() || entry.isLDAPSubentry())
    {
      for (SubentryChangeListener changeListener :
              changeListeners)
      {
        try
        {
          changeListener.checkSubentryAddAcceptable(entry);
        }
        catch (DirectoryException de)
        {
          if (debugEnabled())
          {
            TRACER.debugCaught(DebugLogLevel.ERROR, de);
          }
          return PluginResult.PreOperation.stopProcessing(
                  de.getResultCode(), de.getMessageObject());
        }
      }
    }
    return PluginResult.PreOperation.continueOperationProcessing();
  }
  /**
   * {@inheritDoc}
   */
  @Override
  public PreOperation doPreOperation(
          PreOperationDeleteOperation deleteOperation)
  {
    Entry entry = deleteOperation.getEntryToDelete();
    if (entry.isSubentry() || entry.isLDAPSubentry())
    {
      for (SubentryChangeListener changeListener :
              changeListeners)
      {
        try
        {
          changeListener.checkSubentryDeleteAcceptable(entry);
        }
        catch (DirectoryException de)
        {
          if (debugEnabled())
          {
            TRACER.debugCaught(DebugLogLevel.ERROR, de);
          }
          return PluginResult.PreOperation.stopProcessing(
                  de.getResultCode(), de.getMessageObject());
        }
      }
    }
    return PluginResult.PreOperation.continueOperationProcessing();
  }
  /**
   * {@inheritDoc}
   */
  @Override
  public PreOperation doPreOperation(
          PreOperationModifyOperation modifyOperation)
  {
    Entry oldEntry = modifyOperation.getCurrentEntry();
    Entry newEntry = modifyOperation.getModifiedEntry();
    if ((newEntry.isSubentry() || newEntry.isLDAPSubentry()) ||
        (oldEntry.isSubentry() || oldEntry.isLDAPSubentry()))
    {
      for (SubentryChangeListener changeListener :
              changeListeners)
      {
        try
        {
          changeListener.checkSubentryModifyAcceptable(
                  oldEntry, newEntry);
        }
        catch (DirectoryException de)
        {
          if (debugEnabled())
          {
            TRACER.debugCaught(DebugLogLevel.ERROR, de);
          }
          return PluginResult.PreOperation.stopProcessing(
                  de.getResultCode(), de.getMessageObject());
        }
      }
    }
    return PluginResult.PreOperation.continueOperationProcessing();
  }
  /**
   * {@inheritDoc}
   */
  @Override
  public PreOperation doPreOperation(
          PreOperationModifyDNOperation modifyDNOperation)
  {
    Entry oldEntry = modifyDNOperation.getOriginalEntry();
    Entry newEntry = modifyDNOperation.getUpdatedEntry();
    if (oldEntry.isSubentry() || oldEntry.isLDAPSubentry())
    {
      for (SubentryChangeListener changeListener :
              changeListeners)
      {
        try
        {
          changeListener.checkSubentryModifyAcceptable(
                  oldEntry, newEntry);
        }
        catch (DirectoryException de)
        {
          if (debugEnabled())
          {
            TRACER.debugCaught(DebugLogLevel.ERROR, de);
          }
          return PluginResult.PreOperation.stopProcessing(
                  de.getResultCode(), de.getMessageObject());
        }
      }
    }
    return PluginResult.PreOperation.continueOperationProcessing();
  }
  /**
   * {@inheritDoc}
   */
  @Override
  public PostOperation doPostOperation(
          PostOperationAddOperation addOperation)
  {
    Entry entry = addOperation.getEntryToAdd();
    if (entry.isSubentry() || entry.isLDAPSubentry())
    {
      try
      {
        addSubEntry(entry);
        // Notify change listeners.
        for (SubentryChangeListener changeListener :
          changeListeners)
        {
          try
          {
            changeListener.handleSubentryAdd(entry);
          }
          catch (Exception e)
          {
            if (debugEnabled())
            {
              TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
          }
        }
      }
      catch (Exception e)
      {
@@ -571,38 +849,67 @@
        // FIXME -- Handle this.
      }
    }
    return PluginResult.PostOperation.continueOperationProcessing();
  }
  /**
   * {@inheritDoc}  In this case, each entry is checked to see if it is
   * a subentry, and if so it will be deregistered with this manager.
   * {@inheritDoc}
   */
  public void handleDeleteOperation(PostResponseDeleteOperation deleteOperation,
                                    Entry entry)
  @Override
  public PostOperation doPostOperation(
          PostOperationDeleteOperation deleteOperation)
  {
    if (entry.isSubentry())
    Entry entry = deleteOperation.getEntryToDelete();
    if (entry.isSubentry() || entry.isLDAPSubentry())
    {
      removeSubEntry(entry);
      // Notify change listeners.
      for (SubentryChangeListener changeListener :
        changeListeners)
      {
        try
        {
          changeListener.handleSubentryDelete(entry);
        }
        catch (Exception e)
        {
          if (debugEnabled())
          {
            TRACER.debugCaught(DebugLogLevel.ERROR, e);
          }
        }
      }
    }
    return PluginResult.PostOperation.continueOperationProcessing();
  }
  /**
   * {@inheritDoc}  In this case, if the entry is a registered subentry
   * then it will be recreated from the contents of the provided entry
   * and re-registered with this manager.
   * {@inheritDoc}
   */
  public void handleModifyOperation(PostResponseModifyOperation modifyOperation,
                                    Entry oldEntry, Entry newEntry)
  @Override
  public PostOperation doPostOperation(
          PostOperationModifyOperation modifyOperation)
  {
    if (oldEntry.isSubentry())
    Entry oldEntry = modifyOperation.getCurrentEntry();
    Entry newEntry = modifyOperation.getModifiedEntry();
    boolean notify = false;
    if (oldEntry.isSubentry() || oldEntry.isLDAPSubentry())
    {
      removeSubEntry(oldEntry);
      notify = true;
    }
    if (newEntry.isSubentry())
    if (newEntry.isSubentry() || newEntry.isLDAPSubentry())
    {
      try
      {
        addSubEntry(newEntry);
        notify = true;
      }
      catch (Exception e)
      {
@@ -614,19 +921,42 @@
        // FIXME -- Handle this.
      }
    }
    if (notify)
    {
      // Notify change listeners.
      for (SubentryChangeListener changeListener :
        changeListeners)
      {
        try
        {
          changeListener.handleSubentryModify(
                  oldEntry, newEntry);
        }
        catch (Exception e)
        {
          if (debugEnabled())
          {
            TRACER.debugCaught(DebugLogLevel.ERROR, e);
          }
        }
      }
    }
    return PluginResult.PostOperation.continueOperationProcessing();
  }
  /**
   * {@inheritDoc}  In this case, if the subentry is registered then it
   * will be recreated from the contents of the provided entry and re-
   * registered with this manager under the new DN and the old instance
   * will be deregistered.
   * {@inheritDoc}
   */
  public void handleModifyDNOperation(
                   PostResponseModifyDNOperation modifyDNOperation,
                   Entry oldEntry, Entry newEntry)
  @Override
  public PostOperation doPostOperation(
          PostOperationModifyDNOperation modifyDNOperation)
  {
    if (oldEntry.isSubentry())
    Entry oldEntry = modifyDNOperation.getOriginalEntry();
    Entry newEntry = modifyDNOperation.getUpdatedEntry();
    if (oldEntry.isSubentry() || oldEntry.isLDAPSubentry())
    {
      removeSubEntry(oldEntry);
      try
@@ -642,6 +972,26 @@
        // FIXME -- Handle this.
      }
      // Notify change listeners.
      for (SubentryChangeListener changeListener :
        changeListeners)
      {
        try
        {
          changeListener.handleSubentryModify(
                  oldEntry, newEntry);
        }
        catch (Exception e)
        {
          if (debugEnabled())
          {
            TRACER.debugCaught(DebugLogLevel.ERROR, e);
          }
        }
      }
    }
    return PluginResult.PostOperation.continueOperationProcessing();
  }
}
opends/src/server/org/opends/server/core/SubentryPasswordPolicy.java
New file
@@ -0,0 +1,946 @@
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Copyright 2010 Sun Microsystems, Inc.
 */
package org.opends.server.core;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import org.opends.messages.Message;
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.
       StateUpdateFailurePolicy;
import org.opends.server.admin.std.server.PasswordPolicyCfg;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeType;
import org.opends.server.types.AttributeValue;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.ObjectClass;
import org.opends.server.types.ResultCode;
import org.opends.server.types.SubEntry;
import static org.opends.messages.CoreMessages.*;
import static org.opends.messages.ConfigMessages.*;
import static org.opends.server.loggers.debug.DebugLogger.*;
/**
 * This class represents subentry password policy based on
 * Password Policy for LDAP Directories Internet-Draft. In
 * order to represent subentry password policies as OpenDS
 * password policies it performs a mapping of Draft defined
 * attributes to OpenDS implementation specific attributes.
 * Any missing attributes are inherited from server default
 * password policy. This class is also reponsible for any
 * Draft attributes validation ie making sure that provided
 * values are acceptable and within the predefined range.
 */
public class SubentryPasswordPolicy implements PasswordPolicyCfg
{
  /**
   * The tracer object for the debug logger.
   */
  private static final DebugTracer TRACER = getTracer();
  // Password Policy Subentry draft attributes.
  private final String PWD_OC_POLICY = "pwdpolicy";
  private final String PWD_ATTR_ATTRIBUTE = "pwdattribute";
  private final String PWD_ATTR_MINAGE = "pwdminage";
  private final String PWD_ATTR_MAXAGE = "pwdmaxage";
  private final String PWD_ATTR_INHISTORY = "pwdinhistory";
  private final String PWD_ATTR_CHECKQUALITY = "pwdcheckquality";
  private final String PWD_ATTR_MINLENGTH = "pwdminlength";
  private final String PWD_ATTR_EXPIREWARNING = "pwdexpirewarning";
  private final String PWD_ATTR_GRACEAUTHNLIMIT = "pwdgraceauthnlimit";
  private final String PWD_ATTR_LOCKOUT = "pwdlockout";
  private final String PWD_ATTR_LOCKOUTDURATION = "pwdlockoutduration";
  private final String PWD_ATTR_MAXFAILURE = "pwdmaxfailure";
  private final String PWD_ATTR_MUSTCHANGE = "pwdmustchange";
  private final String PWD_ATTR_ALLOWUSERCHANGE = "pwdallowuserchange";
  private final String PWD_ATTR_SAFEMODIFY = "pwdsafemodify";
  private final String PWD_ATTR_FAILURECOUNTINTERVAL =
          "pwdfailurecountinterval";
  // Password Policy Subentry DN.
  private final DN passwordPolicySubentryDN;
  // The value of the "account-status-notification-handler" property.
  private final SortedSet<String> pAccountStatusNotificationHandler;
  // The value of the "allow-expired-password-changes" property.
  private final boolean pAllowExpiredPasswordChanges;
  // The value of the "allow-multiple-password-values" property.
  private final boolean pAllowMultiplePasswordValues;
  // The value of the "allow-pre-encoded-passwords" property.
  private final boolean pAllowPreEncodedPasswords;
  // The value of the "allow-user-password-changes" property.
  private final boolean pAllowUserPasswordChanges;
  // The value of the "default-password-storage-scheme" property.
  private final SortedSet<String> pDefaultPasswordStorageScheme;
  // The value of the "deprecated-password-storage-scheme" property.
  private final SortedSet<String> pDeprecatedPasswordStorageScheme;
  // The value of the "expire-passwords-without-warning" property.
  private final boolean pExpirePasswordsWithoutWarning;
  // The value of the "force-change-on-add" property.
  private final boolean pForceChangeOnAdd;
  // The value of the "force-change-on-reset" property.
  private final boolean pForceChangeOnReset;
  // The value of the "grace-login-count" property.
  private final int pGraceLoginCount;
  // The value of the "idle-lockout-interval" property.
  private final long pIdleLockoutInterval;
  // The value of the "last-login-time-attribute" property.
  private final AttributeType pLastLoginTimeAttribute;
  // The value of the "last-login-time-format" property.
  private final String pLastLoginTimeFormat;
  // The value of the "lockout-duration" property.
  private final long pLockoutDuration;
  // The value of the "lockout-failure-count" property.
  private final int pLockoutFailureCount;
  // The value of the "lockout-failure-expiration-interval" property.
  private final long pLockoutFailureExpirationInterval;
  // The value of the "max-password-age" property.
  private final long pMaxPasswordAge;
  // The value of the "max-password-reset-age" property.
  private final long pMaxPasswordResetAge;
  // The value of the "min-password-age" property.
  private final long pMinPasswordAge;
  // The value of the "password-attribute" property.
  private final AttributeType pPasswordAttribute;
  // The value of the "password-change-requires-current-password" property.
  private final boolean pPasswordChangeRequiresCurrentPassword;
  // The value of the "password-expiration-warning-interval" property.
  private final long pPasswordExpirationWarningInterval;
  // The value of the "password-generator" property.
  private final String pPasswordGenerator;
  // The value of the "password-history-count" property.
  private final int pPasswordHistoryCount;
  // The value of the "password-history-duration" property.
  private final long pPasswordHistoryDuration;
  // The value of the "password-validator" property.
  private final SortedSet<String> pPasswordValidator;
  // The value of the "previous-last-login-time-format" property.
  private final SortedSet<String> pPreviousLastLoginTimeFormat;
  // The value of the "require-change-by-time" property.
  private final String pRequireChangeByTime;
  // The value of the "require-secure-authentication" property.
  private final boolean pRequireSecureAuthentication;
  // The value of the "require-secure-password-changes" property.
  private final boolean pRequireSecurePasswordChanges;
  // The value of the "skip-validation-for-administrators" property.
  private final boolean pSkipValidationForAdministrators;
  // The value of the "state-update-failure-policy" property.
  private final StateUpdateFailurePolicy pStateUpdateFailurePolicy;
  /**
   * Creates subentry password policy object from the subentry,
   * parsing and evaluating subentry password policy attributes.
   *
   * @param  subentry password policy subentry.
   * @throws DirectoryException If a problem occurs while creating
   *                            subentry password policy instance
   *                            from given subentry.
   */
  public SubentryPasswordPolicy(SubEntry subentry)
          throws DirectoryException
  {
    // Determine if this is a password policy subentry.
    ObjectClass pwdPolicyOC =
         DirectoryServer.getObjectClass(PWD_OC_POLICY);
    Entry entry = subentry.getEntry();
    Map<ObjectClass, String> objectClasses =
            entry.getObjectClasses();
    if (pwdPolicyOC == null) {
      // This should not happen -- The server doesn't
      // have a pwdPolicy objectclass defined.
      if (debugEnabled()) {
        TRACER.debugWarning(
                "No %s objectclass is defined in the server schema.",
                PWD_OC_POLICY);
      }
      for (String ocName : objectClasses.values()) {
        if (ocName.equalsIgnoreCase(PWD_OC_POLICY)) {
          break;
        }
      }
      Message message = ERR_PWPOLICY_NO_PWDPOLICY_OC.get(
              subentry.getDN().toString());
      throw new DirectoryException(
              ResultCode.CONSTRAINT_VIOLATION, message);
    } else if (!objectClasses.containsKey(pwdPolicyOC)) {
      Message message = ERR_PWPOLICY_NO_PWDPOLICY_OC.get(
              subentry.getDN().toString());
      throw new DirectoryException(
              ResultCode.CONSTRAINT_VIOLATION, message);
    }
    // Get default password policy to derive default
    // policy values from.
    PasswordPolicy defaultPasswordPolicy =
            DirectoryServer.getDefaultPasswordPolicy();
    if (defaultPasswordPolicy == null) {
      throw new DirectoryException(ResultCode.OPERATIONS_ERROR,
              ERR_CONFIG_PWPOLICY_NO_DEFAULT_POLICY.get());
    }
    // Subentry DN for this password policy.
    this.passwordPolicySubentryDN = subentry.getDN();
    // Get known Password Policy draft attributes from the entry.
    // If any given attribute is missing or empty set its value
    // from default Password Policy configuration.
    AttributeValue value = getAttrValue(entry, PWD_ATTR_ATTRIBUTE);
    if ((value != null) && (value.toString().length() > 0)) {
      this.pPasswordAttribute = DirectoryServer.getAttributeType(
              value.toString().toLowerCase(), false);
      if (this.pPasswordAttribute == null) {
        throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
                ERR_PWPOLICY_UNDEFINED_PASSWORD_ATTRIBUTE.get(
                this.passwordPolicySubentryDN.toNormalizedString(),
                value.toString()));
      }
    } else {
      // This should not normally happen since pwdAttribute
      // declared as MUST but handle this anyway in case
      // the schema is not enforced for some reason.
      this.pPasswordAttribute =
              defaultPasswordPolicy.getPasswordAttribute();
    }
    value = getAttrValue(entry, PWD_ATTR_MINAGE);
    if ((value != null) && (value.toString().length() > 0)) {
      try {
        this.pMinPasswordAge = Long.parseLong(value.toString());
        checkIntegerAttr(PWD_ATTR_MINAGE, this.pMinPasswordAge,
                0, Integer.MAX_VALUE);
      } catch (NumberFormatException ne) {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_INT_VALUE.get(
                PWD_ATTR_MINAGE, value.toString(),
                ne.getLocalizedMessage()));
      }
    } else {
      this.pMinPasswordAge =
              defaultPasswordPolicy.getMinimumPasswordAge();
    }
    value = getAttrValue(entry, PWD_ATTR_MAXAGE);
    if ((value != null) && (value.toString().length() > 0)) {
      try {
        this.pMaxPasswordAge = Long.parseLong(value.toString());
        checkIntegerAttr(PWD_ATTR_MAXAGE, this.pMaxPasswordAge,
                0, Integer.MAX_VALUE);
      } catch (NumberFormatException ne) {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_INT_VALUE.get(
                PWD_ATTR_MINAGE, value.toString(),
                ne.getLocalizedMessage()));
      }
    } else {
      this.pMaxPasswordAge =
              defaultPasswordPolicy.getMaximumPasswordAge();
    }
    value = getAttrValue(entry, PWD_ATTR_INHISTORY);
    if ((value != null) && (value.toString().length() > 0)) {
      try {
        this.pPasswordHistoryCount = Integer.parseInt(value.toString());
        checkIntegerAttr(PWD_ATTR_INHISTORY,
                this.pPasswordHistoryCount, 0, Integer.MAX_VALUE);
      } catch (NumberFormatException ne) {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_INT_VALUE.get(
                PWD_ATTR_MINAGE, value.toString(),
                ne.getLocalizedMessage()));
      }
    } else {
      this.pPasswordHistoryCount =
              defaultPasswordPolicy.getPasswordHistoryCount();
    }
    // This one is managed via the password validator
    // so only check if its value is acceptable.
    value = getAttrValue(entry, PWD_ATTR_CHECKQUALITY);
    if ((value != null) && (value.toString().length() > 0)) {
      try {
        int pwdCheckQuality = Integer.parseInt(value.toString());
        checkIntegerAttr(PWD_ATTR_CHECKQUALITY, pwdCheckQuality,
                 0, 2);
      } catch (NumberFormatException ne) {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_INT_VALUE.get(
                PWD_ATTR_MINAGE, value.toString(),
                ne.getLocalizedMessage()));
      }
    }
    // This one is managed via the password validator
    // so only check if its value is acceptable.
    value = getAttrValue(entry, PWD_ATTR_MINLENGTH);
    if ((value != null) && (value.toString().length() > 0)) {
      try {
        int pwdMinLength = Integer.parseInt(value.toString());
        checkIntegerAttr(PWD_ATTR_MINLENGTH, pwdMinLength,
                 0, Integer.MAX_VALUE);
      } catch (NumberFormatException ne) {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_INT_VALUE.get(
                PWD_ATTR_MINAGE, value.toString(),
                ne.getLocalizedMessage()));
      }
    }
    // This one depends on lockout failure count value
    // so only check if its value is acceptable.
    value = getAttrValue(entry, PWD_ATTR_LOCKOUT);
    if ((value != null) && (value.toString().length() > 0)) {
      if (value.toString().equalsIgnoreCase(Boolean.TRUE.toString()) ||
          value.toString().equalsIgnoreCase(Boolean.FALSE.toString())) {
        Boolean.parseBoolean(value.toString());
      } else {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_BOOLEAN_VALUE.get(
                PWD_ATTR_MUSTCHANGE, value.toString()));
      }
    }
    value = getAttrValue(entry, PWD_ATTR_EXPIREWARNING);
    if ((value != null) && (value.toString().length() > 0)) {
      try {
        this.pPasswordExpirationWarningInterval =
              Long.parseLong(value.toString());
        checkIntegerAttr(PWD_ATTR_EXPIREWARNING,
                this.pPasswordExpirationWarningInterval,
                 0, Integer.MAX_VALUE);
      } catch (NumberFormatException ne) {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_INT_VALUE.get(
                PWD_ATTR_MINAGE, value.toString(),
                ne.getLocalizedMessage()));
      }
    } else {
      this.pPasswordExpirationWarningInterval =
              defaultPasswordPolicy.getWarningInterval();
    }
    value = getAttrValue(entry, PWD_ATTR_GRACEAUTHNLIMIT);
    if ((value != null) && (value.toString().length() > 0)) {
      try {
        this.pGraceLoginCount = Integer.parseInt(value.toString());
        checkIntegerAttr(PWD_ATTR_GRACEAUTHNLIMIT,
                this.pGraceLoginCount, 0, Integer.MAX_VALUE);
      } catch (NumberFormatException ne) {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_INT_VALUE.get(
                PWD_ATTR_MINAGE, value.toString(),
                ne.getLocalizedMessage()));
      }
    } else {
      this.pGraceLoginCount =
              defaultPasswordPolicy.getGraceLoginCount();
    }
    value = getAttrValue(entry, PWD_ATTR_LOCKOUTDURATION);
    if ((value != null) && (value.toString().length() > 0)) {
      try {
        this.pLockoutDuration = Long.parseLong(value.toString());
        checkIntegerAttr(PWD_ATTR_LOCKOUTDURATION,
                this.pLockoutDuration, 0, Integer.MAX_VALUE);
      } catch (NumberFormatException ne) {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_INT_VALUE.get(
                PWD_ATTR_MINAGE, value.toString(),
                ne.getLocalizedMessage()));
      }
    } else {
      this.pLockoutDuration =
              defaultPasswordPolicy.getLockoutDuration();
    }
    value = getAttrValue(entry, PWD_ATTR_MAXFAILURE);
    if ((value != null) && (value.toString().length() > 0)) {
      try {
        this.pLockoutFailureCount = Integer.parseInt(value.toString());
        checkIntegerAttr(PWD_ATTR_MAXFAILURE,
                this.pLockoutFailureCount, 0, Integer.MAX_VALUE);
      } catch (NumberFormatException ne) {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_INT_VALUE.get(
                PWD_ATTR_MINAGE, value.toString(),
                ne.getLocalizedMessage()));
      }
    } else {
      this.pLockoutFailureCount =
              defaultPasswordPolicy.getLockoutFailureCount();
    }
    value = getAttrValue(entry, PWD_ATTR_MUSTCHANGE);
    if ((value != null) && (value.toString().length() > 0)) {
      if (value.toString().equalsIgnoreCase(Boolean.TRUE.toString()) ||
          value.toString().equalsIgnoreCase(Boolean.FALSE.toString())) {
        this.pForceChangeOnReset =
                Boolean.parseBoolean(value.toString());
      } else {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_BOOLEAN_VALUE.get(
                PWD_ATTR_MUSTCHANGE, value.toString()));
      }
    } else {
      this.pForceChangeOnReset =
              defaultPasswordPolicy.forceChangeOnReset();
    }
    value = getAttrValue(entry, PWD_ATTR_ALLOWUSERCHANGE);
    if ((value != null) && (value.toString().length() > 0)) {
      if (value.toString().equalsIgnoreCase(Boolean.TRUE.toString()) ||
          value.toString().equalsIgnoreCase(Boolean.FALSE.toString())) {
        this.pAllowUserPasswordChanges =
                Boolean.parseBoolean(value.toString());
      } else {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_BOOLEAN_VALUE.get(
                PWD_ATTR_ALLOWUSERCHANGE, value.toString()));
      }
    } else {
      this.pAllowUserPasswordChanges =
              defaultPasswordPolicy.allowUserPasswordChanges();
    }
    value = getAttrValue(entry, PWD_ATTR_SAFEMODIFY);
    if ((value != null) && (value.toString().length() > 0)) {
      if (value.toString().equalsIgnoreCase(Boolean.TRUE.toString()) ||
          value.toString().equalsIgnoreCase(Boolean.FALSE.toString())) {
        this.pPasswordChangeRequiresCurrentPassword =
                Boolean.parseBoolean(value.toString());
      } else {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_BOOLEAN_VALUE.get(
                PWD_ATTR_SAFEMODIFY, value.toString()));
      }
    } else {
      this.pPasswordChangeRequiresCurrentPassword =
              defaultPasswordPolicy.requireCurrentPassword();
    }
    value = getAttrValue(entry, PWD_ATTR_FAILURECOUNTINTERVAL);
    if ((value != null) && (value.toString().length() > 0)) {
      try {
        this.pLockoutFailureExpirationInterval =
                Long.parseLong(value.toString());
        checkIntegerAttr(PWD_ATTR_FAILURECOUNTINTERVAL,
                this.pLockoutFailureExpirationInterval,
                 0, Integer.MAX_VALUE);
      } catch (NumberFormatException ne) {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INVALID_INT_VALUE.get(
                PWD_ATTR_FAILURECOUNTINTERVAL, value.toString(),
                ne.getLocalizedMessage()));
      }
    } else {
      this.pLockoutFailureExpirationInterval =
              defaultPasswordPolicy.getLockoutFailureExpirationInterval();
    }
    // Get the rest Password Policy attributes from default configuration.
    SortedSet<String> accountStatusNotificationHandlerSet =
            new TreeSet<String>();
    Set<DN> accountStatusNotificationHandlerDNSet =
            defaultPasswordPolicy.getAccountStatusNotificationHandlers(
            ).keySet();
    for (DN dn : accountStatusNotificationHandlerDNSet) {
      accountStatusNotificationHandlerSet.add(dn.toNormalizedString());
    }
    this.pAccountStatusNotificationHandler =
            accountStatusNotificationHandlerSet;
    this.pAllowExpiredPasswordChanges =
            defaultPasswordPolicy.allowExpiredPasswordChanges();
    this.pAllowMultiplePasswordValues =
            defaultPasswordPolicy.allowMultiplePasswordValues();
    this.pAllowPreEncodedPasswords =
            defaultPasswordPolicy.allowPreEncodedPasswords();
    SortedSet<String> passwordStorageSchemeSet =
            new TreeSet<String>();
    for (DN dn : defaultPasswordPolicy.getDefaultStorageSchemeDNs()) {
      passwordStorageSchemeSet.add(dn.toNormalizedString());
    }
    this.pDefaultPasswordStorageScheme =
            passwordStorageSchemeSet;
    SortedSet<String> deprecatedPasswordStorageSchemeSet =
            new TreeSet<String>();
    for (DN dn : defaultPasswordPolicy.getDeprecatedStorageSchemeDNs()) {
      deprecatedPasswordStorageSchemeSet.add(dn.toNormalizedString());
    }
    this.pDeprecatedPasswordStorageScheme =
            deprecatedPasswordStorageSchemeSet;
    this.pExpirePasswordsWithoutWarning =
            defaultPasswordPolicy.expirePasswordsWithoutWarning();
    this.pForceChangeOnAdd =
            defaultPasswordPolicy.forceChangeOnAdd();
    this.pIdleLockoutInterval =
            defaultPasswordPolicy.getIdleLockoutInterval();
    this.pLastLoginTimeAttribute =
            defaultPasswordPolicy.getLastLoginTimeAttribute();
    this.pLastLoginTimeFormat =
            defaultPasswordPolicy.getLastLoginTimeFormat();
    this.pMaxPasswordResetAge =
            defaultPasswordPolicy.getMaximumPasswordResetAge();
    this.pPasswordGenerator =
            defaultPasswordPolicy.getPasswordGeneratorDN(
            ).toNormalizedString();
    this.pPasswordHistoryDuration =
            defaultPasswordPolicy.getPasswordHistoryDuration();
    SortedSet<String> passwordValidatorSet =
            new TreeSet<String>();
    Set<DN> passwordValidatorDNSet =
            defaultPasswordPolicy.getPasswordValidators(
            ).keySet();
    for (DN dn : passwordValidatorDNSet) {
      passwordValidatorSet.add(dn.toNormalizedString());
    }
    this.pPasswordValidator =
            passwordValidatorSet;
    this.pPreviousLastLoginTimeFormat = new TreeSet<String>(
            defaultPasswordPolicy.getPreviousLastLoginTimeFormats());
    long requireChangeByTime =
            defaultPasswordPolicy.getRequireChangeByTime();
    if (requireChangeByTime > 0) {
      this.pRequireChangeByTime = Long.toString(requireChangeByTime);
    } else {
      this.pRequireChangeByTime = null;
    }
    this.pRequireSecureAuthentication =
            defaultPasswordPolicy.requireSecureAuthentication();
    this.pRequireSecurePasswordChanges =
            defaultPasswordPolicy.requireSecurePasswordChanges();
    this.pSkipValidationForAdministrators =
            defaultPasswordPolicy.skipValidationForAdministrators();
    this.pStateUpdateFailurePolicy =
            defaultPasswordPolicy.getStateUpdateFailurePolicy();
  }
  /**
   * Helper method to validate integer values.
   * @param attrName integer attribute name.
   * @param attrValue integer value to validate.
   * @param lowerBound lowest acceptable value.
   * @param upperBound highest acceptable value.
   * @throws DirectoryException if the value is out of bounds.
   */
  private void checkIntegerAttr(String attrName, long attrValue,
          long lowerBound, long upperBound) throws DirectoryException
  {
    if (attrValue < lowerBound) {
      throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INT_BELOW_LOWER_BOUND.get(attrName,
                attrValue, lowerBound));
    }
    if (attrValue > upperBound) {
      throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                ERR_CONFIG_ATTR_INT_ABOVE_UPPER_BOUND.get(attrName,
                attrValue, upperBound));
    }
  }
  /**
   * Helper method to retieve an attribute value from given entry.
   * @param entry the entry to retrieve an attribute value from.
   * @param pwdAttrName attribute name to retrieve the value for.
   * @return <CODE>AttributeValue</CODE> or <CODE>null</CODE>.
   */
  private AttributeValue getAttrValue(Entry entry, String pwdAttrName) {
    AttributeType pwdAttrType = DirectoryServer.getAttributeType(
            pwdAttrName, true);
    List<Attribute> pwdAttrList = entry.getAttribute(pwdAttrType);
    if ((pwdAttrList != null) && (!pwdAttrList.isEmpty()))
    {
      for (Attribute attr : pwdAttrList)
      {
        for (AttributeValue value : attr)
        {
          return value;
        }
      }
    }
    return null;
  }
  /**
   * {@inheritDoc}
   */
  public void addChangeListener(
          ConfigurationChangeListener<PasswordPolicyCfg> listener) {
    // N/A : This is a subentry based configuration object.
  }
  /**
   * {@inheritDoc}
   */
  public void removeChangeListener(
          ConfigurationChangeListener<PasswordPolicyCfg> listener) {
    // N/A : This is a subentry based configuration object.
  }
  /**
   * {@inheritDoc}
   */
  public SortedSet<String> getAccountStatusNotificationHandler() {
    return pAccountStatusNotificationHandler;
  }
  /**
   * {@inheritDoc}
   */
  public SortedSet<DN> getAccountStatusNotificationHandlerDNs() {
    SortedSet<String> values = getAccountStatusNotificationHandler();
    SortedSet<DN> dnValues = new TreeSet<DN>();
    for (String value : values) {
      try {
        dnValues.add(DN.decode(value));
      } catch (DirectoryException de) {
        if (debugEnabled()) {
          TRACER.debugCaught(DebugLogLevel.ERROR, de);
        }
      }
    }
    return dnValues;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isAllowExpiredPasswordChanges() {
    return pAllowExpiredPasswordChanges;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isAllowMultiplePasswordValues() {
    return pAllowMultiplePasswordValues;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isAllowPreEncodedPasswords() {
    return pAllowPreEncodedPasswords;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isAllowUserPasswordChanges() {
    return pAllowUserPasswordChanges;
  }
  /**
   * {@inheritDoc}
   */
  public SortedSet<String> getDefaultPasswordStorageScheme() {
    return pDefaultPasswordStorageScheme;
  }
  /**
   * {@inheritDoc}
   */
  public SortedSet<DN> getDefaultPasswordStorageSchemeDNs() {
    SortedSet<String> values = getDefaultPasswordStorageScheme();
    SortedSet<DN> dnValues = new TreeSet<DN>();
    for (String value : values) {
      try {
        dnValues.add(DN.decode(value));
      } catch (DirectoryException de) {
        if (debugEnabled()) {
          TRACER.debugCaught(DebugLogLevel.ERROR, de);
        }
      }
    }
    return dnValues;
  }
  /**
   * {@inheritDoc}
   */
  public SortedSet<String> getDeprecatedPasswordStorageScheme() {
    return pDeprecatedPasswordStorageScheme;
  }
  /**
   * {@inheritDoc}
   */
  public SortedSet<DN> getDeprecatedPasswordStorageSchemeDNs() {
    SortedSet<String> values = getDeprecatedPasswordStorageScheme();
    SortedSet<DN> dnValues = new TreeSet<DN>();
    for (String value : values) {
      try {
        dnValues.add(DN.decode(value));
      } catch (DirectoryException de) {
        if (debugEnabled()) {
          TRACER.debugCaught(DebugLogLevel.ERROR, de);
        }
      }
    }
    return dnValues;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isExpirePasswordsWithoutWarning() {
    return pExpirePasswordsWithoutWarning;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isForceChangeOnAdd() {
    return pForceChangeOnAdd;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isForceChangeOnReset() {
    return pForceChangeOnReset;
  }
  /**
   * {@inheritDoc}
   */
  public int getGraceLoginCount() {
    return pGraceLoginCount;
  }
  /**
   * {@inheritDoc}
   */
  public long getIdleLockoutInterval() {
    return pIdleLockoutInterval;
  }
  /**
   * {@inheritDoc}
   */
  public AttributeType getLastLoginTimeAttribute() {
    return pLastLoginTimeAttribute;
  }
  /**
   * {@inheritDoc}
   */
  public String getLastLoginTimeFormat() {
    return pLastLoginTimeFormat;
  }
  /**
   * {@inheritDoc}
   */
  public long getLockoutDuration() {
    return pLockoutDuration;
  }
  /**
   * {@inheritDoc}
   */
  public int getLockoutFailureCount() {
    return pLockoutFailureCount;
  }
  /**
   * {@inheritDoc}
   */
  public long getLockoutFailureExpirationInterval() {
    return pLockoutFailureExpirationInterval;
  }
  /**
   * {@inheritDoc}
   */
  public long getMaxPasswordAge() {
    return pMaxPasswordAge;
  }
  /**
   * {@inheritDoc}
   */
  public long getMaxPasswordResetAge() {
    return pMaxPasswordResetAge;
  }
  /**
   * {@inheritDoc}
   */
  public long getMinPasswordAge() {
    return pMinPasswordAge;
  }
  /**
   * {@inheritDoc}
   */
  public AttributeType getPasswordAttribute() {
    return pPasswordAttribute;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isPasswordChangeRequiresCurrentPassword() {
    return pPasswordChangeRequiresCurrentPassword;
  }
  /**
   * {@inheritDoc}
   */
  public long getPasswordExpirationWarningInterval() {
    return pPasswordExpirationWarningInterval;
  }
  /**
   * {@inheritDoc}
   */
  public String getPasswordGenerator() {
    return pPasswordGenerator;
  }
  /**
   * {@inheritDoc}
   */
  public DN getPasswordGeneratorDN() {
    String value = getPasswordGenerator();
    if (value == null) {
      return null;
    }
    try {
      return DN.decode(value);
    } catch (DirectoryException de) {
      if (debugEnabled()) {
        TRACER.debugCaught(DebugLogLevel.ERROR, de);
      }
      return null;
    }
  }
  /**
   * {@inheritDoc}
   */
  public int getPasswordHistoryCount() {
    return pPasswordHistoryCount;
  }
  /**
   * {@inheritDoc}
   */
  public long getPasswordHistoryDuration() {
    return pPasswordHistoryDuration;
  }
  /**
   * {@inheritDoc}
   */
  public SortedSet<String> getPasswordValidator() {
    return pPasswordValidator;
  }
  /**
   * {@inheritDoc}
   */
  public SortedSet<DN> getPasswordValidatorDNs() {
    SortedSet<String> values = getPasswordValidator();
    SortedSet<DN> dnValues = new TreeSet<DN>();
    for (String value : values) {
      try {
        dnValues.add(DN.decode(value));
      } catch (DirectoryException de) {
        if (debugEnabled()) {
          TRACER.debugCaught(DebugLogLevel.ERROR, de);
        }
      }
    }
    return dnValues;
  }
  /**
   * {@inheritDoc}
   */
  public SortedSet<String> getPreviousLastLoginTimeFormat() {
    return pPreviousLastLoginTimeFormat;
  }
  /**
   * {@inheritDoc}
   */
  public String getRequireChangeByTime() {
    return pRequireChangeByTime;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isRequireSecureAuthentication() {
    return pRequireSecureAuthentication;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isRequireSecurePasswordChanges() {
    return pRequireSecurePasswordChanges;
  }
  /**
   * {@inheritDoc}
   */
  public boolean isSkipValidationForAdministrators() {
    return pSkipValidationForAdministrators;
  }
  /**
   * {@inheritDoc}
   */
  public StateUpdateFailurePolicy getStateUpdateFailurePolicy() {
    return pStateUpdateFailurePolicy;
  }
  /**
   * {@inheritDoc}
   */
  public Class<? extends PasswordPolicyCfg> configurationClass() {
    return PasswordPolicyCfg.class;
  }
  /**
   * {@inheritDoc}
   */
  public DN dn() {
    return passwordPolicySubentryDN;
  }
}
opends/src/server/org/opends/server/extensions/CollectiveAttributeSubentriesVirtualAttributeProvider.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2009 Sun Microsystems, Inc.
 *      Copyright 2009-2010 Sun Microsystems, Inc.
 */
package org.opends.server.extensions;
@@ -59,7 +59,8 @@
  private static final DebugTracer TRACER = getTracer();
  /**
   * Creates a new instance of this HasSubordinates virtual attribute provider.
   * Creates a new instance of this collectiveAttributeSubentries
   * virtual attribute provider.
   */
  public CollectiveAttributeSubentriesVirtualAttributeProvider()
  {
@@ -103,19 +104,24 @@
                                       VirtualAttributeRule rule)
  {
    Set<AttributeValue> valueSet = new HashSet<AttributeValue>();
    List<SubEntry> subentries =
            DirectoryServer.getSubentryManager().getCollectiveSubentries(entry);
    AttributeType dnAttrType =
            DirectoryServer.getAttributeType("2.5.4.49");
    for (SubEntry subentry : subentries)
    if (!entry.isSubentry() && !entry.isLDAPSubentry())
    {
      if (subentry.isCollective())
      List<SubEntry> subentries =
              DirectoryServer.getSubentryManager(
              ).getCollectiveSubentries(entry);
      AttributeType dnAttrType =
              DirectoryServer.getAttributeType("2.5.4.49");
      for (SubEntry subentry : subentries)
      {
        DN subentryDN = subentry.getDN();
        AttributeValue value = AttributeValues.create(
                dnAttrType, subentryDN.toString());
        valueSet.add(value);
        if (subentry.isCollective())
        {
          DN subentryDN = subentry.getDN();
          AttributeValue value = AttributeValues.create(
                  dnAttrType, subentryDN.toString());
          valueSet.add(value);
        }
      }
    }
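Review bot: The new `if (!entry.isSubentry() && !entry.isLDAPSubentry())` guard in the `@@ -103,19 +104,24 @@` hunk has no comment saying why subentries now get an empty value set, and the literal `"2.5.4.49"` is still unnamed. I would add `// Subentries themselves never report collectiveAttributeSubentries values.` above the guard, if that is the intent, and `// 2.5.4.49 = distinguishedName` next to the lookup. The result of the one-argument `DirectoryServer.getAttributeType(...)` is passed straight to `AttributeValues.create`; if that overload can return null for an unknown type (its body is not on this page), a null check or the two-argument form used by `getAttrValue` earlier on the page would be safer. `getValues` starts and ends outside the hunk.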
opends/src/server/org/opends/server/extensions/DefaultEntryCache.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2008 Sun Microsystems, Inc.
 *      Copyright 2008-2010 Sun Microsystems, Inc.
 */
package org.opends.server.extensions;
import java.lang.reflect.Method;
@@ -156,7 +156,7 @@
      cacheMisses.getAndIncrement();
    }
    return entry;
    return (entry != null ? entry.duplicate(true) : null);
  }
@@ -183,7 +183,7 @@
      cacheMisses.getAndIncrement();
    }
    return entry;
    return (entry != null ? entry.duplicate(true) : null);
  }
@@ -206,7 +206,7 @@
      cacheMisses.getAndIncrement();
    }
    return entry;
    return (entry != null ? entry.duplicate(true) : null);
  }
@@ -258,7 +258,8 @@
      // The first cache in the order which can take this entry
      // gets it.
      if (entryCache.filtersAllowCaching(entry)) {
        entryCache.putEntry(entry, backend, entryID);
        entryCache.putEntry(entry.duplicate(false),
                backend, entryID);
        break;
      }
    }
@@ -275,7 +276,8 @@
      // The first cache in the order which can take this entry
      // gets it.
      if (entryCache.filtersAllowCaching(entry)) {
        return entryCache.putEntryIfAbsent(entry, backend, entryID);
        return entryCache.putEntryIfAbsent(entry.duplicate(false),
                backend, entryID);
      }
    }
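Review bot: The three lookup paths now return `entry.duplicate(true)` while the two store paths cache `entry.duplicate(false)`, and nothing at any of the five sites explains why the flag differs or that the copy is what stops callers from modifying the shared cached instance. I would add `// Return a copy so that callers cannot alter the cached entry.` above each changed `return`, and `// Cache a private copy; later changes to the caller's entry must not reach the cache.` above each `putEntry`/`putEntryIfAbsent` call. The Javadoc should also say what the boolean selects; it presumably relates to virtual attribute processing, given issue 4538 in the commit description. Every cache hit now allocates a full copy, which is worth stating in the method Javadoc. The enclosing methods start and end outside the hunks.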
opends/src/server/org/opends/server/extensions/FileBasedTrustManagerProvider.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2008 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.extensions;
import org.opends.messages.Message;
@@ -456,7 +456,7 @@
    String pinFile = configuration.getTrustStorePinFile();
    if (pinFile != null)
    {
      File f = new File(pinFile);
      File f = getFileForPath(pinFile);
      if (f.exists())
      {
        String pinStr = null;
@@ -464,7 +464,7 @@
        BufferedReader br = null;
        try
        {
          br = new BufferedReader(new FileReader(pinFile));
          br = new BufferedReader(new FileReader(f));
          pinStr = br.readLine();
        }
        catch (IOException ioe)
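Review bot: The switch to `getFileForPath(pinFile)` is not explained at the call site, so a reader cannot tell that a relative PIN file path is now resolved against a fixed base instead of the JVM working directory (inferred from the helper's name; its body is not on this page). I would add `// Resolve a relative PIN file path against the server root, not the current working directory.` above `File f = getFileForPath(pinFile);`. Separately, `new FileReader(f)` still decodes the trust store PIN with the platform default charset, so a PIN containing non-ASCII characters may read differently from one host to another; a comment or an explicit charset would make that dependency visible. The method and its `try` block continue outside the hunks.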
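--- a/opends/src/server/org/opends/server/extensions/PasswordPolicySubentryVirtualAttributeProvider.java
+++ b/opends/src/server/org/opends/server/extensions/PasswordPolicySubentryVirtualAttributeProvider.java
@@ -0,0 +1,187 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License").  You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at
+ * trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at
+ * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
+ * add the following below this CDDL HEADER, with the fields enclosed
+ * by brackets "[]" replaced with your own identifying information:
+ *      Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ *
+ *
+ *      Copyright 2010 Sun Microsystems, Inc.
+ */
+package org.opends.server.extensions;
+import java.util.HashSet;
+import java.util.Set;
+import org.opends.messages.Message;
+import org.opends.server.admin.std.server.
+        PasswordPolicySubentryVirtualAttributeCfg;
+import org.opends.server.api.VirtualAttributeProvider;
+import org.opends.server.core.DirectoryServer;
+import org.opends.server.core.SearchOperation;
+import org.opends.server.config.ConfigException;
+import org.opends.server.core.PasswordPolicy;
+import org.opends.server.core.PasswordPolicyState;
+import org.opends.server.loggers.ErrorLogger;
+import org.opends.server.loggers.debug.DebugTracer;
+import org.opends.server.types.*;
+import static org.opends.messages.ExtensionMessages.*;
+import static org.opends.server.loggers.debug.DebugLogger.*;
+import static org.opends.server.util.StaticUtils.*;
+/**
+ * This class implements a virtual attribute provider to serve
+ * the pwdPolicySubentry operational attribute as described in
+ * Password Policy for LDAP Directories Internet-Draft.
+ */
+public class PasswordPolicySubentryVirtualAttributeProvider
+        extends VirtualAttributeProvider<
+        PasswordPolicySubentryVirtualAttributeCfg>
+{
+  /**
+   * The tracer object for the debug logger.
+   */
+  private static final DebugTracer TRACER = getTracer();
+  /**
+   * Creates a new instance of this pwdPolicySubentry
+   * virtual attribute provider.
+   */
+  public PasswordPolicySubentryVirtualAttributeProvider()
+  {
+    super();
+    // All initialization should be performed in the
+    // initializeVirtualAttributeProvider method.
+  }
+  /**
+   * {@inheritDoc}
+   */
+  @Override()
+  public void initializeVirtualAttributeProvider(
+          PasswordPolicySubentryVirtualAttributeCfg configuration)
+          throws ConfigException, InitializationException
+  {
+    // No initialization is required.
+  }
+  /**
+   * {@inheritDoc}
+   */
+  @Override()
+  public boolean isMultiValued()
+  {
+    return false;
+  }
+  /**
+   * {@inheritDoc}
+   */
+  @Override()
+  public Set<AttributeValue> getValues(Entry entry,
+                                       VirtualAttributeRule rule)
+  {
+    Set<AttributeValue> valueSet = new HashSet<AttributeValue>();
+    if (!entry.isSubentry() && !entry.isLDAPSubentry())
+    {
+      PasswordPolicy policy = null;
+      try
+      {
+        policy = PasswordPolicyState.getPasswordPolicy(
+                entry, false);
+      }
+      catch (DirectoryException de)
+      {
+        // Something went wrong while trying to
+        // retrieve password policy, log this.
+        ErrorLogger.logError(de.getMessageObject());
+        if (debugEnabled())
+        {
+          TRACER.debugError("Failed to retrieve password " +
+                "policy for user %s: %s",
+                entry.getDN().toString(),
+                stackTraceToSingleLineString(de));
+        }
+      }
+      if (policy != null)
+      {
+        AttributeType dnAttrType = DirectoryServer.getAttributeType(
+                "1.3.6.1.4.1.42.2.27.8.1.23");
+        DN policyDN = policy.getConfigEntryDN();
+        AttributeValue value = AttributeValues.create(
+                dnAttrType, policyDN.toString());
+        valueSet.add(value);
+      }
+      else
+      {
+        // No default policy, debug log this.
+        if (debugEnabled())
+        {
+          TRACER.debugError(
+                  "No applicable password policy for user %s"
+                  + entry.getDN().toString());
+        }
+      }
+    }
+    return valueSet;
+  }
+  /**
+   * {@inheritDoc}
+   */
+  @Override()
+  public boolean isSearchable(VirtualAttributeRule rule,
+                              SearchOperation searchOperation)
+  {
+    return false;
+  }
+  /**
+   * {@inheritDoc}
+   */
+  @Override()
+  public void processSearch(VirtualAttributeRule rule,
+                            SearchOperation searchOperation)
+  {
+    searchOperation.setResultCode(ResultCode.UNWILLING_TO_PERFORM);
+    Message message =
+            ERR_PASSWORDPOLICYSUBENTRY_VATTR_NOT_SEARCHABLE.get(
+            rule.getAttributeType().getNameOrOID());
+    searchOperation.appendErrorMessage(message);
+  }
+}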
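Review bot: In `getValues`, the second `TRACER.debugError` call appends the DN to the format string with `+` instead of passing it as an argument, so `%s` has nothing to bind to and the directory-supplied DN text becomes part of the format string. Depending on how `debugError` formats its message, a DN containing `%` could garble the log line or raise a formatting exception in a read path. The call should match the first one in the method: `TRACER.debugError("No applicable password policy for user %s", entry.getDN().toString());`. The attribute type for the literal `"1.3.6.1.4.1.42.2.27.8.1.23"` is also used without a null check or a comment naming the OID; a one-line comment identifying it as the pwdPolicySubentry attribute would help.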
opends/src/server/org/opends/server/extensions/SubschemaSubentryVirtualAttributeProvider.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.extensions;
@@ -96,9 +96,14 @@
  public Set<AttributeValue> getValues(Entry entry,
                                       VirtualAttributeRule rule)
  {
    DN schemaDN = DirectoryServer.getSchemaDN();
    if (schemaDN == null)
    {
      return Collections.emptySet();
    }
    AttributeValue value =
        AttributeValues.create(rule.getAttributeType(), DirectoryServer
            .getSchemaDN().toString());
        AttributeValues.create(rule.getAttributeType(),
        schemaDN.toString());
    return Collections.singleton(value);
  }
opends/src/server/org/opends/server/replication/server/DataServerHandler.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.replication.server;
@@ -494,18 +494,21 @@
      boolean sessionInitiatorSSLEncryption =
        processStartFromRemote(inServerStartMsg);
      /**
       * Hack to be sure that if a server disconnects and reconnect, we
       * let the reader thread see the closure and cleanup any reference
       * to old connection. This must be done before taking the domain lock so
       * that the reader thread has a chance to stop the handler.
       */
      replicationServerDomain.
      waitDisconnection(inServerStartMsg.getServerId());
      // lock with no timeout
      lockDomain(false);
      localGenerationId = replicationServerDomain.getGenerationId();
      oldGenerationId = localGenerationId;
      // Hack to be sure that if a server disconnects and reconnect, we
      // let the reader thread see the closure and cleanup any reference
      // to old connection
      replicationServerDomain.
      waitDisconnection(inServerStartMsg.getServerId());
      // Duplicate server ?
      if (!replicationServerDomain.checkForDuplicateDS(this))
      {
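Review bot: The relocated comment is now written as `/** ... */` inside a method body, where it is not Javadoc; the `//` form of the removed version, or a plain `/* ... */` block, is the conventional way to write it. `waitDisconnection(inServerStartMsg.getServerId())` now runs before `lockDomain(false)`, so the wait is keyed on a server id taken from the remote start message and is no longer serialized by the domain lock. The comment should therefore say what bounds that wait and that `checkForDuplicateDS` under the lock remains the authoritative check. Whether `waitDisconnection` has a timeout is not visible in this hunk. The enclosing method starts and ends outside the hunk.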
opends/src/server/org/opends/server/replication/server/DbHandler.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.replication.server;
import org.opends.messages.MessageBuilder;
@@ -294,7 +294,7 @@
   * @param to   The upper (newer) change number.
   * @return The computed number of changes.
   */
  public int getCount(ChangeNumber from, ChangeNumber to)
  public int traverseAndCount(ChangeNumber from, ChangeNumber to)
  {
    int count = 0;
    flush();
@@ -312,7 +312,7 @@
      ChangeNumber curr = null;
      while ((curr = cursor.nextChangeNumber())!=null)
      {
        if (curr.newer(to))
        if (curr.newerOrEquals(to))
          break;
        count++;
      }
@@ -696,4 +696,30 @@
  {
    return this.msgQueue.size();
  }
  /**
   * Set the counter writing window size (public for unit tests only).
   * @param size Size in number of record.
   */
  public void setCounterWindowSize(int size)
  {
    db.setCounterWindowSize(size);
  }
  /**
   * Return the number of changes between 2 provided change numbers.
   * This a alternative to traverseAndCount, expected to be much more efficient
   * when there is a huge number of changes in the Db.
   * @param from The lower (older) change number.
   * @param to   The upper (newer) change number.
   * @return The computed number of changes.
   */
  public int getCount(ChangeNumber from, ChangeNumber to)
  {
    int c=0;
    flush();
    c = db.count(from, to);
    return c;
  }
}
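Review bot: In the `@@ -312,7 +312,7 @@` hunk the loop now appears to stop on `curr.newerOrEquals(to)`, which, going by the method names, makes the upper bound exclusive in `traverseAndCount`. Neither the Javadoc kept above it nor the Javadoc of the new `getCount` says whether `from` and `to` are themselves counted. I would state the bound convention in both `@return` lines, so the traversal and `db.count(from, to)` can be checked against each other; the body of `db.count` is not in this section. In the new `getCount`, `int c=0;` is a dead initialisation, and `flush(); return db.count(from, to);` is enough. `setCounterWindowSize` forwards `size` unchecked, so its Javadoc should say which values are accepted.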
opends/src/server/org/opends/server/replication/server/ReplicationDB.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.replication.server;
import org.opends.messages.MessageBuilder;
@@ -37,6 +37,7 @@
import org.opends.server.replication.common.ChangeNumber;
import org.opends.server.replication.protocol.UpdateMsg;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.zip.DataFormatException;
import com.sleepycat.je.Cursor;
import com.sleepycat.je.DatabaseEntry;
@@ -67,6 +68,44 @@
  // close the db (shutdown or clear).
  private ReentrantReadWriteLock dbCloseLock;
  // Change counter management
  // The Db itself does not allow to count records between a start and an end
  // change. And we cannot rely on the replication seqnum that is part of the
  // changenumber, since there can be holes (when an operation is canceled).
  // And traversing all the records from the start one to the end one works
  // fine but can be very long (ECL:lastChangeNumber).
  //
  // So we are storing special records in the DB (called counter records),
  // that contain the number of changes since the previous counter record.
  // One special record is :
  // - a special key : changetime , serverid=0  seqnum=0
  // - a counter value : count of changes since previous counter record.
  //
  // A counter record has to follow the order of the db, so it needs to have
  // a changenumber key that follow the order.
  // A counter record must have its own chagenumber key since the Db does not
  // support duplicate key (it is a compatibility breaker character of the DB).
  //
  // We define 2 conditions to store a counter record :
  // 1/- at least 'counterWindowSize' changes have been stored in the Db
  //     since the previous counter record
  // 2/- the change to be stored has a new timestamp - so that the counter
  //     record is the first record for this timestamp.
  //
  private int  counterCurrValue = 1;
  // Current value of the counter.
  private long counterTsLimit = 0;
  // When not null,
  // the next change with a ts different from tsForNewCounterRecord will lead
  // to store a new counterRecord.
  private int  counterWindowSize = 1000;
  // The counter record will never be written to the db more often than each
  // counterWindowSize changes.
 /**
   * Creates a new database or open existing database that will be used
   * to store and retrieve changes from an LDAP server.
@@ -92,6 +131,64 @@
        true).getGenerationId());
    dbCloseLock = new ReentrantReadWriteLock(true);
    //
    Cursor cursor = null;
    Transaction txn = null;
    DatabaseEntry key = new DatabaseEntry();
    DatabaseEntry data = new DatabaseEntry();
    OperationStatus status;
    int distBackToCounterRecord = 0;
    // Initialize counter
    this.counterCurrValue = 1;
    cursor = db.openCursor(txn, null);
    status = cursor.getLast(key, data, LockMode.DEFAULT);
    while (status == OperationStatus.SUCCESS)
    {
      try
      {
        ChangeNumber cn =new ChangeNumber(new String(key.getData(), "UTF-8"));
        if (!ReplicationDB.isaCounter(cn))
        {
          status = cursor.getPrev(key, data, LockMode.DEFAULT);
          distBackToCounterRecord++;
        }
        else
        {
          // counter record
          counterCurrValue = decodeCounterValue(data.getData())+1;
          counterTsLimit = cn.getTime();
          break;
        }
      }
      catch (UnsupportedEncodingException e)
      {
        MessageBuilder mb = new MessageBuilder();
        mb.append(ERR_CHANGELOG_UNSUPPORTED_UTF8_ENCODING.get());
        mb.append(stackTraceToSingleLineString(e));
        logError(mb.toMessage());
        replicationServer.shutdown();
        if (txn != null)
        {
          try
          {
            txn.abort();
          } catch (DatabaseException e1)
          {
            // can't do much more. The ReplicationServer is shuting down.
          }
        }
        replicationServer.shutdown();
      }
      catch (DataFormatException e)
      {
        // Should never happen
      }
    }
    counterCurrValue += distBackToCounterRecord;
    cursor.close();
  }
  /**
@@ -123,9 +220,31 @@
          {
            DatabaseEntry key = new ReplicationKey(change.getChangeNumber());
            DatabaseEntry data = new ReplicationData(change);
            db.put(txn, key, data);
          }
            if ((counterCurrValue!=0) &&
                (counterCurrValue%counterWindowSize == 0))
            {
              // enough changes to generate a counter record - wait for the next
              // change fo time
              counterTsLimit = change.getChangeNumber().getTime();
            }
            if ((counterTsLimit!=0)
                && (change.getChangeNumber().getTime() != counterTsLimit))
            {
              // Write the counter record
              DatabaseEntry counterKey = new ReplicationKey(
                  new ChangeNumber(
                  change.getChangeNumber().getTime(),
                  0, 0));
              DatabaseEntry counterValue =
                encodeCounterValue(counterCurrValue-1);
              db.put(txn, counterKey, counterValue);
              counterTsLimit=0;
            }
            db.put(txn, key, data);
            counterCurrValue++;
          }
          txn.commitWriteNoSync();
          txn = null;
          done = true;
@@ -275,6 +394,7 @@
  {
    Cursor cursor = null;
    String str = null;
    ChangeNumber cn = null;
    try
    {
@@ -301,11 +421,25 @@
        try
        {
          str = new String(key.getData(), "UTF-8");
          cn = new ChangeNumber(str);
          if (ReplicationDB.isaCounter(cn))
          {
            // First record is a counter record .. go next
            status = cursor.getNext(key, data, LockMode.DEFAULT);
            if (status != OperationStatus.SUCCESS)
            {
              // DB contains only a counter record
              return null;
            }
            else
            {
              cn = new ChangeNumber(new String(key.getData(), "UTF-8"));
            }
          }
        } catch (UnsupportedEncodingException e)
        {
          // never happens
        }
        return new ChangeNumber(str);
      }
      finally
      {
@@ -320,8 +454,9 @@
      mb.append(stackTraceToSingleLineString(e));
      logError(mb.toMessage());
      replicationServer.shutdown();
      return null;
      cn = null;
    }
    return cn;
  }
  /**
@@ -331,7 +466,7 @@
  public ChangeNumber readLastChange()
  {
    Cursor cursor = null;
    String str = null;
    ChangeNumber cn = null;
    try
    {
@@ -349,13 +484,23 @@
        }
        try
        {
          str = new String(key.getData(), "UTF-8");
          String str = new String(key.getData(), "UTF-8");
          cn = new ChangeNumber(str);
          if (ReplicationDB.isaCounter(cn))
          {
            if (cursor.getPrev(key, data, LockMode.DEFAULT) !=
              OperationStatus.SUCCESS)
            {
              /* database only contain a counter record - don't know
               * how much it can be possible but ... */
              cn = null;
            }
          }
        }
        catch (UnsupportedEncodingException e)
        {
          // never happens
        }
        return new ChangeNumber(str);
      }
      finally
      {
@@ -369,8 +514,9 @@
      mb.append(stackTraceToSingleLineString(e));
      logError(mb.toMessage());
      replicationServer.shutdown();
      return null;
      cn = null;
    }
    return cn;
  }
  /**
@@ -611,7 +757,14 @@
        {
          return null;
        }
        try {
        try
        {
          ChangeNumber cn=new ChangeNumber(new String(key.getData(), "UTF-8"));
          if(ReplicationDB.isaCounter(cn))
          {
            // counter record
            continue;
          }
          currentChange = ReplicationData.generateChange(data.getData());
        } catch (Exception e) {
          /*
@@ -681,4 +834,224 @@
      dbCloseLock.writeLock().unlock();
    }
  }
  /**
   * Count the number of changes between 2 changes numbers (inclusive).
   * @param start The lower limit of the count.
   * @param stop The higher limit of the count.
   * @return The number of changes between provided start and stop changeNumber.
   * Returns -1 when an error occurs.
   */
  public int count(ChangeNumber start, ChangeNumber stop)
  {
    int counterRecord1 = 0;
    int counterRecord2 = 0;
    int distToCounterRecord1 = 0;
    int distBackToCounterRecord2 = 0;
    int count=0;
    Cursor cursor = null;
    Transaction txn = null;
    OperationStatus status;
    try
    {
      ChangeNumber cn ;
      if ((start==null)&&(stop==null))
        return (int)db.count();
      // Step 1 : from the start point, traverse db to the next counter record
      // or to the stop point.
      DatabaseEntry key = new DatabaseEntry();
      DatabaseEntry data = new DatabaseEntry();
      cursor = db.openCursor(txn, null);
      if (start != null)
      {
        key = new ReplicationKey(start);
        status = cursor.getSearchKey(key, data, LockMode.DEFAULT);
        if (status == OperationStatus.NOTFOUND)
          status = cursor.getSearchKeyRange(key, data, LockMode.DEFAULT);
      }
      else
      {
        status = cursor.getNext(key, data, LockMode.DEFAULT);
      }
      while (status == OperationStatus.SUCCESS)
      {
        // test whether the record is a regular change or a counter
        String csnString = new String(key.getData(), "UTF-8");
        cn = new ChangeNumber(csnString);
        if (cn.getServerId() != 0)
        {
          // reached a regular change record
          // test whether we reached the 'stop' target
          if (!cn.newer(stop))
          {
            // let's loop
            distToCounterRecord1++;
            status = cursor.getNext(key, data, LockMode.DEFAULT);
          }
          else
          {
            // reached the end
            break;
          }
        }
        else
        {
          // counter record
          counterRecord1 = decodeCounterValue(data.getData());
          break;
        }
      }
      cursor.close();
      // cases
      //
      if (counterRecord1==0)
        return distToCounterRecord1;
      // Step 2 : from the stop point, traverse db to the next counter record
      // or to the start point.
      txn = null;
      data = new DatabaseEntry();
      key = new ReplicationKey(stop);
      cursor = db.openCursor(txn, null);
      status = cursor.getSearchKey(key, data, LockMode.DEFAULT);
      if (status == OperationStatus.SUCCESS)
      {
        cn = new ChangeNumber(new String(key.getData(), "UTF-8"));
      }
      else
      {
        key = new DatabaseEntry();
        data = new DatabaseEntry();
        status = cursor.getLast(key, data, LockMode.DEFAULT);
        if (status != OperationStatus.SUCCESS)
        {
          /* database is empty */
          return 0;
        }
      }
      while (status == OperationStatus.SUCCESS)
      {
        cn = new ChangeNumber(new String(key.getData(), "UTF-8"));
        if (!ReplicationDB.isaCounter(cn))
        {
          // regular change record
          if (!cn.older(start))
          {
            distBackToCounterRecord2++;
            status = cursor.getPrev(key, data, LockMode.DEFAULT);
          }
          else
            break;
        }
        else
        {
          // counter record
          counterRecord2 = decodeCounterValue(data.getData());
          break;
        }
      }
      cursor.close();
      // Step 3 : Now consolidates the result
      if (counterRecord1!=0)
      {
        if (counterRecord1 == counterRecord2)
        {
          // only one cp between from and to - no need to use it
          count = distToCounterRecord1 + distBackToCounterRecord2;
        }
        else
        {
          // 2 cp between from and to
          count = distToCounterRecord1 + (counterRecord2-counterRecord1)
            + distBackToCounterRecord2;
        }
      }
    }
    catch (UnsupportedEncodingException e)
    {
      MessageBuilder mb = new MessageBuilder();
      mb.append(ERR_CHANGELOG_UNSUPPORTED_UTF8_ENCODING.get());
      mb.append(stackTraceToSingleLineString(e));
      logError(mb.toMessage());
      replicationServer.shutdown();
    }
    catch (DataFormatException e)
    {
      // Should never happen
    }
    finally
    {
      if (cursor != null)
        cursor.close();
      if (txn != null)
      {
        try
        {
          txn.abort();
        } catch (DatabaseException e1)
        {
          // can't do much more. The ReplicationServer is shuting down.
        }
      }
    }
    return count;
  }
  /**
   * Test if a provided changeNumber represents a counter record.
   * @param cn The provided changeNumber.
   * @return True if the provided changenumber is a counter.
   */
  static private boolean isaCounter(ChangeNumber cn)
  {
    return ((cn.getServerId()== 0) && (cn.getSeqnum()==0));
  }
  /**
   * Decode the provided database entry as a the value of a counter.
   * @param entry The provided entry.
   * @return The counter value.
   * @throws DataFormatException
   */
  private static int decodeCounterValue(byte[] entry)
  throws DataFormatException
  {
    try
    {
      String numAckStr = new String(entry, 0, entry.length, "UTF-8");
      return Integer.parseInt(numAckStr);
    } catch (UnsupportedEncodingException e)
    {
      throw new DataFormatException("UTF-8 is not supported by this jvm.");
    }
  }
  /**
   * Encode the provided counter value in a database entry.
   * @param entry The provided entry.
   * @return The databse entry with the counter value encoded inside..
   * @throws UnsupportedEncodingException
   */
  static private DatabaseEntry encodeCounterValue(int value)
  throws UnsupportedEncodingException
  {
    DatabaseEntry entry = new DatabaseEntry();
    entry.setData(String.valueOf(value).getBytes("UTF-8"));
    return entry;
  }
  /**
   * Set the counter writing window size (public method for unit tests only).
   * @param size Size in number of record.
   */
  public void setCounterWindowSize(int size)
  {
    this.counterWindowSize = size;
  }
}
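Review bot: `decodeCounterValue` hands the stored bytes straight to `Integer.parseInt`, so a damaged counter record raises an unchecked `NumberFormatException` that neither caller handles; in the constructor lines shown it would leave before `cursor.close()` runs. I would convert it inside the helper with `catch (NumberFormatException e) { throw new DataFormatException(e.getMessage()); }`. The constructor's `catch (DataFormatException e)` then needs a `break;`, because `status` is not changed there and the `while` loop would otherwise re-read the same record indefinitely. The `UnsupportedEncodingException` branch of that loop has the same problem and also calls `replicationServer.shutdown()` twice. Separately, the Javadoc of `count` promises -1 on error while the method returns `count`, so one of the two should be aligned.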
opends/src/server/org/opends/server/replication/server/ReplicationServer.java
@@ -1931,11 +1931,12 @@
  /**
   * Get first and last DraftCN.
   * @param crossDomainEligibleCN The provided crossDomainEligibleCN used as
   *        the upper limit for the lastDraftCN
   * @param excludedServiceIDs The serviceIDs that are excluded from the ECL.
   * @return The first and last draftCN.
   * @throws DirectoryException a.
   *
   * @param  crossDomainEligibleCN The provided crossDomainEligibleCN used as
   *                               the upper limit for the lastDraftCN
   * @param  excludedServiceIDs  The serviceIDs that are excluded from the ECL.
   * @return                       The first and last draftCN.
   * @throws DirectoryException    When it happens.
   */
  public int[] getECLDraftCNLimits(
      ChangeNumber crossDomainEligibleCN,
@@ -2007,6 +2008,7 @@
        // for this domain, have the state in the replchangelog
        // where the last DraftCN update is
        long ec =0;
        ServerState domainServerStateForLastSeqnum;
        if ((domainsServerStateForLastSeqnum == null) ||
            (domainsServerStateForLastSeqnum.get(rsd.getBaseDn())==null))
@@ -2017,11 +2019,12 @@
        {
          domainServerStateForLastSeqnum =
            domainsServerStateForLastSeqnum.get(rsd.getBaseDn());
          ec--;
        }
        // Count the number of (eligible) changes from this place
        // to the eligible CN (cross server)
        long ec = rsd.getEligibleCount(
        ec = rsd.getEligibleCount(
            domainServerStateForLastSeqnum, crossDomainEligibleCN);
        // the state from which we started is the one BEFORE the lastdraftCN
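Review bot: The `ec--;` added in the else branch appears to be a dead store, because `ec` is overwritten unconditionally a few lines later by `ec = rsd.getEligibleCount(domainServerStateForLastSeqnum, crossDomainEligibleCN);`. If the intent was to leave out the starting change, the decrement has to come after that assignment; it can also simply be dropped together with the `=0` initialiser, since `getEligibleCount` in ReplicationServerDomain now subtracts the start point itself. The page does not mark added and removed lines, so this reads the second line of each printed pair as the new side. The `@throws DirectoryException    When it happens.` text in the Javadoc hunk could also name the condition that raises it. The method body continues outside the hunk.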
opends/src/server/org/opends/server/replication/server/ReplicationServerDomain.java
@@ -1439,7 +1439,8 @@
    if (handler == null)
      return 0;
    return handler.getCount(from, to);
    int count = handler.getCount(from, to);
    return count;
  }
  /**
@@ -2674,12 +2675,12 @@
      for (ServerHandler rs : replicationServers.values())
      {
        int serverId = rs.getServerId();
        // Store the fact that we expect a MonitoringMsg back from this server
        expectedMonitoringMsg.add(new GlobalServerId(baseDn, serverId));
        MonitorRequestMsg msg =
          new MonitorRequestMsg(this.replicationServer.getServerId(),
          serverId);
        rs.send(msg);
        // Store the fact that we expect a MonitoringMsg back from this server
        expectedMonitoringMsg.add(new GlobalServerId(baseDn, serverId));
      }
    } catch (Exception e)
    {
@@ -3379,6 +3380,7 @@
   */
  public long getEligibleCount(ServerState startState, ChangeNumber endCN)
  {
    long sidRes = 0;
    long res = 0;
    // Parses the dbState of the domain , server by server
@@ -3391,7 +3393,13 @@
      ChangeNumber startCN = null;
      if (startState.getMaxChangeNumber(sid) != null)
        startCN = startState.getMaxChangeNumber(sid);
      res += getCount(sid, startCN, endCN);
      sidRes += getCount(sid, startCN, endCN);
      // The startPoint is excluded when counting the ECL eligible changes
      if ((startCN!=null)&&(sidRes>0))
        sidRes--;
      res+=sidRes;
    }
    return res;
  }
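Review bot: In `getEligibleCount`, `sidRes` is declared once before the loop and then updated with `sidRes += getCount(sid, startCN, endCN)`, so from the second server id onward it still holds the earlier servers' totals when `res+=sidRes` runs and those changes are counted again. Assuming the loop (its header is outside the hunk) runs once per server id as the comment says, the per-server value should be local to the iteration: `long sidRes = getCount(sid, startCN, endCN);`. As a constructed example, two servers holding 3 and 4 changes with a non-null start state give 2 + 5 = 7 with the current code instead of 2 + 3 = 5.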
opends/src/server/org/opends/server/replication/server/ReplicationServerHandler.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.replication.server;
@@ -104,13 +104,6 @@
      }
      oldGenerationId = -100;
      // Duplicate server ?
      if (!replicationServerDomain.checkForDuplicateRS(this))
      {
        abortStart(null);
        return false;
      }
    }
    catch(Exception e)
    {
@@ -179,10 +172,8 @@
  public void connect(String serviceId, boolean sslEncryption)
  throws DirectoryException
  {
    //
    // the encryption we will request to the peer as we are the session creator
    this.initSslEncryption = sslEncryption;
    // we are the initiator and decides of the encryption
    this.sslEncryption = sslEncryption;
    setServiceIdAndDomain(serviceId, false);
@@ -194,9 +185,6 @@
      //
      lockDomain(false); // no timeout
      // we are the initiator and decides of the encryption
      boolean sessionInitiatorSSLEncryption = this.initSslEncryption;
      // Send start
      ReplServerStartMsg outReplServerStartMsg =
        sendStartToRemote(ProtocolVersion.getCurrentVersion());
@@ -217,12 +205,19 @@
      // Process hello from remote
      processStartFromRemote((ReplServerStartMsg)msg);
      // Duplicate server ?
      if (!replicationServerDomain.checkForDuplicateRS(this))
      {
        abortStart(null);
        return;
      }
      // Log
      logStartHandshakeSNDandRCV(outReplServerStartMsg,(ReplServerStartMsg)msg);
      // Until here session is encrypted then it depends on the negociation
      // The session initiator decides whether to use SSL.
      if (!sessionInitiatorSSLEncryption)
      if (!this.sslEncryption)
        session.stopEncryption();
      if (protocolVersion > ProtocolVersion.REPLICATION_PROTOCOL_V1)
@@ -286,13 +281,19 @@
    oldGenerationId = -100;
    try
    {
      // Process start from remote
      boolean sessionInitiatorSSLEncryption =
        processStartFromRemote(inReplServerStartMsg);
      // The initiator decides if the session is encrypted
      sslEncryption = processStartFromRemote(inReplServerStartMsg);
      // lock with timeout
      lockDomain(true);
      // Duplicate server ?
      if (!replicationServerDomain.checkForDuplicateRS(this))
      {
        abortStart(null);
        return;
      }
      this.localGenerationId = replicationServerDomain.getGenerationId();
      ReplServerStartMsg outReplServerStartMsg =
        sendStartToRemote(protocolVersion);
@@ -302,7 +303,7 @@
      // until here session is encrypted then it depends on the negotiation
      // The session initiator decides whether to use SSL.
      if (!sessionInitiatorSSLEncryption)
      if (!sslEncryption)
        session.stopEncryption();
      TopologyMsg inTopoMsg = null;
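Review bot: On the accepting side, the value returned by `processStartFromRemote(inReplServerStartMsg)` is stored in `sslEncryption` and is the only input to `if (!sslEncryption) session.stopEncryption();`, so the peer's start message alone decides whether the rest of the session stays encrypted. Nothing in the visible lines compares that flag with the local server's own encryption setting; if no such check exists elsewhere, a peer that asks for clear text gets it even where the administrator expects replication traffic to be protected. I would add a guard before `stopEncryption()` that ends the handshake through `abortStart` when local configuration requires encryption and the remote flag is false, and log the refusal so it shows up in monitoring. Both methods extend beyond the hunks shown.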
opends/src/server/org/opends/server/replication/server/ServerHandler.java
@@ -215,11 +215,6 @@
   */
  protected byte groupId = (byte) -1;
  /**
   * The SSL encryption provided by the creator/starter of this handler.
   */
  protected boolean initSslEncryption;
  /**
   * The SSL encryption after the negotiation with the peer.
   */
  protected boolean sslEncryption;
opends/src/server/org/opends/server/tools/EncodePassword.java
@@ -535,7 +535,7 @@
          int size = storageSchemes.size();
          ArrayList<String> nameList = new ArrayList<String>(size);
          for (PasswordStorageScheme<?> s : storageSchemes.values())
          for (PasswordStorageScheme s : storageSchemes.values())
          {
            nameList.add(s.getAuthPasswordSchemeName());
          }
@@ -566,7 +566,7 @@
          int size = storageSchemes.size();
          ArrayList<String> nameList = new ArrayList<String>(size);
          for (PasswordStorageScheme<?> s : storageSchemes.values())
          for (PasswordStorageScheme s : storageSchemes.values())
          {
            nameList.add(s.getStorageSchemeName());
          }
@@ -622,7 +622,7 @@
          return 1;
        }
        PasswordStorageScheme<?> storageScheme =
        PasswordStorageScheme storageScheme =
             DirectoryServer.getAuthPasswordStorageScheme(scheme);
        if (storageScheme == null)
        {
@@ -672,7 +672,7 @@
      }
      else
      {
        PasswordStorageScheme<?> storageScheme;
        PasswordStorageScheme storageScheme;
        String                encodedPWString;
        if (UserPasswordSyntax.isEncoded(encodedPW))
@@ -772,7 +772,7 @@
    else
    {
      // Try to get a reference to the requested password storage scheme.
      PasswordStorageScheme<?> storageScheme;
      PasswordStorageScheme storageScheme;
      if (authPasswordSyntax.isPresent())
      {
        String scheme = schemeName.getValue();
@@ -909,10 +909,12 @@
          directoryServer.initializePlugins(pluginTypes);
          //Initialize Trust Backend.
          initializeServerBackends(directoryServer);
          // Initialize the subentry manager.
          directoryServer.initializeSubentryManager();
          //Initialize PWD policy components.
          directoryServer.initializePasswordPolicyComponents();
          //Load the crypto-manager key cache among other things.
         new CryptoManagerSync(false);
         new CryptoManagerSync();
    } catch (InitializationException ie) {
        Message message = ERR_ENCPW_CANNOT_INITIALIZE_SERVER_COMPONENTS.get(
                getExceptionMessage(ie));
@@ -955,7 +957,7 @@
          backendCfg instanceof LDIFBackendCfg) {
        if(backendCfg.isEnabled()) {
          String className = backendCfg.getJavaClass();
          Class<?> backendClass;
          Class backendClass;
          Backend backend;
          try {
            backendClass = DirectoryServer.loadClass(className);
@@ -1181,7 +1183,7 @@
        try
        {
          // attempt masking at this rate
          ErasingThread.sleep(1);
          this.sleep(1);
        }
        catch (InterruptedException iex)
        {
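Review bot: The raw `PasswordStorageScheme` and `Class` declarations and the `this.sleep(1)` call are a step back in style compared with the `<?>` and `ErasingThread.sleep(1)` forms printed next to them. Raw types bring back unchecked warnings, and calling what is presumably the static `Thread.sleep` through `this` hides that it always pauses the current thread. The page does not mark which line of each pair is new; if the raw forms are the new side, I would keep `PasswordStorageScheme<?> storageScheme`, `Class<?> backendClass` and `ErasingThread.sleep(1)` as they were. The enclosing methods start and end outside these hunks.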
opends/src/server/org/opends/server/tools/ImportLDIF.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.tools;
@@ -53,6 +53,7 @@
import org.opends.server.core.CoreConfigManager;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.LockFileManager;
import org.opends.server.core.PluginConfigManager;
import org.opends.server.extensions.ConfigFileHandler;
import org.opends.server.loggers.ErrorLogger;
import org.opends.server.loggers.TextErrorLogPublisher;
@@ -881,6 +882,66 @@
        }
      }
      // Initialize the root DNs.
      try
      {
        directoryServer.initializeRootDNConfigManager();
      }
      catch (ConfigException ce)
      {
        Message message = ERR_CANNOT_INITIALIZE_ROOTDN_MANAGER.get(
                ce.getMessage());
        err.println(wrapText(message, MAX_LINE_WIDTH));
        return 1;
      }
      catch (InitializationException ie)
      {
        Message message = ERR_CANNOT_INITIALIZE_ROOTDN_MANAGER.get(
                ie.getMessage());
        err.println(wrapText(message, MAX_LINE_WIDTH));
        return 1;
      }
      // Initialize the plugin manager.
      try
      {
        HashSet<PluginType> pluginTypes = new HashSet<PluginType>(1);
        directoryServer.initializePlugins(pluginTypes);
      }
      catch (ConfigException ce)
      {
        Message message = ERR_LDIFIMPORT_CANNOT_INITIALIZE_PLUGINS.get(
                ce.getMessage());
        err.println(wrapText(message, MAX_LINE_WIDTH));
        return 1;
      }
      catch (InitializationException ie)
      {
        Message message = ERR_LDIFIMPORT_CANNOT_INITIALIZE_PLUGINS.get(
                ie.getMessage());
        err.println(wrapText(message, MAX_LINE_WIDTH));
        return 1;
      }
      catch (Exception e)
      {
        Message message = ERR_LDIFIMPORT_CANNOT_INITIALIZE_PLUGINS.get(
                getExceptionMessage(e));
        err.println(wrapText(message, MAX_LINE_WIDTH));
        return 1;
      }
      // Initialize the subentry manager.
      try
      {
        directoryServer.initializeSubentryManager();
      }
      catch (InitializationException ie)
      {
        Message message = ERR_CANNOT_INITIALIZE_SUBENTRY_MANAGER.get(
                ie.getMessage());
        err.println(wrapText(message, MAX_LINE_WIDTH));
        return 1;
      }
      // Initialize all the password policy information.
      try
@@ -908,38 +969,38 @@
        err.println(wrapText(message, MAX_LINE_WIDTH));
        return 1;
      }
      // Make sure that the Directory Server plugin initialization is performed.
      try
      {
        HashSet<PluginType> pluginTypes = new HashSet<PluginType>(1);
        pluginTypes.add(PluginType.LDIF_IMPORT);
        directoryServer.initializePlugins(pluginTypes);
      }
      catch (ConfigException ce)
      {
        Message message = ERR_LDIFIMPORT_CANNOT_INITIALIZE_PLUGINS.get(
                ce.getMessage());
        err.println(wrapText(message, MAX_LINE_WIDTH));
        return 1;
      }
      catch (InitializationException ie)
      {
        Message message = ERR_LDIFIMPORT_CANNOT_INITIALIZE_PLUGINS.get(
                ie.getMessage());
        err.println(wrapText(message, MAX_LINE_WIDTH));
        return 1;
      }
      catch (Exception e)
      {
        Message message = ERR_LDIFIMPORT_CANNOT_INITIALIZE_PLUGINS.get(
                getExceptionMessage(e));
        err.println(wrapText(message, MAX_LINE_WIDTH));
        return 1;
      }
    }
    // Make sure that the plugin initialization is performed.
    try
    {
      HashSet<PluginType> pluginTypes = new HashSet<PluginType>(1);
      pluginTypes.add(PluginType.LDIF_IMPORT);
      PluginConfigManager pluginConfigManager =
              DirectoryServer.getPluginConfigManager();
      pluginConfigManager.initializeUserPlugins(pluginTypes);
    }
    catch (ConfigException ce)
    {
      Message message = ERR_LDIFIMPORT_CANNOT_INITIALIZE_PLUGINS.get(
              ce.getMessage());
      err.println(wrapText(message, MAX_LINE_WIDTH));
      return 1;
    }
    catch (InitializationException ie)
    {
      Message message = ERR_LDIFIMPORT_CANNOT_INITIALIZE_PLUGINS.get(
              ie.getMessage());
      err.println(wrapText(message, MAX_LINE_WIDTH));
      return 1;
    }
    catch (Exception e)
    {
      Message message = ERR_LDIFIMPORT_CANNOT_INITIALIZE_PLUGINS.get(
              getExceptionMessage(e));
      err.println(wrapText(message, MAX_LINE_WIDTH));
      return 1;
    }
    // See if there were any user-defined sets of include/exclude attributes or
    // filters.  If so, then process them.
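Review bot: The first new plugin block calls `directoryServer.initializePlugins(pluginTypes)` with a set that is created and never filled, and nothing says this is deliberate; next to the block it replaces, which added `PluginType.LDIF_IMPORT` first, it reads like a forgotten line. If the empty set is intended, a comment such as `// No plugin types requested here on purpose; LDIF_IMPORT plugins are initialized later via initializeUserPlugins.` would make that clear. The three identical `catch` bodies in each block could also share one small private helper that prints the wrapped message and returns 1. The enclosing method starts and ends outside the hunks.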
opends/src/server/org/opends/server/tools/makeldif/Branch.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.tools.makeldif;
import org.opends.messages.Message;
@@ -224,7 +224,7 @@
        if (subordinateTemplates[i] == null)
        {
          Message message = ERR_MAKELDIF_UNDEFINED_BRANCH_SUBORDINATE.get(
              subordinateTemplateNames[i], branchDN.toString());
              branchDN.toString(), subordinateTemplateNames[i]);
          throw new MakeLDIFException(message);
        }
      }
opends/src/server/org/opends/server/types/Entry.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.types;
import org.opends.messages.Message;
@@ -3361,7 +3361,8 @@
  public boolean isCollectiveAttributeSubentry()
  {
    ObjectClass collectiveAttributeSubentryOC =
         DirectoryServer.getObjectClass(OC_COLLECTIVE_ATTR_SUBENTRY);
         DirectoryServer.getObjectClass(
         OC_COLLECTIVE_ATTR_SUBENTRY_LC);
    if (collectiveAttributeSubentryOC == null)
    {
      // This should not happen -- The server doesn't have
@@ -3393,6 +3394,49 @@
  /**
   * Indicates whether the entry meets the criteria to consider it a
   * LDAP password policy subentry (i.e., it contains the "pwdPolicy"
   * objectclass of LDAP Password Policy Internet-Draft).
   *
   * @return  <CODE>true</CODE> if this entry meets the criteria to
   *          consider it a LDAP Password Policy Internet-Draft
   *          subentry, or <CODE>false</CODE> if not.
   */
  public boolean isPasswordPolicySubentry()
  {
    ObjectClass passwordPolicySubentryOC =
         DirectoryServer.getObjectClass(OC_PWD_POLICY_SUBENTRY_LC);
    if (passwordPolicySubentryOC == null)
    {
      // This should not happen -- The server doesn't have
      // a pwdPolicy objectclass defined.
      if (debugEnabled())
      {
        TRACER.debugWarning(
            "No %s objectclass is defined in the server schema.",
                     OC_PWD_POLICY_SUBENTRY);
      }
      for (String ocName : objectClasses.values())
      {
        if (ocName.equalsIgnoreCase(OC_PWD_POLICY_SUBENTRY))
        {
          return true;
        }
      }
      return false;
    }
    // Make the determination based on whether this entry
    // has the pwdPolicy objectclass.
    return objectClasses.containsKey(passwordPolicySubentryOC);
  }
  /**
   * Indicates whether this entry falls within the range of the
   * provided search base DN and scope.
   *
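Review bot: `isPasswordPolicySubentry()` returns true for any entry that carries the `pwdPolicy` objectclass, but neither the code nor its Javadoc says whether the entry must also be a subentry, although the name and summary speak of a password policy subentry. Since password policy selection is security-relevant, I would state the contract in the Javadoc, for example `This method only tests for the pwdPolicy objectclass; it does not check that the entry is a subentry.`, so callers know to combine it with their own subentry test. The fallback loop mirrors the one in `isCollectiveAttributeSubentry()`, so the two methods could share a private helper that takes the lowercase and camel-case objectclass names.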
opends/src/server/org/opends/server/types/SubEntry.java
@@ -164,7 +164,7 @@
      // There is none for some reason eg this could be
      // old Draft based ldapSubEntry so create a dummy.
      this.subTreeSpec = new RFC3672SubtreeSpecification(
                entry.getDN().getParent(), null, -1, -1,
                DN.NULL_DN, null, -1, -1,
                null, null, null);
    }
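Review bot: The dummy specification built for a subentry without a subtreeSpecification now takes `DN.NULL_DN` where the line printed before it passes `entry.getDN().getParent()`, and the comment above the call was not updated to say why. The `RFC3672SubtreeSpecification` constructor is not shown; if its first argument is the root the specification is anchored at, the fallback scope moves from the subentry's parent to the null DN, which matters for anything applied through subentries, such as collective attributes or the password policies this commit adds. I would add a comment next to the call, e.g. `// Root is DN.NULL_DN because <reason>; effective scope is limited by <where>.`, or keep the parent DN if the wider scope is not intended.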
opends/src/server/org/opends/server/util/ServerConstants.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.util;
@@ -929,6 +929,22 @@
  /**
   * The name of the LDAP Password Policy Internet-Draft
   * "pwdPolicy" objectclass, formatted in camel case.
   */
  public static final String OC_PWD_POLICY_SUBENTRY = "pwdPolicy";
  /**
   * The name of the LDAP Password Policy Internet-Draft
   * "pwdPolicy" objectclass, formatted in all lowercase.
   */
  public static final String OC_PWD_POLICY_SUBENTRY_LC = "pwdpolicy";
  /**
   * The name of the custom objectclass that will be included in backend monitor
   * entries.
   */
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_sasl_addsubjectdnattribute.ldif
New file
@@ -0,0 +1,4 @@
dn: uid=user.250,ou=people,dc=com
changetype: modify
add: ds-certificate-subject-dn
ds-certificate-subject-dn:  uid=user.250,ou=People,dc=com
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_sasl_allowdelete.ldif
New file
@@ -0,0 +1,4 @@
dn: ou=people,dc=com
changetype: modify
add: aci
aci: (target="ldap:///uid=user.42*,ou=people,dc=com") (version 3.0; acl "example"; allow (delete) userdn="ldap:///uid=user.350,ou=people,dc=com";)
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_sasl_ldapmodify.ldif
New file
@@ -0,0 +1,4 @@
dn: uid=user.120,ou=people,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: +1 420 810 8800
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_sasl_ldapmodify2.ldif
New file
@@ -0,0 +1,4 @@
dn: uid=user.120,ou=people,dc=com
changetype: modify
replace: postalCode
postalCode: 38000
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_ssl_ldapmodify.ldif
New file
@@ -0,0 +1,4 @@
dn: uid=user.100,ou=people,dc=com
changetype: modify
replace: givenName
givenName: Olga
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_ssl_ldapmodify2.ldif
New file
@@ -0,0 +1,4 @@
dn: uid=user.101,ou=people,dc=com
changetype: modify
replace: mail
mail: user.101@sun.com
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_start.ldif
New file
Diff too large
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_startls_ldapmodify.ldif
New file
@@ -0,0 +1,4 @@
dn: uid=user.110,ou=people,dc=com
changetype: modify
replace: sn
sn: John
opends/tests/staf-tests/functional-tests/shared/data/clu_secure/clus_startls_ldapmodify2.ldif
New file
@@ -0,0 +1,4 @@
dn: uid=user.111,ou=people,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: +3312345678
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/add/add.ldif
New file
@@ -0,0 +1,75 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=Bil Bo,ou=People,dc=example,dc=com
changetype: add
cn: Bil Bo
sn: Bo
givenName: Bil
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: bbo
mail: bbo@example.com
roomnumber: 5484
dn: uid=Blam Blo,ou=People,dc=example,dc=com
changetype: add
cn: Blam Bo
sn: Blo
givenName: Blam
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: blbo
mail: blbo@example.com
roomnumber: 5484
dn: uid=Blum Blue,ou=People,dc=example,dc=com
changetype: add
cn: Blum Blue
sn: Blue
givenName: Blum
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: blubu
mail: blubu@example.com
roomnumber: 5484
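Review bot: The license header at the top of this file opens mid-sentence with `# Common Development and Distribution License, Version 1.0 only`, although it still closes with `# CDDL HEADER END`. default.ldif in the same commit begins with `# CDDL HEADER START`, `#` and `# The contents of this file are subject to the terms of the`; those three lines are missing here. The same truncated header appears in moddn.ldif and modify.ldif under psearch/add, so all three files should get the full opening.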
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/add/add.ref
New file
@@ -0,0 +1,49 @@
dn: uid=Bil Bo,ou=People,dc=example,dc=com
ou: Accounting
ou: People
sn: Bo
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: organizationalPerson
roomnumber: 5484
l: Santa Clara
cn: Bil Bo
uid: bbo
uid: Bil Bo
givenName: Bil
mail: bbo@example.com
dn: uid=Blam Blo,ou=People,dc=example,dc=com
ou: Accounting
ou: People
sn: Blo
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: organizationalPerson
roomnumber: 5484
l: Santa Clara
cn: Blam Bo
uid: blbo
uid: Blam Blo
givenName: Blam
mail: blbo@example.com
dn: uid=Blum Blue,ou=People,dc=example,dc=com
ou: Accounting
ou: People
sn: Blue
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: organizationalPerson
roomnumber: 5484
l: Santa Clara
cn: Blum Blue
uid: blubu
uid: Blum Blue
givenName: Blum
mail: blubu@example.com
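Review bot: Each expected entry carries a second `uid` value equal to its RDN (`uid: Bil Bo`, `uid: Blam Blo`, `uid: Blum Blue`), but add.ldif supplies only the short values (`uid: bbo` and so on). The comparison therefore passes only if the server adds the missing RDN attribute value on add, which looks like a configuration dependency of the test rather than something the data guarantees. I would put the RDN value into add.ldif explicitly, e.g. `uid: Bil Bo` next to `uid: bbo`, or record the required server setting in the test that consumes this file.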
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/add/delete.ldif
New file
@@ -0,0 +1 @@
uid=Blum Blue,ou=People,dc=example,dc=com
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/add/moddn.ldif
New file
@@ -0,0 +1,27 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=Bil Bo, ou=People, dc=example,dc=com
changetype: moddn
newrdn: uid=BillyBo
deleteoldrdn: 1
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/add/modify.ldif
New file
@@ -0,0 +1,27 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=Blam Blo, ou=People, dc=example,dc=com
changetype: modify
replace: roomnumber
roomnumber: 123456
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/default.ldif
New file
@@ -0,0 +1,2810 @@
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2006-2010 Sun Microsystems, Inc.
#
#
# dc=com sample LDIF file
#
# Notes:
#   161 total entries.
#     2 (objectclass=domain) entries (dc=example,dc=com).
#     4 (objectclass=organizationalunit) entries.
#     5 (objectclass=groupofuniquenames) entries.
#   150 (objectclass=person) entries (all under ou=people,dc=example,dc=com).
#
dn: dc=com
objectclass: top
objectclass: domain
dc: com
dn: dc=example,dc=com
objectclass: top
objectclass: domain
dc: example
dn: ou=Groups, dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: Groups
dn: cn=Directory Administrators, ou=Groups, dc=example,dc=com
cn: Directory Administrators
objectclass: top
objectclass: groupofuniquenames
ou: Groups
uniquemember: uid=kvaughan, ou=People, dc=example,dc=com
uniquemember: uid=rdaugherty, ou=People, dc=example,dc=com
uniquemember: uid=hmiller, ou=People, dc=example,dc=com
dn: ou=People, dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: People
dn: ou=Special Users,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
dn: uid=scarter, ou=People, dc=example,dc=com
cn: Sam Carter
sn: Carter
givenname: Sam
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: scarter
mail: scarter@example.com
telephonenumber: +1 408 555 4798
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 4612
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tmorris, ou=People, dc=example,dc=com
cn: Ted Morris
sn: Morris
givenname: Ted
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: tmorris
mail: tmorris@example.com
telephonenumber: +1 408 555 9187
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 4117
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=kvaughan, ou=People, dc=example,dc=com
cn: Kirsten Vaughan
sn: Vaughan
givenname: Kirsten
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: kvaughan
mail: kvaughan@example.com
telephonenumber: +1 408 555 5625
facsimiletelephonenumber: +1 408 555 3372
roomnumber: 2871
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=abergin, ou=People, dc=example,dc=com
cn: Andy Bergin
sn: Bergin
givenname: Andy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Cupertino
uid: abergin
mail: abergin@example.com
telephonenumber: +1 408 555 8585
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 3472
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=dmiller, ou=People, dc=example,dc=com
cn: David Miller
sn: Miller
givenname: David
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: dmiller
mail: dmiller@example.com
telephonenumber: +1 408 555 9423
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 4135
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=gfarmer, ou=People, dc=example,dc=com
cn: Gern Farmer
sn: Farmer
givenname: Gern
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Cupertino
uid: gfarmer
mail: gfarmer@example.com
telephonenumber: +1 408 555 6201
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 1269
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=kwinters, ou=People, dc=example,dc=com
cn: Kelly Winters
sn: Winters
givenname: Kelly
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: kwinters
mail: kwinters@example.com
telephonenumber: +1 408 555 9069
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 4178
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=trigden, ou=People, dc=example,dc=com
cn: Torrey Rigden
sn: Rigden
givenname: Torrey
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: trigden
mail: trigden@example.com
telephonenumber: +1 408 555 9280
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 3584
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=cschmith, ou=People, dc=example,dc=com
cn: Chris Schmith
sn: Schmith
givenname: Chris
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: cschmith
mail: cschmith@example.com
telephonenumber: +1 408 555 8011
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 0416
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jwallace, ou=People, dc=example,dc=com
cn: Judy Wallace
sn: Wallace
givenname: Judy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: jwallace
mail: jwallace@example.com
telephonenumber: +1 408 555 0319
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 1033
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jwalker, ou=People, dc=example,dc=com
cn: John Walker
sn: Walker
givenname: John
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Cupertino
uid: jwalker
mail: jwalker@example.com
telephonenumber: +1 408 555 1476
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 3915
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tclow, ou=People, dc=example,dc=com
cn: Torrey Clow
sn: Clow
givenname: Torrey
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: tclow
mail: tclow@example.com
telephonenumber: +1 408 555 8825
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 4376
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rdaugherty, ou=People, dc=example,dc=com
cn: Robert Daugherty
sn: Daugherty
givenname: Robert
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: rdaugherty
mail: rdaugherty@example.com
telephonenumber: +1 408 555 1296
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 0194
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jreuter, ou=People, dc=example,dc=com
cn: Jayne Reuter
sn: Reuter
givenname: Jayne
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Cupertino
uid: jreuter
mail: jreuter@example.com
telephonenumber: +1 408 555 1122
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 2942
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tmason, ou=People, dc=example,dc=com
cn: Torrey Mason
sn: Mason
givenname: Torrey
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: tmason
mail: tmason@example.com
telephonenumber: +1 408 555 1596
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 1124
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bhall, ou=People, dc=example,dc=com
cn: Benjamin Hall
sn: Hall
givenname: Benjamin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: bhall
mail: bhall@example.com
telephonenumber: +1 408 555 6067
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 2511
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=btalbot, ou=People, dc=example,dc=com
cn: Brad Talbot
sn: Talbot
givenname: Brad
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Cupertino
uid: btalbot
mail: btalbot@example.com
telephonenumber: +1 408 555 4992
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 3532
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mward, ou=People, dc=example,dc=com
cn: Marcus Ward
sn: Ward
givenname: Marcus
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: mward
mail: mward@example.com
telephonenumber: +1 408 555 5688
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 1707
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bjablons, ou=People, dc=example,dc=com
cn: Barbara Jablonski
sn: Jablonski
givenname: Barbara
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: bjablons
mail: bjablons@example.com
telephonenumber: +1 408 555 8815
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 0906
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jmcFarla, ou=People, dc=example,dc=com
cn: Judy McFarland
sn: McFarland
givenname: Judy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: jmcFarla
mail: jmcFarla@example.com
telephonenumber: +1 408 555 2567
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 2359
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=llabonte, ou=People, dc=example,dc=com
cn: Lee Labonte
sn: Labonte
givenname: Lee
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: llabonte
mail: llabonte@example.com
telephonenumber: +1 408 555 0957
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 2854
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jcampaig, ou=People, dc=example,dc=com
cn: Jody Campaigne
sn: Campaigne
givenname: Jody
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: jcampaig
mail: jcampaig@example.com
telephonenumber: +1 408 555 1660
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 4385
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bhal2, ou=People, dc=example,dc=com
cn: Barbara Hall
sn: Hall
givenname: Barbara
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: bhal2
mail: bhal2@example.com
telephonenumber: +1 408 555 4491
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 2758
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=alutz, ou=People, dc=example,dc=com
cn: Alexander Lutz
sn: Lutz
givenname: Alexander
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: alutz
mail: alutz@example.com
telephonenumber: +1 408 555 6505
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 1327
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=btalbo2, ou=People, dc=example,dc=com
cn: Bjorn Talbot
sn: Talbot
givenname: Bjorn
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: btalbo2
mail: btalbo2@example.com
telephonenumber: +1 408 555 4234
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 1205
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=achassin, ou=People, dc=example,dc=com
cn: Ashley Chassin
sn: Chassin
givenname: Ashley
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Santa Clara
uid: achassin
mail: achassin@example.com
telephonenumber: +1 408 555 9972
facsimiletelephonenumber: +1 408 555 3372
roomnumber: 0466
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=hmiller, ou=People, dc=example,dc=com
cn: Harry Miller
sn: Miller
givenname: Harry
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: hmiller
mail: hmiller@example.com
telephonenumber: +1 408 555 9804
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 4304
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jcampai2, ou=People, dc=example,dc=com
cn: Jeffrey Campaigne
sn: Campaigne
givenname: Jeffrey
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: jcampai2
mail: jcampai2@example.com
telephonenumber: +1 408 555 7393
facsimiletelephonenumber: +1 408 555 3372
roomnumber: 1377
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=lulrich, ou=People, dc=example,dc=com
cn: Lee Ulrich
sn: Ulrich
givenname: Lee
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Sunnyvale
uid: lulrich
mail: lulrich@example.com
telephonenumber: +1 408 555 8652
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 0985
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mlangdon, ou=People, dc=example,dc=com
cn: Marcus Langdon
sn: Langdon
givenname: Marcus
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: mlangdon
mail: mlangdon@example.com
telephonenumber: +1 408 555 6249
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 4471
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=striplet, ou=People, dc=example,dc=com
cn: Stephen Triplett
sn: Triplett
givenname: Stephen
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: striplet
mail: striplet@example.com
telephonenumber: +1 408 555 4519
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 3083
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=gtriplet, ou=People, dc=example,dc=com
cn: Gern Triplett
sn: Triplett
givenname: Gern
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: gtriplet
mail: gtriplet@example.com
telephonenumber: +1 408 555 2582
facsimiletelephonenumber: +1 408 555 3372
roomnumber: 4023
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jfalena, ou=People, dc=example,dc=com
cn: John Falena
sn: Falena
givenname: John
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: jfalena
mail: jfalena@example.com
telephonenumber: +1 408 555 8133
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 1917
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=speterso, ou=People, dc=example,dc=com
cn: Sue Peterson
sn: Peterson
givenname: Sue
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: speterso
mail: speterso@example.com
telephonenumber: +1 408 555 3613
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 3073
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ejohnson, ou=People, dc=example,dc=com
cn: Emanuel Johnson
sn: Johnson
givenname: Emanuel
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: ejohnson
mail: ejohnson@example.com
telephonenumber: +1 408 555 3287
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 3737
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=prigden, ou=People, dc=example,dc=com
cn: Peter Rigden
sn: Rigden
givenname: Peter
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: prigden
mail: prigden@example.com
telephonenumber: +1 408 555 5099
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 1271
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bwalker, ou=People, dc=example,dc=com
cn: Brad Walker
sn: Walker
givenname: Brad
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: bwalker
mail: bwalker@example.com
telephonenumber: +1 408 555 5476
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 3529
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=kjensen, ou=People, dc=example,dc=com
cn: Kurt Jensen
sn: Jensen
givenname: Kurt
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: kjensen
mail: kjensen@example.com
telephonenumber: +1 408 555 6127
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 1944
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mlott, ou=People, dc=example,dc=com
cn: Mike Lott
sn: Lott
givenname: Mike
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: mlott
mail: mlott@example.com
telephonenumber: +1 408 555 2234
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 0498
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=cwallace, ou=People, dc=example,dc=com
cn: Cecil Wallace
sn: Wallace
givenname: Cecil
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: cwallace
mail: cwallace@example.com
telephonenumber: +1 408 555 6438
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 0349
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tpierce, ou=People, dc=example,dc=com
cn: Tobias Pierce
sn: Pierce
givenname: Tobias
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: tpierce
mail: tpierce@example.com
telephonenumber: +1 408 555 1531
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 1383
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rbannist, ou=People, dc=example,dc=com
cn: Richard Bannister
sn: Bannister
givenname: Richard
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: rbannist
mail: rbannist@example.com
telephonenumber: +1 408 555 1833
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 0983
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bplante, ou=People, dc=example,dc=com
cn: Brian Plante
sn: Plante
givenname: Brian
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Cupertino
uid: bplante
mail: bplante@example.com
telephonenumber: +1 408 555 3550
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 4654
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rmills, ou=People, dc=example,dc=com
cn: Randy Mills
sn: Mills
givenname: Randy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: rmills
mail: rmills@example.com
telephonenumber: +1 408 555 2072
facsimiletelephonenumber: +1 408 555 3372
roomnumber: 3823
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bschneid, ou=People, dc=example,dc=com
cn: Benjamin Schneider
sn: Schneider
givenname: Benjamin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Santa Clara
uid: bschneid
mail: bschneid@example.com
telephonenumber: +1 408 555 1012
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 4471
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=skellehe, ou=People, dc=example,dc=com
cn: Sue Kelleher
sn: Kelleher
givenname: Sue
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Santa Clara
uid: skellehe
mail: skellehe@example.com
telephonenumber: +1 408 555 3480
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 1608
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=brentz, ou=People, dc=example,dc=com
cn: Bertram Rentz
sn: Rentz
givenname: Bertram
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Sunnyvale
uid: brentz
mail: brentz@example.com
telephonenumber: +1 408 555 5526
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 0617
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=dsmith, ou=People, dc=example,dc=com
cn: Daniel Smith
sn: Smith
givenname: Daniel
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: dsmith
mail: dsmith@example.com
telephonenumber: +1 408 555 9519
facsimiletelephonenumber: +1 408 555 3372
roomnumber: 0368
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=scarte2, ou=People, dc=example,dc=com
cn: Stephen Carter
sn: Carter
givenname: Stephen
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: scarte2
mail: scarte2@example.com
telephonenumber: +1 408 555 6022
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 2013
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=dthorud, ou=People, dc=example,dc=com
cn: David Thorud
sn: Thorud
givenname: David
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Cupertino
uid: dthorud
mail: dthorud@example.com
telephonenumber: +1 408 555 6185
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 1128
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ekohler, ou=People, dc=example,dc=com
cn: Elba Kohler
sn: Kohler
givenname: Elba
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: ekohler
mail: ekohler@example.com
telephonenumber: +1 408 555 1926
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 2721
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=lcampbel, ou=People, dc=example,dc=com
cn: Laurel Campbell
sn: Campbell
givenname: Laurel
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: lcampbel
mail: lcampbel@example.com
telephonenumber: +1 408 555 2537
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 2073
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tlabonte, ou=People, dc=example,dc=com
cn: Tim Labonte
sn: Labonte
givenname: Tim
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Cupertino
uid: tlabonte
mail: tlabonte@example.com
telephonenumber: +1 408 555 0058
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 1426
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=slee, ou=People, dc=example,dc=com
cn: Scott Lee
sn: Lee
givenname: Scott
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: slee
mail: slee@example.com
telephonenumber: +1 408 555 2335
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 1806
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bfree, ou=People, dc=example,dc=com
cn: Bjorn Free
sn: Free
givenname: Bjorn
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: bfree
mail: bfree@example.com
telephonenumber: +1 408 555 8588
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 3307
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tschneid, ou=People, dc=example,dc=com
cn: Torrey Schneider
sn: Schneider
givenname: Torrey
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: tschneid
mail: tschneid@example.com
telephonenumber: +1 408 555 7086
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 2292
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=prose, ou=People, dc=example,dc=com
cn: Paula Rose
sn: Rose
givenname: Paula
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Cupertino
uid: prose
mail: prose@example.com
telephonenumber: +1 408 555 9998
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 0542
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jhunter, ou=People, dc=example,dc=com
cn: Janet Hunter
sn: Hunter
givenname: Janet
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: jhunter
mail: jhunter@example.com
telephonenumber: +1 408 555 7665
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 4856
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ashelton, ou=People, dc=example,dc=com
cn: Alexander Shelton
sn: Shelton
givenname: Alexander
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: ashelton
mail: ashelton@example.com
telephonenumber: +1 408 555 1081
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 1987
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mmcinnis, ou=People, dc=example,dc=com
cn: Marcus Mcinnis
sn: Mcinnis
givenname: Marcus
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: mmcinnis
mail: mmcinnis@example.com
telephonenumber: +1 408 555 9655
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 4818
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=falbers, ou=People, dc=example,dc=com
cn: Frank Albers
sn: Albers
givenname: Frank
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: falbers
mail: falbers@example.com
telephonenumber: +1 408 555 3094
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 1439
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mschneid, ou=People, dc=example,dc=com
cn: Martin Schneider
sn: Schneider
givenname: Martin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Cupertino
uid: mschneid
mail: mschneid@example.com
telephonenumber: +1 408 555 5017
facsimiletelephonenumber: +1 408 555 3372
roomnumber: 3153
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=pcruse, ou=People, dc=example,dc=com
cn: Patricia Cruse
sn: Cruse
givenname: Patricia
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Santa Clara
uid: pcruse
mail: pcruse@example.com
telephonenumber: +1 408 555 8641
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 3967
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tkelly, ou=People, dc=example,dc=com
cn: Timothy Kelly
sn: Kelly
givenname: Timothy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
l: Santa Clara
uid: tkelly
mail: tkelly@example.com
telephonenumber: +1 408 555 4295
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 3107
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ahel, ou=People, dc=example,dc=com
cn: Andrew Hel
sn: Hel
givenname: Andrew
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: ahel
mail: ahel@example.com
telephonenumber: +1 408 555 2666
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 0572
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jburrell, ou=People, dc=example,dc=com
cn: James Burrell
sn: Burrell
givenname: James
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: jburrell
mail: jburrell@example.com
telephonenumber: +1 408 555 0751
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 4926
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=smason, ou=People, dc=example,dc=com
cn: Sue Mason
sn: Mason
givenname: Sue
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: smason
mail: smason@example.com
telephonenumber: +1 408 555 9780
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 4971
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ptyler, ou=People, dc=example,dc=com
cn: Pete Tyler
sn: Tyler
givenname: Pete
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: ptyler
mail: ptyler@example.com
telephonenumber: +1 408 555 3335
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 0327
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=calexand, ou=People, dc=example,dc=com
cn: Chris Alexander
sn: Alexander
givenname: Chris
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Sunnyvale
uid: calexand
mail: calexand@example.com
telephonenumber: +1 408 555 9438
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 2884
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jcruse, ou=People, dc=example,dc=com
cn: Jim Cruse
sn: Cruse
givenname: Jim
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Santa Clara
uid: jcruse
mail: jcruse@example.com
telephonenumber: +1 408 555 9482
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 0083
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=kcarter, ou=People, dc=example,dc=com
cn: Karen Carter
sn: Carter
givenname: Karen
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Cupertino
uid: kcarter
mail: kcarter@example.com
telephonenumber: +1 408 555 4675
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 2320
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rfish, ou=People, dc=example,dc=com
cn: Randy Fish
sn: Fish
givenname: Randy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: rfish
mail: rfish@example.com
telephonenumber: +1 408 555 9865
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 2317
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=phunt, ou=People, dc=example,dc=com
cn: Philip Hunt
sn: Hunt
givenname: Philip
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: phunt
mail: phunt@example.com
telephonenumber: +1 408 555 1242
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 1183
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rschneid, ou=People, dc=example,dc=com
cn: Rachel Schneider
sn: Schneider
givenname: Rachel
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: rschneid
mail: rschneid@example.com
telephonenumber: +1 408 555 9908
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 4183
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bjensen, ou=People, dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
givenname: Barbara
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: bjensen
mail: bjensen@example.com
telephonenumber: +1 408 555 1862
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 0209
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jlange, ou=People, dc=example,dc=com
cn: Jim Lange
sn: Lange
givenname: Jim
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Santa Clara
uid: jlange
mail: jlange@example.com
telephonenumber: +1 408 555 0488
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 3798
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rulrich, ou=People, dc=example,dc=com
cn: Randy Ulrich
sn: Ulrich
givenname: Randy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: rulrich
mail: rulrich@example.com
telephonenumber: +1 408 555 5311
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 1282
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rfrancis, ou=People, dc=example,dc=com
cn: Richard Francis
sn: Francis
givenname: Richard
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: rfrancis
mail: rfrancis@example.com
telephonenumber: +1 408 555 8157
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 3482
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mwhite, ou=People, dc=example,dc=com
cn: Morgan White
sn: White
givenname: Morgan
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Cupertino
uid: mwhite
mail: mwhite@example.com
telephonenumber: +1 408 555 9620
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 3088
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=gjensen, ou=People, dc=example,dc=com
cn: Gern Jensen
sn: Jensen
givenname: Gern
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: gjensen
mail: gjensen@example.com
telephonenumber: +1 408 555 3299
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 4609
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=awhite, ou=People, dc=example,dc=com
cn: Alan White
sn: White
givenname: Alan
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Sunnyvale
uid: awhite
mail: awhite@example.com
telephonenumber: +1 408 555 3232
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 0142
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bmaddox, ou=People, dc=example,dc=com
cn: Barbara Maddox
sn: Maddox
givenname: Barbara
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: bmaddox
mail: bmaddox@example.com
telephonenumber: +1 408 555 7783
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 2207
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mtalbot, ou=People, dc=example,dc=com
cn: Martin Talbot
sn: Talbot
givenname: Martin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: mtalbot
mail: mtalbot@example.com
telephonenumber: +1 408 555 9228
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 1415
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jbrown, ou=People, dc=example,dc=com
cn: Judy Brown
sn: Brown
givenname: Judy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Santa Clara
uid: jbrown
mail: jbrown@example.com
telephonenumber: +1 408 555 6885
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 4224
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jjensen, ou=People, dc=example,dc=com
cn: Jody Jensen
sn: Jensen
givenname: Jody
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: jjensen
mail: jjensen@example.com
telephonenumber: +1 408 555 7587
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 4882
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mcarter, ou=People, dc=example,dc=com
cn: Mike Carter
sn: Carter
givenname: Mike
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: mcarter
mail: mcarter@example.com
telephonenumber: +1 408 555 1846
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 3819
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=dakers, ou=People, dc=example,dc=com
cn: David Akers
sn: Akers
givenname: David
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Cupertino
uid: dakers
mail: dakers@example.com
telephonenumber: +1 408 555 4812
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 4944
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=sfarmer, ou=People, dc=example,dc=com
cn: Scott Farmer
sn: Farmer
givenname: Scott
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: sfarmer
mail: sfarmer@example.com
telephonenumber: +1 408 555 4228
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 0019
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=dward, ou=People, dc=example,dc=com
cn: Daniel Ward
sn: Ward
givenname: Daniel
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Sunnyvale
uid: dward
mail: dward@example.com
telephonenumber: +1 408 555 5322
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 3927
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tward, ou=People, dc=example,dc=com
cn: Tobias Ward
sn: Ward
givenname: Tobias
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: tward
mail: tward@example.com
telephonenumber: +1 408 555 7202
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 2238
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=pshelton, ou=People, dc=example,dc=com
cn: Patricia Shelton
sn: Shelton
givenname: Patricia
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Cupertino
uid: pshelton
mail: pshelton@example.com
telephonenumber: +1 408 555 6442
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 2918
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jrentz, ou=People, dc=example,dc=com
cn: Jody Rentz
sn: Rentz
givenname: Jody
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: jrentz
mail: jrentz@example.com
telephonenumber: +1 408 555 5829
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 3025
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=plorig, ou=People, dc=example,dc=com
cn: Peter Lorig
sn: Lorig
givenname: Peter
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: plorig
mail: plorig@example.com
telephonenumber: +1 408 555 0624
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 1276
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ajensen, ou=People, dc=example,dc=com
cn: Allison Jensen
sn: Jensen
givenname: Allison
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: ajensen
mail: ajensen@example.com
telephonenumber: +1 408 555 7892
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 0784
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=kschmith, ou=People, dc=example,dc=com
cn: Kelly Schmith
sn: Schmith
givenname: Kelly
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Cupertino
uid: kschmith
mail: kschmith@example.com
telephonenumber: +1 408 555 9749
facsimiletelephonenumber: +1 408 555 3372
roomnumber: 2221
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=pworrell, ou=People, dc=example,dc=com
cn: Pete Worrell
sn: Worrell
givenname: Pete
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: pworrell
mail: pworrell@example.com
telephonenumber: +1 408 555 1637
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 2449
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mreuter, ou=People, dc=example,dc=com
cn: Matthew Reuter
sn: Reuter
givenname: Matthew
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: mreuter
mail: mreuter@example.com
telephonenumber: +1 408 555 6879
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 1356
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=gtyler, ou=People, dc=example,dc=com
cn: Gern Tyler
sn: Tyler
givenname: Gern
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: gtyler
mail: gtyler@example.com
telephonenumber: +1 408 555 1020
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 0312
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tschmith, ou=People, dc=example,dc=com
cn: Tobias Schmith
sn: Schmith
givenname: Tobias
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Cupertino
uid: tschmith
mail: tschmith@example.com
telephonenumber: +1 408 555 9626
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 4607
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bjense2, ou=People, dc=example,dc=com
cn: Bjorn Jensen
sn: Jensen
givenname: Bjorn
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: bjense2
mail: bjense2@example.com
telephonenumber: +1 408 555 5655
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 4294
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=dswain, ou=People, dc=example,dc=com
cn: Dietrich Swain
sn: Swain
givenname: Dietrich
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Sunnyvale
uid: dswain
mail: dswain@example.com
telephonenumber: +1 408 555 9222
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 4396
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ahall, ou=People, dc=example,dc=com
cn: Andy Hall
sn: Hall
givenname: Andy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: ahall
mail: ahall@example.com
telephonenumber: +1 408 555 6169
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 3050
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jmuffly, ou=People, dc=example,dc=com
cn: Jeff Muffly
sn: Muffly
givenname: Jeff
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: jmuffly
mail: jmuffly@example.com
telephonenumber: +1 408 555 5287
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 0997
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tjensen, ou=People, dc=example,dc=com
cn: Ted Jensen
sn: Jensen
givenname: Ted
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: tjensen
mail: tjensen@example.com
telephonenumber: +1 408 555 8622
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 4717
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ahunter, ou=People, dc=example,dc=com
cn: Allison Hunter
sn: Hunter
givenname: Allison
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Sunnyvale
uid: ahunter
mail: ahunter@example.com
telephonenumber: +1 408 555 7713
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 1213
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jgoldste, ou=People, dc=example,dc=com
cn: Jon Goldstein
sn: Goldstein
givenname: Jon
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: jgoldste
mail: jgoldste@example.com
telephonenumber: +1 408 555 5769
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 1454
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=aworrell, ou=People, dc=example,dc=com
cn: Alan Worrell
sn: Worrell
givenname: Alan
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: aworrell
mail: aworrell@example.com
telephonenumber: +1 408 555 1591
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 3966
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=wlutz, ou=People, dc=example,dc=com
cn: Wendy Lutz
sn: Lutz
givenname: Wendy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: wlutz
mail: wlutz@example.com
telephonenumber: +1 408 555 3358
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 4912
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jlutz, ou=People, dc=example,dc=com
cn: Janet Lutz
sn: Lutz
givenname: Janet
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: jlutz
mail: jlutz@example.com
telephonenumber: +1 408 555 4902
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 2544
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=dlangdon, ou=People, dc=example,dc=com
cn: Dan Langdon
sn: Langdon
givenname: Dan
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: dlangdon
mail: dlangdon@example.com
telephonenumber: +1 408 555 7044
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 3263
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=aknutson, ou=People, dc=example,dc=com
cn: Ashley Knutson
sn: Knutson
givenname: Ashley
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: aknutson
mail: aknutson@example.com
telephonenumber: +1 408 555 2169
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 4736
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=kmcinnis, ou=People, dc=example,dc=com
cn: Kelly Mcinnis
sn: Mcinnis
givenname: Kelly
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: kmcinnis
mail: kmcinnis@example.com
telephonenumber: +1 408 555 8596
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 4312
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tcouzens, ou=People, dc=example,dc=com
cn: Trent Couzens
sn: Couzens
givenname: Trent
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Sunnyvale
uid: tcouzens
mail: tcouzens@example.com
telephonenumber: +1 408 555 8401
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 3994
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=lstockto, ou=People, dc=example,dc=com
cn: Lee Stockton
sn: Stockton
givenname: Lee
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Santa Clara
uid: lstockto
mail: lstockto@example.com
telephonenumber: +1 408 555 0518
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 0169
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jbourke, ou=People, dc=example,dc=com
cn: Jon Bourke
sn: Bourke
givenname: Jon
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Cupertino
uid: jbourke
mail: jbourke@example.com
telephonenumber: +1 408 555 8541
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 0034
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=dlanoway, ou=People, dc=example,dc=com
cn: Dan Lanoway
sn: Lanoway
givenname: Dan
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: dlanoway
mail: dlanoway@example.com
telephonenumber: +1 408 555 2017
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 3540
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=kcope, ou=People, dc=example,dc=com
cn: Karl Cope
sn: Cope
givenname: Karl
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: kcope
mail: kcope@example.com
telephonenumber: +1 408 555 2709
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 3040
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=abarnes, ou=People, dc=example,dc=com
cn: Anne-Louise Barnes
sn: Barnes
givenname: Anne-Louise
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Santa Clara
uid: abarnes
mail: abarnes@example.com
telephonenumber: +1 408 555 9445
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 2290
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rjensen, ou=People, dc=example,dc=com
cn: Richard Jensen
sn: Jensen
givenname: Richard
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Cupertino
uid: rjensen
mail: rjensen@example.com
telephonenumber: +1 408 555 5957
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 2631
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=phun2, ou=People, dc=example,dc=com
cn: Pete Hunt
sn: Hunt
givenname: Pete
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: phun2
mail: phun2@example.com
telephonenumber: +1 408 555 0342
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 0087
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mvaughan, ou=People, dc=example,dc=com
cn: Matthew Vaughan
sn: Vaughan
givenname: Matthew
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Sunnyvale
uid: mvaughan
mail: mvaughan@example.com
telephonenumber: +1 408 555 4692
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 4508
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jlut2, ou=People, dc=example,dc=com
cn: James Lutz
sn: Lutz
givenname: James
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: jlut2
mail: jlut2@example.com
telephonenumber: +1 408 555 9689
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 3541
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mjablons, ou=People, dc=example,dc=com
cn: Morgan Jablonski
sn: Jablonski
givenname: Morgan
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Cupertino
uid: mjablons
mail: mjablons@example.com
telephonenumber: +1 408 555 0813
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 3160
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=pchassin, ou=People, dc=example,dc=com
cn: Peter Chassin
sn: Chassin
givenname: Peter
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Santa Clara
uid: pchassin
mail: pchassin@example.com
telephonenumber: +1 408 555 2816
facsimiletelephonenumber: +1 408 555 3372
roomnumber: 4524
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=dcope, ou=People, dc=example,dc=com
cn: Dan Cope
sn: Cope
givenname: Dan
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Sunnyvale
uid: dcope
mail: dcope@example.com
telephonenumber: +1 408 555 9813
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 1737
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jrent2, ou=People, dc=example,dc=com
cn: Judy Rentz
sn: Rentz
givenname: Judy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Santa Clara
uid: jrent2
mail: jrent2@example.com
telephonenumber: +1 408 555 2523
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 4405
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tcruse, ou=People, dc=example,dc=com
cn: Tobias Cruse
sn: Cruse
givenname: Tobias
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Cupertino
uid: tcruse
mail: tcruse@example.com
telephonenumber: +1 408 555 5980
facsimiletelephonenumber: +1 408 555 4774
roomnumber: 4191
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=eward, ou=People, dc=example,dc=com
cn: Eric Ward
sn: Ward
givenname: Eric
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: eward
mail: eward@example.com
telephonenumber: +1 408 555 2320
facsimiletelephonenumber: +1 408 555 7472
roomnumber: 4874
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ttully, ou=People, dc=example,dc=com
cn: Torrey Tully
sn: Tully
givenname: Torrey
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: ttully
mail: ttully@example.com
telephonenumber: +1 408 555 2274
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 3924
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=charvey, ou=People, dc=example,dc=com
cn: Cecil Harvey
sn: Harvey
givenname: Cecil
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: charvey
mail: charvey@example.com
telephonenumber: +1 408 555 1815
facsimiletelephonenumber: +1 408 555 3825
roomnumber: 4583
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rfisher, ou=People, dc=example,dc=com
cn: Randy Fisher
sn: Fisher
givenname: Randy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Cupertino
uid: rfisher
mail: rfisher@example.com
telephonenumber: +1 408 555 1506
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 1579
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=alangdon, ou=People, dc=example,dc=com
cn: Andrew Langdon
sn: Langdon
givenname: Andrew
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: alangdon
mail: alangdon@example.com
telephonenumber: +1 408 555 8289
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 2254
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=drose, ou=People, dc=example,dc=com
cn: David Rose
sn: Rose
givenname: David
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Sunnyvale
uid: drose
mail: drose@example.com
telephonenumber: +1 408 555 3963
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 4012
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=polfield, ou=People, dc=example,dc=com
cn: Peter Olfield
sn: Olfield
givenname: Peter
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: polfield
mail: polfield@example.com
telephonenumber: +1 408 555 8231
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 1376
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=awalker, ou=People, dc=example,dc=com
cn: Andy Walker
sn: Walker
givenname: Andy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Cupertino
uid: awalker
mail: awalker@example.com
telephonenumber: +1 408 555 9199
facsimiletelephonenumber: +1 408 555 3372
roomnumber: 0061
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=lrentz, ou=People, dc=example,dc=com
cn: Lex Rentz
sn: Rentz
givenname: Lex
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: lrentz
mail: lrentz@example.com
telephonenumber: +1 408 555 2019
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 2203
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jvaughan, ou=People, dc=example,dc=com
cn: Jeff Vaughan
sn: Vaughan
givenname: Jeff
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: jvaughan
mail: jvaughan@example.com
telephonenumber: +1 408 555 4543
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 1734
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bfrancis, ou=People, dc=example,dc=com
cn: Barbara Francis
sn: Francis
givenname: Barbara
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Santa Clara
uid: bfrancis
mail: bfrancis@example.com
telephonenumber: +1 408 555 9111
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 3743
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ewalker, ou=People, dc=example,dc=com
cn: Eric Walker
sn: Walker
givenname: Eric
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Payroll
ou: People
l: Cupertino
uid: ewalker
mail: ewalker@example.com
telephonenumber: +1 408 555 6387
facsimiletelephonenumber: +1 408 555 8721
roomnumber: 2295
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=tjames, ou=People, dc=example,dc=com
cn: Tobias James
sn: James
givenname: Tobias
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: tjames
mail: tjames@example.com
telephonenumber: +1 408 555 2458
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 0730
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=brigden, ou=People, dc=example,dc=com
cn: Bjorn Rigden
sn: Rigden
givenname: Bjorn
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: brigden
mail: brigden@example.com
telephonenumber: +1 408 555 5263
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 1643
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ecruse, ou=People, dc=example,dc=com
cn: Eric Cruse
sn: Cruse
givenname: Eric
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Santa Clara
uid: ecruse
mail: ecruse@example.com
telephonenumber: +1 408 555 0648
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 4233
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rjense2, ou=People, dc=example,dc=com
cn: Randy Jensen
sn: Jensen
givenname: Randy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Sunnyvale
uid: rjense2
mail: rjense2@example.com
telephonenumber: +1 408 555 9045
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 1984
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=rhunt, ou=People, dc=example,dc=com
cn: Richard Hunt
sn: Hunt
givenname: Richard
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: rhunt
mail: rhunt@example.com
telephonenumber: +1 408 555 0139
facsimiletelephonenumber: +1 408 555 8473
roomnumber: 0718
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=bparker, ou=People, dc=example,dc=com
cn: Barry Parker
sn: Parker
givenname: Barry
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Sunnyvale
uid: bparker
mail: bparker@example.com
telephonenumber: +1 408 555 4647
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 1148
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=ealexand, ou=People, dc=example,dc=com
cn: Erin Alexander
sn: Alexander
givenname: Erin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Santa Clara
uid: ealexand
mail: ealexand@example.com
telephonenumber: +1 408 555 5563
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 2434
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=mtyler, ou=People, dc=example,dc=com
cn: Matthew Tyler
sn: Tyler
givenname: Matthew
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Cupertino
uid: mtyler
mail: mtyler@example.com
telephonenumber: +1 408 555 7907
facsimiletelephonenumber: +1 408 555 4661
roomnumber: 2701
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=elott, ou=People, dc=example,dc=com
cn: Emanuel Lott
sn: Lott
givenname: Emanuel
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
l: Santa Clara
uid: elott
mail: elott@example.com
telephonenumber: +1 408 555 0932
facsimiletelephonenumber: +1 408 555 9751
roomnumber: 3906
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=cnewport, ou=People, dc=example,dc=com
cn: Christoph Newport
sn: Newport
givenname: Christoph
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Sunnyvale
uid: cnewport
mail: cnewport@example.com
telephonenumber: +1 408 555 0066
facsimiletelephonenumber: +1 408 555 9332
roomnumber: 0056
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: uid=jvedder, ou=People, dc=example,dc=com
cn: Jeff Vedder
sn: Vedder
givenname: Jeff
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Development
ou: People
l: Santa Clara
uid: jvedder
mail: jvedder@example.com
telephonenumber: +1 408 555 4668
facsimiletelephonenumber: +1 408 555 0111
roomnumber: 3445
userpassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
uniquemember: uid=scarter, ou=People, dc=example,dc=com
uniquemember: uid=tmorris, ou=People, dc=example,dc=com
description: People who can manage accounting entries
dn: cn=HR Managers,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: HR Managers
ou: groups
uniquemember: uid=kvaughan, ou=People, dc=example,dc=com
uniquemember: uid=cschmith, ou=People, dc=example,dc=com
description: People who can manage HR entries
dn: cn=QA Managers,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: QA Managers
ou: groups
uniquemember: uid=abergin, ou=People, dc=example,dc=com
uniquemember: uid=jwalker, ou=People, dc=example,dc=com
description: People who can manage QA entries
dn: cn=PD Managers,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: PD Managers
ou: groups
uniquemember: uid=kwinters, ou=People, dc=example,dc=com
uniquemember: uid=trigden, ou=People, dc=example,dc=com
description: People who can manage engineer entries
dn: ou=Company Servers,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Company Servers
description: Standard branch for Company Server registration
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/delete/add.ldif
New file
@@ -0,0 +1,40 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=Bada Boum,ou=People,dc=example,dc=com
changetype: add
cn: Bada Boum
sn: Boum
givenName: Bada
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: bboum
mail: bboum@example.com
roomnumber: 5484
userpassword: donuts
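Review bot: The RDN in `dn: uid=Bada Boum,ou=People,dc=example,dc=com` names a `uid` value that the entry itself does not list; the only `uid` line in the record is `uid: bboum`. The add therefore relies on the server supplying the missing RDN value, and the stored entry would then carry two `uid` values, which looks unintended for a fixture. Either add `uid: Bada Boum` to the record or name the entry `dn: uid=bboum,ou=People,dc=example,dc=com`. The same mismatch is in moddn/add.ldif (`uid=Bobo Baba` with `uid: bbaba`) and modify/add.ldif (`uid=Bidi Bim` with `uid: bbim`); if the DNs are changed, the DN lists in moddn/delete.ldif and modify/delete.ldif have to follow.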
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/delete/delete.ldif
New file
@@ -0,0 +1,4 @@
uid=tmorris,ou=People,dc=example,dc=com
uid=abergin,ou=People,dc=example,dc=com
uid=jwalker,ou=People,dc=example,dc=com
uid=tclow,ou=People,dc=example,dc=com
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/delete/delete.ref
New file
@@ -0,0 +1,76 @@
dn: uid=tmorris,ou=People,dc=example,dc=com
ou: Accounting
ou: People
sn: Morris
facsimileTelephoneNumber: +1 408 555 8473
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: organizationalPerson
roomNumber: 4117
userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
l: Santa Clara
cn: Ted Morris
telephoneNumber: +1 408 555 9187
givenName: Ted
uid: tmorris
mail: tmorris@example.com
dn: uid=abergin,ou=People,dc=example,dc=com
ou: Product Testing
ou: People
sn: Bergin
facsimileTelephoneNumber: +1 408 555 7472
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: organizationalPerson
roomNumber: 3472
userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
l: Cupertino
cn: Andy Bergin
telephoneNumber: +1 408 555 8585
givenName: Andy
uid: abergin
mail: abergin@example.com
dn: uid=jwalker,ou=People,dc=example,dc=com
ou: Product Testing
ou: People
sn: Walker
facsimileTelephoneNumber: +1 408 555 1992
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: organizationalPerson
roomNumber: 3915
userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
l: Cupertino
cn: John Walker
telephoneNumber: +1 408 555 1476
givenName: John
uid: jwalker
mail: jwalker@example.com
dn: uid=tclow,ou=People,dc=example,dc=com
ou: Human Resources
ou: People
sn: Clow
facsimileTelephoneNumber: +1 408 555 1992
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: organizationalPerson
roomNumber: 4376
userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
l: Santa Clara
cn: Torrey Clow
telephoneNumber: +1 408 555 8825
givenName: Torrey
uid: tclow
mail: tclow@example.com
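Review bot: The expected output pins `userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==` in every entry, so the comparison depends on the password hash being returned to the searching identity and on the stored value never being re-encoded. The test that consumes this file is not visible here; if it can pass an explicit attribute list, leaving `userPassword` out would keep the persistent-search check independent of access-control and password-storage settings. moddn/moddn.ref and modify/modify.ref carry the same line in each of their entries.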
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/delete/moddn.ldif
New file
@@ -0,0 +1,26 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=elott, ou=People, dc=example,dc=com
changetype: moddn
newrdn: uid=elotte
deleteoldrdn: 1
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/delete/modify.ldif
New file
@@ -0,0 +1,27 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=rschneid, ou=People, dc=example,dc=com
changetype: modify
replace: roomnumber
roomnumber: 70000
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/moddn/add.ldif
New file
@@ -0,0 +1,40 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=Bobo Baba,ou=People,dc=example,dc=com
changetype: add
cn: Bobo Baba
sn: Baba
givenName: Bobo
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: bbaba
mail: bbaba@example.com
roomnumber: 5484
userpassword: donuts
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/moddn/delete.ldif
New file
@@ -0,0 +1 @@
uid=Bobo Baba,ou=People,dc=example,dc=com
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/moddn/moddn.ldif
New file
@@ -0,0 +1,36 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=mreuter, ou=People, dc=example,dc=com
changetype: moddn
newrdn: uid=reuters
deleteoldrdn: 1
dn: uid=jgoldste, ou=People, dc=example,dc=com
changetype: moddn
newrdn: uid=jgoldistec
deleteoldrdn: 1
dn: uid=dlanoway, ou=People, dc=example,dc=com
changetype: moddn
newrdn: uid=noway
deleteoldrdn: 1
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/moddn/moddn.ref
New file
@@ -0,0 +1,55 @@
dn: uid=reuters,ou=People,dc=example,dc=com
ou: Human Resources
ou: People
sn: Reuter
facsimileTelephoneNumber: +1 408 555 3825
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
roomNumber: 1356
userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
l: Sunnyvale
cn: Matthew Reuter
telephoneNumber: +1 408 555 6879
givenName: Matthew
uid: reuters
mail: mreuter@example.com
dn: uid=jgoldistec,ou=People,dc=example,dc=com
ou: Human Resources
ou: People
sn: Goldstein
facsimileTelephoneNumber: +1 408 555 7472
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
roomNumber: 1454
userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
l: Santa Clara
cn: Jon Goldstein
telephoneNumber: +1 408 555 5769
givenName: Jon
uid: jgoldistec
mail: jgoldste@example.com
dn: uid=noway,ou=People,dc=example,dc=com
ou: Accounting
ou: People
sn: Lanoway
facsimileTelephoneNumber: +1 408 555 8473
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
roomNumber: 3540
userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
l: Santa Clara
cn: Dan Lanoway
telephoneNumber: +1 408 555 2017
givenName: Dan
uid: noway
mail: dlanoway@example.com
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/moddn/modify.ldif
New file
@@ -0,0 +1,27 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=lrentz, ou=People, dc=example,dc=com
changetype: modify
replace: roomnumber
roomnumber: 151515
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/modify/add.ldif
New file
@@ -0,0 +1,40 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=Bidi Bim,ou=People,dc=example,dc=com
changetype: add
cn: Bidi Bim
sn: Bim
givenName: Bidi
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: bbim
mail: bbim@example.com
roomnumber: 5484
userpassword: donuts
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/modify/delete.ldif
New file
@@ -0,0 +1,2 @@
uid=Bidi Bim,ou=People,dc=example,dc=com
uid=elo,ou=People,dc=example,dc=com
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/modify/moddn.ldif
New file
@@ -0,0 +1,26 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=elotte, ou=People, dc=example,dc=com
changetype: moddn
newrdn: uid=elo
deleteoldrdn: 1
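Review bot: The target `dn: uid=elotte, ou=People, dc=example,dc=com` exists only after delete/moddn.ldif has renamed `uid=elott` to `uid=elotte`, so this file works only when the delete data set has already been applied to the same backend. modify/delete.ldif then removes `uid=elo`, which extends the chain by one more step. A comment above the record, for example `# uid=elotte is created by psearch/delete/moddn.ldif; that suite must run first`, would document the ordering. Alternatively, renaming an entry from the base data would let the modify suite run on its own.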
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/modify/modify.ldif
New file
@@ -0,0 +1,37 @@
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#      Copyright 2007-2010 Sun Microsystems, Inc.
#
dn: uid=bjensen, ou=People, dc=example,dc=com
changetype: modify
replace: roomnumber
roomnumber: 787878
dn: uid=mwhite, ou=People, dc=example,dc=com
changetype: modify
replace: roomnumber
roomnumber: 898989
dn: uid=mtalbot, ou=People, dc=example,dc=com
changetype: modify
replace: roomnumber
roomnumber: 101010
opends/tests/staf-tests/functional-tests/shared/data/core/psearch/modify/modify.ref
New file
@@ -0,0 +1,56 @@
dn: uid=bjensen,ou=People,dc=example,dc=com
ou: Product Development
ou: People
sn: Jensen
facsimileTelephoneNumber: +1 408 555 1992
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
roomnumber: 787878
userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
l: Cupertino
cn: Barbara Jensen
cn: Babs Jensen
telephoneNumber: +1 408 555 1862
uid: bjensen
givenName: Barbara
mail: bjensen@example.com
dn: uid=mwhite,ou=People,dc=example,dc=com
ou: Accounting
ou: People
sn: White
facsimileTelephoneNumber: +1 408 555 4661
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
roomnumber: 898989
userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
l: Cupertino
cn: Morgan White
telephoneNumber: +1 408 555 9620
uid: mwhite
givenName: Morgan
mail: mwhite@example.com
dn: uid=mtalbot,ou=People,dc=example,dc=com
ou: Product Development
ou: People
sn: Talbot
facsimileTelephoneNumber: +1 408 555 8473
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
roomnumber: 101010
userPassword: {SSHA}E67PSVsljn4LWHey7aeAAVy08uzS29pyzqZpsA==
l: Cupertino
cn: Martin Talbot
telephoneNumber: +1 408 555 9228
uid: mtalbot
givenName: Martin
mail: mtalbot@example.com
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clu_secure.xml
New file
@@ -0,0 +1,90 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="main_clu_secure"/>
  <function name="main_clu_secure">
    <function-list-args>
      <function-required-arg name="STAXParentID"/>
    </function-list-args>
    <sequence>
      <block name="'clu_secure'">
        <sequence>
          <!--- Load the job environment for the test group execution -->
          <import machine="STAF_LOCAL_HOSTNAME"
                  file="'%s/environment.xml' % TESTS_FUNCTIONS_DIR" />
          <call function="'loadJobEnvironment'">
            { 'parent' : STAXParentID }
          </call>
          <!--- Test Group information
            #@TestGroupName          Clu secure tests
            #@TestGroupPurpose       Test the tools commands in secure mode.
          -->
          <script>
            CurrentTestPath['group'] = 'clu_secure'
          </script>
          <call function="'testGroup_Preamble'"/>
          <script>
            testList = []
            testList.append(['.','clus_setup'])
            testList.append(['.','clus_jks'])
            testList.append(['clus_ssl','clus_ssl'])
            testList.append(['clus_starttls','clus_starttls'])
            testList.append(['clus_saslexternal','clus_saslexternal'])
            testList.append(['.','clus_cleanup'])
          </script>
          <iterate var="_test" in="testList">
            <sequence>
              <import machine="STAF_LOCAL_HOSTNAME"
                      file="'%s/testcases/clu_secure/%s/%s.xml' %
                      (TESTS_DIR,_test[0],_test[1])"/>
              <call function="'%s' % _test[1]" />
            </sequence>
          </iterate>
          <call function="'testGroup_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
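Review bot: The `testList` entries in the second `<script>` block are unexplained pairs; the reader has to reach the `<import>` inside `<iterate>` to learn that the first element is a sub-directory of testcases/clu_secure and the second is both the XML file name and the STAX function that gets called. A comment above the first `append`, such as `# [sub-directory, suite]: suite names both the .xml file and its function`, would make that clear. The same comment could state whether the later suites are meant to run when `clus_setup` fails, since the loop shows no check between entries.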
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_cleanup.xml
New file
@@ -0,0 +1,139 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_cleanup"/>
  <function name="clus_cleanup">
    <sequence>
      <block name="'clus_cleanup'">
        <sequence>
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Case information
            #@TestMarker          cleanup
            #@TestName            cleanup: stop DS
            #@TestIssue           none
            #@TestPurpose         Stop DS.
            #@TestPreamble        none
            #@TestStep            Stop DS.
            #@TestPostamble       none
            #@TestResult          Success if StopDsWithScript returns 0.
          -->
          <testcase name="getTestCaseName('Stop DS')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Stop DS running on port %s' \
                % (DIRECTORY_INSTANCE_PORT)
              </message>
              <call function="'StopDsWithScript'">
                {
                'location'    : STAF_REMOTE_HOSTNAME ,
                'dsHost'      : DIRECTORY_INSTANCE_HOST ,
                'dsAdminPort' : DIRECTORY_INSTANCE_ADMIN_PORT ,
                'dsBindDN'    : DIRECTORY_INSTANCE_DN ,
                'dsBindPwd'   : DIRECTORY_INSTANCE_PSWD
                }
              </call>
              <call function="'checktestRC'">
                {
                'returncode' : RC ,
                'result'     : STAXResult
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
            #@TestMarker          cleanup
            #@TestName            cleanup: remove DS topology
            #@TestIssue           none
            #@TestPurpose         Remove the topology created for
                                  the test suite.
            #@TestPreamble        none
            #@TestStep            Remove the topology created for
                                  the test suite.
            #@TestPostamble       none
            #@TestResult          Success if removeTopology returns 0.
          -->
          <testcase name="getTestCaseName('Remove DS topology')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Remove DS topology created for the test suite'
              </message>
              <call function="'removeTopology'"/>
              <call function="'checktestRC'">
                {
                'returncode' : RC ,
                'result'     : STAXResult
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
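Review bot: The `<message>` in the 'Stop DS' test case reports `DIRECTORY_INSTANCE_PORT`, but the `StopDsWithScript` call right after it is given `'dsAdminPort' : DIRECTORY_INSTANCE_ADMIN_PORT`, so the log names a different port from the one passed to the stop script. Suggest `'Stop DS using admin port %s' \` followed by `% (DIRECTORY_INSTANCE_ADMIN_PORT)`, so a failed stop can be traced to the right listener.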
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_jks.xml
New file
@@ -0,0 +1,210 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_jks" />
  <function name="clus_jks">
    <sequence>
      <block name="'clus_jks'">
        <sequence>
          <!--- Test Suite information
          #@TestSuiteName       JKS certificates
          #@TestSuitePurpose    Create server certificates
          #@TestSuiteGroup      clus_secure
          #@TestScript          clus_jks.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Case information
            #@TestMarker          Certificates
            #@TestName            Create : server Certificates
            #@TestIssue           none
            #@TestPurpose         Create certificates needed to setup authentication
            #@TestPreamble        none
            #@TestStep            Generate and self-sign the two server certificates
            #@TestPostamble       none
            #@TestResult          Success if test pass
          -->
          <testcase name="getTestCaseName('Create server certificates')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <!--- Generate the two server Certificates -->
              <message>
                'Security : Server certicates :Step 1. Generating  1st server certicate'
              </message>
              <call function="'genCertificate'">
              {
                'certAlias'       : 'server-cert1' ,
                'dname'           : "cn=server-dname1,O=Sun Microsystems,C=US",
                'keystore'        : 'serverkeystore',
                'storepass'       : 'keystorepass',
                'keypass'         : 'keystorepass',
                'storetype'       : 'JKS'
              }
              </call>
              <message>
                'Security: Server certicates :Step 1bis. Generating 2nd server certicate'
              </message>
              <call function="'genCertificate'">
              {
                'certAlias'       : 'server-cert2' ,
                'dname'           : "cn=server-dname2,O=Sun Microsystems,C=US",
                'keystore'        : 'serverkeystore',
                'storepass'       : 'keystorepass',
                'keypass'         : 'keystorepass',
                'storetype'       : 'JKS'
              }
              </call>
              <!--- Self-Sign the two Server Certificates -->
              <message>
                'Security: Server certificates :Step 2. Self-Signing 1st server certicate'
              </message>
              <call function="'SelfSignCertificate'">
              {
                'certAlias'       : 'server-cert1' ,
                'storepass'       : 'keystorepass',
                'keypass'         : 'keystorepass',
                'keystore'        : 'serverkeystore',
                'storetype'       : 'JKS'
              }
              </call>
              <message>
                'Security: Server certificates : Step 2bis. Self-signing 2nd  server certicate'
              </message>
              <call function="'SelfSignCertificate'">
              {
                'certAlias'       : 'server-cert2' ,
                'storepass'       : 'keystorepass',
                'keypass'         : 'keystorepass',
                'keystore'        : 'serverkeystore',
                'storetype'       : 'JKS'
              }
              </call>
              <!---  Export then import server certificates into the client truststore -->
              <message>
                'Security: Server certificates : Step 3. Export 1st server certificate'
              </message>
              <call function="'ExportCertificate'">
              {
                'certAlias'       : 'server-cert1' ,
                'keystore'        : 'serverkeystore',
                'storepass'       : 'keystorepass',
                'outputfile'      : 'server-cert1.txt',
                'storetype'       : 'JKS',
                'format'          : 'rfc'
              }
              </call>
              <message>
                'Security: Server Certificates : Step 3bis. Export 2nd server certificate'
              </message>
              <call function="'ExportCertificate'">
              {
                'certAlias'       : 'server-cert2' ,
                'keystore'        : 'serverkeystore',
                'storepass'       : 'keystorepass',
                'outputfile'      : 'server-cert2.txt',
                'storetype'       : 'JKS',
                'format'          : 'rfc'
              }
              </call>
              <message>
                'Security: Client certificates : Create a client folder'
              </message>
              <script>
                InstanceInstallDir= '%s/%s' % (DIRECTORY_INSTANCE_DIR,OPENDSNAME)
              </script>
              <call function="'createFolder'">
              {
                'location' : DIRECTORY_INSTANCE_HOST,
                'foldername' : '%s/client_cert' %InstanceInstallDir
              }
              </call>
              <message>
                'Security: Client certificates : Import 1st server certificate to client truststore'
              </message>
              <call function="'ImportCertificate'">
              {
                'certAlias' : 'server-cert1',
                'inputfile' : 'server-cert1.txt',
                'keystore'  : '%s/client_cert/clientruststore' %(InstanceInstallDir),
                'storepass' : 'clientruststorepass',
                'storetype' : 'JKS'
              }
              </call>
              <message>
                'Security: Client certificates : Import 2nd server certificate to client truststore'
              </message>
              <call function="'ImportCertificate'">
              {
                'certAlias' : 'server-cert2',
                'inputfile' : 'server-cert2.txt',
                'keystore'  : '%s/client_cert/clientruststore' %(InstanceInstallDir),
                'storepass' : 'clientruststorepass',
                'storetype' : 'JKS'
              }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
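Review bot: None of the nine helper calls in 'Create server certificates' (genCertificate, SelfSignCertificate, ExportCertificate, createFolder, ImportCertificate) is followed by a result check, whereas the 'Remove DS topology' case earlier on this page follows its helper with `checktestRC`. Unless those helpers verify RC themselves (their definitions are not shown), a failed key generation or truststore import passes here and only surfaces later as an unexplained TLS or SASL EXTERNAL failure in the suites that consume `serverkeystore` and `clientruststore`. I would add `<call function="'checktestRC'">{ 'returncode' : RC , 'result' : STAXResult }</call>` after each step. The `#@TestResult` text 'Success if test pass' should also name the concrete condition, e.g. `Success if every certificate step returns 0`.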
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_saslexternal/clus_saslexternal.xml
New file
@@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_saslexternal"/>
  <function name="clus_saslexternal">
    <sequence>
      <script>
       testList = []
       testList.append(['clus_saslexternal','clus_saslexternal_equaldn'])
       testList.append(['clus_saslexternal','clus_saslexternal_subjectdn'])
       testList.append(['clus_saslexternal','clus_saslexternal_subjectattr'])
       testList.append(['clus_saslexternal','clus_saslexternal_fingerprint'])
      </script>
      <iterate var="_test" in="testList">
        <sequence>
          <import machine="STAF_LOCAL_HOSTNAME"
                  file="'%s/testcases/clu_secure/%s/%s.xml' %
                  (TESTS_DIR,_test[0],_test[1])"/>
          <call function="'%s' % _test[1]" />
        </sequence>
      </iterate>
    </sequence>
  </function>
</stax>
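Review bot: This driver does not establish the state its suites consume, and no comment says where that state comes from. clus_saslexternal_equaldn.xml (the next file in this commit) builds every keystore path from `InstanceInstallDir` and expects the `client_cert` folder and `server-cert2` to exist, yet the only visible assignment and creation of these is in clus_jks.xml, which is not in `testList`. If a parent suite guarantees that ordering, a comment above the `<script>` should say so, e.g. `<!--- Requires clus_jks to have run: uses InstanceInstallDir, client_cert/ and serverkeystore -->`. Otherwise, running this file on its own will presumably fail on an undefined name rather than on a test assertion.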
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_saslexternal/clus_saslexternal_equaldn.xml
New file
@@ -0,0 +1,518 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_saslexternal_equaldn"/>
  <function name="clus_saslexternal_equaldn" scope="local">
    <sequence>
      <block name="'clus_saslexternal_equaldn'">
        <sequence>
           <!--- Test Suite information
            #@TestSuiteName       SASL external equal DN check behaviors
            #@TestSuitePurpose    Test the results of ldap commands in the case
                                 of sasl external.
            #@TestSuiteGroup      LDAP tools check behavior tests
            #@TestScript          clus_saslexternal_equaldn.xml
           -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Case information
          #@TestMarker          SASL external equal DN check behaviors
          #@TestName            Create certificates
          #@TestIssue           none
          #@TestPurpose         Create client certificates needed to
                                authentication
          #@TestPreamble        none
          #@TestStep            Generate certificates
          #@TestStep            Self_sign certificates
          #@TestPostamble       none
          -->
          <testcase name="getTestCaseName('Create a user certificate')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <!--- Create three client certificates-->
              <message>
              'Security : Server certicates :Step 1. Generating userbad client \
              certificate'
              </message>
              <call function="'genCertificate'">
                {
                'certAlias'       : 'client-bad-cert' ,
                'dname'           : "uid=userbad,ou=People,dc=com",
                'keystore'        : '%s/client_cert/clientkeystore' \
                                    %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'keypass'         : 'clientkeystorepass',
                'storetype'       : 'JKS'
                }
              </call>
              <message>
              'Security : Server certicates :Step 1. Generating user.100 client\
              certificate'
              </message>
              <call function="'genCertificate'">
                {
                'certAlias'       : 'client-100-cert' ,
                'dname'           : "uid=user.100,ou=People,dc=com",
                'keystore'        : '%s/client_cert/clientkeystore' \
                                  %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'keypass'         : 'clientkeystorepass',
                'storetype'       : 'JKS'
                }
              </call>
              <message>
              'Security : Server certicates :Step 1. Generating user.200 client\
              certificate'
              </message>
              <call function="'genCertificate'">
                {
                'certAlias'       : 'client-200-cert' ,
                'dname'           : "uid=user.200,ou=People,dc=com",
                'keystore'        : '%s/client_cert/clientkeystore' \
                                   %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'keypass'         : 'clientkeystorepass',
                'storetype'       : 'JKS'
                }
              </call>
              <message>
              'Security: Server Certificates :Step 2 Self-Signing userbad \
              client Certicate'
              </message>
              <call function="'SelfSignCertificate'">
                {
                'certAlias'       : 'client-bad-cert' ,
                'storepass'       : 'clientkeystorepass',
                'keypass'         : 'clientkeystorepass',
                'keystore'  : '%s/client_cert/clientkeystore' %(InstanceInstallDir),
                'storetype'       : 'JKS'
                }
              </call>
              <message>
              'Security: Server Certificates :Step 2 Self-Signing user.100 \
              client Certicate'
              </message>
              <call function="'SelfSignCertificate'">
                {
                'certAlias'       : 'client-100-cert' ,
                'storepass'       : 'clientkeystorepass',
                'keypass'         : 'clientkeystorepass',
                'keystore'        : '%s/client_cert/clientkeystore' \
                                     %(InstanceInstallDir),
                'storetype'       : 'JKS'
                }
              </call>
              <message>
               'Security: Server Certificates :Step 2 Self-Signing user.200 \
               client Certicate'
              </message>
              <call function="'SelfSignCertificate'">
               {
               'certAlias'       : 'client-200-cert' ,
               'storepass'       : 'clientkeystorepass',
               'keypass'         : 'clientkeystorepass',
               'keystore'        : '%s/client_cert/clientkeystore' \
                                   %(InstanceInstallDir),
               'storetype'       : 'JKS'
               }
              </call>
              <message>
               'Security: Server Certificates : Export all certificates to RFC'
              </message>
              <call function="'ExportCertificate'">
                {
                'certAlias'       : 'client-bad-cert' ,
                'keystore'        : '%s/client_cert/clientkeystore'\
                                    %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'outputfile'      : '%s/client_cert/client-bad-cert.txt'\
                                    %(InstanceInstallDir),
                'storetype'       : 'JKS',
                'format'          : 'rfc'
                }
              </call>
               <call function="'ExportCertificate'">
                {
                'certAlias'       : 'client-100-cert' ,
                'keystore'        : '%s/client_cert/clientkeystore'\
                                    %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'outputfile'      : '%s/client_cert/client-100-cert.txt' \
                                    %(InstanceInstallDir),
                'storetype'       : 'JKS',
                'format'          : 'rfc'
                }
              </call>
              <call function="'ExportCertificate'">
                {
                'certAlias'       : 'client-200-cert' ,
                'keystore'        : '%s/client_cert/clientkeystore'\
                                    %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'outputfile'      : '%s/client_cert/client-200-cert.txt' \
                                    %(InstanceInstallDir),
                'storetype'       : 'JKS',
                'format'          : 'rfc'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          SASL external equal DN check behaviors
          #@TestName            Subject equals DN :  servertrust
                                all certificates
          #@TestPurpose         Test subject equal DN certificate mapper with
                                blind trust
          #@TestPreamble        none
          #@TestStep            Enable subject equal DN certificate mapper
          #@TestStep            Do a ldapsearch with client-bad-cert
          #@TestStep            Do an ldapseach with client-100-cert
          #@TestPostamble       none
          #@TestResult          Success if trying to connect with
                                client-bad-cert return 'no user entry' and using
                                client-100-cert return 'authorization ID
                                dn:uid=user.100,ou=People,dc=com
          -->
          <testcase name="getTestCaseName('Subject equals DN :  server trust all client certificates')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <!--- Enable subject equal DN certificate mapper blind trust -->
              <message>
                'Security: SASL External Check behaviors: Enable SASL External \
                subject equal DN with TrustStore'
              </message>
              <call function="'configureSASL'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'createKeyMgr'     : True,
                'KeyMgr'           : 'JKSPROVIDER',
                'keystoreFile'     : 'config/serverkeystore',
                'keystorePin'      : 'keystorepass',
                'handlerName'      : 'EXTERNAL',
                'optionSaSL'       : '--set certificate-validation-policy:always',
                'certMapper'       : 'Subject Equals DN',
                'certAlias'        : 'server-cert2'
                }
              </call>
              <message>
                'Security: SASL External Check behaviors: ldapsearch client\
                certificate DN not map an entry DN'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore'\
                                     %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-bad-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.340' ,
                'dsAttributes'     : 'postalCode',
                'expectedRC'       : 49
                }
              </call>
              <message>
                'Security: SASL External Check behaviors: ldapsearch client \
                 certificate map an user entry'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-100-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.340' ,
                'dsAttributes'     : 'postalCode',
                'expectedRC'       : 49
                }
              </call>
              <call function="'addCertificate'">
                {
                'userdn'            : 'uid=user.100,ou=People,dc=com',
                'user_cert_file_rfc': '%s/client_cert/client-100-cert.txt' \
                                       %(InstanceInstallDir),
                'ldif_path'         : '%s/client_cert/client-100-cert.ldif' \
                                       %(InstanceInstallDir)
                }
              </call>
              <call function="'addCertificate'">
                {
                'userdn'            : 'uid=user.200,ou=People,dc=com',
                'user_cert_file_rfc': '%s/client_cert/client-200-cert.txt' \
                                       %(InstanceInstallDir),
                'ldif_path'         : '%s/client_cert/client-200-cert.ldif' \
                                       %(InstanceInstallDir)
                }
              </call>
              <!--- Check Subject equal DN behavior -->
              <message>
                'Security: SASL External Check behaviors: ldapsearch client \
                 certificate dn map an entry dn'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsCertNickname'  : 'client-100-cert',
                'dsFilter'         : 'uid=user.340' ,
                'dsAttributes'     : 'postalCode',
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'authorization ID dn:uid=user.100\
                ,ou=People,dc=com'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          SASL external equal DN check behaviors
          #@TestName            Subject equal DN :  server use TrustStore
          #@TestIssue           none
          #@TestPurpose         Test subject equal DN certificate mapper with
                                TrustStore
          #@TestPreamble        none
          #@TestStep            Export then import client client-200-cert into
                                server TrustStore
          #@TestStep            Enable subject equal DN certificate mapper
          #@TestStep            Do a ldapsearch with client-100-cert
          #@TestStep            Do an ldapseach with client-200-cert
          #@TestPostamble       none
          #@TestResult          Success if trying to connect with
                                client-100-cert return 'no user entry' and using
                                client200-cert return 'authorization ID
                                dn:uid=user.200,ou=People,dc=com
          -->
          <testcase name="getTestCaseName('Subject equals DN :  with TrustStore')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
               'Security: SASL External Check behaviors : export user.200 \
                certificate'
              </message>
              <message>
               'Security: Import the user.200 certificate to server TrustStore'
              </message>
              <call function="'ImportCertificate'">
               {
               'certAlias' : 'client-200-cert',
               'inputfile' : '%s/client_cert/client-200-cert.txt' \
                              %(InstanceInstallDir),
               'keystore'  : '%s/config/servertruststore' %(InstanceInstallDir),
               'storepass' : 'truststorepass',
               'storetype' : 'JKS'
               }
              </call>
              <!--- Enable subject equal DN certificate mapper with TrustStore-->
              <message>
              'Security: SASL External Check behaviors: Enable SASL External \
               subject equal DN with TrustStore'
              </message>
              <call function="'configureSASL'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'KeyMgr'           : 'JKSPROVIDER',
                'keystoreFile'     : '%s/config/serverkeystore' \
                                      %(InstanceInstallDir),
                'keystorePin'      : 'keystorepass',
                'trustMgr'         : 'JKS',
                'truststoreFile'   : '%s/config/servertruststore' \
                                      %(InstanceInstallDir),
                'truststorePin'    : 'truststorepass',
                'handlerName'      : 'EXTERNAL',
                'certMapper'       : 'Subject Equals DN',
                'certAlias'        : 'server-cert2'
                }
              </call>
              <message>
              'Security: SASL External Check behaviors: ldapsearch client \
               certificate not present in the server TrustStore'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-100-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.340' ,
                'dsAttributes'     : 'postalCode',
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Cannot send the SASL EXTERNAL bind request'
                }
              </call>
              <message>
              'Security: SASL External Check behaviors: ldapsearch client \
               certificate present in the server TrustStore'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-200-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.340' ,
                'dsAttributes'     : 'postalCode',
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'authorization ID dn:uid=user.200,\
                ou=People,dc=com'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
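Review bot: The 'Subject equals DN : with TrustStore' testcase depends on settings left behind by the previous testcase, but neither sets nor documents them. Its `configureSASL` call omits `optionSaSL`, so whether `certificate-validation-policy:always` is still in force depends on how configureSASL handles a missing option (not shown); if it is, the expected success for client-200-cert also relies on the `addCertificate` for user.200 performed in the trust-all testcase. I would repeat `'optionSaSL' : '--set certificate-validation-policy:always',` in the second call so the case states the policy it is testing. The `#@TestResult` text should also be aligned with the checks: it promises 'no user entry' for client-100-cert, while the assertion looks for 'Cannot send the SASL EXTERNAL bind request' with `'expectedRC' : 'noCheck'`, so any failure that prints that string satisfies the rejection check.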
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_saslexternal/clus_saslexternal_fingerprint.xml
New file
@@ -0,0 +1,573 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_saslexternal_fingerprint"/>
  <function name="clus_saslexternal_fingerprint" scope="local">
    <sequence>
      <block name="'clus_saslexternal_fingerprint'">
        <sequence>
          <!--- Test Suite information
            #@TestSuiteName       SASL external fingerprint mapper
                                  check behaviors
            #@TestSuitePurpose    Test the results of ldap commands in the case
                                  of fingerprint mapper
            #@TestSuiteGroup      ldapdmodify check behavior tests
            #@TestScript          clus_saslexternal_fingerprint.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Case information
          #@TestMarker          SASL external fingerprint blind trust
                                check behaviors
          #@TestName            Fingerprint to user attribute :
                                server trust all client certificates
          #@TestPurpose         Test  fingerprint certificate mapper
                                with blind trust
          #@TestPreamble        none
          #@TestStep            Create a client-350-cert with dname
                                "uid=user.350,ou=People,dc=com"
          #@TestStep            Configure fingerprint certificate mapper
                                with blind trust
          #@TestStep            Make a ldapsearch using client-350-cert :
                                should fail
          #@TestStep            Add client-350-cert fingerprint to
                                user.350 attribute
          #@TestStep            Make a ldapsearch using client-350-cert :
                                should success
                                return "Anatoly"
          #@TestStep            Allow user.350 to delete user.42*
          #@TestStep            Make a ldapdelete using client-350-cert :
                                should success
          #@TestStep            Make a ldapseach using client-350-cert :
                                should success
                                return "total number of matching entries: 0"
          #@TestPostamble       none
          #@TestResult          Success if ldapseach after delete return
                                "Total number of matching entries: 0"
         -->
          <testcase name="getTestCaseName('Fingerprint to user attribute :  server trust all client certificates ')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <!-- Create user.350 Certificate -->
              <message>
               'SASL External : Client certicate :Step 1. Generating user.350 \
                client certificate'
              </message>
              <call function="'genCertificate'">
                {
                'certAlias'       : 'client-350-cert' ,
                'dname'           : "uid=user.350,ou=People,dc=com",
                'keystore'        : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'keypass'         : 'clientkeystorepass',
                'storetype'       : 'JKS'
                }
              </call>
              <message>
               'SASL External: Client certicate :Step 2. Self-Signing user.350 \
                client Certicate'
              </message>
              <call function="'SelfSignCertificate'">
                {
                'certAlias'       : 'client-350-cert' ,
                'storepass'       : 'clientkeystorepass',
                'keypass'         : 'clientkeystorepass',
                'keystore'        : '%s/client_cert/clientkeystore' \
                                     %(InstanceInstallDir),
                'storetype'       : 'JKS'
                }
              </call>
              <message>
               'SASL External: export : export user.350 certificate'
              </message>
              <call function="'ExportCertificate'">
              {
                'certAlias'       : 'client-350-cert' ,
                'keystore'        : '%s/client_cert/clientkeystore' \
                                     %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'outputfile'      : '%s/client_cert/client-350-cert.txt'\
                                     %(InstanceInstallDir),
                'storetype'       : 'JKS',
                'format'          : 'rfc'
                }
              </call>
              <call function="'addCertificate'">
                {
                'userdn'            : 'uid=user.350,ou=People,dc=com',
                'user_cert_file_rfc': '%s/client_cert/client-350-cert.txt' \
                                       %(InstanceInstallDir),
                'ldif_path'         : '%s/client_cert/client-350-cert.ldif' \
                                       %(InstanceInstallDir)
                }
              </call>
              <!--- Enable Subject DN to user attribute with blind trust-->
              <message>
             'SASL External: configure :  Enable subject DN to user attribute \
              with blind trust'
              </message>
              <call function="'configureSASL'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'KeyMgr'           : 'JKSPROVIDER',
                'keystoreFile'     : 'config/serverkeystore',
                'keystorePin'      : 'keystorepass',
                'handlerName'      : 'EXTERNAL',
                'certMapper'       : 'Fingerprint Mapper',
                'optionSaSL'       : '--set certificate-validation-policy:always',
                'certAlias'        : 'server-cert2'
                }
              </call>
              <message>
              'SASL External: Test fingerpint mapper : try to connect with \
               user.120 certificate'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword': 'clientkeystorepass',
                'dsCertNickname'   : 'client-120-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.585' ,
                'dsAttributes'     : 'givenName',
                'expectedRC'       : 49
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Invalid Credentials'
                }
              </call>
               <!-- get the fingerprint for user.350 -->
              <call function="'getFingerprint'">
                 {
                 'certAlias' : 'client-350-cert',
                 'storepass' : 'clientkeystorepass',
                 'keystore'  : '%s/client_cert/clientkeystore' \
                                %(InstanceInstallDir)
                 }
              </call>
              <script>
                STAXCode = RC
                certificateResult = STAXResult[0][1]
              </script>
              <script>
                string_len=len(certificateResult)
                index_MD5=certificateResult.find("MD5:")
                index_SHA1=certificateResult.find("SHA1:")
                index_Signature=certificateResult.find\
                ("Signature algorithm name:")
                MD5_fingerprint_user350=certificateResult\
                [index_MD5+5:index_SHA1].strip()
                if index_Signature == -1:
                  SHA1_fingerprint_user350=certificateResult\
                  [index_SHA1+5:string_len].strip()
                else:
                  SHA1_fingerprint_user350=certificateResult\
                  [index_SHA1+5:index_Signature].strip()
              </script>
              <message>
                'SASL External: configure :  add ds-certificate-fingerprint \
                attribute in user.350 entry'
              </message>
              <call function="'modifyAnAttribute'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'       : 'uid=user.350,ou=people,dc=com',
                'attributeName'    : 'ds-certificate-fingerprint',
                'newAttributeValue': MD5_fingerprint_user350,
                'changetype'       : 'add',
                'expectedRC'       :  0
                }
              </call>
              <!---Test Subject DN to user attribute ldapdelete behaviors -->
              <message>
                'SASL External: Test fingerpint mapper : try to connect with \
                user.350 certificate'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-350-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.420' ,
                'dsAttributes'     : 'givenName',
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Anitra'
                }
              </call>
              <message>
                'SASL External: aci : allow permission delete for user.350'
              </message>
              <script>
                aci_allowdelete = 'clu_secure/clus_sasl_allowdelete.ldif'
              </script>
              <call function="'ldapModifyWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT,
                'dsFilename'       : '%s/%s' % (remote.data,aci_allowdelete),
                'expectedRC'       : 0
                }
              </call>
              <message>
                'SASL External: ldapdelete : delete user.420'
              </message>
              <call function="'ldapDeleteWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-350-cert',
                 'dsDn'            : ['uid=user.420,ou=people,dc=com'],
                'expectedRC'       : 0
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-350-cert',
                'dsCountEntries'   : 'True' ,
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'        : 'dc=com' ,
                'dsFilter'         : 'uid=user.420' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 0'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          SASL external fingerprint TrustStore
                                check behaviors
          #@TestName            Fingerprint to user attribute :
                                server use TrustStore
          #@TestPurpose         Test  fingerprint certificate mapper
                                withTrustStore
          #@TestPreamble        none
          #@TestStep            Configure fingerprint certificate mapper
                                with TrustStore
          #@TestStep            Make a ldapdelete using client-350-cert :
                                should fail
          #@TestStep            Add client-350-cert certificate
                                into server TrustStore
          #@TestStep            Make a ldapsearch using client-350-cert :
                                should success
                                return "Total number of matching entries: 1"
          #@TestStep            Make a ldapdelete using client-350-cert :
                                should success
          #@TestStep            Make a ldapseach using client-350-cert :
                                should success
                                return "total number of matching entries: 0"
          #@TestPostamble       none
          #@TestResult          Success if ldapseach after delete return
                                "Total number of matching entries: 0"
         -->
          <testcase name="getTestCaseName('Fingerprint mapper:  with trust file manager')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <!--- Test SASL External Subject DN to user attribute with truststore -->
              <message>
             'SASL External: configure :  Enable subject SN to user attribute \
              with TrustStore file'
              </message>
              <call function="'configureSASL'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'KeyMgr'           : 'JKSPROVIDER',
                'optionSaSL'       : '--set certificate-validation-policy:always',
                'keystoreFile'     : 'config/serverkeystore',
                'keystorePin'      : 'keystorepass',
                'trustMgr'         : 'JKS',
                'truststoreFile'   : 'config/servertruststore',
                'truststorePin'    : 'truststorepass',
                'handlerName'      : 'EXTERNAL',
                'certMapper'       : 'Fingerprint mapper',
                'certAlias'        : 'server-cert2'
                }
              </call>
              <message>
              'SASL External: ldapdelete : delete allow but certificate not in \
               TrustStore'
              </message>
              <call function="'ldapDeleteWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-350-cert',
                'dsDn'             : ['uid=user.421,ou=people,dc=com'],
                'expectedRC'       : 81
                }
              </call>
             <!--- Add the user.350 certificate to the server truststore -->
              <message>
               'SASL External: import : import user.350 certificate to server \
                truststore'
              </message>
              <call function="'ImportCertificate'">
                {
                'certAlias' : 'client-350-cert',
                'inputfile' : '%s/client_cert/client-350-cert.txt' \
                               %(InstanceInstallDir),
                'keystore'  : '%s/config/servertruststore' %(InstanceInstallDir),
                'storepass' : 'truststorepass',
                'storetype' : 'JKS'
                }
              </call>
              <message>
               'SASL External: restart LDAPS connection handler to re-read trustore'
              </message>
              <call function="'dsconfig'">
                { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                  'subcommand'     : 'set-connection-handler-prop',
                  'objectType'     : 'handler-name' ,
                  'objectName'     : 'LDAPS Connection Handler',
                  'optionsString'  : '--set enabled:false' ,
                  'expectedRC'     : 0
                }
              </call>
              <call function="'dsconfig'">
                { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                  'subcommand'     : 'set-connection-handler-prop',
                  'objectType'     : 'handler-name' ,
                  'objectName'     : 'LDAPS Connection Handler',
                  'optionsString'  : '--set enabled:true' ,
                  'expectedRC'     : 0
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-350-cert',
                'dsCountEntries'   : 'True' ,
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.421' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 1'
                }
              </call>
              <message>
             'SASL External: ldapdelete : delete user.421'
              </message>
              <call function="'ldapDeleteWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-350-cert',
                 'dsDn'            : ['uid=user.421,ou=people,dc=com'],
                'expectedRC'       : 0
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-350-cert',
                'dsReportAuthzID'  : ' ',
                'dsCountEntries'   : 'True' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.421' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 0'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
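Review bot: The rejection check in the first test case (the `ldapSearchWithScript` call that expects RC 49) presents `'dsCertNickname'   : 'client-120-cert',`, while the documented step says client-350-cert should fail, so the suite never shows that the certificate under test is refused before its fingerprint is stored on user.350. client-120-cert is not generated anywhere in this file, so that negative result presumably depends on another suite having left it in the client keystore. I would change the line to `'dsCertNickname'   : 'client-350-cert',` and correct the preceding message, which also says user.120. Separately, only `MD5_fingerprint_user350` is written to `ds-certificate-fingerprint`; `SHA1_fingerprint_user350` is computed and never used, so the mapper is exercised with the weaker digest only. The slicing script also never checks `find()` for -1, so if the tool output has no `MD5:` line an arbitrary substring would be stored as the fingerprint; a guard that fails the test case at that point would make the cause visible.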
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_saslexternal/clus_saslexternal_subjectattr.xml
New file
@@ -0,0 +1,541 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_saslexternal_subjectattr"/>
  <function name="clus_saslexternal_subjectattr" scope="local">
    <sequence>
      <block name="'clus_saslexternal_subjectattr'">
        <sequence>
          <!--- Test Suite information
            #@TestSuiteName       SASL external subject attribute
                                  to user attribute check behavior tests
            #@TestSuitePurpose    Test the results of ldap commands in the case
                                  of subject attribute to user attribute
            #@TestSuiteGroup      ldapdmodify check behavior tests
            #@TestScript          clus_saslexternal_subjectattr.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
         <!--- Test Case information
          #@TestMarker          SASL external subject attribute
                                to user attribute blind trust check behaviors
          #@TestName            Subject attribute to user attribute :
                                server trust all certificates
          #@TestPurpose         Test  attribute to user attribute certificate
                                mapper with blind trust
          #@TestPreamble        none
          #@TestStep            Create a client-120-cert with dname
                                "CN=Aileen Akita,OU=people,L=Saint Louis,C=com"
          #@TestStep            Configure subject attribute to user attribute
                                certificate mapper with blind trust
          #@TestStep            Try a ldapmodify using client-250-cert :
                                should fail
          #@TestStep            Make a ldapsearch using client-120-cert :
                                should success
                                return "user.120@maildomain.net"
          #@TestStep            Make a ldapmodify using client-120-cert :
                                should success
          #@TestStep            Make a ldapsearch using client-120-cert :
                                should success
                                return "user.120@sundomain.net"
          #@TestPostamble       none
          #@TestResult          Success if the "mail" value is user.120@sun.com
         -->
          <testcase name="getTestCaseName
          ('Subject attribute to user attribute : server trust all client certificates')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <!--- Generate user.120 certificate-->
              <message>
               'SASL External : Client certicate :Step 1. Generating user.120 \
                client certificate'
              </message>
              <call function="'genCertificate'">
                {
                'certAlias'   : 'client-120-cert' ,
                'dname'       : "CN=Aileen Akita,OU=people,L=Saint Louis,C=com",
                'keystore':'%s/client_cert/clientkeystore' %(InstanceInstallDir),
                'storepass'   : 'clientkeystorepass',
                'keypass'     : 'clientkeystorepass',
                'storetype'   : 'JKS'
                }
              </call>
              <message>
               'SASL External: Client certicate :Step 2. Self-Signing user.120 \
                client Certicate'
              </message>
              <call function="'SelfSignCertificate'">
                {
                'certAlias'       : 'client-120-cert' ,
                'storepass'       : 'clientkeystorepass',
                'keypass'         : 'clientkeystorepass',
                'keystore':'%s/client_cert/clientkeystore'%(InstanceInstallDir),
                'storetype'       : 'JKS'
                }
              </call>
              <message>
               'SASL External: export : export user.120 certificate'
              </message>
              <call function="'ExportCertificate'">
                {
                'certAlias'       : 'client-120-cert' ,
                'keystore'        : '%s/client_cert/clientkeystore' \
                                     %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'outputfile'      : '%s/client_cert/client-120-cert.txt'\
                                     %(InstanceInstallDir),
                'storetype'       : 'JKS',
                'format'          : 'rfc'
                }
              </call>
              <message>
               'SASL External: add : add certificate to user attribute'
              </message>
              <call function="'addCertificate'">
                {
                'userdn'            : 'uid=user.120,ou=People,dc=com',
                'user_cert_file_rfc': '%s/client_cert/client-120-cert.txt' \
                                       %(InstanceInstallDir),
                'ldif_path'         : '%s/client_cert/client-120-cert.ldif' \
                                       %(InstanceInstallDir)
                }
              </call>
              <!--- Test SASL External Subject attribute to user attribute
                    with blind trust -->
              <message>
             'SASL External: configure :  Enable subject attribute to user \
              attribute with blind trust'
              </message>
              <call function="'configureSASL'">
                {
                'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                'KeyMgr'         : 'JKSPROVIDER',
                'keystoreFile'   : 'config/serverkeystore',
                'keystorePin'    : 'keystorepass',
                'handlerName'    : 'EXTERNAL',
                'certMapper'     : 'Subject Attribute to User Attribute',
                'optionMapper'   : '--set subject-attribute-mapping:cn:cn ',
                'optionSaSL'     : '--set certificate-validation-policy:always',
                'certAlias'      : 'server-cert2'
                }
              </call>
              <call function="'dsconfig'">
                {
                'location'       : location ,
                'dsPath'         : dsPath ,
                'dsInstanceHost' : dsInstanceHost ,
                'dsInstanceAdminPort' : dsInstanceAdminPort ,
                'dsInstanceDn'   : dsInstanceDn ,
                'dsInstancePswd' : dsInstancePswd ,
                'subcommand'     : 'set-certificate-mapper-prop',
                'objectType'     : 'mapper-name' ,
                'objectName'     : 'Subject Attribute to User Attribute',
                'optionsString':'--add subject-attribute-mapping:l:l --no-prompt',
                'expectedRC'     : 0
                }
              </call>
              <message>
              'SASL External: ldapmodify : subject attributes not map any \
               user attributes'
              </message>
              <script>
              telnumbermodify = 'clu_secure/clus_sasl_ldapmodify.ldif'
              </script>
              <call function="'ldapModifyWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsReportAuthzID'  : ' ',
                'dsCertNickname'   : 'client-250-cert',
                'dsFilename'       : '%s/%s' % (remote.data,telnumbermodify),
                'expectedRC'       : 49
                }
              </call>
              <!---Subject attribute to user attribute ldapmodify
                   check behaviors-->
              <message>
              'SASL External: ldapmodify : subject attributes map an \
               user attributes'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-120-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.120' ,
                'dsAttributes'     : 'telephoneNumber',
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'telephoneNumber: \+1 420 810 8882'
                }
              </call>
              <call function="'ldapModifyWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsReportAuthzID'  : ' ',
                'dsCertNickname'   : 'client-120-cert',
                'dsFilename'       : '%s/%s' % (remote.data,telnumbermodify),
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Bound with authorization ID \
                dn:uid=user.120,ou=People,dc=com'
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-120-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.120' ,
                'dsAttributes'     : 'telephoneNumber',
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'telephoneNumber: \+1 420 810 8800'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          SASL external subject attribute to user
                                attribute with trust store check behaviors
          #@TestName            Subject attribute to user attribute :
                                server trust store
          #@TestPurpose         Test  subject attribute to user attribute
                                certificate mapper with trust store
          #@TestPreamble        none
          #@TestStep            Configure subject attribute to user attribute
                                certificate mapper with trust store
          #@TestStep            Try a ldapmodify using client-120-cert :
                                should fail
          #@TestStep            Export-Import client-120-cert into server trust
                                store
          #@TestStep            Make a ldapsearch using client-120-cert :
                                should success
                                return "74219"
          #@TestStep            Make a ldapmodify using client-120-cert :
                                should success
          #@TestStep            Make a ldapsearch using client-120-cert :
                                should success
                                return "38000"
          #@TestPostamble       none
          #@TestResult          Success if the "postalCode" value is 38000
         -->
          <testcase name="getTestCaseName('Subject attribute to user attribute :  with trust file manager')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <!--- Test SASL External Subject attribute to user attribute with
                    truststore -->
              <message>
             'SASL External: configure :  Enable subject attribute to user \
              attribute with trust store file'
              </message>
              <call function="'configureSASL'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'KeyMgr'           : 'JKSPROVIDER',
                'keystoreFile'     : 'config/serverkeystore',
                'truststoreFile'   : 'config/servertruststore',
                'keystorePin'      : 'keystorepass',
                'trustMgr'         : 'JKS',
                'truststorePin'    : 'truststorepass',
                'handlerName'      : 'EXTERNAL',
                'certMapper'       : 'Subject Attribute to User Attribute',
                'optionSaSL'       : '--set certificate-validation-policy:always',
                'certAlias'        : 'server-cert2'
                }
              </call>
              <message>
              'SASL External: ldapmodify test: client certificate not present \
               in the server trust store'
              </message>
              <script>
                postalcodemodify='clu_secure/clus_sasl_ldapmodify2.ldif'
              </script>
              <call function="'ldapModifyWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-120-cert',
                'dsReportAuthzID'  : ' ',
                'dsFilename'       : '%s/%s' % (remote.data,postalcodemodify),
                'expectedRC'       : 81
                }
              </call>
              <!--- Add the user.120 certificate to the server truststore -->
              <message>
               'SASL External: import : import user.120 certificate to server \
                truststore'
              </message>
              <call function="'ImportCertificate'">
                {
                'certAlias' : 'client-120-cert',
                'inputfile' : '%s/client_cert/client-120-cert.txt' \
                               %(InstanceInstallDir),
                'keystore'  : '%s/config/servertruststore' %(InstanceInstallDir),
                'storepass' : 'truststorepass',
                'storetype' : 'JKS'
                }
              </call>
              <message>
               'SASL External: restart LDAPS connection handler to re-read trustore'
              </message>
              <call function="'dsconfig'">
                { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                  'subcommand'     : 'set-connection-handler-prop',
                  'objectType'     : 'handler-name' ,
                  'objectName'     : 'LDAPS Connection Handler',
                  'optionsString'  : '--set enabled:false' ,
                  'expectedRC'     : 0
                }
              </call>
              <call function="'dsconfig'">
                { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                  'subcommand'     : 'set-connection-handler-prop',
                  'objectType'     : 'handler-name' ,
                  'objectName'     : 'LDAPS Connection Handler',
                  'optionsString'  : '--set enabled:true' ,
                  'expectedRC'     : 0
                }
              </call>
              <!---ldapmodify check behaviors with truststore-->
              <message>
              'SASL External: ldapmodify test: client certificate present in \
               the server trust store'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-120-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.120' ,
                'dsAttributes'     : 'postalCode',
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : '74219'
                }
              </call>
              <call function="'ldapModifyWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-120-cert',
                'dsReportAuthzID'  : ' ',
                'dsFilename'       : '%s/%s' % (remote.data,postalcodemodify),
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Bound with authorization ID \
                dn:uid=user.120,ou=People,dc=com'
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-120-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.120' ,
                'dsAttributes'     : 'postalCode',
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : '38000'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
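Review bot: The `dsconfig` call that adds `subject-attribute-mapping:l:l` in the first test case passes `location`, `dsPath`, `dsInstanceHost`, `dsInstanceAdminPort`, `dsInstanceDn` and `dsInstancePswd` as bare names that this function never binds, whereas the two later `dsconfig` calls and every other call in the file use the `DIRECTORY_INSTANCE_*` globals. Unless those names are set elsewhere in the job (not visible on this page), the step either fails or configures whichever instance they were last bound to, so the certificate mapper the later bind assertions rely on may not be the one that was changed. I would pass `'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,`, `'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,` and `'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,` and drop the other three keys, as the later calls do. The header comment of that test case also still describes `mail` values (`user.120@maildomain.net`, `user.120@sun.com`) while the steps assert `telephoneNumber`, so its `#@TestStep` and `#@TestResult` lines should be rewritten to name the attribute and values actually checked.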
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_saslexternal/clus_saslexternal_subjectdn.xml
New file
@@ -0,0 +1,464 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_saslexternal_subjectdn"/>
  <function name="clus_saslexternal_subjectdn" scope="local">
    <sequence>
      <block name="'clus_saslexternal_subjectdn'">
        <sequence>
           <!--- Test Suite information
            #@TestSuiteName       SASL external subject DN to user attribute \
                                  check behaviors
            #@TestSuitePurpose    Test the results of ldap commands in the case
                                  of sasl external.
            #@TestSuiteGroup      ldapcompare check behavior tests
            #@TestScript          clus_saslexternal_subjectdn.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Case information
          #@TestMarker          SASL external subject DN to user attribute
                                check behaviors
          #@TestName            Subject subject DN :  server trust all
                                certificates
          #@TestPurpose         Test subject subject DN certificate mapper with
                                blind trust
          #@TestPreamble        none
          #@TestStep            Enable subject DN to user attribute
                                certificate mapper
          #@TestStep            Do a ldapsearch with client-200-cert
          #@TestStep            Create client-250_cert with
                                ds-certificate-subject-dn:uid=user.250,
                                ou=People,dc=com
          #@TestStep            Compare using client-250-cert
          #@TestPostamble       none
          #@TestResult          Success if ldapcompare with client-200-cert
                                return 'Invalid credentials' and using
                                client-250-cert return 'authorization ID
                                dn:uid=user.250,ou=People,dc=com'
          -->
          <testcase name="getTestCaseName('Subject DN to user attribute :  server trust all client certificates ')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <!--- Enable Subject DN to user attribute with blind trust-->
              <message>
               'SASL External: configure :  Enable subject DN to user attribute \
                with blind trust'
              </message>
              <call function="'configureSASL'">
                {
                'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                'KeyMgr'         : 'JKSPROVIDER',
                'keystoreFile'   : 'config/serverkeystore',
                'keystorePin'    : 'keystorepass',
                'handlerName'    : 'EXTERNAL',
                'certMapper'     : 'Subject DN to User Attribute',
                'optionSaSL'     : '--set certificate-validation-policy:always',
                'certAlias'      : 'server-cert2'
                }
              </call>
              <message>
              'SASL External: Test subject DN : try to connect with user.200 \
               certificate'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-200-cert',
                'dsReportAuthzID'  : ' ',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.585' ,
                'dsAttributes'     : 'givenName',
                'expectedRC'       : 49
                }
              </call>
              <!---Test Subject DN to user attribute ldapcompare-->
              <message>
               'SASL External : Client certicate :Step 1. Generating user.250 \
                client certificate'
              </message>
              <call function="'genCertificate'">
                {
                'certAlias'       : 'client-250-cert' ,
                'dname'           : "uid=user.250,ou=People,dc=com",
                'keystore':'%s/client_cert/clientkeystore' %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'keypass'         : 'clientkeystorepass',
                'storetype'       : 'JKS'
                }
              </call>
              <message>
               'SASL External: Client certicate :Step 2. Self-Signing user.250 \
                client Certicate'
              </message>
              <call function="'SelfSignCertificate'">
                {
                'certAlias'       : 'client-250-cert' ,
                'storepass'       : 'clientkeystorepass',
                'keypass'         : 'clientkeystorepass',
                'keystore':'%s/client_cert/clientkeystore' %(InstanceInstallDir),
                'storetype'       : 'JKS'
                }
              </call>
              <message>
               'SASL External: export : export user.250 certificate'
              </message>
              <call function="'ExportCertificate'">
                {
                'certAlias'       : 'client-250-cert' ,
                'keystore'        : '%s/client_cert/clientkeystore' \
                                     %(InstanceInstallDir),
                'storepass'       : 'clientkeystorepass',
                'outputfile'      : '%s/client_cert/client-250-cert.txt' \
                                     %(InstanceInstallDir),
                'storetype'       : 'JKS',
                'format'          : 'rfc'
                }
              </call>
              <call function="'addCertificate'">
                {
                'userdn'            : 'uid=user.250,ou=People,dc=com',
                'user_cert_file_rfc': '%s/client_cert/client-250-cert.txt' \
                                       %(InstanceInstallDir),
                'ldif_path'         : '%s/client_cert/client-250-cert.ldif' \
                                       %(InstanceInstallDir)
                }
              </call>
              <message>
               'SASL External: configure :  add ds-certificate-subject-dn \
                attribute in user.250 entry'
              </message>
              <script>
                addsubjectdnattribute = \
                'clu_secure/clus_sasl_addsubjectdnattribute.ldif'
              </script>
              <call function="'ldapModifyWithScript'">
              {
              'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
              'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
              'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
              'dsInstancePort'   : DIRECTORY_INSTANCE_PORT,
              'dsFilename'       : '%s/%s' % (remote.data,addsubjectdnattribute),
              'expectedRC'       : 0
              }
              </call>
              <message>
                'SASL External: ldapcompare : compare different values'
              </message>
              <script>
                dncompare = 'uid=user.320,ou=people,dc=com'
              </script>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-250-cert',
                'dsDn'             : ['street: 0901 Chestnut Street' ,'%s' \
                                      %dncompare],
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned false'
                }
              </call>
              <message>
              'SASL External: ldapcompare :compare value is true'
              </message>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-250-cert',
                'dsDn'             : ['street: 30901 Chestnut Street' ,'%s' \
                                      %dncompare] ,
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned true'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          SASL external subject DN to user attribute
                                check behaviors
          #@TestName            Subject subject DN :  server TrustStore
          #@TestPurpose         Test subject subject DN certificate mapper with
                                TrustStore
          #@TestPreamble        none
          #@TestStep            Enable subject DN to user attribute certificate
                                mapper with TrustStore
          #@TestStep            Do a ldapsearch with client-250-cert
          #@TestStep            Export and import client-250_cert into server
                                TrustStore
          #@TestStep            Compare using client-250-cert
          #@TestPostamble       none
          #@TestResult          Success if ldapcompare with client-250-cert
                                fail before import-export and return
                                'authorization ID
                                dn:uid=user.250,ou=People,dc=com after
          -->
          <testcase name="getTestCaseName('Subject DN to user attribute :  with trust file manager')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <!--- Test SASL External Subject DN to user attribute with truststore -->
              <message>
                'SASL External: configure :  Enable subject SN to user attribute \
                with TrustStore file'
              </message>
              <call function="'configureSASL'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'KeyMgr'           : 'JKSPROVIDER',
                'optionSaSL'     : '--set certificate-validation-policy:always',
                'keystoreFile'     : 'config/serverkeystore',
                'keystorePin'      : 'keystorepass',
                'trustMgr'         : 'JKS',
                'truststoreFile'   : 'config/servertruststore',
                'truststorePin'    : 'truststorepass',
                'handlerName'      : 'EXTERNAL',
                'certMapper'       : 'Subject DN to User Attribute',
                'certAlias'        : 'server-cert2'
                }
              </call>
              <message>
                'SASL External: ldapcompare :compare value true but certificate \
                not in truststore'
              </message>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-250-cert',
                'dsDn'             : ['street: 59000 Ridge Street' ,'%s' \
                                      %dncompare] ,
                'expectedRC'       : 81
                }
              </call>
              <!--- Add the user.250 certificate to the server truststore -->
              <message>
                'SASL External: import : import user.250 certificate to server \
                truststore'
              </message>
              <call function="'ImportCertificate'">
                {
                'certAlias' : 'client-250-cert',
                'inputfile' : '%s/client_cert/client-250-cert.txt'\
                               %(InstanceInstallDir),
                'keystore'  : '%s/config/servertruststore' %(InstanceInstallDir),
                'storepass' : 'truststorepass',
                'storetype' : 'JKS'
                }
              </call>
              <message>
               'SASL External: restart LDAPS connection handler to re-read trustore'
              </message>
              <call function="'dsconfig'">
                { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                  'subcommand'     : 'set-connection-handler-prop',
                  'objectType'     : 'handler-name' ,
                  'objectName'     : 'LDAPS Connection Handler',
                  'optionsString'  : '--set enabled:false' ,
                  'expectedRC'     : 0
                }
              </call>
              <call function="'dsconfig'">
                { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                  'subcommand'     : 'set-connection-handler-prop',
                  'objectType'     : 'handler-name' ,
                  'objectName'     : 'LDAPS Connection Handler',
                  'optionsString'  : '--set enabled:true' ,
                  'expectedRC'     : 0
                }
              </call>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-250-cert',
                'dsDn'             : ['street: 3001 Chestnut Street' ,'%s' \
                                     %dncompare],
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned false'
                }
              </call>
              <message>
                'SASL External: ldapcompare :compare true certificate not in \
                truststore'
              </message>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsUseSASLExternal': ' ',
                'dsKeyStorePath'   : '%s/client_cert/clientkeystore' \
                                      %(InstanceInstallDir),
                'dsKeyStorePassword' : 'clientkeystorepass',
                'dsCertNickname'   : 'client-250-cert',
                'dsDn'             : ['street: 30901 Chestnut Street' ,'%s' \
                                     %dncompare] ,
                'expectedRC'       : 0
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned true'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_setup.xml
New file
@@ -0,0 +1,188 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_setup" />
  <function name="clus_setup">
    <sequence>
      <block name="'clus_setup'">
        <sequence>
          <!--- Test Suite information
            #@TestSuiteName       setup
            #@TestSuitePurpose    Setup for the clus_secure test suite
            #@TestSuiteGroup      setup
            #@TestScript          clus_setup.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Case information
            #@TestMarker          setup
            #@TestName            setup: create DS topology
            #@TestIssue           none
            #@TestPurpose         Create the topology necessary to the
                                  test suite.
            #@TestPreamble        none
            #@TestStep            Create DS topology as described in config.py.
            #@TestPostamble       none
            #@TestResult          Success if createTopology returns 0.
          -->
          <testcase name="getTestCaseName('Create DS topology')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Create DS topology as described in config.py'
              </message>
              <call function="'createTopology'">
                { 'initialiseInstance' : False }
              </call>
              <call function="'checktestRC'">
                {
                'returncode' : RC ,
                'result'     : STAXResult
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
            #@TestMarker          setup
            #@TestName            setup: adding initial entries
            #@TestIssue           none
            #@TestPurpose         Load the data needed by the test suite.
            #@TestPreamble        none
            #@TestStep            Load the data needed by the test suite.
            #@TestPostamble       none
            #@TestResult          Success if importLdif returns 0.
          -->
          <testcase name="getTestCaseName('Load data')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Add initial entries'
              </message>
              <call function="'importLdif'">
                {
                'ldifFile'    : '%s/clu_secure/clus_start.ldif'
                                % remote.data
                }
              </call>
              <call function="'checktestRC'">
                {
                'returncode' : RC ,
                'result'     : STAXResult
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
            #@TestMarker          setup
            #@TestName            setup: start DS
            #@TestIssue           none
            #@TestPurpose         Start DS.
            #@TestPreamble        none
            #@TestStep            Start DS.
            #@TestPostamble       none
            #@TestResult          Success if StartDsWithScript returns 0.
          -->
          <testcase name="getTestCaseName('Start DS')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Start DS to run on port %s' % (DIRECTORY_INSTANCE_PORT)
              </message>
              <!--- Start DS -->
              <call function="'StartDsWithScript'">
                { 'location' : STAF_REMOTE_HOSTNAME }
              </call>
              <call function="'checktestRC'">
                {
                'returncode' : RC ,
                'result'     : STAXResult
                }
              </call>
              <!--- Check that DS started -->
              <call function="'isAlive'">
                {
                'noOfLoops'        : 5 ,
                'noOfMilliSeconds' : 2000
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
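Review bot: The `isAlive` call in the 'Start DS' test case (5 loops of 2000 ms) has no `checktestRC` after it, unlike the `StartDsWithScript` call just above. Unless `isAlive` records the test status itself, which is not visible in this file, a server that never answers would still leave setup green, and the failure would only show up later as connection errors in the SSL and SASL suites that depend on it. I would add `<call function="'checktestRC'">{ 'returncode' : RC , 'result' : STAXResult }</call>` after the `isAlive` call. The header comment should also gain a `#@TestStep            Check that DS is alive.` line so the documented steps match what the test case does.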
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl.xml
New file
@@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_ssl" />
  <function name="clus_ssl">
    <sequence>
      <script>
        testList = []
        testList.append(['clus_ssl','clus_ssl_setup'])
        testList.append(['clus_ssl','clus_ssl_ldapsearch'])
        testList.append(['clus_ssl','clus_ssl_ldapmodify'])
        testList.append(['clus_ssl','clus_ssl_ldappasswdmodify'])
        testList.append(['clus_ssl','clus_ssl_ldapcompare'])
        testList.append(['clus_ssl','clus_ssl_ldapdelete'])
        testList.append(['clus_ssl','clus_ssl_cleanup'])
      </script>
      <iterate var="_test" in="testList">
        <sequence>
          <import machine="STAF_LOCAL_HOSTNAME"
                  file="'%s/testcases/clu_secure/%s/%s.xml' %
                  (TESTS_DIR,_test[0],_test[1])"/>
          <call function="'%s' % _test[1]" />
        </sequence>
      </iterate>
    </sequence>
  </function>
</stax>
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_cleanup.xml
New file
@@ -0,0 +1,85 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_ssl_cleanup"/>
  <function name="clus_ssl_cleanup" scope="local">
    <sequence>
      <block name="'clus_ssl_cleanup'">
        <sequence>
           <!--- Test Suite information
           #@TestSuiteName       clean up ssl
           #@TestSuitePurpose    unconfigure ssl
           #@TestSuiteGroup      clean up ssl
           #@TestScript          clus_ssl_cleanup.xml
           -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <testcase name="getTestCaseName('Disable SSL blind trust')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
              'Security: SSL Check behaviors: Disable SSL blind trust'
              </message>
              <call function="'unconfigureSSL'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'customKeyMgr'     : 'JKSPROVIDER',
                }
              </call>
               <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
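Review bot: The `unconfigureSSL` call in 'Disable SSL blind trust' passes no `expectedRC` and has no `checktestRC` after it. Unless the helper checks its own result (not visible here), a failed cleanup passes silently and the instance keeps the test SSL and key manager configuration for whatever suite runs next. I would follow the call with `<call function="'checktestRC'">{ 'returncode' : RC , 'result' : STAXResult }</call>`, as clus_setup.xml does. This is also the only test case in these files without a `Test Case information` comment, and its name mentions client blind trust while the call removes server-side configuration. A header with `#@TestPurpose         Unconfigure SSL on the server` and `#@TestResult          Success if unconfigureSSL returns 0` would make the intent clear.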
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_ldapcompare.xml
New file
@@ -0,0 +1,220 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_ssl_ldapcompare"/>
  <function name="clus_ssl_ldapcompare" scope="local">
    <sequence>
      <block name="'clus_ssl_ldapcompare'">
        <sequence>
          <!--- Test Suite information
          #@TestSuiteName       SSL ldapcompare check behaviors
          #@TestSuitePurpose    Test the results of  SSL ldapcompare command
          #@TestSuiteGroup      ldapcompare check behaviors
          #@TestScript          clus_ssl_ldapcompare.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Case information
          #@TestMarker          SSL ldapcompare check behaviors
          #@TestName            Client use blind trust : ldapcompare successful
          #@TestPurpose         Verify that the operation is successful and
                                that the comparison is successful when client
                                trust all server certificates.
          #@TestPreamble        none
          #@TestStep            Do an ldapcompare with correct options
          #@TestPostamble       none
          #@TestResult          Success if ldapcompare return true
          -->
          <testcase name="getTestCaseName ('Client use blind trust : ldapcompare successful')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Security: SSL Check behaviors: ldapcompare, client trustall \
                 server cert'
              </message>
              <script>
              dncompare = 'uid=user.300,ou=people,dc=com'
              </script>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsDn'             : ['postalCode:21700' ,'%s' %dncompare],
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned false'
                }
              </call>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsDn'             : ['postalCode:01700' ,'%s' %dncompare],
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned true'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
            #@TestMarker          SSL ldapcompare check behaviors
            #@TestName            Client use TrustStore file : ldapcompare
                                  successful
            #@TestPurpose         Verify that the operation is successful and
                                  that the comparison is successful when client
                                  uses TrustStore file.
            #@TestPreamble        none
            #@TestStep            Do an ldapcompare with correct options.
            #@TestPostamble       none
            #@TestResult          Success if ldapcompare return true
          -->
          <testcase name="getTestCaseName
          ('Client use TrustStore file : ldapcompare successful')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
              'Security: SSL Check behaviors: ldapcompare, \
               client TrustStore file'
              </message>
              <script>
              dncompare2 = 'uid=user.301,ou=people,dc=com'
              </script>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsDn'             : ['street: 50303 Sunset' ,'%s' %dncompare2],
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned false'
                }
              </call>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsDn'             : ['street: 50303 Sunset Street' ,'%s' \
                                       %dncompare2] ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned true'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
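Review bot: The 'Client use TrustStore file' test case only covers the success path: both compares use `client_cert/clientruststore`, which presumably holds the server certificate, and nothing checks that the client refuses the connection when the truststore does not contain it. A client that silently ignored `dsTrustStorePath` and trusted everything would therefore still pass. A third call against a truststore without the server certificate, expecting a connection failure, would close that gap (sketch below, with placeholders for the fixture name, password and return code). Separately, all four calls pass `'expectedRC'       : 'noCheck'` and rely on `checktestString` alone, whereas the SASL EXTERNAL suite in this commit pins `'expectedRC'       : 0` on its successful compares; doing the same here would catch a tool that prints the expected text but exits with an error.

```xml
<!-- ... unchanged: the two successful TrustStore compares ... -->
<!-- Negative path: truststore that does not hold the server certificate -->
<call function="'ldapCompareWithScript'">
  {
  'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
  'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
  'dsUseSSL'         : ' ' ,
  'dsTrustStorePath' : '%s/client_cert/PLACEHOLDER_TRUSTSTORE_WITHOUT_SERVER_CERT' \
                        %InstanceInstallDir,
  'dsTrustStorePassword': 'PLACEHOLDER_TRUSTSTORE_PASSWORD',
  'dsDn'             : ['street: 50303 Sunset Street' ,'%s' %dncompare2],
  'expectedRC'       : PLACEHOLDER_CONNECT_FAILURE_RC
  }
</call>
```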
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_ldapdelete.xml
New file
@@ -0,0 +1,257 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_ssl_ldapdelete"/>
  <function name="clus_ssl_ldapdelete" scope="local">
    <sequence>
      <block name="'clus_ssl_ldapdelete'">
        <sequence>
          <!--- Test Suite information
          #@TestSuiteName       SSL ldapdelete check behaviors
          #@TestSuitePurpose    Test the result of SSL ldapdelete command
          #@TestSuiteGroup      ldapdelete check behavior tests
          #@TestScript          clus_ssl_ldapdelete.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
           <!--- Test Case information
            #@TestMarker          SSL ldapdelete check behaviors
            #@TestName            ldapdelete: delete an entry
            #@TestIssue           none
            #@TestPurpose         Test ldapdelete with correct options
                                  when client trust all server certificates .
            #@TestPreamble        none
            #@TestStep            Check using ldapsearch that "uid=user.400"
                                  entry is present.
            #@TestStep            Delete this entry using ldapdelete.
            #@TestStep            Check using ldapsearch that this entry is no
                                  more present.
            #@TestPostamble       none
            #@TestResult          Success if the "uid=user.400" entry is deleted.
          -->
          <testcase name="getTestCaseName ('SSL server blind trust : ldapdelete successful')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
              'Security: SSL Check behaviors: ldapdelete, client trustall server cert'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsCountEntries'   : 'True' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.400' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 1'
                }
              </call>
              <call function="'ldapDeleteWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsDn'             : ['uid=user.400,ou=people,dc=com']
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsCountEntries'   : 'True' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.400' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 0'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
            #@TestMarker          SSL ldapdelete check behaviors
            #@TestName            Client use TrustStore file : ldapdelete successful
            #@TestIssue           none
            #@TestPurpose         Test ldapdelete with correct options
                                  when client uses a TrustStore file.
            #@TestPreamble        none
            #@TestStep            Check using ldapsearch that "uid=user.401"
                                  entry is present.
            #@TestStep            Delete this entry using ldapdelete.
            #@TestStep            Check using ldapsearch that this entry is no
                                  more present.
            #@TestPostamble       none
            #@TestResult          Success if the "uid=user.401" entry is deleted.
          -->
          <testcase name="getTestCaseName ('Client use TrustStore file : ldapdelete successful')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
              'Security: SSL Check behaviors: ldapdelete, client TrustStore file'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsCountEntries'   : 'True' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.401' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 1'
                }
              </call>
              <call function="'ldapDeleteWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsDn'             : ['uid=user.401,ou=people,dc=com']
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsCountEntries'   : 'True' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.401' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 0'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
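Review bot: The truststore path and its password are written out as literals in all three calls of the 'Client use TrustStore file : ldapdelete successful' test case, and the same two literals recur in the sibling clus_ssl_* suites of this commit. Assigning them once in the suite-level `<script>` block next to `CurrentTestPath`, e.g. `clientTrustStore = '%s/client_cert/clientruststore' % InstanceInstallDir` and `clientTrustStorePass = 'clientruststorepass'`, would keep the fixture credential in one place when the keystore is regenerated. Both test cases also cover only the success path, so nothing in this file shows that a server certificate missing from the truststore is rejected. A negative case that expects the delete to fail and the entry to remain would show that the truststore is actually consulted.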
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_ldapmodify.xml
New file
@@ -0,0 +1,249 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_ssl_ldapmodify"/>
  <function name="clus_ssl_ldapmodify" scope="local">
    <sequence>
      <block name="'clus_ssl_ldapmodify'">
        <sequence>
          <!--- Test Suite information
          #@TestSuiteName       SSL ldapmodify check behaviors
          #@TestSuitePurpose    Test the results of the SSL ldapmodify command
          #@TestSuiteGroup      ldapmodify check bahaviors
          #@TestScript          clus_ssl_ldapmodify.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Case information
          #@TestMarker        SSL ldapmodify check behaviors
          #@TestName          Client blind trust : ldapmodify
          #@TestIssue         none
          #@TestPurpose       Verify that the operation is successful and
                              that the attribute value has been modified
                              when client trust all server certificates.
          #@TestPreamble      none
          #@TestStep          Check that the "givenName" value for "uid=user.100"
                              is Aggy.
          #@TestStep          Modify the "giveName" value using SSL ldapmodify.
          #@TestStep          Check that the "givenName" value for
                              "uid=user.100" is Olga.
          #@TestPostamble     none
          #@TestResult        Success if the "givenName" value is Olga.
          -->
          <testcase name="getTestCaseName('Client blind trust : ldapmodify')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
              'Security: SSL Check behaviors: ldapmodify, client trustall server cert'
              </message>
              <script>
              modifygivenname = 'clu_secure/clus_ssl_ldapmodify.ldif'
              modifymail = 'clu_secure/clus_ssl_ldapmodify2.ldif'
              </script>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsBaseDN'         : 'dc=com' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsFilter'         : 'uid=user.100' ,
                'dsAttributes'     : 'givenName'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'givenName: Aggy'
                }
              </call>
              <call function="'ldapModifyWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsFilename'       : '%s/%s' % (remote.data,modifygivenname)
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsBaseDN'         : 'dc=com' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsFilter'         : 'uid=user.100' ,
                'dsAttributes'     : 'givenName'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'givenName: Olga'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
            #@TestMarker        SSL ldapmodify check behaviors
            #@TestName          Client use TrustStore file : ldapmodify
            #@TestIssue         none
            #@TestPurpose       Verify that the operation is successful and
                                that the attribute value has been modified
                                when client uses a TrustStore file.
            #@TestPreamble      none
            #@TestStep          Check that the "mail" value for "uid=user.450"
                                is  user.101@maildomain.net.
            #@TestStep          Modify the "mail" value using ssl ldapmodify.
            #@TestStep          Check that the "mail" value for
                                "uid=user.101" is user.101@sun.com.
            #@TestPostamble     none
            #@TestResult        Success if the "mail" value is user.101@sun.com.
          -->
          <testcase name="getTestCaseName('Client use TrustStore file : ldapmodify')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
              'Security: SSL Check behaviors: ldapmodify, client TrustStore file'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsBaseDN'         : 'dc=com' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsFilter'         : 'uid=user.101' ,
                'dsAttributes'     : 'mail'
                }
              </call>
              <script>
              returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'mail: user.101@maildomain.net'
                }
              </call>
              <call function="'ldapModifyWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      % InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsFilename'       : '%s/%s' % (remote.data,modifymail)
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsBaseDN'         : 'dc=com' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsFilter'         : 'uid=user.101' ,
                'dsAttributes'     : 'mail'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'mail: user.101@sun.com'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
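Review bot: The first `ldapSearchWithScript` call of the 'Client use TrustStore file : ldapmodify' test case still passes `'dsTrustAll' : ' '`, so the baseline read in the truststore test never goes through the truststore. It should carry the same `'dsTrustStorePath'` / `'dsTrustStorePassword'` pair as the modify and the final search in that test case. The same test case reads `modifymail`, which is assigned only in the `<script>` of the blind-trust test case, so it presumably breaks if the first case is skipped or run in isolation; moving both assignments into the suite-level script would remove that coupling. The header comments also disagree with the calls: they say `uid=user.450` and `giveName` where the code uses `uid=user.101` and `givenName`, and `#@TestSuiteGroup` has the typo `bahaviors`.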
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_ldappasswdmodify.xml
New file
@@ -0,0 +1,244 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_ssl_ldappasswdmodify"/>
  <function name="clus_ssl_ldappasswdmodify" scope="local">
    <sequence>
      <block name="'clus_ssl_ldappasswdmodify'">
        <sequence>
          <!--- Test Suite information
          #@TestSuiteName       SSL ldappasswordmodify check behaviors
          #@TestSuitePurpose    Test the results of ssl ldappasswordmodify
                                command.
          #@TestSuiteGroup      ldappasswordmodify check behavior tests
          #@TestScript          clus_ssl_ldapassmodify.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Case information
            #@TestMarker          SSL ldappasswordmodify check behavior tests
            #@TestName            Client blind trust : ldappasswordmodify
            #@TestIssue           none
            #@TestPurpose         Verify that a user can change his own
                                  password when client trust all server
                                  certificates
            #@TestPreamble        none
            #@TestStep            Check that user.200 can do an SSL ldapsearch.
            #@TestStep            Do an ldappasswordmodify to change user
                                  password
            #@TestStep            Check that user.200 can't do an ldapsearch
                                  with his old password
            #@TestStep            Check that user.200 can do an ldapsearch with
                                  his new password
            #@TestPostamble       none
            #@TestResult          Success if user200password works.
          -->
          <testcase name="getTestCaseName('Client blind trust : ldappasswordmodify')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsInstanceDn'     : 'uid=user.200,ou=people,dc=com',
                'dsInstancePswd'   : 'password' ,
                'dsTypesOnly'      : 'True' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.*'
                }
              </call>
              <call function="'ldapPasswordModifyWithScript'">
                {
                'dsInstanceHost'      : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'      : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsAuthzID'           : 'uid=user.200,ou=people,dc=com' ,
                'dsUseSSL'            : ' ' ,
                'dsTrustAll'          : ' ' ,
                'dsCurrentPassword'   : 'password' ,
                'dsNewPassword'       : 'user200password'
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : 'uid=user.200,ou=people,dc=com' ,
                'dsInstancePswd'   : 'password' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsTypesOnly'      : 'True' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.*' ,
                'expectedRC'       : 49
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsInstanceDn'     : 'uid=user.200,ou=people,dc=com',
                'dsInstancePswd'   : 'user200password' ,
                'dsTypesOnly'      : 'True' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.*'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
            #@TestMarker          SSL ldappasswordmodify check behaviors
            #@TestName            Client blind trust : ldappasswordmodify
            #@TestIssue           none
            #@TestPurpose         Verify that a user can change his own
                                  password when client uses a TrustStore file.
            #@TestPreamble        none
            #@TestStep            Check that user.201 can do an ssl ldapsearch.
            #@TestStep            Do an ldappasswordmodify to change user
                                  password.
            #@TestStep            Check that user.201 can't do an ldapsearch with
                                  his old password.
            #@TestStep            Check that user.201 can do an ldapsearch with
                                  his new password.
            #@TestPostamble       none
            #@TestResult          Success if user201password works.
          -->
          <testcase name="getTestCaseName('Client trust file : ldappasswordmodify')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsInstanceDn'     : 'uid=user.201,ou=people,dc=com',
                'dsInstancePswd'   : 'password' ,
                'dsTypesOnly'      : 'True' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.*'
                }
              </call>
              <call function="'ldapPasswordModifyWithScript'">
                {
                'dsInstanceHost'      : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'      : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsAuthzID'        : 'uid=user.201,ou=people,dc=com' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsCurrentPassword'   : 'password' ,
                'dsNewPassword'       : 'user201password'
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : 'uid=user.201,ou=people,dc=com' ,
                'dsInstancePswd'   : 'password' ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsTypesOnly'      : 'True' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.*' ,
                'expectedRC'       : 49
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsInstanceDn'     : 'uid=user.201,ou=people,dc=com',
                'dsInstancePswd'   : 'user201password' ,
                'dsTypesOnly'      : 'True' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.*'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
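Review bot: The header comment of the second test case repeats `#@TestName Client blind trust : ldappasswordmodify`, although the `<testcase>` below it is 'Client trust file : ldappasswordmodify' and uses the truststore, so generated test documentation will list two blind-trust cases. It should read `#@TestName Client trust file : ldappasswordmodify`, and the suite's `#@TestScript` should name `clus_ssl_ldappasswdmodify.xml` instead of `clus_ssl_ldapassmodify.xml`. Neither test case restores the original password of user.200 or user.201. Since the opening search in each binds with `'password'` and presumably expects success, a second run against the same data would likely fail at the first step; a closing `ldapPasswordModifyWithScript` back to the original value, or a note that the suite needs freshly imported data, would make this explicit.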
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_ldapsearch.xml
New file
@@ -0,0 +1,260 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_ssl_ldapsearch"/>
  <function name="clus_ssl_ldapsearch" scope="local">
    <sequence>
      <block name="'clus_ssl_ldapsearch'">
        <sequence>
           <!--- Test Suite information
            #@TestSuiteName       SSL ldapsearch check behaviors
            #@TestSuitePurpose    Test the results of ssl ldapsearch command
            #@TestSuiteGroup      SSL behaviors
            #@TestScript          clus_ssl_ldapsearch.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
           <!--- Test Case information
           #@TestMarker          SSL ldapsearch check behaviors
           #@TestName            Client blind trust : ldapsearch
           #@TestIssue           none
           #@TestPurpose         Verify that the operation is successful and
                                 the number of returned entries is correct,
                                 when client trust all server cerificates.
           #@TestPreamble        none
           #@TestStep            Do a SSL ldapsearch with postal code filter.
           #@TestPostamble       none
           #@TestResult          Success if user is found and postal code
                                 is 36500.
          -->
          <testcase name="getTestCaseName('Client blind trust : ldapsearch')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
              'Security: SSL Check behaviors: ldapsearch client trustall \
               server cert'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.340' ,
                'dsAttributes'     : 'postalCode'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'postalCode: 36500'
                }
              </call>
              <message>
              'Security: SSL Check behaviors: ldapsearch, client trustall \
               server cert,missing Trustall option'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.340' ,
                'dsAttributes'     : 'postalCode',
                'expectedRC'       : 'noCheck',
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'server is using the following certificate'
                }
              </call>
              <message>
              'Security: SSL Check behaviors: ldapsearch, client trustall \
               server cert,wrong port'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.340' ,
                'dsAttributes'     : 'postalCode',
                'expectedRC'       : 'noCheck',
                'knownIssue'       : '6934118'
                }
              </call>
              <if expr="RC == 0">
                <sequence>
                  <script>
                    returnString = STAXResult[0][1]
                  </script>
                  <call function="'checktestString'">
                    {
                    'returnString'     : returnString ,
                    'expectedString'   : 'Unrecognized SSL message'
                    }
                  </call>
                </sequence>
              </if>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
            #@TestMarker          SSL ldapsearch check behaviors
            #@TestName            Client use a TrustStore file : ldapsearch
            #@TestIssue           none
            #@TestPurpose         Verify that the operation is successful and
                                  the number of returned entries is correct,
                                  when client uses a TrustStore file.
            #@TestPreamble        none
            #@TestStep            Do a ssl ldapsearch with postal code filter.
            #@TestPostamble       none
            #@TestResult          Success if user is found and postal code
                                  is 86150.
          -->
          <testcase name="getTestCaseName ('Client use TrustStore file : ldapsearch')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
              'Security: SSL Check behaviors: ldapsearch, client truststore'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      % InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.440' ,
                'dsAttributes'     : 'postalCode'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'postalCode: 86150'
                }
              </call>
              <message>
              'Security: SSL Check behaviors: ldapsearch, client truststore, \
               wrong TrustStore file path'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsUseSSL'         : ' ' ,
                'dsTrustStorePath' : '%s/config/serverkeystore' \
                                      %InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.440' ,
                'dsAttributes'     : 'postalCode',
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Cannot load the key store'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
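Review bot: The step labelled "wrong TrustStore file path" in the second testcase does not exercise certificate rejection. It points `dsTrustStorePath` at `config/serverkeystore` while passing the client store's password, and expects `Cannot load the key store`, so it only shows that an unopenable store is reported. No step in this file covers a trust store that loads correctly but lacks the server certificate, which is the case that shows the client refusing an untrusted server. The "missing Trustall option" step in the first testcase has a similar gap: with `'expectedRC' : 'noCheck'` it asserts only that the certificate prompt text appears, and never that `postalCode: 36500` is absent from the output. I would relabel the existing message to something like `wrong TrustStore password` and add a negative step that uses a loadable store without the server certificate.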
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_ssl/clus_ssl_setup.xml
New file
@@ -0,0 +1,91 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_ssl_setup"/>
  <function name="clus_ssl_setup" scope="local">
    <sequence>
      <block name="'clus_ssl_setup'">
        <sequence>
          <!--- Test Suite information
          #@TestSuiteName       Setup SSL
          #@TestSuitePurpose    Configure ssl to test ldap tools
          #@TestSuiteGroup      SSL setup
          #@TestScript          clus_ssl_setup.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clus_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <testcase name="getTestCaseName('Enable SSL with blind trust manager')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
              'Security: SSL setup : Enable SSL with blind trust manager'
              </message>
              <call function="'configureSSL'">
              {
              'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
              'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
              'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
              'customKeyMgr'     : 'JKSPROVIDER',
              'keystoreFile'     : 'config/serverkeystore',
              'keystorePin'      : 'keystorepass',
              'certAlias'        : 'server-cert1'
              }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
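Review bot: The suite script sets `CurrentTestPath['group'] = 'clus_secure'`, while the sibling suites in this commit (clus_ssl_ldapsearch, clus_starttls_cleanup and the others) use `'clu_secure'`, which is also the directory name in the import path of clus_starttls.xml. If this function ever runs without the group already set, its results would be filed under a different group from the other SSL suites; the line should read `CurrentTestPath['group'] = 'clu_secure'`. Separately, the testcase is named "Enable SSL with blind trust manager", but the visible `configureSSL` arguments describe only the key manager, keystore file, pin and certificate alias. Because `configureSSL` is not shown here, a short comment stating which trust manager it enables would make the name verifiable.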
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls.xml
New file
@@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_starttls"/>
  <function name="clus_starttls">
    <sequence>
      <script>
        testList = []
        testList.append(['clus_starttls','clus_starttls_setup'])
        testList.append(['clus_starttls','clus_starttls_ldapsearch'])
        testList.append(['clus_starttls','clus_starttls_ldapmodify'])
        testList.append(['clus_starttls','clus_starttls_ldappasswdmodify'])
        testList.append(['clus_starttls','clus_starttls_ldapcompare'])
        testList.append(['clus_starttls','clus_starttls_ldapdelete'])
        testList.append(['clus_starttls','clus_starttls_cleanup'])
      </script>
      <iterate var="_test" in="testList">
        <sequence>
          <import machine="STAF_LOCAL_HOSTNAME"
                  file="'%s/testcases/clu_secure/%s/%s.xml' %
                  (TESTS_DIR,_test[0],_test[1])"/>
          <call function="'%s' % _test[1]" />
        </sequence>
      </iterate>
    </sequence>
  </function>
</stax>
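Review bot: `<function name="clus_starttls">` is declared without `scope="local"`, unlike the suite functions it imports, so `testList` and the `_test` iterator live in the caller's variable scope (STAX functions default to global scope). If the parent clu_secure driver uses the same `testList`/`_test` names for its own iteration, which is not visible here, this function would overwrite them mid-loop. Declaring `<function name="clus_starttls" scope="local">` would keep the list private, assuming nothing outside relies on it. A one-line comment above the list saying that `clus_starttls_cleanup` must stay last would also help, since it presumably removes the StartTLS configuration the other suites depend on.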
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_cleanup.xml
New file
@@ -0,0 +1,90 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_starttls_cleanup"/>
  <function name="clus_starttls_cleanup" scope="local">
    <sequence>
      <block name="'clus_starttls_cleanup'">
        <sequence>
           <!--- Test Suite information
           #@TestSuiteName       clean up StartTLS
           #@TestSuitePurpose    unconfigure StartTLS
           #@TestSuiteGroup      clean up StartTLS
           #@TestScript          clus_startTLS_cleanup.xml
           -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <testcase name="getTestCaseName('Disable startTLS with blind trust manager')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
               'Security: startTLS Check behaviors: Disable startTLS with blind \
                trust manager'
              </message>
              <call function="'unconfigureTLS'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
                'customKeyMgr'     : 'JKSPROVIDER',
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
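Review bot: The cleanup testcase calls `unconfigureTLS` and ends without checking that the server has stopped accepting StartTLS, so a cleanup that fails silently would leave it configured for the suites that run afterwards. A follow-up `ldapSearchWithScript` with `'dsUseStartTLS' : ' '` and `'expectedRC' : 'noCheck'`, followed by a `checktestString` on the refusal text, would pin that. The exact refusal message is not on this page, and `unconfigureTLS` may already verify this internally. The header comment also names the script `clus_startTLS_cleanup.xml` while the file is `clus_starttls_cleanup.xml`; `#@TestScript          clus_starttls_cleanup.xml` would match.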
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldapcompare.xml
New file
@@ -0,0 +1,219 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_starttls_ldapcompare"/>
  <function name="clus_starttls_ldapcompare" scope="local">
    <sequence>
      <block name="'clus_starttls_ldapcompare'">
        <sequence>
          <!--- Test Suite information
          #@TestSuiteName       StartTLS ldapcompare check behaviors
          #@TestSuitePurpose    Test the results of StartTLS ldapcompare command.
          #@TestSuiteGroup      ldapcompare check behavior tests
          #@TestScript          clus_startTLS_ldapcompare.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Case information
            #@TestMarker          StartTLS ldapcompare check behavior tests
            #@TestName            Client use blind trust : ldapcompare successful
            #@TestPurpose         Verify that the operation is successful and
                                  that the comparison is successful when client
                                  trust all server certificates.
            #@TestPreamble        none
            #@TestStep            Do an ldapcompare with correct options.
            #@TestPostamble       none
            #@TestResult          Success if ldapcompare return true
          -->
          <testcase name="getTestCaseName ('Client use blind trust : ldapcompare successful')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Security: StartTLS Check behaviors : ldapcompare, client trustall\
                 server cert'
              </message>
              <script>
                dncompare = 'uid=user.310,ou=people,dc=com'
              </script>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsUseStartTLS'    : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsDn'             : ['postalCode:6728' ,'%s' %dncompare],
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned false'
                }
              </call>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsUseStartTLS'    : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsDn'             : ['postalCode:67258' ,'%s' %dncompare],
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned true'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          StartTLS ldapcompare check behaviors
          #@TestName            Client use TrustStore file :
                                ldapcompare successful
          #@TestPurpose         Verify that the operation is successful and
                                that the comparison is successful when client
                                uses TrustStore file.
          #@TestPreamble        none
          #@TestStep            Do an ldapcompare with correct options.
          #@TestPostamble       none
          #@TestResult          Success if ldapcompare return true
          -->
          <testcase name="getTestCaseName ('Client use TrustStore file : ldapcompare successful')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Security:startTLS Check behaviors: ldapcompare, client trust \
                 store file'
              </message>
              <script>
                dncompare2 = 'uid=user.311,ou=people,dc=com'
              </script>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsUseStartTLS'    : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      % InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsDn'           : ['description: This is for Amber Arbuckle.',\
                                   '%s' %dncompare2] ,
                'expectedRC'     : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned false'
                }
              </call>
              <call function="'ldapCompareWithScript'">
                {
                'dsInstanceHost'  : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'  : DIRECTORY_INSTANCE_PORT ,
                'dsUseStartTLS'   : ' ' ,
                'dsTrustStorePath': '%s/client_cert/clientruststore' \
                                      % InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsDn'            : ['description: This is the description for \
                                   Amber Arbuckle.' ,'%s' %dncompare2] ,
                'expectedRC'      : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Compare operation returned true'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
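Review bot: All four `ldapCompareWithScript` calls pass `'expectedRC' : 'noCheck'`, so each testcase rests only on a text match for `Compare operation returned false` or `Compare operation returned true`. If the tool's exit status for a matching and a non-matching compare is stable in this harness, pinning `expectedRC` to those values would catch a run that prints the expected text but ends in an error. The header comments also describe a single step ("Do an ldapcompare with correct options"), although each testcase first compares a non-matching value and then a matching one. I would document both, e.g. `#@TestStep Compare a non-matching value and check that false is returned.` and `#@TestStep Compare the matching value and check that true is returned.` Neither testcase has a negative path where the StartTLS handshake is expected to fail, which the SSL ldapsearch suite in this commit does have.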
opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldapdelete.xml
New file
@@ -0,0 +1,264 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="clus_starttls_ldapdelete"/>
  <function name="clus_starttls_ldapdelete" scope="local">
    <sequence>
      <block name="'clus_starttls_ldapdelete'">
        <sequence>
          <!--- Test Suite information
          #@TestSuiteName       StartTLS ldapdelete check behavior tests
          #@TestSuitePurpose    Test the results of the StartTLS ldapdelete command.
          #@TestSuiteGroup      ldapdelete check behavior tests
          #@TestScript          clus_startTLS_ldapdelete.xml
          -->
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group'] = 'clu_secure'
            CurrentTestPath['suite'] = STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
           <!--- Test Case information
            #@TestMarker          StartTLS ldapdelete check behavior tests
            #@TestName            ldapdelete: delete an entry
            #@TestIssue           none
            #@TestPurpose         Test ldapdelete with correct options
                                  when client trust all server certificates .
            #@TestPreamble        none
            #@TestStep            Check using ldapsearch that "uid=user.410"
                                  entry is present.
            #@TestStep            Delete this entry using ldapdelete.
            #@TestStep            Check using ldapsearch that this entry is no
                                  more present.
            #@TestPostamble       none
            #@TestResult          Success if the "uid=user.410" entry is deleted.
          -->
          <testcase name="getTestCaseName
          ('StartTLS server blind trust : ldapdelete successful')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Security: StartTLS Check behaviors: ldapdelete, client trustall \
                 server cert'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsCountEntries'   : 'True' ,
                'dsUseStartTLS'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.410' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 1'
                }
              </call>
              <call function="'ldapDeleteWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsUseStartTLS'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsDn'             : ['uid=user.410,ou=people,dc=com']
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsCountEntries'   : 'True' ,
                'dsUseStartTLS'         : ' ' ,
                'dsTrustAll'       : ' ' ,
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.410' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 0'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
            #@TestMarker          StartTLS ldapdelete check behavior tests
            #@TestName            Client use TrustStore file : ldapdelete
                                  successful
            #@TestIssue           none
            #@TestPurpose         Test ldapdelete with correct options
                                  when client uses a TrustStore file.
            #@TestPreamble        none
            #@TestStep            Check using ldapsearch that "uid=user.411"
                                  entry is present.
            #@TestStep            Delete this entry using ldapdelete.
            #@TestStep            Check using ldapsearch that this entry is no
                                  more present.
            #@TestPostamble       none
            #@TestResult          Success if the "uid=user.411" entry is deleted.
          -->
          <testcase name="getTestCaseName ('Client use TrustStore file : ldapdelete successful')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Security: StartTLS Check behaviors: ldapdelete, client trust \
                 store file'
              </message>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsCountEntries'   : 'True' ,
                'dsUseStartTLS'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      % InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.411' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 1'
                }
              </call>
              <call function="'ldapDeleteWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsUseStartTLS'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      % InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsDn'             : ['uid=user.411,ou=people,dc=com']
                }
              </call>
              <call function="'ldapSearchWithScript'">
                {
                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsCountEntries'   : 'True' ,
                'dsUseStartTLS'         : ' ' ,
                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
                                      % InstanceInstallDir,
                'dsTrustStorePassword': 'clientruststorepass',
                'dsBaseDN'         : 'dc=com' ,
                'dsFilter'         : 'uid=user.411' ,
                'expectedRC'       : 'noCheck'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
              </script>
              <call function="'checktestString'">
                {
                'returnString'     : returnString ,
                'expectedString'   : 'Total number of matching entries: 0'
                }
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
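Review bot: Both testcases cover only the path where the delete succeeds; nothing checks that `ldapdelete` over StartTLS leaves the entry in place when the client cannot validate the server. That matters here because the operation is destructive and binds as `DIRECTORY_INSTANCE_DN`. The SSL ldapsearch suite in this commit has such a negative step, using `config/serverkeystore` as an unusable trust store, and the same idea fits the TrustStore testcase before its successful delete. The sketch below assumes `ldapDeleteWithScript` accepts `expectedRC` as the search and compare wrappers do. The existing count search expecting `Total number of matching entries: 1` can follow it unchanged.

```xml
<!-- … unchanged: first count search for uid=user.411 and its checktestString … -->
<!-- constructed example: the delete must not go through with an unusable trust store -->
<call function="'ldapDeleteWithScript'">
  {
  'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
  'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
  'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
  'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
  'dsUseStartTLS'    : ' ' ,
  'dsTrustStorePath' : '%s/config/serverkeystore' \
                        % InstanceInstallDir,
  'dsTrustStorePassword': 'clientruststorepass',
  'dsDn'             : ['uid=user.411,ou=people,dc=com'] ,
  'expectedRC'       : 'noCheck'
  }
</call>
<!-- … repeat the count search here, still expecting one matching entry … -->
<!-- … unchanged: successful ldapDeleteWithScript with clientruststore … -->
```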
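--- a/opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldapmodify.xml
+++ b/opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldapmodify.xml
@@ -0,0 +1,253 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License").  You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ !      Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ !      Copyright 2010 Sun Microsystems, Inc.
+ ! -->
+<stax>
+  <defaultcall function="clus_starttls_ldapmodify"/>
+  <function name="clus_starttls_ldapmodify" scope="local">
+    <sequence>
+      <block name="'clus_starttls_ldapmodify'">
+        <sequence>
+          <!--- Test Suite information
+          #@TestSuiteName       StartTLS ldapmodify check behaviors
+          #@TestSuitePurpose    Test the results of the startTLS ldapmodify
+                                command
+          #@TestSuiteGroup      ldapmodify check bahavior tests
+          #@TestScript          clus_startTLS_ldapmodify.xml
+          -->
+          <script>
+            if not CurrentTestPath.has_key('group'):
+              CurrentTestPath['group'] = 'clu_secure'
+            CurrentTestPath['suite'] = STAXCurrentBlock
+          </script>
+          <call function="'testSuite_Preamble'"/>
+          <!--- Test Case information
+          #@TestMarker        StartTLS ldapmodify check behaviors
+          #@TestName          Client blind trust : ldapmodify
+          #@TestIssue         none
+          #@TestPurpose       Verify that the operation is successful and
+                              that the attribute value has been modified
+                              when client trust all server certificates.
+          #@TestPreamble      none
+          #@TestStep          Check that the "sn" value for "uid=user.110"
+                              is Aimone.
+          #@TestStep          Modify the "sn" value using startTLS ldapmodify
+          #@TestStep          Check that the "sn" value for
+                              "uid=user.110" is John.
+          #@TestPostamble     none
+          #@TestResult        Success if the "sn" value is John
+          -->
+          <testcase name="getTestCaseName('Client blind trust : ldapmodify')">
+            <sequence>
+              <call function="'testCase_Preamble'"/>
+              <message>
+                'Security: startTLS Check behaviors: ldapmodify, client trustall \
+                 server cert'
+              </message>
+              <script>
+              modifysn = 'clu_secure/clus_startls_ldapmodify.ldif'
+              modifyphone = 'clu_secure/clus_startls_ldapmodify2.ldif'
+              </script>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsUseStartTLS'    : ' ' ,
+                'dsTrustAll'       : ' ' ,
+                'dsFilter'         : 'uid=user.110' ,
+                'dsAttributes'     : 'sn'
+                }
+              </call>
+              <script>
+                returnString = STAXResult[0][1]
+              </script>
+              <call function="'checktestString'">
+                {
+                'returnString'     : returnString ,
+                'expectedString'   : 'sn: Aimone'
+                }
+              </call>
+              <call function="'ldapModifyWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
+                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
+                'dsUseStartTLS'    : ' ' ,
+                'dsTrustAll'       : ' ' ,
+                'dsFilename'       : '%s/%s' % (remote.data,modifysn)
+                }
+              </call>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsUseStartTLS'         : ' ' ,
+                'dsTrustAll'       : ' ' ,
+                'dsFilter'         : 'uid=user.110' ,
+                'dsAttributes'     : 'sn'
+                }
+              </call>
+              <script>
+                returnString = STAXResult[0][1]
+              </script>
+              <call function="'checktestString'">
+                {
+                'returnString'     : returnString ,
+                'expectedString'   : 'sn: John'
+                }
+              </call>
+              <call function="'testCase_Postamble'"/>
+            </sequence>
+          </testcase>
+          <!--- Test Case information
+            #@TestMarker      StartTLS ldapmodify check behaviors
+            #@TestName        Client use TrustStore file : ldapmodify
+            #@TestIssue       none
+            #@TestPurpose     Verify that the operation is successful and
+                              that the attribute value has been modified
+                              when client uses a TrustStore file.
+            #@TestPreamble    none
+            #@TestStep        Check that the "telephoneNumber" value for
+                              "uid=user.111" is +1 896 751 0209
+            #@TestStep        Modify the "mail" value using startTLS ldapmodify.
+            #@TestStep        Check that the "telephoneNumber" value for
+                              "uid=user.111" is +3312345678
+            #@TestPostamble   none
+            #@TestResult      Success if the "telephoneNumber" value is
+                              +3312345678.
+          -->
+          <testcase name="getTestCaseName('Client use TrustStore file : ldapmodify')">
+            <sequence>
+              <call function="'testCase_Preamble'"/>
+              <message>
+                'Security: startTLS Check behaviors: ldapmodify, client \
+                 TrustStore file'
+              </message>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsUseStartTLS'         : ' ' ,
+                'dsTrustAll'       : ' ' ,
+                'dsFilter'         : 'uid=user.111' ,
+                'dsAttributes'     : 'telephoneNumber'
+                }
+              </call>
+              <script>
+                returnString = STAXResult[0][1]
+              </script>
+              <call function="'checktestString'">
+                {
+                'returnString'     : returnString ,
+                'expectedString'   : 'telephoneNumber: \+1 896 751 0209'
+                }
+              </call>
+              <call function="'ldapModifyWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
+                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
+                'dsUseStartTLS'    : ' ' ,
+                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
+                                      % InstanceInstallDir,
+                'dsTrustStorePassword': 'clientruststorepass',
+                'dsFilename'       : '%s/%s' % (remote.data,modifyphone)
+                }
+              </call>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsUseStartTLS'    : ' ' ,
+                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
+                                      % InstanceInstallDir,
+                'dsTrustStorePassword': 'clientruststorepass',
+                'dsFilter'         : 'uid=user.111' ,
+                'dsAttributes'     : 'telephoneNumber'
+                }
+              </call>
+              <script>
+                returnString = STAXResult[0][1]
+              </script>
+              <call function="'checktestString'">
+                {
+                'returnString'     : returnString ,
+                'expectedString'   : 'telephoneNumber: \+3312345678'
+                }
+              </call>
+              <call function="'testCase_Postamble'"/>
+            </sequence>
+          </testcase>
+          <call function="'testSuite_Postamble'"/>
+        </sequence>
+      </block>
+    </sequence>
+  </function>
+</stax>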
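Review bot: The 'Client use TrustStore file : ldapmodify' case does not stand on its own, and its precondition bypasses the trust store: the first search passes `'dsTrustAll'       : ' ' ,` instead of the trust store options, and `modifyphone` is only assigned in the `<script>` of the preceding blind-trust case. I would move the two LDIF path assignments into the suite-level `<script>` and replace the `dsTrustAll` entry in that search with the `'dsTrustStorePath'` / `'dsTrustStorePassword'` pair used by the later calls. Both cases are positive paths only, so nothing in this file shows that certificate validation rejects a server the client does not trust; a case that uses a trust store without the server certificate and expects a failing `expectedRC` would cover that, and the same gap applies to the ldappasswdmodify and ldapsearch suites added in this commit. The second `#@TestStep` of that case says "mail" while the case checks telephoneNumber; `#@TestStep        Modify the "telephoneNumber" value using startTLS ldapmodify.` would match.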
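--- a/opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldappasswdmodify.xml
+++ b/opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldappasswdmodify.xml
@@ -0,0 +1,246 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License").  You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ !      Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ !      Copyright 2010 Sun Microsystems, Inc.
+ ! -->
+<stax>
+  <defaultcall function="clus_starttls_ldappasswdmodify"/>
+  <function name="clus_starttls_ldappasswdmodify" scope="local">
+    <sequence>
+      <block name="'clus_starttls_ldappasswdmodify'">
+        <sequence>
+          <!--- Test Suite information
+            #@TestSuiteName       StartTLS ldappasswordmodify check behaviors
+            #@TestSuitePurpose    Test the results of StartTLS ldappasswordmodify
+                                  command.
+            #@TestSuiteGroup      ldappasswordmodify check behavior tests
+            #@TestScript          clus_startTLS_ldapassmodify.xml
+          -->
+          <script>
+            if not CurrentTestPath.has_key('group'):
+              CurrentTestPath['group'] = 'clu_secure'
+            CurrentTestPath['suite'] = STAXCurrentBlock
+          </script>
+          <call function="'testSuite_Preamble'"/>
+          <!--- Test Case information
+            #@TestMarker          StartTLS ldappasswordmodify check behaviors
+            #@TestName            Client blind trust : ldappasswordmodify
+            #@TestIssue           none
+            #@TestPurpose         Verify that a user can change his own
+                                  password when client trust all server
+                                  certificates.
+            #@TestPreamble        none
+            #@TestStep            Check that user.210 can do an startTLS
+                                  ldapsearch.
+            #@TestStep            Do an ldappasswordmodify to change user
+                                  password.
+            #@TestStep            Check that user.210 can't do an ldapsearch
+                                  with his old password.
+            #@TestStep            Check that user.210 can do an ldapsearch with
+                                  his new password.
+            #@TestPostamble       none
+            #@TestResult          Success if user210password works.
+          -->
+          <testcase name="getTestCaseName('Client blind trust : ldappasswordmodify')">
+            <sequence>
+              <call function="'testCase_Preamble'"/>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsUseStartTLS'         : ' ' ,
+                'dsTrustAll'       : ' ' ,
+                'dsInstanceDn'     : 'uid=user.210,ou=people,dc=com',
+                'dsInstancePswd'   : 'password' ,
+                'dsTypesOnly'      : 'True' ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsFilter'         : 'uid=user.*'
+                }
+              </call>
+              <call function="'ldapPasswordModifyWithScript'">
+                {
+                'dsInstanceHost'      : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'      : DIRECTORY_INSTANCE_PORT ,
+                'dsAuthzID'        : 'uid=user.210,ou=people,dc=com' ,
+                'dsUseStartTLS'            : ' ' ,
+                'dsTrustAll'          : ' ' ,
+                'dsCurrentPassword'   : 'password' ,
+                'dsNewPassword'       : 'user210password'
+                }
+              </call>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsInstanceDn'     : 'uid=user.210,ou=people,dc=com' ,
+                'dsInstancePswd'   : 'password' ,
+                'dsUseStartTLS'         : ' ' ,
+                'dsTrustAll'       : ' ' ,
+                'dsTypesOnly'      : 'True' ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsFilter'         : 'uid=user.*' ,
+                'expectedRC'       : 49
+                }
+              </call>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsUseStartTLS'         : ' ' ,
+                'dsTrustAll'       : ' ' ,
+                'dsInstanceDn'     : 'uid=user.210,ou=people,dc=com',
+                'dsInstancePswd'   : 'user210password' ,
+                'dsTypesOnly'      : 'True' ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsFilter'         : 'uid=user.*'
+                }
+              </call>
+              <call function="'testCase_Postamble'"/>
+            </sequence>
+          </testcase>
+          <!--- Test Case information
+          #@TestMarker          StartTLS ldappasswordmodify check behaviors
+          #@TestName            Client blind trust : ldappasswordmodify
+          #@TestIssue           none
+          #@TestPurpose         Verify that a user can change his own
+                                password when client uses a TrustStore file.
+          #@TestPreamble        none
+          #@TestStep            Check that user.211 can do
+                                an StartTLS ldapsearch.
+          #@TestStep            Do an ldappasswordmodify to change user
+                                password.
+          #@TestStep            Check that user.211 can't do an ldapsearch with
+                                his old password.
+          #@TestStep            Check that user.211 can do an ldapsearch with
+                                his new password.
+          #@TestPostamble       none
+          #@TestResult          Success if user211password works.
+          -->
+          <testcase name="getTestCaseName('Client use TrustStore file : ldappasswordmodify')">
+            <sequence>
+              <call function="'testCase_Preamble'"/>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsUseStartTLS'         : ' ' ,
+                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
+                                      % InstanceInstallDir,
+                'dsTrustStorePassword': 'clientruststorepass',
+                'dsInstanceDn'     : 'uid=user.211,ou=people,dc=com',
+                'dsInstancePswd'   : 'password' ,
+                'dsTypesOnly'      : 'True' ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsFilter'         : 'uid=user.*'
+                }
+              </call>
+              <call function="'ldapPasswordModifyWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsAuthzID'        : 'uid=user.211,ou=people,dc=com' ,
+                'dsUseStartTLS'         : ' ' ,
+                'dsTrustStorePath' : '%s/client_cert/clientruststore'
+                                      %InstanceInstallDir,
+                'dsTrustStorePassword': 'clientruststorepass',
+                'dsCurrentPassword'   : 'password' ,
+                'dsNewPassword'       : 'user211password'
+                }
+              </call>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsInstanceDn'     : 'uid=user.211,ou=people,dc=com' ,
+                'dsInstancePswd'   : 'password' ,
+                'dsUseStartTLS'         : ' ' ,
+                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
+                                      % InstanceInstallDir,
+                'dsTrustStorePassword': 'clientruststorepass',
+                'dsTypesOnly'      : 'True' ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsFilter'         : 'uid=user.*' ,
+                'expectedRC'       : 49
+                }
+              </call>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsUseStartTLS'         : ' ' ,
+                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
+                                      %InstanceInstallDir,
+                'dsTrustStorePassword': 'clientruststorepass',
+                'dsInstanceDn'     : 'uid=user.211,ou=people,dc=com',
+                'dsInstancePswd'   : 'user211password' ,
+                'dsTypesOnly'      : 'True' ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsFilter'         : 'uid=user.*'
+                }
+              </call>
+              <call function="'testCase_Postamble'"/>
+            </sequence>
+          </testcase>
+          <call function="'testSuite_Postamble'"/>
+        </sequence>
+      </block>
+    </sequence>
+  </function>
+</stax>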
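Review bot: The header comment of the second case repeats the first case's name, although the testcase itself is 'Client use TrustStore file : ldappasswordmodify'; it should read `#@TestName            Client use TrustStore file : ldappasswordmodify`. `#@TestScript` names `clus_startTLS_ldapassmodify.xml`, which does not match the file added here (`clus_starttls_ldappasswdmodify.xml`). Both cases leave user.210 and user.211 with their new passwords, so a second run against the same data would presumably fail at the first bind unless the suite setup reloads the entries, which is not visible in this file; a comment stating that dependency would help. The `dsTrustStorePath` entry in the second `ldapPasswordModifyWithScript` call omits the trailing `\` used in the other calls; it still parses inside the braces, but one form should be used throughout.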
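--- a/opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldapsearch.xml
+++ b/opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_ldapsearch.xml
@@ -0,0 +1,172 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License").  You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ !      Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ !      Copyright 2010 Sun Microsystems, Inc.
+ ! -->
+<stax>
+  <defaultcall function="clus_starttls_ldapsearch"/>
+  <function name="clus_starttls_ldapsearch" scope="local">
+    <sequence>
+      <block name="'clus_starttls_ldapsearch'">
+        <sequence>
+           <!--- Test Suite information
+            #@TestSuiteName       StartTLS ldapsearch check behaviors
+            #@TestSuitePurpose    Test the results of ssl ldapsearch command
+            #@TestSuiteGroup      StartTLS behaviors
+            #@TestScript          clus_startTLS_ldapsearch.xml
+          -->
+          <script>
+            if not CurrentTestPath.has_key('group'):
+              CurrentTestPath['group'] = 'clu_secure'
+            CurrentTestPath['suite'] = STAXCurrentBlock
+          </script>
+          <call function="'testSuite_Preamble'"/>
+           <!--- Test Case information
+            #@TestMarker          StartTLS ldapsearch check behaviors
+            #@TestName            Client blind trust : ldapsearch
+            #@TestIssue           none
+            #@TestPurpose         Verify that the operation is successful and
+                                  the number of returned entries is correct,
+                                  when client trust all server cerificates.
+            #@TestPreamble        none
+            #@TestStep            Do a startTLS ldapsearch with phone number filter.
+            #@TestPostamble       none
+            #@TestResult          Success if user is found and pager
+                                  is +1 608 828 0224.
+          -->
+          <testcase name="getTestCaseName('Client blind trust : ldapsearch')">
+            <sequence>
+              <call function="'testCase_Preamble'"/>
+              <message>
+                'Security: startTLS Check behaviors: ldapsearch, client trustall \
+                server cert'
+              </message>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsUseStartTLS'         : ' ' ,
+                'dsTrustAll'       : ' ' ,
+                'dsBaseDN'         : 'dc=com' ,
+                'dsFilter'         : 'uid=user.500' ,
+                'dsAttributes'     : 'pager'
+                }
+              </call>
+              <script>
+                returnString = STAXResult[0][1]
+              </script>
+              <call function="'checktestString'">
+                {
+                'returnString'     : returnString ,
+                'expectedString'   : 'pager: \+1 608 828 0224'
+                }
+              </call>
+              <call function="'testCase_Postamble'"/>
+            </sequence>
+          </testcase>
+          <!--- Test Case information
+            #@TestMarker          StartTLS ldapsearch check behaviors
+            #@TestName            Client use a TrustStore file : ldapsearch
+            #@TestIssue           none
+            #@TestPurpose         Verify that the operation is successful and
+                                  the number of returned entries is correct,
+                                  when client uses a TrustStore file.
+            #@TestPreamble        none
+            #@TestStep            Do a StartTLS ldapsearch with street filter.
+            #@TestPostamble       none
+            #@TestResult          Success if user is found and street
+                                  is 77009 South Street.
+          -->
+          <testcase name="getTestCaseName
+          ('Client use TrustStore file : ldapsearch')">
+            <sequence>
+              <call function="'testCase_Preamble'"/>
+              <message>
+                'Security: startTLS Check behaviors: ldapsearch, client truststore'
+              </message>
+              <call function="'ldapSearchWithScript'">
+                {
+                'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
+                'dsUseStartTLS'    : ' ' ,
+                'dsTrustStorePath' : '%s/client_cert/clientruststore' \
+                                      %InstanceInstallDir,
+                'dsTrustStorePassword': 'clientruststorepass',
+                'dsBaseDN'         : 'dc=com' ,
+                'dsFilter'         : 'uid=user.505' ,
+                'dsAttributes'     : 'street'
+                }
+              </call>
+              <script>
+                returnString = STAXResult[0][1]
+              </script>
+              <call function="'checktestString'">
+                {
+                'returnString'     : returnString ,
+                'expectedString'   : 'street: 77009 South Street'
+                }
+              </call>
+              <call function="'testCase_Postamble'"/>
+            </sequence>
+          </testcase>
+          <call function="'testSuite_Postamble'"/>
+        </sequence>
+      </block>
+    </sequence>
+  </function>
+</stax>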
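Review bot: The header comments describe different tests from the ones that run: the suite purpose says `ssl ldapsearch`, and the steps mention a "phone number filter" and a "street filter", while both searches filter on `uid=user.500` / `uid=user.505` and only request the `pager` / `street` attribute. Suggested wording: `#@TestSuitePurpose    Test the results of StartTLS ldapsearch command` and `#@TestStep            Do a startTLS ldapsearch on uid=user.500 and check the pager value.` (likewise for user.505 and street). Both `#@TestPurpose` blocks also promise a check on the number of returned entries, which neither case performs; each only runs `checktestString` on one attribute line. The `name` attribute of the second testcase is split across two lines; keeping `getTestCaseName('Client use TrustStore file : ldapsearch')` on one line would match the other suites.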
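--- a/opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_setup.xml
+++ b/opends/tests/staf-tests/functional-tests/testcases/clu_secure/clus_starttls/clus_starttls_setup.xml
@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License").  You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ !      Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ !      Copyright 2010 Sun Microsystems, Inc.
+ ! -->
+<stax>
+  <defaultcall function="clus_starttls_setup"/>
+  <function name="clus_starttls_setup" scope="local">
+    <sequence>
+      <block name="'clus_starttls_setup'">
+        <sequence>
+          <!--- Test Suite information
+          #@TestSuiteName       Setup startTLS
+          #@TestSuitePurpose    Configure startTLS to test ldap tools
+          #@TestSuiteGroup      startTLS setup
+          #@TestScript          clus_starttls_setup.xml
+          -->
+          <script>
+            if not CurrentTestPath.has_key('group'):
+              CurrentTestPath['group'] = 'clu_secure'
+            CurrentTestPath['suite'] = STAXCurrentBlock
+          </script>
+          <call function="'testSuite_Preamble'"/>
+          <testcase name="getTestCaseName('Enable startTLS with blind trust manager')">
+            <sequence>
+              <call function="'testCase_Preamble'"/>
+              <message>
+                'Security: SSL Check behaviors: Enable startTLS with blind \
+                 trust manager'
+              </message>
+              <call function="'configureTLS'">
+               {
+               'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
+               'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
+               'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD,
+               'customKeyMgr'     : 'JKSPROVIDER',
+               'keystoreFile'     : 'config/serverkeystore',
+               'keystorePin'      : 'keystorepass',
+               'certAlias'        : 'server-cert2'
+               }
+              </call>
+              <call function="'testCase_Postamble'"/>
+            </sequence>
+          </testcase>
+          <call function="'testSuite_Postamble'"/>
+        </sequence>
+      </block>
+    </sequence>
+  </function>
+</stax>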
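Review bot: The testcase is named 'Enable startTLS with blind trust manager', but the `configureTLS` call passes only key-manager settings (`customKeyMgr`, `keystoreFile`, `keystorePin`, `certAlias`), so which trust manager the server ends up with depends on defaults inside `configureTLS` that are not visible in this file. Either pass the trust manager explicitly or rename the case after what it configures, and add a comment that a blind trust manager accepts any peer certificate and is meant for this test instance only. The `<message>` still reads `Security: SSL Check behaviors`, where `Security: startTLS Check behaviors` would match the sibling suites. Unlike those suites, the testcase has no `#@TestName` / `#@TestPurpose` comment block, and the keystore PIN is repeated as a literal here the same way `clientruststorepass` is repeated in the client suites; a shared variable would keep the fixtures in one place.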
opends/tests/staf-tests/functional-tests/testcases/core/collectiveattr/core_collectiveattr_tests.xml
@@ -3648,7 +3648,7 @@
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsBaseDN'         : targetDN3 ,
                'dsFilter'         : 'description\=Worldwide*' ,
                'dsFilter'         : 'description=Worldwide*' ,
              }
            </call>
            <script>
opends/tests/staf-tests/functional-tests/testcases/core/collectiveattr/core_collectiveattr_tests_bk.xml
File was deleted
opends/tests/staf-tests/functional-tests/testcases/core/core.xml
@@ -23,7 +23,7 @@
 !
 ! CDDL HEADER END
 !
 !      Copyright 2006-2009 Sun Microsystems, Inc.
 !      Copyright 2006-2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="main_core" />
@@ -60,6 +60,7 @@
              suiteList.append('controls/core_ctrls_matched_values')
              suiteList.append('binaryattr/core_binaryattr')
              suiteList.append('collectiveattr/core_collectiveattr')
              suiteList.append('psearch/core_psearch')
            </script>
    
            <!-- Run the test suites -->
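--- /dev/null
+++ b/opends/tests/staf-tests/functional-tests/testcases/core/psearch/core_psearch.xml
@@ -0,0 +1,139 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
+<!--
+ ! CDDL HEADER START
+ !
+ ! The contents of this file are subject to the terms of the
+ ! Common Development and Distribution License, Version 1.0 only
+ ! (the "License").  You may not use this file except in compliance
+ ! with the License.
+ !
+ ! You can obtain a copy of the license at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ ! See the License for the specific language governing permissions
+ ! and limitations under the License.
+ !
+ ! When distributing Covered Code, include this CDDL HEADER in each
+ ! file and include the License file at
+ ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
+ ! add the following below this CDDL HEADER, with the fields enclosed
+ ! by brackets "[]" replaced with your own identifying information:
+ !      Portions Copyright [yyyy] [name of copyright owner]
+ !
+ ! CDDL HEADER END
+ !
+ !      Copyright 2010 Sun Microsystems, Inc.
+ ! -->
+<stax>
+  <defaultcall function="core_psearch"/>
+  <function name="core_psearch" scope="local">
+    <sequence>
+      <block name="'core_psearch'">
+        <try>
+          <sequence>
+            <script>
+              CurrentTestPath['group']='core'
+              CurrentTestPath['suite']='psearch'
+              __group=CurrentTestPath['group']
+              __groupdir='%s/testcases/%s' % (TESTS_DIR,__group)
+            </script>
+            <!--- Test Suite information
+            #@TestSuiteName       PSearch delete Tests
+            #@TestSuitePurpose    Verify that the basic persistent search for delete operations is working in the Directory Server.
+            #@TestSuiteID         PSearch delete operations
+            #@TestSuiteGroup      PSearch delete
+            #@TestGroup           PSearch
+            #@TestScript          psearch.xml
+            #@TestHTMLLink        http://opends.dev.java.net/
+            -->
+            <call function="'testSuite_Preamble'"/>
+            <try>
+              <sequence>
+                <call function="'common_setup'">
+                  {
+                    'quickStart'  : False ,
+                    'startServer' : False,
+                    'loadData'    : False ,
+                    'stopServer'  : False
+                  }
+                </call>
+                <script>
+                  psearchList=[]
+                  psearchList.append('psearch/core_psearch_tests')
+                </script>
+                <!-- Import the files for this test suite -->
+                <iterate var="__psearch" in="psearchList">
+                  <import machine="STAF_LOCAL_HOSTNAME"
+                    file="'%s/%s.xml' % (__groupdir,__psearch)"/>
+                </iterate>
+                <!-- List of Import of Test Functions -->
+                <script>
+                  testsList=[]
+                  testsList.append('core_psearch_import-ldif_1')
+                  testsList.append('core_psearch_delete_1')
+                  testsList.append('core_psearch_delete_2')
+                  testsList.append('core_psearch_modify_1')
+                  testsList.append('core_psearch_modify_2')
+                  testsList.append('core_psearch_moddn_1')
+                  testsList.append('core_psearch_moddn_2')
+                  testsList.append('core_psearch_add_1')
+                  testsList.append('core_psearch_add_2')
+                </script>
+                <!-- Execute the Tests -->
+                <iterate var="__test" in="testsList">
+                  <sequence>
+                    <call function="'%s' % (__test)" />
+                  </sequence>
+                </iterate>
+              </sequence>
+              <catch exception="'STAFException.TestSuite.SetupException'">
+                <sequence>
+                  <message log="1" level="'fatal'">
+                  'Setup of test suite failed.'
+                  </message>
+                  <rethrow/>
+                </sequence>
+              </catch>
+              <finally>
+                <message>'Test Cases Completed.'</message>
+              </finally>
+            </try>
+          </sequence>
+          <finally>
+            <sequence>
+              <!-- Test Suite Cleanup -->
+              <message>'Finally: Global Schema Cleanup.'</message>
+              <try>
+                <call function="'common_cleanup'" />
+                <catch exception="'STAFException'">
+                  <sequence>
+                    <message log="1" level="'fatal'">'Cleanup of test suite failed.'</message>
+                  </sequence>
+                </catch>
+                <finally>
+                  <call function="'testSuite_Postamble'"/>
+                </finally>
+              </try>
+            </sequence>
+          </finally>
+        </try>
+      </block>
+    </sequence>
+  </function>
+</stax>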
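Review bot: The suite header comment in core_psearch.xml describes only delete tests (`#@TestSuiteName PSearch delete Tests`, with a purpose limited to "delete operations"), while `testsList` also runs the modify, moddn and add cases, so documentation generated from these tags will under-report what the suite covers. I would change it to `#@TestSuiteName PSearch Tests` and give a purpose that names add, delete, modify and moddn. `#@TestScript psearch.xml` also does not match the file name `core_psearch.xml`. The cleanup message `'Finally: Global Schema Cleanup.'` looks carried over from another suite; `'Finally: PSearch Cleanup.'` would be easier to attribute when reading the logs.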
opends/tests/staf-tests/functional-tests/testcases/core/psearch/core_psearch_tests.xml
New file
@@ -0,0 +1,1191 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <!--- Test Case information
  #@TestMarker          Core PSearch Tests
  #@TestName            Core: PSearch: Import  LDIF file
  #@TestID              Import  LDIF file
  #@TestPurpose         Import LDIF file using the default backend and start the server
  #@TestPreamble
  #@TestSteps
  #@TestPostamble
  #@TestResult      Test is successful if the result code is 0
  -->
  <function name="core_psearch_import-ldif_1" scope="local">
    <testcase name="getTestCaseName('Import  LDIF file')">
      <try>
        <sequence>
          <call function="'testCase_Preamble'"/>
          <call function="'ImportLdifWithScript'">
            {
              'dsLdifFile'  : '%s/core/psearch/default.ldif' % remote.data,
              'dsBackEnd'   : DIRECTORY_INSTANCE_BE
            }
          </call>
          <call function="'checkImport'">
            { 'expectedEntries' : ['uid=scarter,ou=People,dc=example,dc=com',
                                   'uid=dmiller, ou=People, dc=example,dc=com',
                                   'uid=rhunt, ou=People, dc=example,dc=com'] }
          </call>
          <call function="'StartDsWithScript'"/>
        </sequence>
        <catch exception="'STAXException.*'" typevar="eType" var="eInfo">
          <message log="1" level="'fatal'">
            '%s: Test failed. eInfo(%s)' % (eType,eInfo)
          </message>
        </catch>
        <finally>
          <call function="'testCase_Postamble'"/>
        </finally>
      </try>
    </testcase>
  </function>
  <!--- Test Case information
  #@TestMarker          Core PSearch Tests
  #@TestName            Core: PSearch: Delete entries
  #@TestID              Delete entries
  #@TestPurpose         Verify PSearch with "delete" option, detect delete operations
  #@TestPreamble
  #@TestSteps         Start PSearch with "delete" option, in parallel delete some entries
  #@TestPostamble
  #@TestResult      Test is successful if the result code is 0
  -->
  <function name="core_psearch_delete_1" scope="local">
    <testcase name="getTestCaseName('Delete entries')">
      <try>
        <sequence>
          <call function="'testCase_Preamble'"/>
          <parallel>
            <sequence>
              <message>
                'psearch_delete: starting the psearch client with "delete" option'
              </message>
              <call function="'psearch'">
              {
                'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                'dsBaseDn'       : "dc=example,dc=com",
                'operation'      : "delete",
                'ldif'           : "True",
                'outputFile'     : '%s/core/psearch/delete/delete.out' % remote.data
              }
              </call>
            </sequence>
            <sequence>
              <message>
                'psearch_delete: wait event from psearch'
              </message>
              <call function="'WaitEvent'">
               {
                 'location' : STAF_REMOTE_HOSTNAME ,
                 'name'     : 'PSearch/Ready'
               }
              </call>
              <message>
                'psearch_delete: delete event from psearch'
              </message>
              <call function="'DeleteEvent'">
              {
                'location' : STAF_REMOTE_HOSTNAME ,
                'name'     : 'PSearch/Ready'
              }
              </call>
              <message>
                'psearch_delete: delete  entries tmorris,abergin,jwalker,tclow'
              </message>
              <call function="'ldapDeleteWithScript'">
              {
                'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                'dsFilename'     : '%s/core/psearch/delete/delete.ldif' % remote.data
              }
              </call>
              <call function="'SendEvent'">
              {
                'location' : STAF_REMOTE_HOSTNAME ,
                'name'     : 'PSearch tests/Completed'
              }
              </call>
              <message>
            'psearch_delete: Check all delete operations have been successfully detected'
              </message>
              <call function="'LdifDiffWithScript'">
              {
                'sourceLdif' : '%s/core/psearch/delete/delete.out' % remote.data,
                'targetLdif' : '%s/core/psearch/delete/delete.ref' % remote.data,
                'outputLdif' : '%s/delete.out' % remote.temp
              }
              </call>
              <if expr="STAXResult != 0">
                <tcstatus result="'fail'"/>
              </if>
            </sequence>
          </parallel>
        </sequence>
        <catch exception="'STAXException.*'" typevar="eType" var="eInfo">
          <message log="1" level="'fatal'">
            '%s: Test failed. eInfo(%s)' % (eType,eInfo)
          </message>
        </catch>
        <finally>
          <call function="'testCase_Postamble'"/>
        </finally>
      </try>
    </testcase>
  </function>
    <!--- Test Case information
  #@TestMarker          Core PSearch Tests
  #@TestName            Core: PSearch: Add-Modify-Moddn entries
  #@TestID              Add-Modify-Moddn entries
  #@TestPurpose         Verify PSearch with "delete" option, no detect other  operations
  #@TestPreamble
  #@TestSteps         Start PSearch with "delete" option, in parallel make the following operations modify add moddn
  #@TestPostamble
  #@TestResult      Test is successful if the result code is 0
  -->
  <function name="core_psearch_delete_2" scope="local">
    <testcase name="getTestCaseName('Add-Modify-Moddn entries')">
      <try>
        <sequence>
          <call function="'testCase_Preamble'"/>
          <parallel>
            <sequence>
              <message>
                'psearch_delete_blank: starting the psearch client with "delete" option'
              </message>
              <call function="'psearch'">
                {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                  'dsBaseDn'       : "dc=example,dc=com",
                  'operation'      : "delete",
                  'ldif'           : "True",
                  'outputFile'     : '%s/core/psearch/delete/delete_blank.out' % remote.data
                }
              </call>
            </sequence>
            <sequence>
              <message>
                'psearch_delete_blank: wait event from psearch'
              </message>
              <call function="'WaitEvent'">
               {
                 'location' : STAF_REMOTE_HOSTNAME ,
                 'name'     : 'PSearch/Ready'
               }
              </call>
              <message>
                'psearch_delete_blank: delete event from psearch'
              </message>
              <call function="'DeleteEvent'">
              {
                'location' : STAF_REMOTE_HOSTNAME ,
                'name'     : 'PSearch/Ready'
              }
              </call>
              <message>
                'psearch_delete_blank: add entry uid=Bada Boum,ou=People,dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/delete/add.ldif' % remote.data
                }
              </call>
              <message>
                'psearch_delete_blank: moddn entry uid=elott, ou=People, dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/delete/moddn.ldif' % remote.data
                }
              </call>
              <message>
                'psearch_delete_blank: modify entry uid=rschneid, ou=People, dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/delete/modify.ldif' % remote.data
                }
              </call>
              <call function="'SendEvent'">
              {
              'location' : STAF_REMOTE_HOSTNAME ,
              'name'     : 'PSearch tests/Completed'
              }
              </call>
            </sequence>
          </parallel>
          <message>
            'psearch_delete: Check "modify,add,moddn" operations have not been detected'
          </message>
          <call function="'GetEntry'">
            {
              'location'  : STAF_REMOTE_HOSTNAME ,
              'entry'     :  '%s/core/psearch/delete/delete_blank.out' % remote.data,
              'attribute' : 'TYPE'
            }
          </call>
          <if expr="RC != 48">
            <tcstatus result="'fail'"/>
          </if>
        </sequence>
        <catch exception="'STAXException.*'" typevar="eType" var="eInfo">
          <message log="1" level="'fatal'">
            '%s: Test failed. eInfo(%s)' % (eType,eInfo)
          </message>
        </catch>
        <finally>
          <call function="'testCase_Postamble'"/>
        </finally>
      </try>
    </testcase>
  </function>
   <!--- Test Case information
  #@TestMarker          Core PSearch Tests
  #@TestName            Core: PSearch: Modify entries
  #@TestID              Modify entries
  #@TestPurpose         Verify PSearch with "modify" option, detect modify operations
  #@TestPreamble
  #@TestSteps         Start PSearch with "modify" option, in parallel modify some entries
  #@TestPostamble
  #@TestResult      Test is successful if the result code is 0
  -->
  <function name="core_psearch_modify_1" scope="local">
    <testcase name="getTestCaseName('Modify entries')">
      <try>
        <sequence>
          <call function="'testCase_Preamble'"/>
          <parallel>
            <sequence>
              <message>
                'psearch_modify: starting the psearch client with "modify" option'
              </message>
              <call function="'psearch'">
              {
                'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                'dsBaseDn'       : "dc=example,dc=com",
                'operation'      : "modify",
                'ldif'           : "True",
                'outputFile'     : '%s/core/psearch/modify/modify.out' % remote.data
              }
              </call>
            </sequence>
            <sequence>
              <message>
                'psearch_modify: wait event from psearch'
              </message>
              <call function="'WaitEvent'">
             {
               'location' : STAF_REMOTE_HOSTNAME ,
               'name'     : 'PSearch/Ready'
             }
              </call>
              <message>
                'psearch_modify: delete event from psearch'
              </message>
              <call function="'DeleteEvent'">
              {
                'location' : STAF_REMOTE_HOSTNAME ,
                'name'     : 'PSearch/Ready'
              }
              </call>
              <message>
                'psearch_modify: modify entries uid=bjensen, ou=People, dc=example,dc=com\
                uid=mwhite, ou=People, dc=example,dc=com\
                uid=mtalbot, ou=People, dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/modify/modify.ldif' % remote.data
                }
              </call>
              <call function="'SendEvent'">
                {
                  'location' : STAF_REMOTE_HOSTNAME ,
                  'name'     : 'PSearch tests/Completed'
                }
              </call>
              <message>
            'psearch_modify: Check all modify operations have been successfully detected'
              </message>
              <call function="'LdifDiffWithScript'">
              {
                'sourceLdif' : '%s/core/psearch/modify/modify.out' % remote.data,
                'targetLdif' : '%s/core/psearch/modify/modify.ref' % remote.data,
                'outputLdif' : '%s/modify.out' % remote.temp
              }
              </call>
              <if expr="STAXResult != 0">
                <tcstatus result="'fail'"/>
              </if>
            </sequence>
          </parallel>
        </sequence>
        <catch exception="'STAXException.*'" typevar="eType" var="eInfo">
          <message log="1" level="'fatal'">
            '%s: Test failed. eInfo(%s)' % (eType,eInfo)
          </message>
        </catch>
        <finally>
          <call function="'testCase_Postamble'"/>
        </finally>
      </try>
    </testcase>
  </function>
   <!--- Test Case information
  #@TestMarker          Core PSearch Tests
  #@TestName            Core: PSearch: Add-Delete-Moddn entries
  #@TestID              Add-Delete-Moddn entries
  #@TestPurpose         Verify PSearch with "modify" option, no detect other  operations
  #@TestPreamble
  #@TestSteps         Start PSearch with "modify" option, in parallel make the following operations add  delete moddn
  #@TestPostamble
  #@TestResult      Test is successful if the result code is 0
  -->
  <function name="core_psearch_modify_2" scope="local">
    <testcase name="getTestCaseName('Add-Delete-Moddn entries')">
      <try>
        <sequence>
          <call function="'testCase_Preamble'"/>
          <parallel>
            <sequence>
              <message>
                'psearch_modify_blank: starting the psearch client with "modify" option'
              </message>
              <call function="'psearch'">
              {
                'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                'dsBaseDn'       : "dc=example,dc=com",
                'operation'      : "modify",
                'ldif'           : "True",
                'outputFile'     : '%s/core/psearch/modify/modify_blank.out' % remote.data
              }
              </call>
            </sequence>
            <sequence>
              <message>
                'psearch_modify_blank: wait event from psearch'
              </message>
              <call function="'WaitEvent'">
               {
                 'location' : STAF_REMOTE_HOSTNAME ,
                 'name'     : 'PSearch/Ready'
               }
              </call>
              <message>
                'psearch_modify_blank: delete event from psearch'
              </message>
              <call function="'DeleteEvent'">
                {
                'location' : STAF_REMOTE_HOSTNAME ,
                'name'     : 'PSearch/Ready'
                }
              </call>
              <message>
                'psearch_modify_blank: add entry uid=Bidi Bim,ou=People,dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                  {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/modify/add.ldif' % remote.data
                  }
              </call>
              <message>
                'psearch_modify_blank: moddn entry uid=elotte, ou=People, dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                  {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/modify/moddn.ldif' % remote.data
                  }
              </call>
              <message>
                'psearch_modify_blank: delete entry Bidi Bim,ou=People,dc=example,dc=com'
              </message>
              <call function="'ldapDeleteWithScript'">
                  {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/modify/delete.ldif' % remote.data
                  }
              </call>
              <call function="'SendEvent'">
                {
                  'location' : STAF_REMOTE_HOSTNAME ,
                  'name'     : 'PSearch tests/Completed'
                }
              </call>
            </sequence>
          </parallel>
          <message>
            'psearch_modify: Check "delete,add,moddn" operations have not been detected'
          </message>
          <call function="'GetEntry'">
            {
            'location'  : STAF_REMOTE_HOSTNAME ,
            'entry'     :  '%s/core/psearch/modify/modify_blank.out' % remote.data,
            'attribute' : 'TYPE'
            }
          </call>
          <if expr="RC != 48">
            <tcstatus result="'fail'"/>
          </if>
        </sequence>
        <catch exception="'STAXException.*'" typevar="eType" var="eInfo">
          <message log="1" level="'fatal'">
            '%s: Test failed. eInfo(%s)' % (eType,eInfo)
          </message>
        </catch>
        <finally>
          <call function="'testCase_Postamble'"/>
        </finally>
      </try>
    </testcase>
  </function>
   <!--- Test Case information
  #@TestMarker          Core PSearch Tests
  #@TestName            Core: PSearch: Moddn entries
  #@TestID              Moddn entries
  #@TestPurpose         Verify PSearch with "moddn" option, detect moddn operations
  #@TestPreamble
  #@TestSteps         Start PSearch with "moddn" option, in parallel moddn some entries
  #@TestPostamble
  #@TestResult      Test is successful if the result code is 0
  -->
  <function name="core_psearch_moddn_1" scope="local">
    <testcase name="getTestCaseName('Moddn entries')">
      <try>
        <sequence>
          <call function="'testCase_Preamble'"/>
          <parallel>
            <sequence>
              <message>
                'psearch_moddn: starting the psearch client with "moddn" option'
              </message>
              <call function="'psearch'">
                {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                  'dsBaseDn'       : "dc=example,dc=com",
                  'operation'      : "moddn",
                  'ldif'           : "True",
                  'outputFile'     : '%s/core/psearch/moddn/moddn.out' % remote.data
                }
              </call>
            </sequence>
            <sequence>
              <message>
                'psearch_moddn: wait event from psearch'
              </message>
              <call function="'WaitEvent'">
             {
               'location' : STAF_REMOTE_HOSTNAME ,
               'name'     : 'PSearch/Ready'
             }
              </call>
              <message>
                'psearch_moddn: delete event from psearch'
              </message>
              <call function="'DeleteEvent'">
                {
                'location' : STAF_REMOTE_HOSTNAME ,
                'name'     : 'PSearch/Ready'
                }
              </call>
              <message>
                 'psearch_moddn: moddn entries uid=mreuter, ou=People, dc=example,dc=com \
                  uid=jgoldste, ou=People, dc=example,dc=com \
                  uid=dlanoway, ou=People, dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                  {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/moddn/moddn.ldif' % remote.data
                  }
              </call>
              <call function="'SendEvent'">
                {
                'location' : STAF_REMOTE_HOSTNAME ,
                'name'     : 'PSearch tests/Completed'
                }
              </call>
              <message>
                'psearch_moddn: Check all moddn operations have been successfully detected'
              </message>
              <call function="'LdifDiffWithScript'">
                {
                  'sourceLdif' : '%s/core/psearch/moddn/moddn.out' % remote.data,
                  'targetLdif' : '%s/core/psearch/moddn/moddn.ref' % remote.data,
                  'outputLdif' : '%s/moddn.out' % remote.temp
                }
              </call>
              <if expr="STAXResult != 0">
                <tcstatus result="'fail'"/>
              </if>
            </sequence>
          </parallel>
        </sequence>
        <catch exception="'STAXException.*'" typevar="eType" var="eInfo">
          <message log="1" level="'fatal'">
            '%s: Test failed. eInfo(%s)' % (eType,eInfo)
          </message>
        </catch>
        <finally>
          <call function="'testCase_Postamble'"/>
        </finally>
      </try>
    </testcase>
  </function>
  <!--- Test Case information
  #@TestMarker          Core PSearch Tests
  #@TestName            Core: PSearch: Add-Delete-Modify entries
  #@TestID              Add-Delete-Modify entries
  #@TestPurpose         Verify PSearch with "moddn" option, no detect other  operations
  #@TestPreamble
  #@TestSteps         Start PSearch with "moddn" option, in parallel make the following operations add  delete modify
  #@TestPostamble
  #@TestResult      Test is successful if the result code is 0
  -->
  <function name="core_psearch_moddn_2" scope="local">
    <testcase name="getTestCaseName('Add-Delete-Modify entries')">
      <try>
        <sequence>
          <call function="'testCase_Preamble'"/>
          <parallel>
            <sequence>
              <message>
                'psearch_moddn_blank: starting the psearch client with "moddn" option'
              </message>
              <call function="'psearch'">
                {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                  'dsBaseDn'       : "dc=example,dc=com",
                  'operation'      : "moddn",
                  'ldif'           : "True",
                  'outputFile'     : '%s/core/psearch/moddn/moddn_blank.out' % remote.data
                }
              </call>
            </sequence>
            <sequence>
              <message>
                'psearch_moddn_blank: wait event from psearch'
              </message>
              <call function="'WaitEvent'">
               {
                 'location' : STAF_REMOTE_HOSTNAME ,
                 'name'     : 'PSearch/Ready'
               }
              </call>
              <message>
                'psearch_modify_blank: delete event from psearch'
              </message>
              <call function="'DeleteEvent'">
                {
                'location' : STAF_REMOTE_HOSTNAME ,
                'name'     : 'PSearch/Ready'
                }
              </call>
              <message>
                'psearch_moddn_blank: add entry uid=Bobo Baba,ou=People,dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                  {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/moddn/add.ldif' % remote.data
                  }
              </call>
              <message>
                'psearch_moddn_blank: modify entry lrentz, ou=People, dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                  {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/moddn/modify.ldif' % remote.data
                  }
              </call>
              <message>
                'psearch_moddn_blank: delete entry uid=Bobo Baba,ou=People,dc=example,dc=com'
              </message>
              <call function="'ldapDeleteWithScript'">
                  {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/moddn/delete.ldif' % remote.data
                  }
              </call>
              <call function="'SendEvent'">
                {
                'location' : STAF_REMOTE_HOSTNAME ,
                'name'     : 'PSearch tests/Completed'
                }
              </call>
            </sequence>
          </parallel>
          <message>
            'psearch_moddn: Check "delete,add,modify" operations have not been detected'
          </message>
          <call function="'GetEntry'">
            {
              'location'  : STAF_REMOTE_HOSTNAME ,
              'entry'     :  '%s/core/psearch/moddn/moddn_blank.out' % remote.data,
              'attribute' : 'TYPE'
            }
          </call>
          <if expr="RC != 48">
            <tcstatus result="'fail'"/>
          </if>
        </sequence>
        <catch exception="'STAXException.*'" typevar="eType" var="eInfo">
          <message log="1" level="'fatal'">
            '%s: Test failed. eInfo(%s)' % (eType,eInfo)
          </message>
        </catch>
        <finally>
          <call function="'testCase_Postamble'"/>
        </finally>
      </try>
    </testcase>
  </function>
   <!--- Test Case information
  #@TestMarker          Core PSearch Tests
  #@TestName            Core: PSearch: Add entries
  #@TestID              Add entries
  #@TestPurpose         Verify PSearch with "add" option, detect add operations
  #@TestPreamble
  #@TestSteps         Start PSearch with "add" option, in parallel add some entries
  #@TestPostamble
  #@TestResult      Test is successful if the result code is 0
  -->
  <function name="core_psearch_add_1" scope="local">
    <testcase name="getTestCaseName('Add entries')">
      <try>
        <sequence>
          <call function="'testCase_Preamble'"/>
          <parallel>
            <sequence>
              <message>
                'psearch_add: starting the psearch client with "add" options'
              </message>
              <call function="'psearch'">
              {
                'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                'dsBaseDn'       : "dc=example,dc=com",
                'operation'      : "add",
                'ldif'           : "True",
                'outputFile'     : '%s/core/psearch/add/add.out' % remote.data
              }
              </call>
            </sequence>
            <sequence>
              <message>
                'psearch_add: wait event from psearch'
              </message>
              <call function="'WaitEvent'">
               {
                 'location' : STAF_REMOTE_HOSTNAME ,
                 'name'     : 'PSearch/Ready'
               }
              </call>
              <message>
                'psearch_add: delete event from psearch'
              </message>
              <call function="'DeleteEvent'">
                {
                  'location' : STAF_REMOTE_HOSTNAME ,
                  'name'     : 'PSearch/Ready'
                }
              </call>
              <message>
                'psearch_add: add entries uid=Bil Bo,ou=People,dc=example,dc=com \
                Blam Blo,ou=People,dc=example,dc=com \
                Blum Blue,ou=People,dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                  {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/add/add.ldif' % remote.data
                  }
              </call>
              <call function="'SendEvent'">
              {
              'location' : STAF_REMOTE_HOSTNAME ,
              'name'     : 'PSearch tests/Completed'
              }
              </call>
              <message>
            'psearch_add: Check all add operations have been successfully detected'
              </message>
              <call function="'LdifDiffWithScript'">
              {
                'sourceLdif' : '%s/core/psearch/add/add.out' % remote.data,
                'targetLdif' : '%s/core/psearch/add/add.ref' % remote.data,
                'outputLdif' : '%s/add.out' % remote.temp
              }
              </call>
              <if expr="STAXResult != 0">
                <tcstatus result="'fail'"/>
              </if>
            </sequence>
          </parallel>
        </sequence>
        <catch exception="'STAXException.*'" typevar="eType" var="eInfo">
          <message log="1" level="'fatal'">
            '%s: Test failed. eInfo(%s)' % (eType,eInfo)
          </message>
        </catch>
        <finally>
          <call function="'testCase_Postamble'"/>
        </finally>
      </try>
    </testcase>
  </function>
   <!--- Test Case information
  #@TestMarker          Core PSearch Tests
  #@TestName            Core: PSearch: Moddn-Delete-Modify entries
  #@TestID              Moddn-Delete-Modify entries
  #@TestPurpose         Verify PSearch with "add" option, no detect other  operations
  #@TestPreamble
  #@TestSteps         Start PSearch with "add" option, in parallel make the following operations moddn  delete modify
  #@TestPostamble
  #@TestResult      Test is successful if the result code is 0
  -->
  <function name="core_psearch_add_2" scope="local">
    <testcase name="getTestCaseName('Moddn-Delete-Modify entries')">
      <try>
        <sequence>
          <call function="'testCase_Preamble'"/>
          <parallel>
            <sequence>
              <message>
                'psearch_add_blank: starting the psearch client with "add" option'
              </message>
              <call function="'psearch'">
              {
                'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
                'dsBaseDn'       : "dc=example,dc=com",
                'operation'      : "add",
                'ldif'           : "True",
                'outputFile'     : '%s/core/psearch/add/add_blank.out' % remote.data
              }
              </call>
            </sequence>
            <sequence>
              <message>
                'psearch_add_blank: wait event from psearch'
              </message>
              <call function="'WaitEvent'">
               {
                 'location' : STAF_REMOTE_HOSTNAME ,
                 'name'     : 'PSearch/Ready'
               }
              </call>
              <message>
                'psearch_add_blank: delete event from psearch'
              </message>
              <call function="'DeleteEvent'">
                {
                  'location' : STAF_REMOTE_HOSTNAME ,
                  'name'     : 'PSearch/Ready'
                }
              </call>
              <message>
                'psearch_add_blank: modify entry uid=Blam Blo, ou=People, dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/add/modify.ldif' % remote.data
                }
              </call>
              <message>
                'psearch_add_blank: moodn entry uid=Bil Bo, ou=People, dc=example,dc=com'
              </message>
              <call function="'ldapModifyWithScript'">
                {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/add/moddn.ldif' % remote.data
                }
              </call>
              <message>
                'psearch_add_blank: delete entry uid=Blum Blue,ou=People,dc=example,dc=com'
              </message>
              <call function="'ldapDeleteWithScript'">
                {
                  'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                  'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
                  'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                  'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                  'dsFilename'     : '%s/core/psearch/add/delete.ldif' % remote.data
                }
              </call>
              <call function="'SendEvent'">
              {
              'location' : STAF_REMOTE_HOSTNAME ,
              'name'     : 'PSearch tests/Completed'
              }
              </call>
            </sequence>
          </parallel>
          <message>
            'psearch_add: Check "delete,moddn,modify" operations have not been detected'
          </message>
          <call function="'GetEntry'">
            {
              'location'  : STAF_REMOTE_HOSTNAME ,
              'entry'     :  '%s/core/psearch/add/add_blank.out' % remote.data,
              'attribute' : 'TYPE'
            }
          </call>
          <if expr="RC != 48">
            <tcstatus result="'fail'"/>
          </if>
        </sequence>
        <catch exception="'STAXException.*'" typevar="eType" var="eInfo">
          <message log="1" level="'fatal'">
            '%s: Test failed. eInfo(%s)' % (eType,eInfo)
          </message>
        </catch>
        <finally>
          <call function="'testCase_Postamble'"/>
        </finally>
      </try>
    </testcase>
  </function>
</stax>
opends/tests/staf-tests/functional-tests/testcases/dsml/dsml_setup.xml
@@ -103,6 +103,14 @@
                'remotehost' : STAXServiceMachine
                }
              </call>
              <call function="'copyFile'">
                {
                'location'   : STAF_REMOTE_HOSTNAME,
                'srcfile'    : '%s/../../ext/emma/lib/emma.jar' % TESTS_ROOT,
                'destfile'   : '%s/dsml/STAF-INF/jars/emma.jar' % TMPDIR,
                'remotehost' : STAXServiceMachine
                }
              </call>
              <script>
                if is_windows_platform(STAXServiceMachine):
@@ -111,6 +119,7 @@
                  separator=':'
                opendsjar='%s/dsml/STAF-INF/jars/OpenDS.jar' % TMPDIR
                emmajar='%s/dsml/STAF-INF/jars/emma.jar' % TMPDIR
                dsmlclasses='%s/dsml/STAF-INF/classes' % TMPDIR
              </script>
@@ -130,8 +139,8 @@
                'location'   : STAXServiceMachine,
                'foldername' : '%s/src' % TESTS_DSML_DIR,
                'destfolder' : '%s/dsml/STAF-INF/classes' % TMPDIR,
                'classpath'  : '%s%s%s%s%s' \
                               % (opendsjar,separator,dsmlclasses,separator,cp)
                'classpath'  : '%s%s%s%s%s%s%s' \
                               % (opendsjar,separator,emmajar,separator,dsmlclasses,separator,cp)
                }
              </call>
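Review bot: The classpath in the third hunk is now a seven-placeholder format string, `'%s%s%s%s%s%s%s' % (opendsjar,separator,emmajar,separator,dsmlclasses,separator,cp)`, which has to be recounted each time a jar is added; `separator.join([opendsjar, emmajar, dsmlclasses, cp])` yields the same string and cannot drift out of step with its arguments. The first hunk copies `emma.jar` unconditionally, and nothing in the visible lines checks the result of that `copyFile`, so a checkout without `ext/emma` would presumably only surface later as a compile failure. A short comment above the new call, for example `<!-- emma.jar is needed on the DSML compile classpath for coverage runs -->` (wording to be confirmed by the author), would record why a jar from `ext/` is placed ahead of `dsmlclasses` and `cp`. The enclosing function starts and ends outside these hunks.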
opends/tests/staf-tests/functional-tests/testcases/replication/aci/aci.xml
New file
@@ -0,0 +1,1082 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../../shared/stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Copyright 2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="replication_aci"/>
  <function name="replication_aci">
    <sequence>
      <block name="'aci'">
        <sequence>
          <script>
            if not CurrentTestPath.has_key('group'):
              CurrentTestPath['group']='aci'
            CurrentTestPath['suite']=STAXCurrentBlock
          </script>
          <call function="'testSuite_Preamble'"/>
          <!--- Test Suite information
          #@TestSuiteName       Replication ACI Tests
          #@TestSuitePurpose    Verify that updates on ACIs are replicated all
                                right and are applied accordingly across the
                                topology.
          #@TestSuiteID         ACI Tests
          #@TestSuiteGroup      ACI
          #@TestGroup           Replication
          #@TestScript          replication_aci.xml
          #@TestHTMLLink        http://opends.dev.java.net/
          -->
          <import machine="STAF_LOCAL_HOSTNAME"
            file="'%s/testcases/replication/replication_setup.xml'
                  % (TESTS_DIR)"/>
          <call function="'replication_setup'">
            { 'dataFile' : 'Short_Example.ldif' }
          </call>
          <script>
            class Entry:
              def __init__(self, rdn, suffix):
                self.userDn = '%s,ou=People,%s' \
                              % (rdn, suffix)
                self.suffix = suffix
                self.listAttr = []
                self.listAttr.append('objectclass:top')
                self.listAttr.append('objectclass:organizationalperson')
                self.listAttr.append('objectclass:inetorgperson')
                self.listAttr.append('objectclass:person')
              def getDn(self):
                return self.userDn
              def getSuffix(self):
                return self.suffix
              def getAttrList(self):
                return self.listAttr
              def addAttr(self, attrType, attrValue):
                self.listAttr.append('%s:%s' % (attrType, attrValue))
          </script>
          <!--- Test Case information
          #@TestMarker          Replication ACI Tests
          #@TestName            Replication: ACI: Add entry with ACI
          #@TestID              Add entry with ACI
          #@TestPurpose         Check ACI replication over an entry add
          #@TestPreamble
          #@TestSteps           Add entry with ACI: deny self description write
          #@TestSteps           Binding as entry, add givenname to entry
                                (expect SUCCESS)
          #@TestSteps           Binding as entry, add description to entry
                                (expect ERROR 50)
          #@TestPostamble
          #@TestResult          Success if the servers synchronised and the aci
                                correctly applied after replication
          -->
          <testcase name="getTestCaseName('Add entry with ACI')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Replication: ACI: Add entry with ACI. Check ACI replication \
                over an entry add.'
              </message>
              <script>
                myAci = "(targetattr=\"description\")(version 3.0; acl \"Deny Self Description Write\"; deny (write) userdn=\"ldap:///self\";)"
                myUserpassword = 'entryPwd'
                myEntry = Entry('cn=ACI entry', synchroSuffix)
                myEntry.addAttr('sn', 'ACI repl tests')
                myEntry.addAttr('aci', myAci)
                myEntry.addAttr('userpassword', myUserpassword)
              </script>
              <!-- Add entry to "master" server with aci:
               !   (targetattr="description")(version 3.0; acl
               !   "Deny Self Description Write"; deny (write)
               !   userdn="ldap:///self";)
              -->
              <message>
                'Add entry %s with ACI: \n%s' % (myEntry.getDn(), myAci)
              </message>
              <call function="'addAnEntry'">
                { 'location'       : masterHost,
                  'dsPath'         : masterPath,
                  'dsInstanceHost' : masterHost,
                  'dsInstancePort' : master.getPort(),
                  'dsInstanceDn'   : master.getRootDn(),
                  'dsInstancePswd' : master.getRootPwd(),
                  'DNToAdd'        : myEntry.getDn(),
                  'listAttributes' : myEntry.getAttrList()
                }
              </call>
              <message>
                '+++ New ACI +++\nDeny "%s" the access to write its own \
                description attribute.' % myEntry.getDn()
              </message>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath    = '%s/%s' % (server.getDir(), OPENDSNAME)
                    myGivenname   = 'My own GIVENNAME value %s' % i
                    myDescription = 'My own DESCRIPTION value %s' % i
                  </script>
                  <message>
                    'Binding as "%s", add givenname %s to entry %s on server \
                    %s:%s. -- Expect: SUCCESS' % \
                    (myEntry.getDn(), myGivenname, myEntry.getDn(),
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Modify entry on one of the servers -->
                  <call function="'modifyAnAttribute'">
                    { 'location'          : server.getHostname(),
                      'dsPath'            : serverPath,
                      'dsInstanceHost'    : server.getHostname(),
                      'dsInstancePort'    : server.getPort(),
                      'dsInstanceDn'      : myEntry.getDn(),
                      'dsInstancePswd'    : myUserpassword,
                      'DNToModify'        : myEntry.getDn(),
                      'attributeName'     : 'givenname',
                      'newAttributeValue' : myGivenname,
                      'changetype'        : 'add'
                    }
                  </call>
                  <message>
                    'Binding as "%s", add description %s to entry %s on \
                    server %s:%s. -- Expect: ERROR 50 (Insufficient Access \
                    Rights)' % \
                    (myEntry.getDn(), myDescription, myEntry.getDn(),
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Modify entry on one of the servers -->
                  <call function="'modifyAnAttribute'">
                    { 'location'          : server.getHostname(),
                      'dsPath'            : serverPath,
                      'dsInstanceHost'    : server.getHostname(),
                      'dsInstancePort'    : server.getPort(),
                      'dsInstanceDn'      : myEntry.getDn(),
                      'dsInstancePswd'    : myUserpassword,
                      'DNToModify'        : myEntry.getDn(),
                      'attributeName'     : 'description',
                      'newAttributeValue' : myDescription,
                      'changetype'        : 'add',
                      'expectedRC'        : 50
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Verify the synchronization of the trees among the servers in
                the topology -->
              <call function="'verifyTrees'">
                [ clientHost, clientPath, master, consumerList, synchroSuffix ]
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          Replication ACI Tests
          #@TestName            Replication: ACI: Modify_add ACI
          #@TestID              Modify_add ACI
          #@TestPurpose         Check ACI replication over a modify_add
          #@TestPreamble        Add a user entry to suffix
          #@TestSteps           Binding as user, add description to child entry
                                (expect ERROR 50)
          #@TestSteps           Add ACI to parent entry: allow user full access
                                to all description attributes
          #@TestSteps           Binding as user, add description to child entry
                                (expect SUCCESS)
          #@TestPostamble
          #@TestResult          Success if the servers synchronised and the aci
                                correctly applied after replication
          -->
          <testcase name="getTestCaseName('Modify_add ACI')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Replication: ACI: Modify_add ACI. Check ACI replication \
                over a modify_add.'
              </message>
              <script>
                myAci = "(targetattr=\"description\")(version 3.0; acl \"Allow ACI-user access to description\"; allow (all) userdn=\"ldap:///cn=ACI user,ou=People,%s\";)" % synchroSuffix
                mySn = 'ACI repl user'
                myUserpassword = 'userPwd'
                myEntry = Entry('cn=ACI user', synchroSuffix)
                myEntry.addAttr('sn', mySn)
                myEntry.addAttr('userpassword', myUserpassword)
                myTargetEntryDn = 'uid=sholmes,ou=People,%s' % synchroSuffix
              </script>
              <!-- Add user entry to "master" server -->
              <message>
                'Add user entry %s' % myEntry.getDn()
              </message>
              <call function="'addAnEntry'">
                { 'location'       : masterHost,
                  'dsPath'         : masterPath,
                  'dsInstanceHost' : masterHost,
                  'dsInstancePort' : master.getPort(),
                  'dsInstanceDn'   : master.getRootDn(),
                  'dsInstancePswd' : master.getRootPwd(),
                  'DNToAdd'        : myEntry.getDn(),
                  'listAttributes' : myEntry.getAttrList()
                }
              </call>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath    = '%s/%s' % (server.getDir(), OPENDSNAME)
                    myDescription = 'He was a serious opium adict - %s' % i
                  </script>
                  <message>
                    'Binding as "%s", add description %s to entry %s on \
                    server %s:%s. -- Expect: ERROR 50 (Insufficient Access \
                    Rights)' % \
                    (myEntry.getDn(), myDescription, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Modify entry on one of the servers -->
                  <call function="'modifyAnAttribute'">
                    { 'location'          : server.getHostname(),
                      'dsPath'            : serverPath,
                      'dsInstanceHost'    : server.getHostname(),
                      'dsInstancePort'    : server.getPort(),
                      'dsInstanceDn'      : myEntry.getDn(),
                      'dsInstancePswd'    : myUserpassword,
                      'DNToModify'        : myTargetEntryDn,
                      'attributeName'     : 'description',
                      'newAttributeValue' : myDescription,
                      'changetype'        : 'add',
                      'expectedRC'        : 50
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Add aci to entry ou=People,o=example on "master" server:
               !   (targetattr="description")(version 3.0; acl
               !   "Allow ACI-user access to description"; allow (all)
               !   userdn="ldap:///cn=ACI user,ou=People,o=example";)
              -->
              <message>
                'Add ACI to entry ou=People,%s: \n%s' % (synchroSuffix, myAci)
              </message>
              <call function="'modifyAnAttribute'">
                { 'location'          : masterHost,
                  'dsPath'            : masterPath,
                  'dsInstanceHost'    : masterHost,
                  'dsInstancePort'    : master.getPort(),
                  'dsInstanceDn'      : master.getRootDn(),
                  'dsInstancePswd'    : master.getRootPwd(),
                  'DNToModify'        : 'ou=People,%s' % synchroSuffix,
                  'attributeName'     : 'aci',
                  'newAttributeValue' : myAci,
                  'changetype'        : 'add'
                }
              </call>
              <message>
                '+++ New ACI +++\nAllow "%s" full access to all description \
                attributes under ou=People,%s.' % \
                (myEntry.getDn(), synchroSuffix)
              </message>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath    = '%s/%s' % (server.getDir(), OPENDSNAME)
                    myDescription = 'He was a serious opium adict - %s' % i
                  </script>
                  <message>
                    'Binding as "%s", add description %s to entry %s on \
                    server %s:%s. -- Expect: SUCCESS' % \
                    (myEntry.getDn(), myDescription, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Modify entry on one of the servers -->
                  <call function="'modifyAnAttribute'">
                    { 'location'          : server.getHostname(),
                      'dsPath'            : serverPath,
                      'dsInstanceHost'    : server.getHostname(),
                      'dsInstancePort'    : server.getPort(),
                      'dsInstanceDn'      : myEntry.getDn(),
                      'dsInstancePswd'    : myUserpassword,
                      'DNToModify'        : myTargetEntryDn,
                      'attributeName'     : 'description',
                      'newAttributeValue' : myDescription,
                      'changetype'        : 'add'
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Verify the synchronization of the trees among the servers in
                the topology -->
              <call function="'verifyTrees'">
                [ clientHost, clientPath, master, consumerList, synchroSuffix ]
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          Replication ACI Tests
          #@TestName            Replication: ACI: Modify_replace ACI target
          #@TestID              Modify_replace ACI target
          #@TestPurpose         Check ACI replication over a modify_replace of
                                the ACI target
          #@TestPreamble
          #@TestSteps           Binding as user, add telephonenumber to child
                                entry (expect ERROR 50)
          #@TestSteps           Replace ACI on parent entry: allow user full
                                access to all telephonenumber attributes
          #@TestSteps           Binding as user, add telephonenumber to child
                                entry (expect SUCCESS)
          #@TestPostamble
          #@TestResult          Success if the servers synchronised and the aci
                                correctly applied after replication
          -->
          <testcase name="getTestCaseName('Modify_replace ACI target')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Replication: ACI: Modify_replace ACI target. Check ACI \
                replication over a modify_replace of the ACI target.'
              </message>
              <script>
                myAci = "(targetattr=\"telephonenumber\")(version 3.0; acl \"Allow ACI-user access to telephonenumber\"; allow (all) userdn=\"ldap:///cn=ACI user,ou=People,%s\";)" % synchroSuffix
                myUserpassword = 'userPwd'
                myEntry = Entry('cn=ACI user', synchroSuffix)
                myTargetEntryDn = 'uid=sholmes,ou=People,%s' % synchroSuffix
              </script>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath        = '%s/%s' % (server.getDir(), OPENDSNAME)
                    myTelephonenumber = '221-221-221-%s' % i
                  </script>
                  <message>
                    'Binding as "%s", add telephonenumber %s to entry %s on \
                    server %s:%s. -- Expect: ERROR 50 (Insufficient Access \
                    Rights)' % \
                    (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Modify entry on one of the servers -->
                  <call function="'modifyAnAttribute'">
                    { 'location'          : server.getHostname(),
                      'dsPath'            : serverPath,
                      'dsInstanceHost'    : server.getHostname(),
                      'dsInstancePort'    : server.getPort(),
                      'dsInstanceDn'      : myEntry.getDn(),
                      'dsInstancePswd'    : myUserpassword,
                      'DNToModify'        : myTargetEntryDn,
                      'attributeName'     : 'telephonenumber',
                      'newAttributeValue' : myTelephonenumber,
                      'changetype'        : 'add',
                      'expectedRC'        : 50
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Replace aci on entry ou=People,o=example on "master" server:
               !   (targetattr="telephonenumber")(version 3.0; acl
               !   "Allow ACI-user access to telephonenumber"; allow (all)
               !   userdn="ldap:///cn=ACI user,ou=People,o=example";)
              -->
              <message>
                'Replace ACI on entry ou=People,%s: \n%s' % \
                (synchroSuffix, myAci)
              </message>
              <call function="'modifyAnAttribute'">
                { 'location'          : masterHost,
                  'dsPath'            : masterPath,
                  'dsInstanceHost'    : masterHost,
                  'dsInstancePort'    : master.getPort(),
                  'dsInstanceDn'      : master.getRootDn(),
                  'dsInstancePswd'    : master.getRootPwd(),
                  'DNToModify'        : 'ou=People,%s' % synchroSuffix,
                  'attributeName'     : 'aci',
                  'newAttributeValue' : myAci,
                  'changetype'        : 'replace'
                }
              </call>
              <message>
                '+++ New ACI +++\nAllow "%s" full access to all telephonenumber\
                 attributes under ou=People,%s.' % \
                (myEntry.getDn(), synchroSuffix)
              </message>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath        = '%s/%s' % (server.getDir(), OPENDSNAME)
                    myTelephonenumber = '221-221-221-%s' % i
                  </script>
                  <message>
                    'Binding as "%s", add description %s to entry %s on \
                    server %s:%s. -- Expect: SUCCESS' % \
                    (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Modify entry on one of the servers -->
                  <call function="'modifyAnAttribute'">
                    { 'location'          : server.getHostname(),
                      'dsPath'            : serverPath,
                      'dsInstanceHost'    : server.getHostname(),
                      'dsInstancePort'    : server.getPort(),
                      'dsInstanceDn'      : myEntry.getDn(),
                      'dsInstancePswd'    : myUserpassword,
                      'DNToModify'        : myTargetEntryDn,
                      'attributeName'     : 'telephonenumber',
                      'newAttributeValue' : myTelephonenumber,
                      'changetype'        : 'add'
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Verify the synchronization of the trees among the servers in
                the topology -->
              <call function="'verifyTrees'">
                [ clientHost, clientPath, master, consumerList, synchroSuffix ]
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          Replication ACI Tests
          #@TestName            Replication: ACI: Modify_replace ACI permission
          #@TestID              Modify_replace ACI permission
          #@TestPurpose         Check ACI replication over a modify_replace of
                                the ACI permission
          #@TestPreamble
          #@TestSteps           Binding as user, compare telephonenumber value
                                to child entry (expect SUCCESS)
          #@TestSteps           Replace ACI on parent entry: deny user access to
                                telephonenumber attributes
          #@TestSteps           Binding as user, compare telephonenumber value
                                to child entry (expect ERROR 50)
          #@TestPostamble
          #@TestResult          Success if the servers synchronised and the aci
                                correctly applied after replication
          -->
          <testcase name="getTestCaseName('Modify_replace ACI permission')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Replication: ACI: Modify_replace ACI permission. Check ACI \
                replication over a modify_replace of the ACI permission.'
              </message>
              <script>
                myAci = "(targetattr=\"telephonenumber\")(version 3.0; acl \"Deny ACI-user access to telephonenumber\"; deny (all) userdn=\"ldap:///cn=ACI user,ou=People,%s\";)" % synchroSuffix
                myUserpassword = 'userPwd'
                myEntry = Entry('cn=ACI user', synchroSuffix)
                myTargetEntryDn   = 'uid=sholmes,ou=People,%s' % synchroSuffix
                myTelephonenumber = '+1 408 555 6789'
              </script>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
                  </script>
                  <message>
                    'Binding as "%s", compare telephonenumber:%s value to \
                    entry %s on server %s:%s. -- Expect: SUCCESS' % \
                    (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Compare 'telephonenumber:+1 408 555 6789' value to entry
                   !   uid=sholmes,ou=People,o=example -->
                  <call function="'ldapCompareWithScript'">
                    { 'location'       : server.getHostname(),
                      'dsPath'         : serverPath,
                      'dsInstanceHost' : server.getHostname(),
                      'dsInstancePort' : server.getPort(),
                      'dsInstanceDn'   : myEntry.getDn(),
                      'dsInstancePswd' : myUserpassword,
                      'dsDn'           : ['telephonenumber:%s' % \
                                          myTelephonenumber, myTargetEntryDn],
                      'expectedRC'     : 0
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Replace aci on entry ou=People,o=example on "master" server:
               !   (targetattr="telephonenumber")(version 3.0; acl
               !   "Deny ACI-user access to telephonenumber"; deny (all)
               !   userdn="ldap:///cn=ACI user,ou=People,o=example";)
              -->
              <message>
                'Replace ACI on entry ou=People,%s: \n%s' % \
                (synchroSuffix, myAci)
              </message>
              <call function="'modifyAnAttribute'">
                { 'location'          : masterHost,
                  'dsPath'            : masterPath,
                  'dsInstanceHost'    : masterHost,
                  'dsInstancePort'    : master.getPort(),
                  'dsInstanceDn'      : master.getRootDn(),
                  'dsInstancePswd'    : master.getRootPwd(),
                  'DNToModify'        : 'ou=People,%s' % synchroSuffix,
                  'attributeName'     : 'aci',
                  'newAttributeValue' : myAci,
                  'changetype'        : 'replace'
                }
              </call>
              <message>
                '+++ New ACI +++\nDeny "%s" access to all telephonenumber \
                attributes under ou=People,%s.' % \
                (myEntry.getDn(), synchroSuffix)
              </message>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
                  </script>
                  <message>
                    'Binding as "%s", compare telephonenumber:%s value to \
                    entry %s on server %s:%s. -- Expect: ERROR 50 \
                    (Insufficient Access Rights)' % \
                    (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Compare 'telephonenumber:+1 408 555 6789' value to entry
                   !   uid=sholmes,ou=People,o=example -->
                  <call function="'ldapCompareWithScript'">
                    { 'location'       : server.getHostname(),
                      'dsPath'         : serverPath,
                      'dsInstanceHost' : server.getHostname(),
                      'dsInstancePort' : server.getPort(),
                      'dsInstanceDn'   : myEntry.getDn(),
                      'dsInstancePswd' : myUserpassword,
                      'dsDn'           : ['telephonenumber:%s' % \
                                          myTelephonenumber, myTargetEntryDn],
                      'expectedRC'     : 50
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Verify the synchronization of the trees among the servers in
                the topology -->
              <call function="'verifyTrees'">
                [ clientHost, clientPath, master, consumerList, synchroSuffix ]
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          Replication ACI Tests
          #@TestName            Replication: ACI: Modify_replace ACI bind rule
          #@TestID              Modify_replace ACI bind rule
          #@TestPurpose         Check ACI replication over a modify_replace of
                                the ACI bind rule
          #@TestPreamble        Add new user entry
          #@TestSteps           Binding as new user, compare telephonenumber
                                value to child entry  (expect SUCCESS)
          #@TestSteps           Replace ACI on parent entry: deny users with
                                a given sn access to telephonenumber attributes
          #@TestSteps           Binding as new user, compare telephonenumber
                                value to child entry  (expect ERROR 50)
          #@TestPostamble
          #@TestResult          Success if the servers synchronised and the aci
                                correctly applied after replication
          -->
          <testcase name="getTestCaseName('Modify_replace ACI bind rule')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Replication: ACI: Modify_replace ACI bind rule. Check ACI \
                replication over a modify_replace of the ACI bind rule.'
              </message>
              <script>
                mySn  = 'ACI repl user'
                myAci = "(targetattr=\"telephonenumber\")(version 3.0; acl \"Deny ACI repl users access to telephonenumber\"; deny (all) userdn=\"ldap:///%s??sub?(sn=%s)\";)" % (synchroSuffix, mySn)
                myUserpassword = 'secondUserPwd'
                myEntry = Entry('cn=Second ACI user', synchroSuffix)
                myEntry.addAttr('sn', mySn)
                myEntry.addAttr('userpassword', myUserpassword)
                myTargetEntryDn   = 'uid=sholmes,ou=People,%s' % synchroSuffix
                myTelephonenumber = '+1 408 555 6789'
              </script>
              <!-- Add user entry to "master" server -->
              <message>
                'Add user entry %s' % myEntry.getDn()
              </message>
              <call function="'addAnEntry'">
                { 'location'       : masterHost,
                  'dsPath'         : masterPath,
                  'dsInstanceHost' : masterHost,
                  'dsInstancePort' : master.getPort(),
                  'dsInstanceDn'   : master.getRootDn(),
                  'dsInstancePswd' : master.getRootPwd(),
                  'DNToAdd'        : myEntry.getDn(),
                  'listAttributes' : myEntry.getAttrList()
                }
              </call>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
                  </script>
                  <message>
                    'Binding as "%s", compare telephonenumber:%s value to \
                    entry %s on server %s:%s. -- Expect: SUCCESS' % \
                    (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Compare 'telephonenumber:+1 408 555 6789' value to entry
                   !   uid=sholmes,ou=People,o=example -->
                  <call function="'ldapCompareWithScript'">
                    { 'location'       : server.getHostname(),
                      'dsPath'         : serverPath,
                      'dsInstanceHost' : server.getHostname(),
                      'dsInstancePort' : server.getPort(),
                      'dsInstanceDn'   : myEntry.getDn(),
                      'dsInstancePswd' : myUserpassword,
                      'dsDn'           : ['telephonenumber:%s' % \
                                          myTelephonenumber, myTargetEntryDn],
                      'expectedRC'     : 0
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Replace aci on entry ou=People,o=example on "master" server:
               !   (targetattr="telephonenumber")(version 3.0; acl
               !   "Deny ACI repl users access to telephonenumber"; deny (all)
               !   userdn="ldap:///o=example??sub?(sn=ACI repl user)";)
              -->
              <message>
                'Replace ACI on entry ou=People,%s: \n%s' % \
                (synchroSuffix, myAci)
              </message>
              <call function="'modifyAnAttribute'">
                { 'location'          : masterHost,
                  'dsPath'            : masterPath,
                  'dsInstanceHost'    : masterHost,
                  'dsInstancePort'    : master.getPort(),
                  'dsInstanceDn'      : master.getRootDn(),
                  'dsInstancePswd'    : master.getRootPwd(),
                  'DNToModify'        : 'ou=People,%s' % synchroSuffix,
                  'attributeName'     : 'aci',
                  'newAttributeValue' : myAci,
                  'changetype'        : 'replace'
                }
              </call>
              <message>
                '+++ New ACI +++\nDeny users with (sn=%s) access to all \
                telephonenumber attributes under ou=People,%s.' % \
                (mySn, synchroSuffix)
              </message>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
                  </script>
                  <message>
                    'Binding as "%s", compare telephonenumber:%s value to \
                    entry %s on server %s:%s. -- Expect: ERROR 50 \
                    (Insufficient Access Rights)' % \
                    (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Compare 'telephonenumber:+1 408 555 6789' value to entry
                   !   uid=sholmes,ou=People,o=example -->
                  <call function="'ldapCompareWithScript'">
                    { 'location'       : server.getHostname(),
                      'dsPath'         : serverPath,
                      'dsInstanceHost' : server.getHostname(),
                      'dsInstancePort' : server.getPort(),
                      'dsInstanceDn'   : myEntry.getDn(),
                      'dsInstancePswd' : myUserpassword,
                      'dsDn'           : ['telephonenumber:%s' % \
                                          myTelephonenumber, myTargetEntryDn],
                      'expectedRC'     : 50
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Verify the synchronization of the trees among the servers in
                the topology -->
              <call function="'verifyTrees'">
                [ clientHost, clientPath, master, consumerList, synchroSuffix ]
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          Replication ACI Tests
          #@TestName            Replication: ACI: Bypass-acl privilege
          #@TestID              Bypass-acl privilege
          #@TestPurpose         Check the bypass-acl privilege is replicated and
                                successfully applied over the topology
          #@TestPreamble
          #@TestSteps           Binding as new user, compare telephonenumber
                                value to child entry  (expect ERROR 50)
          #@TestSteps           Add ds-privilege-name:bypass-acl to new user
          #@TestSteps           Binding as new user, compare telephonenumber
                                value to child entry  (expect SUCCESS)
          #@TestPostamble
          #@TestResult          Success if the servers synchronised and the aci
                                correctly applied after replication
          -->
          <testcase name="getTestCaseName('Bypass-acl privilege')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Replication: ACI: Bypass-acl privilege. Check the bypass-acl \
                privilege is replicated and successfully applied over the \
                topology'
              </message>
              <script>
                myAci = "(targetattr=\"telephonenumber\")(version 3.0; acl \"Deny ACI repl users access to telephonenumber\"; deny (all) userdn=\"ldap:///%s??sub?(sn=%s)\";)" % (synchroSuffix, mySn)
                myUserpassword = 'secondUserPwd'
                myPrivilege  = 'bypass-acl'
                myEntry = Entry('cn=Second ACI user', synchroSuffix)
                myTargetEntryDn   = 'uid=sholmes,ou=People,%s' % synchroSuffix
                myTelephonenumber = '+1 408 555 6789'
              </script>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
                  </script>
                  <message>
                    'Binding as "%s", compare telephonenumber:%s value to \
                    entry %s on server %s:%s. -- Expect: ERROR 50 \
                    (Insufficient Access Rights)' % \
                    (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Compare 'telephonenumber:+1 408 555 6789' value to entry
                   !   uid=sholmes,ou=People,o=example -->
                  <call function="'ldapCompareWithScript'">
                    { 'location'       : server.getHostname(),
                      'dsPath'         : serverPath,
                      'dsInstanceHost' : server.getHostname(),
                      'dsInstancePort' : server.getPort(),
                      'dsInstanceDn'   : myEntry.getDn(),
                      'dsInstancePswd' : myUserpassword,
                      'dsDn'           : ['telephonenumber:%s' % \
                                          myTelephonenumber, myTargetEntryDn],
                      'expectedRC'     : 50
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Add bypass-acl privilege to new user entry -->
              <message>
                'Add %s privilege to entry %s: \n' % \
                (myPrivilege, myEntry.getDn())
              </message>
              <call function="'modifyAnAttribute'">
                { 'location'          : masterHost,
                  'dsPath'            : masterPath,
                  'dsInstanceHost'    : masterHost,
                  'dsInstancePort'    : master.getPort(),
                  'dsInstanceDn'      : master.getRootDn(),
                  'dsInstancePswd'    : master.getRootPwd(),
                  'DNToModify'        : myEntry.getDn(),
                  'attributeName'     : 'ds-privilege-name',
                  'newAttributeValue' : myPrivilege,
                  'changetype'        : 'add'
                }
              </call>
              <message>
                '+++ Active ACI +++\nDeny users with (sn=%s) access to all \
                telephonenumber attributes under ou=People,%s.' % \
                (mySn, synchroSuffix)
              </message>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
                  </script>
                  <message>
                    'Binding as "%s", compare telephonenumber:%s value to \
                    entry %s on server %s:%s. -- Expect: SUCCESS' % \
                    (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Compare 'telephonenumber:+1 408 555 6789' value to entry
                   !   uid=sholmes,ou=People,o=example -->
                  <call function="'ldapCompareWithScript'">
                    { 'location'       : server.getHostname(),
                      'dsPath'         : serverPath,
                      'dsInstanceHost' : server.getHostname(),
                      'dsInstancePort' : server.getPort(),
                      'dsInstanceDn'   : myEntry.getDn(),
                      'dsInstancePswd' : myUserpassword,
                      'dsDn'           : ['telephonenumber:%s' % \
                                          myTelephonenumber, myTargetEntryDn],
                      'expectedRC'     : 0
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Verify the synchronization of the trees among the servers in
                the topology -->
              <call function="'verifyTrees'">
                [ clientHost, clientPath, master, consumerList, synchroSuffix ]
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <!--- Test Case information
          #@TestMarker          Replication ACI Tests
          #@TestName            Replication: ACI: Modify_delete ACI
          #@TestID              Modify_delete ACI
          #@TestPurpose         Check ACI replication over a modify_delete
          #@TestPreamble
          #@TestSteps           Binding as user, compare telephonenumber value
                                to child entry  (expect ERROR 50)
          #@TestSteps           Delete ACI on parent entry
          #@TestSteps           Binding as user, compare telephonenumber value
                                to child entry  (expect SUCCESS)
          #@TestPostamble
          #@TestResult          Success if the servers synchronised and the aci
                                correctly applied after replication
          -->
          <testcase name="getTestCaseName('Modify_delete ACI')">
            <sequence>
              <call function="'testCase_Preamble'"/>
              <message>
                'Replication: ACI: Modify_delete ACI. Check ACI \
                replication over a modify_delete.'
              </message>
              <script>
                myAci = "(targetattr=\"telephonenumber\")(version 3.0; acl \"Deny ACI repl users access to telephonenumber\"; deny (all) userdn=\"ldap:///%s??sub?(sn=%s)\";)" % (synchroSuffix, mySn)
                myUserpassword = 'userPwd'
                myEntry = Entry('cn=ACI user', synchroSuffix)
                myTargetEntryDn   = 'uid=sholmes,ou=People,%s' % synchroSuffix
                myTelephonenumber = '+1 408 555 6789'
              </script>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
                  </script>
                  <message>
                    'Binding as "%s", compare telephonenumber:%s value to \
                    entry %s on server %s:%s. -- Expect: ERROR 50 \
                    (Insufficient Access Rights)' % \
                    (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Compare 'telephonenumber:+1 408 555 6789' value to entry
                   !   uid=sholmes,ou=People,o=example -->
                  <call function="'ldapCompareWithScript'">
                    { 'location'       : server.getHostname(),
                      'dsPath'         : serverPath,
                      'dsInstanceHost' : server.getHostname(),
                      'dsInstancePort' : server.getPort(),
                      'dsInstanceDn'   : myEntry.getDn(),
                      'dsInstancePswd' : myUserpassword,
                      'dsDn'           : ['telephonenumber:%s' % \
                                          myTelephonenumber, myTargetEntryDn],
                      'expectedRC'     : 50
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Delete aci on entry ou=People,o=example on "master" server:
               !   (targetattr="telephonenumber")(version 3.0; acl
               !   "Deny ACI repl users access to telephonenumber"; deny (all)
               !   userdn="ldap:///o=example??sub?(sn=ACI repl user)";)
              -->
              <message>
                'Delete ACI on entry ou=People,%s: \n%s' % \
                (synchroSuffix, myAci)
              </message>
              <call function="'modifyAnAttribute'">
                { 'location'          : masterHost,
                  'dsPath'            : masterPath,
                  'dsInstanceHost'    : masterHost,
                  'dsInstancePort'    : master.getPort(),
                  'dsInstanceDn'      : master.getRootDn(),
                  'dsInstancePswd'    : master.getRootPwd(),
                  'DNToModify'        : 'ou=People,%s' % synchroSuffix,
                  'attributeName'     : 'aci',
                  'newAttributeValue' : myAci,
                  'changetype'        : 'delete'
                }
              </call>
              <message>
                '+++ New ACI +++\nNo aci in ou=People,%s.' % synchroSuffix
              </message>
              <iterate var="server" in="_topologyServerList" indexvar="i">
                <sequence>
                  <script>
                    serverPath = '%s/%s' % (server.getDir(), OPENDSNAME)
                  </script>
                  <message>
                    'Binding as "%s", compare telephonenumber:%s value to \
                    entry %s on server %s:%s. -- Expect: SUCCESS' % \
                    (myEntry.getDn(), myTelephonenumber, myTargetEntryDn,
                     server.getHostname(), server.getPort())
                  </message>
                  <!-- Compare 'telephonenumber:+1 408 555 6789' value to entry
                   !   uid=sholmes,ou=People,o=example -->
                  <call function="'ldapCompareWithScript'">
                    { 'location'       : server.getHostname(),
                      'dsPath'         : serverPath,
                      'dsInstanceHost' : server.getHostname(),
                      'dsInstancePort' : server.getPort(),
                      'dsInstanceDn'   : myEntry.getDn(),
                      'dsInstancePswd' : myUserpassword,
                      'dsDn'           : ['telephonenumber:%s' % \
                                          myTelephonenumber, myTargetEntryDn],
                      'expectedRC'     : 0
                    }
                  </call>
                </sequence>
              </iterate>
              <!-- Verify the synchronization of the trees among the servers in
                the topology -->
              <call function="'verifyTrees'">
                [ clientHost, clientPath, master, consumerList, synchroSuffix ]
              </call>
              <call function="'testCase_Postamble'"/>
            </sequence>
          </testcase>
          <import machine="STAF_LOCAL_HOSTNAME"
            file="'%s/testcases/replication/replication_cleanup.xml'
                  % (TESTS_DIR)"/>
          <call function="'replication_cleanup'" />
          <call function="'testSuite_Postamble'"/>
        </sequence>
      </block>
    </sequence>
  </function>
</stax>
opends/tests/staf-tests/functional-tests/testcases/replication/externalchangelog/externalchangelog_common_ecl_tests.xml
Diff too large
opends/tests/staf-tests/functional-tests/testcases/replication/replication.xml
@@ -23,7 +23,7 @@
 !
 ! CDDL HEADER END
 !
 !      Copyright 2007-2009 Sun Microsystems, Inc.
 !      Copyright 2007-2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <defaultcall function="main_replication"/>
@@ -62,6 +62,7 @@
              suiteList.append('changelog')
              suiteList.append('conflict')
              suiteList.append('externalchangelog')
              suiteList.append('aci')
              
              globalAssuredReplication = None
              
opends/tests/staf-tests/shared/ant/build.properties
@@ -111,8 +111,8 @@
ldclt.dir=
temp.dir=/tmp
test.plan.custom=
test.plan.functional.default=aci,backends,clu,core,dsconfig,dsml,groups,i18n,indexes,logging,monitoring,plugins,privileges,replication,schema,security,setup,snmp,tasks,virtualAttributes,fractional-replication
test.plan.stress.default=ldap_operation,import_ldif
test.plan.functional.default=aci,backends,clu,clu_secure,core,dsconfig,dsml,fractional-replication,groups,i18n,indexes,logging,monitoring,plugins,privileges,replication,schema,security,setup,snmp,tasks,virtualAttributes,replication-safe-data,replication-safe-read
test.plan.stress.default=import_ldif,ldap_operation,replication
verbose.mode=false
product.name=OpenDS Directory Server
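Review bot: The updated `test.plan.functional.default` list is only half sorted: `fractional-replication` moves into alphabetical position, but `replication-safe-data,replication-safe-read` are appended after `virtualAttributes` (this reads the second, longer line of each printed pair as the new side, since the +/- markers are lost on this page). Keeping a single ordering makes later additions easier to review, e.g. `...,privileges,replication,replication-safe-data,replication-safe-read,schema,...`. If the list order also sets the execution order, which the hunk does not show, a one-line `#` comment above the property saying so would explain why the `test.plan.stress.default` entries were reordered as well.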
opends/tests/staf-tests/shared/ant/tests.xml
@@ -112,7 +112,7 @@
    <property name="tests.request" value="EXECUTE FILE ${tests.xml} JOBNAME OpenDS_${tests.type} SCRIPTFILE ${tests.run.dir}/${tests.run.time}/config/${tests.config.file} WAIT CLEARLOGS"/>
    <echo>While the tests are running you may tail the job logs at</echo>
    <echo>${staf.install.dir}/${staf.name}/logs/MACHINE/${host.name}</echo>
    <echo>${staf.install.dir}/${staf.name}/data-${host.name}/service/log/MACHINE/${host.name}/GLOBAL</echo>
    <echo>Running tests. This will take more than a while.</echo>
    <property name="CLASSPATH" value="${staf.lib.dir}/JSTAF.jar:."/>
    <exec
@@ -126,9 +126,9 @@
      <env key="STAFCODEPAGE" value="LATIN_1"/>
    </exec>
    <symlink link="${tests.run.dir}/latest" resource="${tests.run.time}" overwrite="true"/>
    <symlink link="${tests.run.dir}/${remote.hostname}-latest" resource="${tests.run.time}" overwrite="true"/>
    <echo>Report is available at</echo>
    <echo>${tests.run.dir}/latest</echo>
    <echo>${tests.run.dir}/${remote.hostname}-latest</echo>
  </target>
  <target name="configure">
@@ -398,28 +398,35 @@
  </target>
  <target name="coverage-instrument" if="coverage.on">
    <delete dir="${tests.tmp.dir}/coverage-instr" />
    <mkdir dir="${tests.tmp.dir}/coverage-instr" />
    <mkdir dir="${tests.tmp.dir}/coverage-instr/opends" />
    <mkdir dir="${tests.tmp.dir}/coverage-instr/dsml" />
    <!-- unzip the original package in a temporary location to make the
         changes necessary so that the coverage tool is called
     -->
    <unzip src="${opends.dir}/${opends.name}.zip"
           dest="${tests.tmp.dir}/coverage-instr"/>
           dest="${tests.tmp.dir}/coverage-instr/opends"/>
    <unzip src="${opends.dir}/${opends.name}-DSML.war"
           dest="${tests.tmp.dir}/coverage-instr/dsml"/>
    <!-- Add emma in the package along with the other librairies
         this has the advantage of being automatically picked up by the scripts
    -->
    <copy file="${project.home}/ext/emma/lib/emma.jar"
          tofile="${tests.tmp.dir}/coverage-instr/${opends.name}/lib/emma.jar"/>
          tofile="${tests.tmp.dir}/coverage-instr/opends/${opends.name}/lib/emma.jar"/>
    <copy file="${project.home}/ext/emma/lib/emma.jar"
          tofile="${tests.tmp.dir}/coverage-instr/dsml/WEB-INF/lib/emma.jar"/>
    <!-- move the original product package to make room for the coverage
         enabled package
     -->
    <move file="${opends.dir}/${opends.name}.zip" tofile="${opends.dir}/${opends.name}.zip.nocov"/>
    <move file="${opends.dir}/${opends.name}-DSML.war" tofile="${opends.dir}/${opends.name}-DSML.war.nocov"/>
    <!-- intrument the OpenDS java archive to gather coverage -->
    <java classpath="${tests.tmp.dir}/coverage-instr/${opends.name}/lib/emma.jar"
    <java classpath="${tests.tmp.dir}/coverage-instr/opends/${opends.name}/lib/emma.jar"
          classname="emma" fork="true">
        <jvmarg value="-Demma.metadata.out.file=${tests.tmp.dir}/coverage-instr/${opends.name}/coverage.em" />
        <jvmarg value="-Demma.metadata.out.file=${tests.tmp.dir}/coverage-instr/opends/${opends.name}/coverage.em" />
        <arg value="instr" />
        <arg value="-m" />
        <arg value="overwrite" />
@@ -432,20 +439,46 @@
        <arg value="-ix" />
        <arg value="com.*" />
        <arg value="-ip" />
        <arg value="${tests.tmp.dir}/coverage-instr/${opends.name}/lib/OpenDS.jar:${tests.tmp.dir}/coverage-instr/${opends.name}/lib/extensions/snmp-mib2605.jar" />
        <arg value="${tests.tmp.dir}/coverage-instr/opends/${opends.name}/lib/OpenDS.jar:${tests.tmp.dir}/coverage-instr/opends/${opends.name}/lib/extensions/snmp-mib2605.jar" />
    </java>
    <!-- Repackage the product with coverage enabled scripts -->
    <zip basedir="${tests.tmp.dir}/coverage-instr" destfile="${opends.dir}/${opends.name}.zip">
    <zipfileset dir="${tests.tmp.dir}/coverage-instr"
    <java classpath="${tests.tmp.dir}/coverage-instr/dsml/WEB-INF/lib/emma.jar"
          classname="emma" fork="true">
        <jvmarg value="-Demma.metadata.out.file=${tests.tmp.dir}/coverage-instr/dsml/WEB-INF/lib/coverage.em" />
        <arg value="instr" />
        <arg value="-m" />
        <arg value="overwrite" />
        <arg value="-ix" />
        <arg value="-org.opends.guitools.*" />
        <arg value="-ix" />
        <arg value="-org.opends.quicksetup.*" />
        <arg value="-ix" />
        <arg value="org.*" />
        <arg value="-ix" />
        <arg value="com.*" />
        <arg value="-ip" />
        <arg value="${tests.tmp.dir}/coverage-instr/dsml/WEB-INF/classes" />
    </java>
    <!-- Repackage OpenDS the product with coverage enabled scripts -->
    <zip basedir="${tests.tmp.dir}/coverage-instr/opends" destfile="${opends.dir}/${opends.name}.zip">
    <zipfileset dir="${tests.tmp.dir}/coverage-instr/opends"
                includes="${opends.name}/setup,${opends.name}/uninstall,${opends.name}/upgrade,${opends.name}/bin/*,${opends.name}/lib/*.sh"
                filemode="755" dirmode="755" />
    </zip>
    <!-- Repackage DSML Gateway the product with coverage enabled scripts -->
    <zip basedir="${tests.tmp.dir}/coverage-instr/dsml" destfile="${opends.dir}/${opends.name}-DSML.war">
    <zipfileset dir="${tests.tmp.dir}/coverage-instr/dsml"
                includes="WEB-INF/**,META-INF/**"/>
    </zip>
    <!-- <delete dir="${tests.tmp.dir}/coverage-instr"/> -->
  </target>
  <target name="restore-pkg" if="coverage.on">
    <delete file="${opends.dir}/${opends.name}.zip"/>
    <move file="${opends.dir}/${opends.name}.zip.nocov" tofile="${opends.dir}/${opends.name}.zip"/>
    <delete file="${opends.dir}/${opends.name}-DSML.war"/>
    <move file="${opends.dir}/${opends.name}-DSML.war.nocov" tofile="${opends.dir}/${opends.name}-DSML.war"/>
  </target>
  <target name="testwithcoverage" depends="coverage-on,coverage-instrument,run,restore-pkg"/>
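Review bot: The new DSML repackaging step in `coverage-instrument` gives `<zip>` both `basedir="${tests.tmp.dir}/coverage-instr/dsml"` and a nested `<zipfileset>` over the same directory, so the `WEB-INF/**` and `META-INF/**` files are selected twice. As far as I know, Ant's zip task defaults to `duplicate="add"`, which would put every entry into the war twice. The OpenDS zip above uses a nested fileset to set `filemode="755"`, but the DSML one sets no modes and is redundant. Either drop the nested element or drop `basedir`, i.e. `<zip destfile="${opends.dir}/${opends.name}-DSML.war">` with the `<zipfileset>` kept. Separately, `coverage.em` is written under `dsml/WEB-INF/lib/`, so it ends up inside the repackaged war; a one-line comment saying whether that is intended would help.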
opends/tests/staf-tests/shared/functions/security.xml
@@ -23,7 +23,7 @@
 !
 ! CDDL HEADER END
 !
 !      Copyright 2007-2008 Sun Microsystems, Inc.
 !      Copyright 2007-2010 Sun Microsystems, Inc.
 ! -->
<stax>
  <!-- **************************************************** -->
@@ -331,6 +331,97 @@
  
  
  <!-- **************************************************** -->
  <!--                      Add certificate to an attribute -->
  <!-- **************************************************** -->
  <function name="addCertificate">
    <function-prolog>
      This function add certificate to an user attribute
    </function-prolog>
    <function-map-args>
      <function-arg-def name="location" type="optional" default="STAF_REMOTE_HOSTNAME">
        <function-arg-description>
          Location of target host
        </function-arg-description>
      </function-arg-def>
      <function-arg-def name="user_cert_file_rfc" type="required" default="''">
        <function-arg-description>
          Path to certificate RFC file
        </function-arg-description>
      </function-arg-def>
      <function-arg-def name="userdn" type="optional" default="''">
        <function-arg-description>
          User DN to modify
        </function-arg-description>
      </function-arg-def>
      <function-arg-def name="ldif_path" type="required" default="''">
        <function-arg-description>
          Path to the ldif file
        </function-arg-description>
      </function-arg-def>
    </function-map-args>
    <sequence>
      <call function="'getFile'">
            {
              'location'    : STAF_REMOTE_HOSTNAME,
              'filename'    : user_cert_file_rfc
            }
      </call>
      <message>
            'Certificate contents:\n %s' % cmdResult
      </message>
          <!-- Extract BEGIN CERTIFICATE and END CERTIFICATE -->
      <script>
            certList=STAXResult[1].split('\n')
            ret_str = ""
            for line in certList:
              index_cert = line.find("CERTIFICATE")
              if index_cert == -1:
                ret_str+=line.strip()
      </script>
      <script>
            listAttr = []
            listAttr.append('dn: %s' %userdn)
            listAttr.append('changetype: modify')
            listAttr.append('add: objectclass')
            listAttr.append('objectclass:ds-certificate-user')
            listAttr.append('-')
            listAttr.append('add: userCertificate;binary')
            listAttr.append('userCertificate;binary:: %s' % ret_str)
      </script>
          <!-- Write out the ldif -->
      <script>
            addCertificateldif='%s' % (ldif_path)
            outfile = open(addCertificateldif,"w")
            for line in listAttr:
              outfile.write("%s\n" % line)
            outfile.close()
      </script>
      <call function="'modifyEntry'">
            {
            'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST,
            'dsInstancePort'    : DIRECTORY_INSTANCE_PORT,
            'dsInstanceDn'      : DIRECTORY_INSTANCE_DN,
            'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD,
            'entryToBeModified' : addCertificateldif,
            'expectedRC'        :  0
            }
      </call>
    </sequence>
  </function>
  <!-- **************************************************** -->
  <!--                      get MD5 and SHA1 values         -->
  <!-- **************************************************** -->  
  <function name="getFingerprint">
@@ -445,6 +536,12 @@
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="keystoreFile" type="optional" default="'config/keystore'">
        <function-arg-description>
          Keystore File
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="keystoreType" type="optional" default="'JKS'">
        <function-arg-description>
          Keystore type : JKS or PKCS12
@@ -494,7 +591,7 @@
          'subcommand'     : 'create-key-manager-provider' ,
          'objectType'     : 'provider-name' ,
          'objectName'     :  customKeyMgr ,
          'optionsString'  :  '--type file-based --set enabled:true --set key-store-file:config/keystore --set key-store-pin:%s --set key-store-type:JKS' % keystorePin,
          'optionsString'  :  '--type file-based --set enabled:true --set key-store-file:%s --set key-store-pin:%s --set key-store-type:JKS' % (keystoreFile,keystorePin),
          'expectedRC'     : 0 
        }
      </call>
@@ -643,6 +740,18 @@
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="keystoreFile" type="optional" default="'config/keystore'">
        <function-arg-description>
          Keystore file path
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="customKeyMgr" type="optional" default="''">
        <function-arg-description>
          Name for a new key manager
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="certAlias" type="optional" default="'server-cert'">
        <function-arg-description>
          Alias certificate
@@ -666,8 +775,24 @@
      <message>
       'Configure Key Manager Provider'
      </message>
      <call function="'dsconfig'">
      <if expr="len(customKeyMgr.strip()) != 0">
        <call function="'dsconfig'">
        { 'location'       : location ,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost ,
          'dsInstanceAdminPort' : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'create-key-manager-provider' ,
          'objectType'     : 'provider-name' ,
          'objectName'     :  customKeyMgr ,
          'optionsString'  :  '--type file-based --set enabled:true --set key-store-file:%s --set key-store-pin:%s --set key-store-type:JKS' % (keystoreFile,keystorePin),
          'expectedRC'     : 0
        }
        </call>
        <else>
          <call function="'dsconfig'">
        { 'location'        : location,
          'dsPath'          : dsPath,
          'dsInstanceHost'  : dsInstanceHost,
@@ -677,10 +802,12 @@
          'subcommand'      : 'set-key-manager-provider-prop',
          'objectType'      : 'provider-name',
          'objectName'      : keystoreType,
          'optionsString'   : '--set key-store-file:config/keystore --reset key-store-pin-file --set key-store-pin:%s --set enabled:true' % keystorePin,
          'optionsString'   : '--set key-store-file:%s --reset key-store-pin-file --set key-store-pin:%s --set enabled:true' % (keystoreFile,keystorePin),
          'expectedRC'      : 0
        }
      </call>
          </call>
        </else>
      </if>
      
      <!--- configure Trust Manager Provider -->
      <message>
@@ -711,9 +838,12 @@
      <script>
        option1='--set ssl-cert-nickname:%s' % certAlias
        option2='--set trust-manager-provider:"Blind Trust" '
        option3='--set key-manager-provider:"%s"' % (keystoreType)
        option4='--set allow-start-tls:true'
        optionsString='%s %s %s %s' % (option1,option2,option3,option4)
        if customKeyMgr:
          option3='--set key-manager-provider:"%s"' % (customKeyMgr)
        else:
          option3='--set key-manager-provider:"%s"' % (keystoreType)
        option4='--set allow-start-tls:true'
        optionsString='%s %s %s %s' % (option1,option2,option3,option4)
      </script>
      
      <call function="'dsconfig'">
@@ -734,6 +864,322 @@
  </function>
  
  
  <!-- ################################################## -->
  <!--  configure SASL-->
  <!-- ################################################## -->
  <function name="configureSASL">
    <function-prolog>
      This function makes the configuration changes for SASL
    </function-prolog>
    <function-map-args>
      <function-arg-def name="location" type="optional" default="STAF_REMOTE_HOSTNAME">
        <function-arg-description>
          Location of target host
        </function-arg-description>
        <function-arg-property name="type" value="hostname"/>
      </function-arg-def>
      <function-arg-def name="dsPath" type="optional" default="'%s/%s' % (DIRECTORY_INSTANCE_DIR,OPENDSNAME)">
        <function-arg-description>
          Pathname to installation root
        </function-arg-description>
        <function-arg-property name="type" value="filepath"/>
      </function-arg-def>
      <function-arg-def name="dsInstanceHost" type="optional">
        <function-arg-description>
          Directory server hostname or IP address
        </function-arg-description>
        <function-arg-property name="type" value="hostname"/>
      </function-arg-def>
      <function-arg-def name="dsInstanceAdminPort" type="optional" default="'%s' % DIRECTORY_INSTANCE_ADMIN_PORT">
        <function-arg-description>
          Directory server admin port number
        </function-arg-description>
        <function-arg-property name="type" value="Port number"/>
      </function-arg-def>
      <function-arg-def name="dsInstanceDn" type="optional">
        <function-arg-description>
          Bind DN
        </function-arg-description>
      </function-arg-def>
      <function-arg-def name="certAlias" type="optional" default="''">
        <function-arg-description>
          Alias certificate
        </function-arg-description>
        <function-arg-property name="type" value="DN"/>
      </function-arg-def>
      <function-arg-def name="dsInstancePswd" type="optional">
        <function-arg-description>
          Bind password
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="keystoreFile" type="optional" default="'config/keystore'">
        <function-arg-description>
          Keystore File
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="keystorePin" type="optional" default="'keystorepass'">
        <function-arg-description>
          Keystore pin
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="keystoreType" type="optional" default="'JKS'">
        <function-arg-description>
          Keystore type : JKS or PKCS12
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="createTrustMgr" type="optional" default="False">
        <function-arg-description>
          Create or enable custom key Manager.
        </function-arg-description>
        <function-arg-property name="type" value="enum">
          <function-arg-property-description>
            This argument can only have boolean values
          </function-arg-property-description>
          <function-arg-property-data type="choice" value="True"/>
          <function-arg-property-data type="choice" value="False"/>
        </function-arg-property>
      </function-arg-def>
      <function-arg-def name="createKeyMgr" type="optional" default="False">
        <function-arg-description>
          Create or enable custom key Manager.
        </function-arg-description>
        <function-arg-property name="type" value="enum">
          <function-arg-property-description>
            This argument can only have boolean values
          </function-arg-property-description>
          <function-arg-property-data type="choice" value="True"/>
          <function-arg-property-data type="choice" value="False"/>
        </function-arg-property>
      </function-arg-def>
      <function-arg-def name="KeyMgr" type="optional" default="''">
        <function-arg-description>
          Name for a new key manager
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="trustMgr" type="optional" default="''">
        <function-arg-description>
          Name for a new trust manager
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="truststoreFile" type="optional" default="'config/truststore'">
        <function-arg-description>
          Truststore File
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="truststoreType" type="optional" default="'JKS'">
        <function-arg-description>
          Truststore type : JKS or PKCS12
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="truststorePin" type="optional" default="'truststorepass'">
        <function-arg-description>
          Truststore pin
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="certMapper" type="optional" default="'Subject Equals DN'">
        <function-arg-description>
          Certificate mapper name
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="handlerName" type="optional" default="'EXTERNAL'">
        <function-arg-description>
          SASL mechanism handler name
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="optionSaSL" type="optional" default="''">
        <function-arg-description>
          SASL mechanism handler options
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="optionMapper" type="optional" default="''">
        <function-arg-description>
          Mapping options
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="extraParams" type="optional">
        <function-arg-description>
          Optional extra parameters for specific test cases
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
    </function-map-args>
    <sequence>
    <!--- configure Key Manager Provider -->
      <message>
        'Configure Key Manager Provider'
      </message>
      <if expr="createKeyMgr == True">
        <call function="'dsconfig'">
        { 'location'       : location ,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost ,
          'dsInstanceAdminPort' : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'create-key-manager-provider' ,
          'objectType'     : 'provider-name' ,
          'objectName'     :  KeyMgr ,
          'optionsString'  :  '--set key-store-file:%s --set key-store-pin:%s --set key-store-type:%s --type file-based --set enabled:true --no-prompt ' % (keystoreFile,keystorePin,truststoreType),
          'expectedRC'     : 0
        }
        </call>
        <else>
          <call function="'dsconfig'">
        { 'location'       : location ,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost ,
          'dsInstanceAdminPort' : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'set-key-manager-provider-prop' ,
          'objectType'     : 'provider-name' ,
          'objectName'     : KeyMgr,
          'optionsString'  : '--set key-store-file:%s --reset key-store-pin-file --set key-store-pin:%s --set enabled:true' % (keystoreFile,keystorePin),
          'expectedRC'     : 0
        }
          </call>
        </else>
      </if>
    <!--- configure Trust Manager Provider -->
      <message>
         'Configure Trust Manager Provider'
      </message>
      <if expr="len(trustMgr.strip()) != 0">
        <if expr="createTrustMgr == True">
          <call function="'dsconfig'">
        { 'location'       : location ,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost ,
          'dsInstanceAdminPort' : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'create-trust-manager-provider' ,
          'objectType'     : 'provider-name' ,
          'objectName'     :  trustMgr ,
          'optionsString'  :  '--set trust-store-file:%s --set trust-store-pin:%s --type file-based  --set trust-store-type:%s --set enabled:true ' %(truststoreFile,truststorePin,truststoreType),
          'expectedRC'     : 0
        }
          </call>
          <else>
            <call function="'dsconfig'">
        { 'location'       : location ,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost ,
          'dsInstanceAdminPort' : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'set-trust-manager-provider-prop' ,
          'objectType'     : 'provider-name' ,
          'objectName'     :  trustMgr ,
          'optionsString'  :  '--set trust-store-file:%s --set trust-store-pin:%s --set enabled:true'  %(truststoreFile,truststorePin),
          'expectedRC'     : 0
        }
            </call>
          </else>
        </if>
        <else>
          <call function="'dsconfig'">
        { 'location'       : location ,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost ,
          'dsInstanceAdminPort' : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'set-trust-manager-provider-prop' ,
          'objectType'     : 'provider-name' ,
          'objectName'     : 'Blind Trust',
          'optionsString'  : '--set enabled:true' ,
          'expectedRC'     : 0
        }
          </call>
        </else>
      </if>
      <!--- Enable LDAPS Connection Handler -->
      <message>
       'Enabling LDAPS Connection Handler - Keystore type'
      </message>
      <script>
        option1='--set ssl-cert-nickname:%s' % certAlias
        if trustMgr:
          option2='--set trust-manager-provider:"%s"' % (trustMgr)
        else:
          option2='--set trust-manager-provider:"Blind Trust"'
        option3='--set key-manager-provider:"%s"' % (KeyMgr)
        option4='--set listen-port:%s' % DIRECTORY_INSTANCE_SSL_PORT
        option5='--set enabled:true --set use-ssl:true --set ssl-client-auth-policy:required'
        optionsString='%s %s %s %s %s' % (option1,option2,option3,option4,option5)
      </script>
      <call function="'dsconfig'">
        { 'location'       : location ,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost ,
          'dsInstanceAdminPort' : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'set-connection-handler-prop',
          'objectType'     : 'handler-name' ,
          'objectName'     : 'LDAPS Connection Handler',
          'optionsString'  : optionsString,
          'expectedRC'     : 0
        }
      </call>
      <!--- Setting the mapper -->
      <call function="'dsconfig'">
        { 'location'       : location ,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost ,
          'dsInstanceAdminPort' : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'set-certificate-mapper-prop',
          'objectType'     : 'mapper-name' ,
          'objectName'     : certMapper,
          'optionsString'  : '--set enabled:true --no-prompt %s'%optionMapper,
          'expectedRC'     : 0
        }
      </call>
      <!--- Setting the sasl mechanism -->
      <call function="'dsconfig'">
        { 'location'       : location ,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost ,
          'dsInstanceAdminPort' : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'set-sasl-mechanism-handler-prop',
          'objectType'     : 'handler-name' ,
          'objectName'     : handlerName,
          'optionsString'  : '--set certificate-mapper:"%s" --set enabled:true --no-prompt %s'%(certMapper,optionSaSL),
          'expectedRC'     : 0
        }
      </call>
    </sequence>
  </function>
  <!-- ################################################## -->  
  <!--  configure SSL  and TLS -->
  <!-- ################################################## -->    
@@ -1129,6 +1575,12 @@
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="customKeyMgr" type="optional" default="''">
        <function-arg-description>
          Name for the key manager
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="keystoreType" type="optional" default="'JKS'">
        <function-arg-description>
          Keystore type : JKS or PKCS12
@@ -1162,6 +1614,21 @@
          'expectedRC'     : 0 
        }
      </call>
      <call function="'dsconfig'">
        { 'location'       : location,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost,
          'dsInstanceAdminPort'    : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'set-connection-handler-prop' ,
          'objectType'     : 'handler-name' ,
          'objectName'     : 'LDAP Connection Handler',
          'optionsString'  : '--reset key-manager-provider --reset trust-manager-provider --reset ssl-cert-nickname',
          'expectedRC'     : 0
        }
      </call>
      
      <!--- Disable SSL Trust Manager Provider -->
      <message>
@@ -1186,8 +1653,23 @@
      <message>
        'Disabling Key Manager Provider'
      </message>
      <call function="'dsconfig'">
      <if expr="len(customKeyMgr.strip()) != 0">
        <call function="'dsconfig'">
        { 'location'       : location ,
          'dsPath'         : dsPath ,
          'dsInstanceHost' : dsInstanceHost ,
          'dsInstanceAdminPort'    : dsInstanceAdminPort ,
          'dsInstanceDn'   : dsInstanceDn ,
          'dsInstancePswd' : dsInstancePswd ,
          'subcommand'     : 'delete-key-manager-provider' ,
          'objectType'     : 'provider-name' ,
          'objectName'     :  customKeyMgr ,
          'expectedRC'     : 0
        }
        </call>
        <else>
          <call function="'dsconfig'">
        { 'location'       : location,
          'dsPath'         : dsPath,
          'dsInstanceHost' : dsInstanceHost,
@@ -1200,7 +1682,10 @@
          'optionsString'  : '--set enabled:false',
          'expectedRC'     : 0 
        }
      </call>
          </call>
        </else>
      </if>
    </sequence>
  </function>
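Review bot: In `configureSASL`, the `create-key-manager-provider` call fills `--set key-store-type:%s` from `truststoreType`, so the declared `keystoreType` argument is never used in the visible function. A PKCS12 keystore paired with a JKS truststore would be registered with the wrong type; the tuple should read `% (keystoreFile,keystorePin,keystoreType)`. The same function falls back to the `Blind Trust` provider when `trustMgr` is empty while setting `ssl-client-auth-policy:required` and enabling the certificate mapper. A comment above that branch, such as `<!-- Blind Trust accepts any client certificate: test fixture only; pass trustMgr to exercise real chain validation -->`, would mark the fallback as a fixture rather than a configuration to reuse. The `createTrustMgr` description also repeats the key-manager wording and should say trust manager.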
  
opends/tests/staf-tests/shared/functions/utils.xml
@@ -1063,7 +1063,7 @@
        reportCfg = open('%s/logs/report.cfg' % LOGS_ROOT, 'w')
        reportCfg.write('[Main]\n')
        reportCfg.write('product = OpenDS_SE2.4 (Directory)\n')
        reportCfg.write('product = Directory\n')
        if TESTS_TYPE == 'functional-tests':
          reportCfg.write('category = Functional\n')
        else:
@@ -3331,6 +3331,25 @@
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="includeAttrs"
                        type="optional"
                        default="None">
        <function-arg-description>
          Map containing the attributes configured as include-attributes along
          with their values, e.g.:
          { 'description':['desc1', desc2'], 'telephonenumber':['11-22-33']}
        </function-arg-description>
        <function-arg-property name="type" value="map"/>
      </function-arg-def>
      <function-arg-def name="expectMissingIncAttrs"
                        type="optional"
                        default="[]">
        <function-arg-description>
          List of the attributes in includeAttrs expected NOT TO BE FOUND in the
          changelog entry.
        </function-arg-description>
        <function-arg-property name="type" value="list"/>
      </function-arg-def>
      <function-arg-def name="knownIssue" type="optional" default="None">
        <function-arg-description>
          Known issue. Corresponds to an issue number.
@@ -3342,6 +3361,7 @@
      <script>
        myLocation            = location
        myPath                = dsPath
        myKnownIssue          = knownIssue
        
        # Mandatory attributes in a changeLogEntry
        ecl_DN                = changelogEntry['dn'][0]
@@ -3386,7 +3406,8 @@
      <call function="'searchString'">
        { 'returnString'   : ecl_targetDN,
          'expectedString' : targetDN,
          'searchType'     : 'exact-case-insensitive'
          'searchType'     : 'exact-case-insensitive',
          'knownIssue'     : myKnownIssue
        }
      </call>
@@ -3396,7 +3417,8 @@
      <call function="'searchString'">
        { 'returnString'   : ecl_changeType,
          'expectedString' : changeType,
          'searchType'     : 'exact-case-insensitive'
          'searchType'     : 'exact-case-insensitive',
          'knownIssue'     : myKnownIssue
        }
      </call>
@@ -3408,7 +3430,8 @@
          <call function="'searchString'">
            { 'returnString'   : ecl_changeTime,
              'expectedString' : changeTime,
              'searchType'     : 'exact-case-insensitive'
              'searchType'     : 'exact-case-insensitive',
              'knownIssue'     : myKnownIssue
            }
          </call>
        </sequence>
@@ -3422,7 +3445,8 @@
          <call function="'searchString'">
            { 'returnString'   : ecl_changeNumber,
              'expectedString' : changeNumber,
              'searchType'     : 'exact-case-sensitive'
              'searchType'     : 'exact-case-sensitive',
              'knownIssue'     : myKnownIssue
            }
          </call>
        </sequence>
@@ -3437,7 +3461,8 @@
            <call function="'searchString'">
              { 'returnString'   : ecl_replicationCSN,
                'expectedString' : replicationCSN,
                'searchType'     : 'exact-case-insensitive'
                'searchType'     : 'exact-case-insensitive',
                'knownIssue'     : myKnownIssue
              }
            </call>
          </sequence>
@@ -3446,7 +3471,14 @@
              <message log="1" level="'Error'">
                'No replicationCSN could be found in the changelog entry' 
              </message>
              <call function="'testFailed'"/>
              <if expr="myKnownIssue == None">
                <call function="'testFailed'"/>
                <else>
                  <call function="'setKnownIssue'">
                    { 'issueId' : myKnownIssue }
                  </call>
                </else>
              </if>
            </sequence>
          </else>
        </if>
@@ -3461,7 +3493,8 @@
            <call function="'searchString'">
              { 'returnString'   : ecl_replicaIdentifier,
                'expectedString' : replicaIdentifier,
                'searchType'     : 'exact-case-sensitive'
                'searchType'     : 'exact-case-sensitive',
                'knownIssue'     : myKnownIssue
              }
            </call>
          </sequence>
@@ -3470,7 +3503,14 @@
              <message log="1" level="'Error'">
                'No replicaIdentifier could be found in the changelog entry' 
              </message>
              <call function="'testFailed'"/>
              <if expr="myKnownIssue == None">
                <call function="'testFailed'"/>
                <else>
                  <call function="'setKnownIssue'">
                    { 'issueId' : myKnownIssue }
                  </call>
                </else>
              </if>
            </sequence>
          </else>
        </if>
@@ -3485,7 +3525,8 @@
            <call function="'searchString'">
              { 'returnString'   : ecl_targetEntryUUID,
                'expectedString' : targetEntryUUID,
                'searchType'     : 'exact-case-insensitive'
                'searchType'     : 'exact-case-insensitive',
                'knownIssue'     : myKnownIssue
              }
            </call>
          </sequence>
@@ -3494,7 +3535,14 @@
              <message log="1" level="'Error'">
                'No targetEntryUUID could be found in the changelog entry' 
              </message>
              <call function="'testFailed'"/>
              <if expr="myKnownIssue == None">
                <call function="'testFailed'"/>
                <else>
                  <call function="'setKnownIssue'">
                    { 'issueId' : myKnownIssue }
                  </call>
                </else>
              </if>
            </sequence>
          </else>
        </if>
@@ -3509,7 +3557,8 @@
            <call function="'searchString'">
              { 'returnString'   : ecl_newRDN,
                'expectedString' : newRDN,
                'searchType'     : 'exact-case-insensitive'
                'searchType'     : 'exact-case-insensitive',
                'knownIssue'     : myKnownIssue
              }
            </call>
          </sequence>
@@ -3518,7 +3567,14 @@
              <message log="1" level="'Error'">
                'No newRDN could be found in the changelog entry' 
              </message>
              <call function="'testFailed'"/>
              <if expr="myKnownIssue == None">
                <call function="'testFailed'"/>
                <else>
                  <call function="'setKnownIssue'">
                    { 'issueId' : myKnownIssue }
                  </call>
                </else>
              </if>
            </sequence>
          </else>
        </if>
@@ -3533,7 +3589,8 @@
            <call function="'searchString'">
              { 'returnString'   : ecl_deleteOldRDN,
                'expectedString' : deleteOldRDN,
                'searchType'     : 'exact-case-sensitive'
                'searchType'     : 'exact-case-sensitive',
                'knownIssue'     : myKnownIssue
              }
            </call>
          </sequence>
@@ -3542,7 +3599,14 @@
              <message log="1" level="'Error'">
                'No deleteOldRDN could be found in the changelog entry' 
              </message>
              <call function="'testFailed'"/>
              <if expr="myKnownIssue == None">
                <call function="'testFailed'"/>
                <else>
                  <call function="'setKnownIssue'">
                    { 'issueId' : myKnownIssue }
                  </call>
                </else>
              </if>
            </sequence>
          </else>
        </if>
@@ -3557,7 +3621,8 @@
            <call function="'searchString'">
              { 'returnString'   : ecl_newSuperior,
                'expectedString' : newSuperior,
                'searchType'     : 'exact-case-insensitive'
                'searchType'     : 'exact-case-insensitive',
                'knownIssue'     : myKnownIssue
              }
            </call>
          </sequence>
@@ -3566,7 +3631,14 @@
              <message log="1" level="'Error'">
                'No newSuperior could be found in the changelog entry' 
              </message>
              <call function="'testFailed'"/>
              <if expr="myKnownIssue == None">
                <call function="'testFailed'"/>
                <else>
                  <call function="'setKnownIssue'">
                    { 'issueId' : myKnownIssue }
                  </call>
                </else>
              </if>
            </sequence>
          </else>
        </if>
@@ -3641,7 +3713,14 @@
                                'Expected values %s could not be found in %s' \
                                 % (valueList, ecl_valueList) 
                              </message>
                              <call function="'testFailed'"/>
                              <if expr="myKnownIssue == None">
                                <call function="'testFailed'"/>
                                <else>
                                  <call function="'setKnownIssue'">
                                    { 'issueId' : myKnownIssue }
                                  </call>
                                </else>
                              </if>
                            </sequence>
                          </else>
                        </if>
@@ -3651,7 +3730,14 @@
                          <message log="1" level="'Error'">
                            'No %s could be found in the changes' % attr 
                          </message>
                          <call function="'testFailed'"/>
                          <if expr="myKnownIssue == None">
                            <call function="'testFailed'"/>
                            <else>
                              <call function="'setKnownIssue'">
                                { 'issueId' : myKnownIssue }
                              </call>
                            </else>
                          </if>
                        </sequence>
                      </else>
                    </if>                    
@@ -3697,7 +3783,14 @@
                              'Expected change %s could not be found in %s'\
                               % (mod, ecl_changesList) 
                            </message>
                            <call function="'testFailed'"/>
                            <if expr="myKnownIssue == None">
                              <call function="'testFailed'"/>
                              <else>
                                <call function="'setKnownIssue'">
                                  { 'issueId' : myKnownIssue }
                                </call>
                              </else>
                            </if>
                          </sequence>
                        </else>
                      </if>
@@ -3713,12 +3806,280 @@
              <message log="1" level="'Error'">
                'No changes could be found in the changelog entry' 
              </message>
              <call function="'testFailed'"/>
              <if expr="myKnownIssue == None">
                <call function="'testFailed'"/>
                <else>
                  <call function="'setKnownIssue'">
                    { 'issueId' : myKnownIssue }
                  </call>
                </else>
              </if>
            </sequence>
          </else>
        </if>
      </if>
      
      <if expr="includeAttrs">
        <iterate var="attr" in="includeAttrs.keys()">
          <sequence>
            <message>
              'checkChangelogEntry: Checking include-attribute: %s' % attr
            </message>
            <script>
              # included-attributes are preceded by 'target' prefix in the
              # changelog entry, e.g.: 'description' -> 'targetdescription'
              targetAttr    = 'target%s' % attr
              valueList     = includeAttrs[attr]
              ecl_valueList = None
              if targetAttr in changelogEntry.keys():
                ecl_valueList = changelogEntry[targetAttr]
                ecl_valueList.sort()
                valueList.sort()
            </script>
            <if expr="ecl_valueList != None">
              <!-- Some value found for (include-attribute) targetAttr -->
              <if expr="attr in expectMissingIncAttrs">
                <sequence>
                  <message log="1" level="'Error'">
                    'Found values %s for %s while NONE expected.' \
                     % (valueList, targetAttr)
                  </message>
                  <if expr="myKnownIssue == None">
                    <call function="'testFailed'"/>
                    <else>
                      <call function="'setKnownIssue'">
                        { 'issueId' : myKnownIssue }
                      </call>
                    </else>
                  </if>
                </sequence>
                <else>
                  <if expr="valueList == ecl_valueList">
                    <message>
                      'Found expected values for include attribute in %s: \
                      %s' % (targetAttr, valueList)
                    </message>
                    <else>
                      <sequence>
                        <message log="1" level="'Error'">
                          'Expected values %s could not be found in %s: %s' \
                           % (valueList, targetAttr, ecl_valueList)
                        </message>
                        <if expr="myKnownIssue == None">
                          <call function="'testFailed'"/>
                          <else>
                            <call function="'setKnownIssue'">
                              { 'issueId' : myKnownIssue }
                            </call>
                          </else>
                        </if>
                      </sequence>
                    </else>
                  </if>
                </else>
              </if>
              <else>
                <!-- No (include-attribute) targetAttr found -->
                <if expr="attr in expectMissingIncAttrs">
                  <message>
                    'No %s could be found in the changelog entry, AS EXPECTED' \
                    % targetAttr
                  </message>
                  <else>
                    <sequence>
                      <message log="1" level="'Error'">
                        'No %s could be found in the changelog entry' % targetAttr
                      </message>
                      <if expr="myKnownIssue == None">
                        <call function="'testFailed'"/>
                        <else>
                          <call function="'setKnownIssue'">
                            { 'issueId' : myKnownIssue }
                          </call>
                        </else>
                      </if>
                    </sequence>
                  </else>
                </if>
              </else>
            </if>
          </sequence>
        </iterate>
      </if>
    </sequence>
  </function>
  <!-- PSEARCH -->
  <function name="psearch" scope="local">
    <function-prolog>
      This function performs a psearch request
    </function-prolog>
    <function-map-args>
      <function-arg-def name="location"
                        type="optional"
                        default="STAF_REMOTE_HOSTNAME">
        <function-arg-description>
          Location of target host
        </function-arg-description>
        <function-arg-property name="type" value="hostname"/>
      </function-arg-def>
      <function-arg-def name="dsInstanceHost"
                        type="optional"
                        default="STAF_REMOTE_HOSTNAME">
        <function-arg-description>
          Target directory server  hostname or IP address
        </function-arg-description>
        <function-arg-property name="type" value="hostname" />
      </function-arg-def>
      <function-arg-def name="dsInstancePort" type="required">
        <function-arg-description>
          Directory server  port number
        </function-arg-description>
        <function-arg-property name="type" value="Port number"/>
      </function-arg-def>
      <function-arg-def name="dsInstanceDn" type="required">
        <function-arg-description>
         Directory server  dn
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="dsInstancePswd" type="required">
        <function-arg-description>
          Bind password
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="dsBaseDn" type="required">
        <function-arg-description>
          Specify the base DN for which to perform the verification
        </function-arg-description>
        <function-arg-property name="type" value="dn"/>
      </function-arg-def>
       <function-arg-def name="nbrOfThread" type="optional" default="1">
        <function-arg-description>
          Specify the number of threads to use
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="outputFile" type="optional">
        <function-arg-description>
          Specify the output file path
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="operation" type="optional">
        <function-arg-description>
          Specify the opeation type
        </function-arg-description>
        <function-arg-property name="type" value="string"/>
      </function-arg-def>
      <function-arg-def name="display" type="optional">
        <function-arg-description>
          Optional do not perform any display in terminal
        </function-arg-description>
        <function-arg-property name="type" value="boolean"/>
      </function-arg-def>
      <function-arg-def name="ldif" type="optional">
        <function-arg-description>
          Optional output file in ldif format
        </function-arg-description>
        <function-arg-property name="type" value="boolean"/>
      </function-arg-def>
      <function-arg-def name="expectedRC" type="optional" default="0">
        <function-arg-description>
          Expected return code value. Default value is 0
          Wildcard 'noCheck' to not check the RC
        </function-arg-description>
        <function-arg-property name="type" value="integer"/>
      </function-arg-def>
    </function-map-args>
    <sequence>
      <script>
        if is_windows_platform(location):
          jstaf_jarfile='%s\\bin\\JSTAF.jar' % REMOTE_STAF_ROOT
        else:
          jstaf_jarfile='%s/lib/JSTAF.jar' % REMOTE_STAF_ROOT
      </script>
      <!-- Build the command -->
      <script>
        STAFCmdParamsList=[]
        STAFCmdParams=''
        if dsInstanceHost:
          STAFCmdParamsList.append('-h %s' % dsInstanceHost)
        if dsInstancePort:
          STAFCmdParamsList.append('-p %s' % dsInstancePort)
        if dsInstanceDn:
          STAFCmdParamsList.append('-D %s' % dsInstanceDn)
        if dsBaseDn:
          STAFCmdParamsList.append('-b %s' % dsBaseDn)
        if dsInstancePswd:
          STAFCmdParamsList.append('-w %s' % dsInstancePswd)
        if display:
          STAFCmdParamsList.append('-s')
        if ldif:
          STAFCmdParamsList.append('-l')
        if outputFile:
          STAFCmdParamsList.append('-f %s' % outputFile)
        if nbrOfThread:
          STAFCmdParamsList.append('-n %s' % nbrOfThread)
        if operation:
          STAFCmdParamsList.append('-o %s' % operation)
        STAFCmdParams=' '.join(STAFCmdParamsList)
        STAFCmd='PSearch'
        if is_windows_platform(location):
          separator=';'
        else:
          separator=':'
        ldapjdkPath='%s/ldapjdk' % remote.java
        ldapjdk_jarfile='%s/ldapjdk.jar' % ldapjdkPath
        cp = 'CLASSPATH=%s%s%s%s.' \
        % (ldapjdk_jarfile,separator,jstaf_jarfile,separator)
        env = ['%s' % cp]
      </script>
      <message>
        '%s %s' % (STAFCmd, STAFCmdParams)
      </message>
      <call function="'runCommand'" >
        {
        'name'       : 'PSearch' ,
        'command'    : '%s/bin/java' % JAVA_HOME ,
        'arguments'  : '%s %s' % (STAFCmd, STAFCmdParams) ,
        'location'   : location ,
        'path'       : '%s/ldapjdk' % remote.java ,
        'envCmd'     : env ,
        'expectedRC' : expectedRC
        }
      </call>
      <return>
        STAXResult
      </return>
    </sequence>
  </function>
</stax>
opends/tests/staf-tests/shared/functions/webcontainer.xml
@@ -23,7 +23,7 @@
 !
 ! CDDL HEADER END
 !
 !      Portions Copyright 2008-2009 Sun Microsystems, Inc.
 !      Portions Copyright 2008-2010 Sun Microsystems, Inc.
! -->
<stax>
  
@@ -186,7 +186,12 @@
               'remotehost' : '%s' % STAF_REMOTE_HOSTNAME
              }
            </call>
            <call function="'copyFile'">
              { 'srcfile'    : '%s/../../ext/emma/lib/emma.jar' % TESTS_ROOT,
                'destfile'   : '%s/apache-%s-%s/lib/emma.jar' % (wcPath, WC_TYPE, WC_VERSION),
                'remotehost' : '%s' % STAF_REMOTE_HOSTNAME
              }
            </call>
            <if expr="RC != 0">
              <return>RC</return>
            </if>
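Review bot: The `<if expr="RC != 0">` that follows the new emma.jar `copyFile` call now appears to test only that copy, so a failure of the call that closes just above it would go unnoticed before the next step runs. If the earlier result still matters, check it before the new call as well, with `<if expr="RC != 0"><return>RC</return></if>` placed between the two calls. The earlier call and the enclosing sequence start outside the hunk, so how RC is set there cannot be confirmed from this view.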
opends/tests/staf-tests/shared/java/ldapjdk/PSearch.java
@@ -22,109 +22,129 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2009 Sun Microsystems, Inc.
 *      Copyright 2009-2010 Sun Microsystems, Inc.
 */
import netscape.ldap.util.GetOpt;
import com.ibm.staf.STAFHandle;
public class PSearch {
    public static void main(String[] args) {
        String usage = "Usage: psearch -h <hostname> -p <port> -b <suffix>" + "[-D bindDN] [-w bindPW]" + "-f <fileURL+file name>" + "-l <y>" + "-n <number of thread>" + " -o <add,modify,delete,moddn>";
        String hostname = "localhost";
        int portnumber = 1389; //LDAPv3.DEFAULT_PORT;
        int nbThreads = 1;//number of thread by default
        // Check for these options. -H means to print out a usage message.
        GetOpt options = new GetOpt("h:p:b:D:w:H:f:n:o:l", args);
  public static void main(String[] args) {
    String usage = "Usage: psearch -h <hostname> -p <port> -b <suffix>" + "[-D bindDN] [-w bindPW]" + "-f <fileURL+file name>" + "-s" + "-n <number of thread>" + " -o <add,modify,delete,moddn>"+ " -l";
    String hostname = "localhost";
    int portnumber = 1389; //LDAPv3.DEFAULT_PORT;
    int nbThreads = 1;//number of thread by default
    // Check for these options. -H means to print out a usage message.
    GetOpt options = new GetOpt("h:p:b:D:w:H:f:n:o:s:l", args);
        // Get the arguments specified for each option.
        String host = options.getOptionParam('h');
        // host
        if (options.hasOption('h')) {
            if (host == null) {
                // usage
                System.out.println(usage);
                System.exit(1);
            } else {
                hostname = host;
            }
        }
        String port = options.getOptionParam('p');
        // If a port number was specified, convert the port value
        // to an integer.
        if (port != null) {
            try {
                portnumber = java.lang.Integer.parseInt(port);
            } catch (java.lang.Exception e) {
                System.out.println("Invalid port number: " + port);
                System.out.println(usage);
                System.exit(1);
            }
        }
        //number of thread
        String nbT = options.getOptionParam('n');
        if (nbT != null) {
            try {
                nbThreads = java.lang.Integer.parseInt(nbT);
            } catch (java.lang.Exception e) {
                System.out.println("Invalid Thread number: " + nbT);
                System.out.println(usage);
                System.exit(1);
            }
        }
        // PSearch suffix
        String suffix = options.getOptionParam('b');
        String bindDN = options.getOptionParam('D');
        String bindPW = options.getOptionParam('w');
        //operations all by default
        String operation = PSearchOperations.ALL;
        if (options.hasOption('o')) {
            String opParam = options.getOptionParam('o');
            if (opParam.equals("add")) {
                operation = PSearchOperations.ADD;
            } else if (opParam.equals("modify")) {
                operation = PSearchOperations.MODIFY;
            } else if (opParam.equals("delete")) {
                operation = PSearchOperations.DELETE;
            } else if (opParam.equals("moddn")) {
                operation = PSearchOperations.MODDN;
            }else if (opParam.equals("all")) {
                operation = PSearchOperations.ALL;;
            } else {
                System.out.println("Invalid operation type: " + opParam);
                System.out.println(usage);
                System.exit(1);
            }
        }
        // to disable the log files
        boolean useFile = false;
        String fileName = "logLile";
        if (options.hasOption('f')) {
            useFile = options.hasOption('f');
            fileName = options.getOptionParam('f');
        }
        // to enable system out logs
        boolean output = options.hasOption('l');
        System.out.println("Connecting to " + hostname + ":" + portnumber +
                " as \"" + bindDN + "\"" +
                " on suffix \"" + suffix + "\"" +
                " on operation \"" + operation + "\"" +
                " use file: \"" + useFile + "\" output: \"" + output + "\"");
        //start all thread
        for (int i = 0; i < nbThreads; i++) {
            PSearchOperations ps = new PSearchOperations(i, hostname, portnumber, bindDN, bindPW, suffix);
            if (useFile) {
                ps.useLogFile(useFile);
                ps.setLogFile(fileName);
            }
            ps.setOutput(output);
            ps.setOperation(operation);
            ps.start();
        }
    // Get the arguments specified for each option.
    String host = options.getOptionParam('h');
    // host
    if (options.hasOption('h')) {
      if (host == null) {
        // usage
        System.out.println(usage);
        System.exit(1);
      } else {
        hostname = host;
      }
    }
    String port = options.getOptionParam('p');
    // If a port number was specified, convert the port value
    // to an integer.
    if (port != null) {
      try {
        portnumber = java.lang.Integer.parseInt(port);
      } catch (java.lang.Exception e) {
        System.out.println("Invalid port number: " + port);
        System.out.println(usage);
        System.exit(1);
      }
    }
    //number of thread
    String nbT = options.getOptionParam('n');
    if (nbT != null) {
      try {
        nbThreads = java.lang.Integer.parseInt(nbT);
      } catch (java.lang.Exception e) {
        System.out.println("Invalid Thread number: " + nbT);
        System.out.println(usage);
        System.exit(1);
      }
    }
    // PSearch suffix
    String suffix = options.getOptionParam('b');
    String bindDN = options.getOptionParam('D');
    String bindPW = options.getOptionParam('w');
    //operations all by default
    String operation = PSearchOperations.ALL;
    if (options.hasOption('o')) {
      String opParam = options.getOptionParam('o');
      if (opParam.equals("add")) {
        operation = PSearchOperations.ADD;
      } else if (opParam.equals("modify")) {
        operation = PSearchOperations.MODIFY;
      } else if (opParam.equals("delete")) {
        operation = PSearchOperations.DELETE;
      } else if (opParam.equals("moddn")) {
        operation = PSearchOperations.MODDN;
      } else if (opParam.equals("all")) {
        operation = PSearchOperations.ALL;
        ;
      } else {
        System.out.println("Invalid operation type: " + opParam);
        System.out.println(usage);
        System.exit(1);
      }
    }
    // to disable the log files
    boolean useFile = false;
    String fileName = "logLile";
    if (options.hasOption('f')) {
      useFile = options.hasOption('f');
      fileName = options.getOptionParam('f');
    }
    // to enable diff format
    boolean ldifFormat = options.hasOption('l');
    // to enable system out logs
    boolean output = options.hasOption('s');
    System.out.println("Connecting to " + hostname + ":" + portnumber +
            " as \"" + bindDN + "\"" +
            " on suffix \"" + suffix + "\"" +
            " on operation \"" + operation + "\"" +
            " use file: \"" + useFile + "\" output: \"" + output + "\"");
    //start all thread
    for (int i = 0; i < nbThreads; i++) {
      PSearchOperations ps = new PSearchOperations(i, hostname, portnumber, bindDN, bindPW, suffix);
      if (useFile) {
        ps.useLogFile(useFile);
        ps.setLogFile(fileName);
      }
      ps.setOutput(output);
      ps.setLdifFormat(ldifFormat);
      ps.setOperation(operation);
      ps.start();
    }
        try {
      STAFHandle handle = new STAFHandle("PSearch listener");
      handle.submit2(hostname, "SEM", "PULSE EVENT PSearch/Ready");
      handle.submit2(hostname, "SEM", "WAIT EVENT PSearch tests/Completed");
      handle.submit2(hostname, "SEM", "DELETE EVENT PSearch tests/Completed");
      System.exit(0);
    } catch (Exception e) {
      System.out.println("STAF Handle fail");
    }
  }
}
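Review bot: The option string `"h:p:b:D:w:H:f:n:o:s:l"` declares `-s` with a trailing colon, i.e. as an option that takes a value, yet it is read only through `options.hasOption('s')` and the usage text lists it as a bare `-s`. With the colon the parser is expected to treat whatever argument follows `-s` as its value, so a following flag such as `-l` or `-f` can be swallowed; `new GetOpt("h:p:b:D:w:H:f:n:o:sl", args)` matches the intended use. Separately, the final `catch (Exception e)` prints only `"STAF Handle fail"` and drops the cause; `System.out.println("STAF Handle fail: " + e);` would make a failed semaphore handshake diagnosable. The comment `// to enable diff format` above `ldifFormat` should read `// to enable LDIF format`.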
opends/tests/staf-tests/shared/java/ldapjdk/PSearchOperations.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2009 Sun Microsystems, Inc.
 *      Copyright 2009-2010 Sun Microsystems, Inc.
 */
import java.io.File;
@@ -57,6 +57,7 @@
    private int threadId;
    private String fileName;
    private boolean output;
    private boolean ldifFormat;
    private boolean logFile;
    private String operation;
    /**
@@ -77,6 +78,7 @@
        this.threadId = id;
        this.output = false;
        this.logFile = false;
        this.ldifFormat = false;
        //by default all operation
        this.operation = ALL;
@@ -121,6 +123,10 @@
        this.operation = operation;
    }
    public void setLdifFormat(boolean ldifFormat) {
        this.ldifFormat = ldifFormat;
    }
    /**
     *Connect to server.
     */
@@ -129,7 +135,8 @@
            connection = new LDAPConnection();            
            connection.connect(3, hostname, portnumber, "", "");
            connection.authenticate(3, bindDN, bindPW);
            write("[Thread id: " + threadId + "] \n" + getDate() + connection);
            if(!ldifFormat)
              write("[Thread id: " + threadId + "] \n" + getDate() + connection);
        } catch (LDAPException ex) {
            System.out.println("[Thread id: " + threadId + "]Connection :" + ex.getMessage());
            System.exit(0);
@@ -263,20 +270,25 @@
            Enumeration attrs = attrSet.getAttributes();
            if (entry.getDN().contains("break")) {
                String message = "\n[Thread id: " + threadId + "] " + getDate() + " [BREAK]";
                write(message);
                if(!ldifFormat)
                  write(message);
                System.exit(0);
            } else if (entry.getDN().contains("stop")) {
                try {
                    connection.disconnect();
                    String message = "\n[Thread id: " + threadId + "] " + getDate() + "[STOP]";
                    write(message);
                    if(!ldifFormat)
                      write(message);
                    System.exit(0);
                } catch (LDAPException ex) {
                    System.out.println("[Thread id: " + threadId + "]run :" + ex.getLDAPErrorMessage());
                }
            }
            String message = "[Thread id: " + threadId + "] " + getDate() + " [" + controlName(arr[4]) + "]";
            write("\n" + message);
           if(!ldifFormat)
             write("\n" + message);
           else
             write("\n");
            String dn = "dn: " + entry.getDN();
            write(dn);
            while (attrs.hasMoreElements()) {
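Review bot: In `connect()` the `catch (LDAPException ex)` branch still ends in `System.exit(0)`, so a refused connection or failed bind makes the process report success to whatever launched it; `System.exit(1);` there would let the caller's return-code check see the failure. The new `if(!ldifFormat)` guards are unbraced and indented differently from the surrounding code, which makes the `if`/`else` around `write("\n" + message)` easy to misread; bracing it as `if (!ldifFormat) { write("\n" + message); } else { write("\n"); }` avoids that. `setLdifFormat` has no Javadoc; a one-line `/** Enables LDIF-only output, suppressing the thread/date banner lines. */` would document what the flag changes. Both `connect()` and the notification loop begin and end outside the hunks shown.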
opends/tests/staf-tests/shared/java/ldapjndi/addAnEntry.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2008 Sun Microsystems, Inc.
 *      Copyright 2008-2010 Sun Microsystems, Inc.
 */
import java.util.Hashtable;
@@ -115,7 +115,10 @@
          attrToComplete = new BasicAttribute(attributeName);
          attributeSet.add(attrToComplete);
        }
        attrToComplete.add(attributeValue);
        if (attributeValue != null) {
          attributeValue = attributeValue.replaceAll("QUOT","\\\"");
          attrToComplete.add(attributeValue);
        }
      }
      k++;
    }
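Review bot: `attributeValue.replaceAll("QUOT","\\\"")` rewrites every occurrence of the letters `QUOT` in a value, so data that legitimately contains them (for example `QUOTA`) is silently changed before it is added to the entry. `replaceAll` also interprets its arguments as regex and replacement syntax, which is why the replacement needs the extra backslashes; `attributeValue = attributeValue.replace("QUOT", "\"");` produces the same output without that. A comment stating that `QUOT` is the caller's stand-in for a double quote, and that null values are now skipped rather than added, would make the contract visible. The enclosing loop and method start outside the hunk.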
opends/tests/staf-tests/shared/staf/staf-controller.cfg
@@ -21,7 +21,10 @@
# CDDL HEADER END
#
#
#      Copyright 2007-2009 Sun Microsystems, Inc.
#      Copyright 2007-2010 Sun Microsystems, Inc.
# Change default data directory
SET DATADIR {STAF/Config/STAFRoot}/data-${local.hostname}
# Turn on tracing of internal errors and deprecated options
trace enable tracepoints "error deprecated"
@@ -32,23 +35,20 @@
# Set default local trust
trust machine local://local level 5
trust level 5 machine tcp://localhost
# this is required for the Zip Service to be able to expand archives
# This is required for the Zip Service to be able to expand archives
trust level 5 user anonymous
# Default Service Loader Service
serviceloader library STAFDSLS
# LOG SERVICE CONFIGURATION
SERVICE Log LIBRARY STAFLog \
  PARMS "Directory {STAF/Config/STAFRoot}/logs"
# ZIP SERVICE CONFIGURATION
SERVICE Zip LIBRARY STAFZip
# STAX SERVICE CONFIGURATION
SERVICE Stax LIBRARY JSTAF \
  EXECUTE ${staf.install.dir}/${stax.name}/STAX.jar \
  OPTION JVMNAME=stafJVM-${local.hostname}  \
  OPTION JVMNAME=staxJVM-${local.hostname}  \
  OPTION J2=-Xms1g -Xmx1g \
    -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled \
    -XX:+CMSClassUnloadingEnabled -XX:NewSize=500m -XX:MaxNewSize=500m \
@@ -58,15 +58,18 @@
# EVENT SERVICE CONFIGURATION
SERVICE Event LIBRARY JSTAF \
  EXECUTE ${staf.install.dir}/${event.name}/STAFEvent.jar
  EXECUTE ${staf.install.dir}/${event.name}/STAFEvent.jar \
  OPTION JVMNAME=eventJVM-${local.hostname}
# EVENTMANAGER SERVICE CONFIGURATION
SERVICE EventManager LIBRARY JSTAF \
  EXECUTE ${staf.install.dir}/${eventmanager.name}/STAFEventManager.jar
  EXECUTE ${staf.install.dir}/${eventmanager.name}/STAFEventManager.jar \
  OPTION JVMNAME=eventmanagerJVM-${local.hostname}
# EMAIL SERVICE CONFIGURATION
SERVICE Email LIBRARY JSTAF \
  EXECUTE ${staf.install.dir}/${email.name}/STAFEmail.jar \
  OPTION JVMNAME=emailJVM-${local.hostname}  \
  PARMS "MAILSERVER ${email.server.host} PORT ${email.server.port}"
SET MAXQUEUESIZE 10000
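Review bot: `trust level 5 user anonymous`, kept here with only its comment re-capitalised, appears to give the highest STAF trust level to requests that carry no authenticated user, which is broader than the Zip service comment suggests. Since the file is being reworked anyway, a comment such as `# level 5 for anonymous lets unauthenticated STAF clients use every service on this host; use only on an isolated test network` would record the exposure. If the controller and slaves are known hosts, narrowing it to per-machine `trust level 5 machine ...` entries like the `tcp://localhost` line above is worth considering. How STAF resolves the `anonymous` user against machine trust is not visible here, so confirm against the STAF documentation.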
opends/tests/staf-tests/shared/staf/staf-slave.cfg
@@ -21,7 +21,10 @@
# CDDL HEADER END
#
#
#      Copyright 2008 Sun Microsystems, Inc.
#      Copyright 2008-2010 Sun Microsystems, Inc.
# Change default data directory
SET DATADIR {STAF/Config/STAFRoot}/data-${remote.hostname}
# Turn on tracing of internal errors and deprecated options
trace enable tracepoints "error deprecated"
opends/tests/staf-tests/shared/tests/runTestJob.xml
@@ -997,8 +997,8 @@
      <iterate var="thisChild" in="listOfChildren2">
        <sequence>
          <script>
            srcFile = '%s/logs/MACHINE/%s/GLOBAL/STAX_Job_%s.log' \
                      % (STAFRoot,STAF_LOCAL_HOSTNAME,thisChild)
            srcFile = '%s/data-%s/service/log/MACHINE/%s/GLOBAL/STAX_Job_%s.log' \
                      % (STAFRoot,STAF_LOCAL_HOSTNAME,STAF_LOCAL_HOSTNAME,thisChild)
            destFile = '%s/staf-logs/STAX_Job_%s.txt' \
                       % (LOGS_ROOT,thisChild)
          </script>
@@ -1012,8 +1012,8 @@
          </process>
          <script>
            srcFile = '%s/logs/MACHINE/%s/GLOBAL/STAX_Job_%s_User.log' \
                      % (STAFRoot,STAF_LOCAL_HOSTNAME,thisChild)
            srcFile = '%s/data-%s/service/log/MACHINE/%s/GLOBAL/STAX_Job_%s_User.log' \
                      % (STAFRoot,STAF_LOCAL_HOSTNAME,STAF_LOCAL_HOSTNAME,thisChild)
            destFile = '%s/staf-logs/STAX_Job_%s_User.txt' \
                       % (LOGS_ROOT,thisChild)
          </script>
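Review bot: The new `srcFile` value in both hunks spells out the STAF data-directory layout (`data-<host>/service/log/MACHINE/<host>/GLOBAL`) by hand. It therefore depends on the `SET DATADIR` line in the STAF cfg files and on the Log service writing under that directory; if either changes, the step that consumes `srcFile` will look for a file that is no longer there. I would build the directory once, `stafLogDir = '%s/data-%s/service/log/MACHINE/%s/GLOBAL' % (STAFRoot,STAF_LOCAL_HOSTNAME,STAF_LOCAL_HOSTNAME)`, and derive both names from it, e.g. `srcFile = '%s/STAX_Job_%s.log' % (stafLogDir,thisChild)`, with a comment naming the cfg setting it mirrors. The enclosing `<sequence>` starts and ends outside the hunks, so whether a missing source file is reported as an error is not visible here.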
opends/tests/staf-tests/shared/tests/runTests.xml
@@ -71,7 +71,7 @@
        starttime = time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(TESTS_TIMESTAMP))
        reportCfg = open('%s/logs/report.cfg' % LOGS_ROOT, 'w')
        reportCfg.write('[Main]\n')
        reportCfg.write('product = OpenDS_SE2.4 (Directory)\n')
        reportCfg.write('product = Directory\n')
        if TESTS_TYPE == 'functional-tests':
          reportCfg.write('category = Functional\n')
        else:
opends/tests/staf-tests/stress-tests/testcases/import_ldif/import_ldif_bin_attr_10m.xml
@@ -23,7 +23,7 @@
 !
 ! CDDL HEADER END
 !
 !      Copyright 2009 Sun Microsystems, Inc.
 !      Copyright 2009-2010 Sun Microsystems, Inc.
 ! -->
<stax>
@@ -343,7 +343,7 @@
            </sequence>
          </testcase>
          <testcase name="getTestCaseName('Rebuild all indexes online')">
          <testcase name="getTestCaseName('Rebuild all indexes offline')">
            <sequence>
              <call function="'testCase_Preamble'"/>
@@ -363,18 +363,17 @@
              </call>
              <message>
                'Import Ldif: Binary Attribute: Rebuild all indexes online'
                'Import Ldif: Binary Attribute: Rebuild all indexes offline'
              </message>
              <call function="'rebuildIndexWithScript'">
                {
                'dsBaseDN'            : 'dc=com' ,
                'dsRebuildAll'        : 'True'
                'dsRebuildAll'        : 'True' ,
                'knownIssue'          : '6928546'
                }
              </call>
              <script>
                returnString = STAXResult[0][1]
                msgIndexLocation1 = 'Index l.presence phase two processing completed'
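Review bot: The `'knownIssue' : '6928546'` entry added to the `rebuildIndexWithScript` call has no comment saying what the issue is or when the tag can be dropped. A failure of this testcase will presumably go on being classified as known after the bug is fixed, which can hide a real regression. I would put an XML comment above the `<call>`, e.g. `<!-- knownIssue 6928546: <one-line summary>; remove once fixed -->`. The testcase name and message now say 'offline', but the arguments shown select nothing that looks offline-specific, so it is worth confirming that the steps outside the hunk really run the rebuild against a stopped server.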
opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/DbHandlerTest.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 *      Copyright 2006-2010 Sun Microsystems, Inc.
 */
package org.opends.server.replication.server;
@@ -30,6 +30,7 @@
import java.net.ServerSocket;
import org.opends.server.TestCaseUtils;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.replication.ReplicationTestCase;
import org.opends.server.replication.common.ChangeNumber;
import org.opends.server.replication.common.ChangeNumberGenerator;
@@ -37,13 +38,29 @@
import org.testng.annotations.Test;
import static org.testng.Assert.*;
import static org.opends.server.TestCaseUtils.*;
import static org.opends.server.loggers.debug.DebugLogger.debugEnabled;
import static org.opends.server.loggers.debug.DebugLogger.getTracer;
/**
 * Test the dbHandler class
 */
public class DbHandlerTest extends ReplicationTestCase
{
  @Test()
  // The tracer object for the debug logger
  private static final DebugTracer TRACER = getTracer();
  /**
   * Utility - log debug message - highlight it is from the test and not
   * from the server code. Makes easier to observe the test steps.
   */
  private void debugInfo(String tn, String s)
  {
    if (debugEnabled())
    {
      TRACER.debugInfo("** TEST " + tn + " ** " + s);
    }
  }
  @Test(enabled=true)
  void testDbHandlerTrim() throws Exception
  {
    File testRoot = null;
@@ -265,7 +282,7 @@
   * The clear feature is used when a replication server receives a request
   * to reset the generationId of a given domain.
   */
  @Test()
  @Test(enabled=true)
  void testDbHandlerClear() throws Exception
  {
    File testRoot = null;
@@ -345,4 +362,255 @@
        TestCaseUtils.deleteDirectory(testRoot);
    }
  }
  /**
   * Test the logic that manages counter records in the DbHandler in order to
   * optimize the counting of record in the replication changelog db.
   * @throws Exception
   */
  @Test(enabled=true)
  void testDbCounts() throws Exception
  {
    // It's worth testing with 2 different setting for counterRecord
    // - a counter record is put every 10 Update msg in the db - just a unit
    //   setting.
    // - a counter record is put every 1000 Update msg in the db - something
    //   closer to real setting.
    // In both cases, we want to test the counting algorithm,
    // - when start and stop are before the first counter record,
    // - when start and stop are before and after the first counter record,
    // - when start and stop are after the first counter record,
    // - when start and stop are before and after more than one counter record,
    // After a purge.
    // After shutdowning/closing and reopening the db.
    testDBCount(40, 10);
    testDBCount(4000, 1000);
  }
  private void testDBCount(int max, int counterWindow) throws Exception
  {
    String tn = "testDBCount("+max+","+counterWindow+")";
    debugInfo(tn, "Starting test");
    File testRoot = null;
    ReplicationServer replicationServer = null;
    ReplicationDbEnv dbEnv = null;
    DbHandler handler = null;
    ReplicationIterator ri = null;
    int actualCnt = 0;
    String testcase;
    try
    {
      TestCaseUtils.startServer();
      //  find  a free port for the replicationServer
      ServerSocket socket = TestCaseUtils.bindFreePort();
      int changelogPort = socket.getLocalPort();
      socket.close();
      // configure a ReplicationServer.
      ReplServerFakeConfiguration conf =
        new ReplServerFakeConfiguration(changelogPort, null, 0,
            2, 0, 100000, null);
      replicationServer = new ReplicationServer(conf);
      // create or clean a directory for the dbHandler
      String buildRoot = System.getProperty(TestCaseUtils.PROPERTY_BUILD_ROOT);
      String path = buildRoot + File.separator + "build" + File.separator +
      "unit-tests" + File.separator + "dbHandlercp";
      testRoot = new File(path);
      if (testRoot.exists())
      {
        TestCaseUtils.deleteDirectory(testRoot);
      }
      testRoot.mkdirs();
      dbEnv = new ReplicationDbEnv(path, replicationServer);
      // Create the handler
      handler =
        new DbHandler( 1, TEST_ROOT_DN_STRING,
            replicationServer, dbEnv, 10);
      handler.setCounterWindowSize(counterWindow);
      // Populate the db with 'max' msg
      int mySeqnum = 1;
      ChangeNumber cnarray[] = new ChangeNumber[2*(max+1)];
      long now = System.currentTimeMillis();
      for (int i=1; i<=max; i++)
      {
        cnarray[i] = new ChangeNumber(now+i, mySeqnum, 1);
        mySeqnum+=2;
        DeleteMsg update1 = new DeleteMsg(TEST_ROOT_DN_STRING, cnarray[i], "uid");
        handler.add(update1);
      }
      handler.flush();
      // Test first and last
      ChangeNumber cn1 = handler.getFirstChange();
      assertEquals(cn1, cnarray[1], "First change");
      ChangeNumber cnlast = handler.getLastChange();
      assertEquals(cnlast, cnarray[max], "Last change");
      // Test count in different subcases trying to handle all special cases
      // regarding the 'counter' record and 'count' algorithm
      testcase="FROM change1 TO change1 ";
      actualCnt = handler.getCount(cnarray[1], cnarray[1]);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, 1, testcase);
      testcase="FROM change1 TO change2 ";
      actualCnt = handler.getCount(cnarray[1], cnarray[2]);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, 2, testcase);
      testcase="FROM change1 TO counterWindow="+(counterWindow);
      actualCnt = handler.getCount(cnarray[1], cnarray[counterWindow]);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, counterWindow, testcase);
      testcase="FROM change1 TO counterWindow+1="+(counterWindow+1);
      actualCnt = handler.getCount(cnarray[1], cnarray[counterWindow+1]);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, counterWindow+1, testcase);
      testcase="FROM change1 TO 2*counterWindow="+(2*counterWindow);
      actualCnt = handler.getCount(cnarray[1], cnarray[2*counterWindow]);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, 2*counterWindow, testcase);
      testcase="FROM change1 TO 2*counterWindow+1="+((2*counterWindow)+1);
      actualCnt = handler.getCount(cnarray[1], cnarray[(2*counterWindow)+1]);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, (2*counterWindow)+1, testcase);
      testcase="FROM change2 TO change5 ";
      actualCnt = handler.getCount(cnarray[2], cnarray[5]);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, 4, testcase);
      testcase="FROM counterWindow+2 TO counterWindow+5 ";
      actualCnt = handler.getCount(cnarray[(counterWindow+2)], cnarray[(counterWindow+5)]);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, 4, testcase);
      testcase="FROM change2 TO counterWindow+5 ";
      actualCnt = handler.getCount(cnarray[2], cnarray[(counterWindow+5)]);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, counterWindow+4, testcase);
      testcase="FROM counterWindow+4 TO counterWindow+4 ";
      actualCnt = handler.getCount(cnarray[(counterWindow+4)], cnarray[(counterWindow+4)]);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, 1, testcase);
      // Now test with changes older than first or newer than last
      ChangeNumber olderThanFirst = null;
      ChangeNumber newerThanLast =
        new ChangeNumber(System.currentTimeMillis() + (2*(max+1)), 100, 1);
      // Now we want to test with start and stop outside of the db
      testcase="FROM our first generated change TO now (> newest change in the db)";
      actualCnt = handler.getCount(cnarray[1], newerThanLast);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, max, testcase);
      testcase="FROM null (start of time) TO now (> newest change in the db)";
      actualCnt = handler.getCount(olderThanFirst, newerThanLast);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, max, testcase);
      // Now we want to test that after closing and reopening the db, the
      // counting algo is well reinitialized and when new messages are added
      // the new counter are correctly generated.
      debugInfo(tn,"SHUTDOWN handler and recreate");
      handler.shutdown();
      handler =
        new DbHandler( 1, TEST_ROOT_DN_STRING,
            replicationServer, dbEnv, 10);
      handler.setCounterWindowSize(counterWindow);
      // Test first and last
      cn1 = handler.getFirstChange();
      assertEquals(cn1, cnarray[1], "First change");
      cnlast = handler.getLastChange();
      assertEquals(cnlast, cnarray[max], "Last change");
      testcase="FROM our first generated change TO now (> newest change in the db)";
      actualCnt = handler.getCount(cnarray[1], newerThanLast);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, max, testcase);
      // Populate the db with 'max' msg
      for (int i=max+1; i<=(2*max); i++)
      {
        cnarray[i] = new ChangeNumber(now+i, mySeqnum, 1);
        mySeqnum+=2;
        DeleteMsg update1 = new DeleteMsg(TEST_ROOT_DN_STRING, cnarray[i], "uid");
        handler.add(update1);
      }
      handler.flush();
      // Test first and last
      cn1 = handler.getFirstChange();
      assertEquals(cn1, cnarray[1], "First change");
      cnlast = handler.getLastChange();
      assertEquals(cnlast, cnarray[2*max], "Last change");
      testcase="FROM our first generated change TO now (> newest change in the db)";
      actualCnt = handler.getCount(cnarray[1], newerThanLast);
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, (2*max), testcase);
      //
      handler.setPurgeDelay(100);
      sleep(4000);
      int totalCount = handler.getCount(null, null);
      debugInfo(tn,testcase + " After purge, total count=" + totalCount);
      testcase="AFTER PURGE (first, last)=";
      debugInfo(tn,testcase + handler.getFirstChange() + handler.getLastChange());
      assertEquals(handler.getLastChange(), cnarray[2*max], "Last=");
      testcase="AFTER PURGE ";
      actualCnt = handler.getCount(cnarray[1], newerThanLast);
      int expectedCnt;
      if (totalCount>1)
      {
        expectedCnt = ((handler.getLastChange().getSeqnum()
                    - handler.getFirstChange().getSeqnum() + 1)/2)+1;
      }
      else
      {
        expectedCnt = 1;
      }
      debugInfo(tn,testcase + " actualCnt=" + actualCnt);
      assertEquals(actualCnt, expectedCnt, testcase);
      // Clear ...
      debugInfo(tn,"clear:");
      handler.clear();
      // Check the db is cleared.
      assertEquals(null, handler.getFirstChange());
      assertEquals(null, handler.getLastChange());
      debugInfo(tn,"Success");
    }
    finally
    {
      if (ri!=null)
        ri.releaseCursor();
      if (handler != null)
        handler.shutdown();
      if (dbEnv != null)
        dbEnv.shutdown();
      if (replicationServer != null)
        replicationServer.remove();
      if (testRoot != null)
        TestCaseUtils.deleteDirectory(testRoot);
    }
  }
}
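Review bot: The purge step in `testDBCount` is timing-dependent and its assertion checks little, because it waits a fixed `sleep(4000)` after `setPurgeDelay(100)`. It then derives `expectedCnt` from the handler's own `getFirstChange()`/`getLastChange()`, so `getCount` is only compared with the handler's own view and the test passes whether or not anything was purged. Assuming the purge is meant to drop the oldest change, I would poll with a deadline as sketched below, and add a comment on the `expectedCnt` formula saying it relies on `mySeqnum` advancing by 2 per change. Separately, `ri` is never assigned, so the `ri.releaseCursor()` branch in `finally` is dead. Closing the `bindFreePort()` socket before the server binds also leaves a window in which another local process can take the port.

```java
      handler.setPurgeDelay(100);
      // Poll with a deadline instead of one fixed sleep, so the test does not
      // depend on how quickly the trimming runs on a given machine.
      long deadline = System.currentTimeMillis() + 10000;
      while (cnarray[1].equals(handler.getFirstChange())
          && System.currentTimeMillis() < deadline)
      {
        sleep(100);
      }
      // … unchanged: totalCount, AFTER PURGE assertions, clear …
```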