external-software/github_OpenIdentityPlatform_OpenDJ.git

parent: 29eaff4a | patch | commit | ignore whitespace

smaguin

02.57.2007 a67b0bf8d7be9ceda0b480cbb27b7bf0229b7122

new client_auth testsuite

7 files added

	opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml	106 ●●●●● patch \| view \| raw \| blame \| history
	opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml	635 ●●●●● patch \| view \| raw \| blame \| history
	opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml	204 ●●●●● patch \| view \| raw \| blame \| history
	opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml	219 ●●●●● patch \| view \| raw \| blame \| history
	opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml	471 ●●●●● patch \| view \| raw \| blame \| history
	opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml	264 ●●●●● patch \| view \| raw \| blame \| history
	opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml	471 ●●●●● patch \| view \| raw \| blame \| history

 opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml

New file
@@ -0,0 +1,106 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Portions Copyright 2006-2007 Sun Microsystems, Inc.
 ! -->
<stax>

  <defaultcall function="client_auth"/>

  <function name="client_auth">

    <sequence>

      <block name="'client_auth'">
      
        <sequence>
  
          <script>
            CurrentTestPath['group']='security'
            CurrentTestPath['suite']=STAXCurrentBlock
          </script>

          <call function="'testSuite_Preamble'"/>


          <import machine="'%s' % (STAF_LOCAL_HOSTNAME)"
            file="'%s/testcases/security/security_setup.xml' % (TESTS_DIR)"/>
          <call function="'security_setup'"/>         
  
            <!--  client authentication setup -->

          <import machine="'%s' % STAF_LOCAL_HOSTNAME"
            file="'%s/testcases/security/client_auth/client_auth_setup.xml' % (TESTS_DIR)"/>
          <call function="'client_auth_setup'" />

				
            <!-- fingerprint certificates mapper -->
        <!--
          <import machine="'%s' % STAF_LOCAL_HOSTNAME"
            file="'%s/testcases/security/client_auth/fingerprint.xml' % (TESTS_DIR)"/>
          <call function="'fingerprint'" />
                -->
  
          <!-- subject DN to user attribut certificate mapper -->
			
             <import machine="'%s' % STAF_LOCAL_HOSTNAME"
            file="'%s/testcases/security/client_auth/subject_dn_mapper.xml' % (TESTS_DIR)"/>
          <call function="'subject_dn_mapper'" />

            <!-- subject attribute  to user attribut certificate mapper -->
			
             <import machine="'%s' % STAF_LOCAL_HOSTNAME"
            file="'%s/testcases/security/client_auth/subject_attribute_mapper.xml' % (TESTS_DIR)"/>
          <call function="'subject_attribute_mapper'" />
		
            <!-- subject equals dn certificate mapper -->
		
             <import machine="'%s' % STAF_LOCAL_HOSTNAME"
            file="'%s/testcases/security/client_auth/equal_dn_mapper.xml' % (TESTS_DIR)"/>
          <call function="'equal_dn_mapper'" />
	
          <!--  client authentication teardown -->
          <import machine="'%s' % STAF_LOCAL_HOSTNAME"
            file="'%s/testcases/security/client_auth/client_auth_teardown.xml' % (TESTS_DIR)"/>
          <call function="'client_auth_teardown'" />
			


          <import machine="'%s' % (STAF_LOCAL_HOSTNAME)"
            file="'%s/testcases/security/security_cleanup.xml' % (TESTS_DIR)"/>
          <call function="'security_cleanup'"/>											

			
          <call function="'testSuite_Postamble'"/>

        </sequence>
   
      </block>
   
    </sequence>

  </function>

</stax>

 opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml

New file
@@ -0,0 +1,635 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Portions Copyright 2006-2007 Sun Microsystems, Inc.
 ! -->
<stax>
  
  <defaultcall function="client_auth_setup"/>
	
  <function name="client_auth_setup" scope="local">      

    <sequence>
                   
       <!--- Test Case : Server Certificate configuration -->
       <!---
            #@TestMarker              Setup Tests
            #@TestName                 Create certificates for server and client
            #@TestIssue                   
            #@TestPurpose             Create server and client certificates
            #@TestPreamble           none
            #@TestStep                  Generate server and client certificates.
            #@TestStep                  Self-sign the certificates.
            #@TestPostamble          none
            #@TestResult                Success if OpenDS returns 0 for all operations
        -->
		  
        <!-- Generate Server Cert -->
		
    <testcase name="'Security: client_auth:  Setup. certificates configuration'">
      <sequence>
        <script>
          USER_1_CERT="client-cert-1"
          USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)     			
          USER_2_CERT="client-cert-2"
          USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
          KEYPASS="password"
          STOREPASS="password"
          SERVER_KEYPASS="servercert"
          SERVER_STOREPASS="servercert"
          CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
          CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
        </script>
        
 
      <message>
           '---- Generating Server Certicate -----'
      </message>
		
      <!-- create a server certificate -->           
		    
      <call function="'genCertificate'">
         { 'certAlias'        : 'server-cert' ,
            'dname'           : "uid=server,%s" % (DIRECTORY_INSTANCE_SFX),
            'keystore'        : 'keystore',
            'storepass'       : SERVER_STOREPASS,
            'keypass'         : SERVER_KEYPASS,
            'storetype'        : 'JKS' }
      </call>  
		  
      <!-- Self-Sign Server Cert    -->

      <message>
               '---- Self-Signing Server Certicate  ---- '
      </message>

      <call function="'SelfSignCertificate'">
          { 'certAlias'        : 'server-cert' ,
            'storepass'       : SERVER_STOREPASS,
            'keypass'         : SERVER_KEYPASS,
             'keystore'        : 'keystore',
             'storetype'       : 'JKS' }
      </call>
 
        <!-- Create folder on local host where are store client keystore and certificate-->
      <message>
                'Create folder %s' % (CERT_TMP)
      </message>  
			
      <call function="'createFolder'">
          { 'location' : '%s' % (DIRECTORY_INSTANCE_HOST), 
             'foldername' : '%s' % (CERT_TMP) }
      </call>		
      <call function="'checktestRC'">
           { 'returncode' : RC ,
           'result'     : STAXResult }
      </call>			
			  
      <message>
               '---- Generating client Certicate : %s ---- ' % (USER_1_CERT)
      </message>
			  
      <!-- create a client certificate  : USER_1_CERT -->           		 
      <call function="'genCertificate'">
           { 'certAlias'        : '%s' % USER_1_CERT,  
            'dname'           : '%s' % (USER_1_DN),
            'storepass'       : '%s' % (STOREPASS),
            'keystore'        : '%s' % (CLIENT_KEYSTORE),
            'keypass'         : '%s' % (KEYPASS),
            'storetype'        : 'JKS' }
      </call> 
			   
      <!-- Self-Sign client Certificate : USER_1_CERT    -->
      <message>'---- Self-Signing client Certificate : %s ---- ' % (USER_1_CERT)</message>
      
      <call function="'SelfSignCertificate'">
           { 'certAlias'        :  '%s' % USER_1_CERT,
              'storepass'      : '%s' % (STOREPASS),
              'keypass'         : '%s' % (KEYPASS),
              'keystore'        : '%s' % (CLIENT_KEYSTORE),
              'storetype'    : 'JKS' }
      </call>

      <!-- create a client certificate  : USER_2_CERT -->           
      <message>'---- Self-Signing client Certificate : %s ---- ' % (USER_2_CERT)</message>
			  
      <call function="'genCertificate'">
              { 'certAlias'        : '%s' % USER_2_CERT,
                'dname'           : '%s' % (USER_2_DN),
                'storepass'       : '%s' % (STOREPASS),
                'keystore'        : '%s' % (CLIENT_KEYSTORE),
                'keypass'         : '%s' % (KEYPASS),
                'storetype'        : 'JKS' }
      </call> 
			  
     <!-- Self-Sign client Certificate : USER_2_CERT    -->
      <message>'---- Self-Signing client Certificate : %s ---- ' % (USER_2_CERT)</message>

      <call function="'SelfSignCertificate'">
           { 'certAlias'        :  '%s' % USER_2_CERT,
              'storepass'       : '%s' % (STOREPASS),
              'keypass'         : '%s' % (KEYPASS),
              'keystore'        : '%s' % (CLIENT_KEYSTORE),
              'storetype'      : 'JKS' } 
      </call>
                                    
			  			  			  			      
      <call function="'testCase_Postamble'"/>
     </sequence>
    </testcase>
		  
		  			 
       <!--- Test Case : export client and server certificates -->
       <!---
            #@TestMarker              Setup Tests
            #@TestName                Export and Import Certificates
            #@TestIssue                   
            #@TestPurpose             Export  and import client and server certificates
            #@TestPreamble           none
            #@TestStep                  Export client and server certificates
            #@TestStep                  Import the certificates in the server and clients Database
            #@TestPostamble          none
            #@TestResult                Success if OpenDS returns 0 for all operations
        -->
		  
   <testcase name="'Security: client_auth:  setup. Export and Import certificates'">
      <sequence>
          <script>
				
          CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
          CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
    				
          USER_1_CERT="client-cert-1"
          USER_1_CERT_FILE="%s/client_cert_1.txt" % (CERT_TMP)
          USER_1_CERT_FILE_RFC="%s/client_cert_1_rfc.txt" % (CERT_TMP)				  
          USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)        
          USER_2_CERT="client-cert-2"
          USER_2_CERT_FILE="%s/client_cert_2.txt" % (CERT_TMP)
          USER_2_CERT_FILE_RFC="%s/client_cert_2_rfc.txt" % (CERT_TMP)				  
          USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)                
          SERVER_CERT_FILE="%s/server_cert.txt" % (CERT_TMP)
  				
          KEYPASS="password"
          STOREPASS="password"
          SERVER_KEYPASS="servercert"
          SERVER_STOREPASS="servercert"				
          </script>
		
			  
      <call function="'testCase_Preamble'"/>
		 
			  	
            <!-- Export the server Cert -->

      <message>'----  Export the  Server Certicate ----'</message>	  
			  
      <call function="'ExportCertificate'">
                    { 'certAlias'        : 'server-cert' ,
                    'outputfile'        : '%s' % (SERVER_CERT_FILE),
                    'storepass'       : SERVER_STOREPASS,
                    'storetype'        : 'JKS' }
      </call>	

            <!-- export client certificate : USER_1_CERT -->
      <message> '----  Export the  client certificate : : %s ---- ' % (USER_1_CERT)</message>
              
      <call function="'ExportCertificate'">
             { 'certAlias'        : '%s' % USER_1_CERT,
                'outputfile'        : '%s' % (USER_1_CERT_FILE),
                'storepass'       : '%s' % (STOREPASS),
                'keystore'        : '%s' % (CLIENT_KEYSTORE),		   
                'storetype'        : 'JKS' }				
      </call>			
		  		  			 
            <!-- export client certificate  RFC format : USER_1_CERT -->
      <message> '----  Export the  client certificate in RFC : : %s ---- ' % (USER_1_CERT)</message>
            
			  
      <call function="'ExportCertificate'">
             { 'certAlias'        : '%s' % USER_1_CERT,
                'outputfile'        : '%s' % (USER_1_CERT_FILE_RFC),
                'storepass'       : '%s' % (STOREPASS),
                'keystore'        : '%s' % (CLIENT_KEYSTORE),
                'format'           : 'rfc',		   
                'storetype'        : 'JKS' }				
      </call>
		
     <!-- export client certificate : USER_2_CERT -->
          
      <message>'----  Export the  client certificate : : %s ---- ' % (USER_2_CERT)</message>
    	  
      <call function="'ExportCertificate'">
            { 'certAlias'        :'%s' % USER_2_CERT,
                'outputfile'        : '%s' % (USER_2_CERT_FILE),
                'storepass'       : '%s' % (STOREPASS),
                'keystore'        : '%s' % (CLIENT_KEYSTORE),
                'storetype'        : 'JKS' }				
      </call>

            <!-- export client certificate RFC format : USER_2_CERT -->
          
      <message>'----  Export the  client certificate in RFC format : : %s ---- ' % (USER_2_CERT)</message>
    	  
      <call function="'ExportCertificate'">
            { 'certAlias'        :'%s' % USER_2_CERT,
                'outputfile'        : '%s' % (USER_2_CERT_FILE_RFC),
                'storepass'       : '%s' % (STOREPASS),
                'keystore'        : '%s' % (CLIENT_KEYSTORE),
                'format'           : 'rfc',		  
                'storetype'        : 'JKS' }				
      </call>
	  			
              <!-- Import the server Certificate under the client database -->

            <message>
               '----  Import the  Server Certificate under the client keystore----'
            </message>	  
		  
            <call function="'ImportCertificate'">
                { 'certAlias'        : 'server-cert' ,
                'inputfile'        : '%s' % (SERVER_CERT_FILE),
                'storepass'       : '%s' % (STOREPASS),
                'keystore'        : '%s' % (CLIENT_KEYSTORE),
                'storetype'        : 'JKS' }
            </call>
			
              <!-- Import the client Certificates under the server keystore  -->
    
      <message> '----  Import the  client Certificates %s under the server keystore----' % (USER_1_CERT)</message>
       
		  
      <call function="'ImportCertificate'">
                { 'certAlias'        : '%s' % (USER_1_CERT),
                'inputfile'        : '%s' % (USER_1_CERT_FILE),
                'storepass'       : SERVER_STOREPASS,
                'storetype'        : 'JKS' }
      </call>
			  
      <message> '----  Import the  client Certificates %s under the server keystore----' % (USER_2_CERT)</message> 	  
			 
      <call function="'ImportCertificate'">
                { 'certAlias'        : '%s' % (USER_2_CERT),
                'inputfile'        : '%s' % (USER_2_CERT_FILE),
                'storepass'       : SERVER_STOREPASS,
                'storetype'        : 'JKS' }
      </call>
            			  			  			  
            
      <call function="'testCase_Postamble'"/>
     </sequence>
   </testcase>
		   
		  
       <!--- Test Case : configure SSL and StartTLS -->
       <!---
            #@TestMarker              Setup Tests
            #@TestName                Configure SSL and startTLS
            #@TestIssue                   
            #@TestPurpose             Configure SSL and StartTLS
            #@TestPreamble           none
            #@TestStep                  Configure SSL
            #@TestStep                   Configure StartTLS
            #@TestPostamble          none
            #@TestResult                Success if OpenDS returns 0 for all operations
        -->
		  
		
    <testcase name="'Security: client_auth: setup. Configure SSL and StartTLS'">
     <sequence>
		  
      <call function="'testCase_Preamble'"/>
      <!-- Configure SSL-->

      <message>
               '----  Configure SSL ----'
      </message>	  

     <!--- Enable Key Manager Provider -->
      <message>
       'Enabling Key Manager Provider'
      </message>
      <call function="'modifyEntry'">
              {  'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,		  
                'entryToBeModified' : '%s/security/client_auth/setup/enable_key_mgr_provider.ldif' % (logsRemoteDataDir) }
      </call>

		 
     <!--- Enable Trust Manager Provider -->
      <message>
         'Enabling Trust Manager Provider'
      </message>

      <call function="'modifyEntry'">
               {  'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,	
                'entryToBeModified' : '%s/security/client_auth/setup/enable_trust_mgr_provider.ldif' % (logsRemoteDataDir) }
      </call>


      <!--- Enable LDAPS Connection Handler -->
      <message>
       'Enabling LDAPS Connection Handler - Port number'
      </message>

      <call function="'modifyEntry'">
             {  'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,	
                'entryToBeModified' : '%s/security/ldaps_port.ldif' % (logsRemoteDataDir) }
      </call>

      <!--  Enabling LDAPS Connection Handler - Keystore type -->
      <message>
       'Enabling LDAPS Connection Handler - Keystore type'
      </message>

      <call function="'modifyEntry'">
             {  'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,	
                'entryToBeModified' : '%s/security/client_auth/setup/enable_ldaps_conn_handler.ldif' % (logsRemoteDataDir) }
      </call>
	

        <!--- Enable StartTLS -->
        <message>
         'Enabling StartTLS'
        </message>

      <call function="'addEntry'">
           {  'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'entryToBeAdded'  : '%s/security/client_auth/setup/enable_startTLS.ldif' % (logsRemoteDataDir) }
      </call>
	
		 		 		
      <!--- Initial Search With SSL -->
      <message>
               'Security: Client_auth:  Searching with SSL Connection'
      </message>

      <call function="'ldapSearchWithScript'">
              { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,
                'dsScope'           :  'base',
                'dsFilter'         : 'objectclass=*' ,
                'dsUseSSL'         : ' ',
                'dsTrustAll' : ' ' }
      </call>
	  

      <!--- Initial Search With startTLS-->
      <message>
               'Security: Client_auth:  Searching with StartTLS Connection'
      </message>

      <call function="'ldapSearchWithScript'">
              { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,
                'dsScope'           :  'base',
                'dsFilter'         : 'objectclass=*' ,
                'dsUseStartTLS'        : ' ',
                'dsTrustAll' : ' ' }
      </call>

			    			  			  
      <call function="'testCase_Postamble'"/>
     </sequence>
    </testcase>
	
  	  
       <!--- Test Case : Create users entries with userCertificates -->
       <!---
            #@TestMarker              Setup Tests
            #@TestName                Create users entries
            #@TestIssue                   
            #@TestPurpose             Create users entries
            #@TestPreamble           none
            #@TestStep                  Create users entries with usercertificates
            #@TestPostamble          none
            #@TestResult                Success if OpenDS returns 0 for all operations
        -->
		  
		
    <testcase name="'Security: client_auth: setup. Create users entries'">
      <sequence>
      
      <call function="'testCase_Preamble'"/>
      <!-- Create users entries--> 
      <script>
            CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
				
            USER_1_CERT="client-cert-1"
            USER_1_CERT_FILE="%s/client_cert_1.txt" % (CERT_TMP)
            USER_1_CERT_FILE_RFC="%s/client_cert_1_rfc.txt" % (CERT_TMP)		  
            USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
            USER_2_CERT="client-cert-2"
            USER_2_CERT_FILE_RFC="%s/client_cert_2_rfc.txt" % (CERT_TMP)
            USER_2_CERT_FILE="%s/client_cert_2.txt" % (CERT_TMP)		  
            USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
            SERVER_CERT_FILE="%s/server_cert.txt" % (CERT_TMP)

            user1LdifFileName='user1_cert.ldif'
            user2LdifFileName='user2_cert.ldif'		  
            remoteUser1LdifFile='%s/../%s/%s' % (dsPath,relativeDataDir,user1LdifFileName)
            remoteUser2LdifFile='%s/../%s/%s' % (dsPath,relativeDataDir,user2LdifFileName)		  
            localUser1LdifFile='%s/%s' % (logsTempDir,user1LdifFileName)
            localUser2LdifFile='%s/%s' % (logsTempDir,user2LdifFileName)
      </script>
  
      <!-- Create USER_1_DN -->       
      <message> '----  Create User entry : %s----' % USER_1_DN</message>	  
        
        <script>
            listAttr = []   
            listAttr.append('objectclass:top')
            listAttr.append('objectclass:organizationalperson')
            listAttr.append('objectclass:inetorgperson')
            listAttr.append('objectclass:person')
            listAttr.append('objectclass:ds-certificate-user') 			 
            listAttr.append('objectclass:strongAuthenticationUser')
            listAttr.append('userCertificate;binary:  bad_certificate')			 
            listAttr.append('givenname:%s' % USER_1_CERT)
            listAttr.append('sn:%s' % USER_1_CERT)
            listAttr.append('cn:%s' % USER_1_CERT)
      </script>      
		  
      <call function="'addAnEntry'">
           { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
              'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
              'dsInstanceDn'    : DIRECTORY_INSTANCE_DN ,
              'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
              'DNToAdd'   : USER_1_DN,
              'listAttributes' : listAttr }
        </call>
   
		  
    <!-- Extract BEGIN CERTIFICATE and END CERTIFICATE -->
      <script>
              cert_file = open(USER_1_CERT_FILE_RFC,"r")
              ret_str = ""
              for line in cert_file.readlines():
                  index_cert = line.find("CERTIFICATE")
                  if index_cert == -1:
                    line=line.strip()
                    ret_str = ret_str + line
      </script>
     <script>
             listAttr = []  
             listAttr.append('dn: %s' % USER_1_DN)
             listAttr.append('changetype: modify')
             listAttr.append('replace: userCertificate;binary')
             listAttr.append('userCertificate;binary:: %s' % ret_str)
      </script>  
		  		  
     <!-- Write out the ldif -->
      <script>
        outfile = open(localUser1LdifFile,"w")
          
        for line in listAttr:
          outfile.write("%s\n" % line)
          
        outfile.close()
      </script>		  

      <!-- Copy the ldif file containing user certificate to remote host -->
      <message>'Copy ldif (%s) file to user entry %s  to %s' % (localUser1LdifFile,USER_1_DN,remoteUser1LdifFile)</message>
      <call function="'copyFile'">
        { 'location'   : STAXServiceMachine,
          'srcfile'    : localUser1LdifFile,
          'destfile'   : remoteUser1LdifFile,
          'remotehost' : STAF_REMOTE_HOSTNAME }
      </call>		    

      <call function="'modifyEntry'">
               { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                    'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                    'dsInstanceDn'  : DIRECTORY_INSTANCE_DN ,
                    'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                    'entryToBeModified'   : '%s' % remoteUser1LdifFile }
        </call>
	 
      <!-- Create USER_2_DN : this used contains the objectclass  ds-certificate-user -->
		              
       <message>'----  Create User entry : %s----' % USER_2_DN </message>
       <message>'----  This user contains an objectclass ds-certificate-user' </message>
    
        <script>
            listAttr = []   
            listAttr.append('objectclass:top')
            listAttr.append('objectclass:organizationalperson')
            listAttr.append('objectclass:inetorgperson')
            listAttr.append('objectclass:person')
            listAttr.append('objectclass:ds-certificate-user') 			 
            listAttr.append('objectclass:strongAuthenticationUser')
            listAttr.append('userCertificate;binary:  bad_certificate')			 
            listAttr.append('givenname:%s' % USER_2_CERT)
            listAttr.append('sn:%s' % USER_2_CERT)
            listAttr.append('cn:%s' % USER_2_CERT)
      </script>      
              
      <call function="'addAnEntry'">
           { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
             'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
             'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
             'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
             'DNToAdd'    : USER_2_DN,
             'listAttributes' : listAttr }
      </call>
            	

   
      <!-- Extract BEGIN CERTIFICATE and END CERTIFICATE -->
      <script>
              cert_file = open(USER_2_CERT_FILE_RFC,"r")
              ret_str = ""
              for line in cert_file.readlines():
                  index_cert = line.find("CERTIFICATE")
                  if index_cert == -1:
                    line=line.strip()
                    ret_str = ret_str + line
      </script>
		  
    <!-- Modify the user Entry to store the certificates -->	  

      <script>
             listAttr = []  
             listAttr.append('dn: %s' % USER_2_DN)
             listAttr.append('changetype: modify')
             listAttr.append('replace: userCertificate;binary')
             listAttr.append('userCertificate;binary:: %s' % ret_str)
      </script>  
		  		  
     <!-- Write out the ldif -->
      <script>
        outfile = open(localUser2LdifFile,"w")
          
        for line in listAttr:
          outfile.write("%s\n" % line)
          
        outfile.close()
      </script>		  

      <!-- Copy the ldif file containing user certificate to remote host -->
      <message>'Copy ldif (%s) file to user entry %s  to %s' % (localUser2LdifFile,USER_2_DN,remoteUser2LdifFile)</message>
      <call function="'copyFile'">
        { 'location'   : STAXServiceMachine,
          'srcfile'    : localUser2LdifFile,
          'destfile'   : remoteUser2LdifFile,
          'remotehost' : STAF_REMOTE_HOSTNAME }
      </call>		    

      <call function="'modifyEntry'">
               { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                    'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                    'dsInstanceDn'  : DIRECTORY_INSTANCE_DN ,
                    'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                    'entryToBeModified'   : '%s' % remoteUser2LdifFile }
        </call>

		  		  
      <call function="'testCase_Postamble'"/>
    </sequence>
    </testcase>
          		
</sequence>
</function>

</stax>

 opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml

New file
@@ -0,0 +1,204 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Portions Copyright 2006-2007 Sun Microsystems, Inc.
 ! -->
<stax>

  <defaultcall function="client_auth_teardown"/>

  <function name="client_auth_teardown">

     <sequence>

     <!--- Test Case : client_auth Teardown -->
     <!---
            Place suite-specific test information here.
            #@TestSuiteName            Teardown Tests
            #@TestSuitePurpose        Unconfigure JKS keystore and the secure port.
            #@TestSuiteGroup           Security JKS Teardown Tests
            #@TestScript                   teardown_client_auth.xml
      -->
     <!--- Delete Branch through SSL port -->
     <testcase name="'Security: client_auth: teardown'">
        <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker                Teardown Tests
            #@TestName                  JKS Teardown Test 
            #@TestIssue                 413
            #@TestPurpose               Unconfigure JKS keystore.
            #@TestPreamble              none
            #@TestStep                  Delete entries that were used for the JKS tests.
            #@TestStep                  Unconfigure JKS keystore.
            #@TestStep                  Remove JKS keystore.
            #@TestStep                  Test search with unsecure port.
            #@TestPostamble             none
            #@TestResult                Success if OpenDS returns 0 for all operations
         -->
       <sequence>
          <call function="'testCase_Preamble'"/>

          <script>
                  CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
                  USER_1_CERT="client-cert-1"
                  USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
                  USER_2_CERT="client-cert-2"
                  USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
           </script>			   
            <!--- Unconfigure  SSL -->
			  
			  
           <!--- Disable LDAPS Connection Handler -->
           <message>
             'Disabling LDAPS Connection Handler'
          </message>

          <call function="'modifyEntry'">
               { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'entryToBeModified' : '%s/security/client_auth/teardown/disable_ldaps_conn_handler.ldif' % (logsRemoteDataDir) }
         </call>

     
         <!--- Disable SSL Trust Manager Provider -->
         <message>   'Disabling SSL Trust Manager Provider' </message>

         <call function="'modifyEntry'">
               { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'entryToBeModified' : '%s/security/client_auth/teardown/disable_trust_mgr_provider.ldif' % (logsRemoteDataDir) }
         </call>



         <!--- Disable Key Manager Provider -->
         <message>
          'Disabling Key Manager Provider'
         </message>

         <call function="'modifyEntry'">
               { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
               'entryToBeModified' : '%s/security/client_auth/teardown/disable_key_mgr_provider.ldif' % (logsRemoteDataDir) }
         </call>

      
			
			   
         <!--- Disable StartTLS -->
         <message>
           'Disabling StartTLS'
         </message>

         <call function="'modifyEntry'">
                 { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                'entryToBeModified' : '%s/security/client_auth/teardown/disable_startTLS.ldif' % (logsRemoteDataDir) }
         </call>

			  
              <!-- remove client certificates keystore -->
            <message>
                'Delete folder %s' % (CERT_TMP)
            </message>  
			
            <call function="'deleteFolder'">
            { 'location' : '%s' % (DIRECTORY_INSTANCE_HOST), 
              'foldername' : '%s' % (CERT_TMP) }
            </call>	
			  
            <!--- Remove JKS Keystore -->
            <message>
               'Security: client_auth:  Removing JKS Keystore'
            </message>

            <call function="'deleteFile'">
              { 'location' : STAF_REMOTE_HOSTNAME,
                'filename' : '%s/../config/keystore' % OPENDS_BINPATH }
            </call>

            <call function="'checkRC'">
                { 'returncode' : RC ,
                  'result'     : STAXResult }
            </call>
      
            <!--- Search With Unsecure Port -->
            <message>
               'Security: client_auth: Postamble. Searching with Unsecure Connection'
            </message>

            <call function="'SearchObject'">				
              { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'     : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                'dsBaseDN'        :  DIRECTORY_INSTANCE_SFX ,
                'dsScope'           :  'base',
                'dsFilter'             : 'objectclass=*' }
            </call>

            <call function="'DeleteEntry'">
                   { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                      'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                       'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                       'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                       'dsBaseDN'      : USER_1_DN}
             </call>
	  
            <call function="'checktestRC'">
                { 'returncode' : RC ,
                  'result'     : STAXResult }
            </call>
			  			  
            <call function="'DeleteEntry'">
                   { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
                      'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,
                       'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                       'dsInstancePswd'   : DIRECTORY_INSTANCE_PSWD ,
                       'dsBaseDN'      : USER_2_DN}
             </call>
            <call function="'checktestRC'">
                { 'returncode' : RC ,
                  'result'     : STAXResult }
            </call>
			  	
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>

     </sequence>

  </function>

</stax>

 opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml

New file
@@ -0,0 +1,219 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Portions Copyright 2006-2007 Sun Microsystems, Inc.
 ! -->
<stax>
  
<defaultcall function="equal_dn_mapper"/>
<function name="equal_dn_mapper" scope="local">      

<sequence>
                               
       <!--- Test Case : setup -->
       <!---
    #@TestMarker              Setup Tests
    #@TestName                Set the SASL EXTERNAL mechanism to Subject Equal DN 
    #@TestIssue                   
    #@TestPurpose            Set the SASL EXTERNAL mechanism to Subject EqualN
    #@TestPreamble           none
    #@TestStep                  Set the SASL EXTERNAL mechanism to Subject Equal DN 
    #@TestPostamble          none
    #@TestResult                Success if OpenDS returns 0 for all operations
      -->
		  
    
  <testcase name="'Security: client_auth:  setup - equal_dn_mapper'">

      <sequence>
      <call function="'testCase_Preamble'"/>

      <message>
             '----  Configure the SASL EXTERNAL mechanism -----'
      </message>			
		
      <call function="'modifyAnAttribute'">
          { 'dsInstanceHost'       :  DIRECTORY_INSTANCE_HOST ,
             'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
             'dsInstanceDn'         : DIRECTORY_INSTANCE_DN ,
             'dsInstancePswd'      : DIRECTORY_INSTANCE_PSWD ,
             'DNToModify'           :  'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
             'attributeName'        : 'ds-cfg-certificate-mapper-dn',
             'newAttributeValue'  : 'cn=Subject Equals DN,cn=Certificate Mappers,cn=config',
             'changetype' : 'replace' }
      </call>
   
		             
      <call function="'testCase_Postamble'"/>
    </sequence>
  </testcase>
  
  
<!---
    #@TestMarker             Equal DN mapping
    #@TestName               Mapping on DN
    #@TestIssue                   
    #@TestPurpose           Use the Equal DN certificate mapper
   #@TestPurpose            The mapping will be done on entry DN
   #@TestStep                  Two users entries are used to validate this mapper
    #@TestPreamble          none
    #@TestPostamble         none
    #@TestResult               Success if OpenDS returns 0 for all operations
      -->
    
  <testcase name="'Security: client_auth: Equal DN mapping '">
    <sequence>
   <script>

    USER_1_CERT="client-cert-1"
    USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)               
    USER_2_CERT="client-cert-2"
    USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)			       
    STOREPASS="password"
    CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
    CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)                      		
    </script>
    <call function="'testCase_Preamble'"/>
   
		
    <!--  Check mapping is working -->         
    <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
		
    <!-- bound as USER_1_DN -->		
     <call function="'ldapSearchWithScript'">
        { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
          'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
          'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseSSL'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_1_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
		
     <script>
         STAXCode = RC
         ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
             { 'string2find' : USER_1_DN ,
                'mainString'    : ldapSearchResult ,
                'nbExpected'    : 1
             }
    </call>			           

    <!-- bound as USER_2_DN -->
     <call function="'ldapSearchWithScript'">
        { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
          'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
          'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseSSL'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
		
     <script>
         STAXCode = RC
         ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
             { 'string2find' : USER_2_DN ,
                'mainString'    : ldapSearchResult ,
                'nbExpected'    : 1
             }
    </call>			           		           

    <!-- bound as USER_1_DN -->		
   <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>		
     <call function="'ldapSearchWithScript'">
        { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
          'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
          'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_1_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    

     <script>
           STAXCode = RC
           ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
             { 'string2find' : USER_1_DN ,
                'mainString'    : ldapSearchResult ,
                'nbExpected'    : 1
             }
    </call>				
	           
     <!-- bound as USER_2_DN -->
     <call function="'ldapSearchWithScript'">
        { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
          'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
          'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
     <script>
           STAXCode = RC
           ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
             { 'string2find' : USER_2_DN ,
                'mainString'    : ldapSearchResult ,
                'nbExpected'    : 1
             }
    </call>	
		
    <call function="'testCase_Postamble'"/>      
    </sequence>
  </testcase>
  
</sequence>
</function>

</stax>

 opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml

New file
@@ -0,0 +1,471 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Portions Copyright 2006-2007 Sun Microsystems, Inc.
 ! -->
<stax>
  
<defaultcall function="fingerprint_mapper"/>
<function name="fingerprint_mapper" scope="local">      

<sequence>
                               
       <!--- Test Case : setup -->
       <!---
    #@TestMarker              Setup Tests
    #@TestName                Set the SASL EXTERNAL mechanism to fingerprint certificate mapper
    #@TestIssue                   
    #@TestPurpose            Set the SASL EXTERNAL mechanism to fingerprint certificate mapper
    #@TestPreamble           none
    #@TestStep                  Set the SASL EXTERNAL mechanism to fingerprint certificate mapper
    #@TestStep                  keep the default ds-cfg-certificate-subject-attribute-type which is ds-certificate-subject-dn
    #@TestPostamble          none
    #@TestResult                Success if OpenDS returns 0 for all operations
      -->
		  
    
  <testcase name="'Security: client_auth:  setup - fingerprint_mapper'">

   <sequence>
    <call function="'testCase_Preamble'"/>

    <message>
             '----  Configure the SASL EXTERNAL mechanism -----'
    </message>			
		
    <call function="'modifyAnAttribute'">
          { 'dsInstanceHost'       :  DIRECTORY_INSTANCE_HOST ,
             'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
             'dsInstanceDn'         : DIRECTORY_INSTANCE_DN ,
             'dsInstancePswd'      : DIRECTORY_INSTANCE_PSWD ,
             'DNToModify'           :  'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
             'attributeName'        : 'ds-cfg-certificate-mapper-dn',
             'newAttributeValue'  : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
             'changetype' : 'replace' }
    </call>
 
    <call function="'testCase_Postamble'"/>
  </sequence>
 </testcase>
  
  
<!---
#@TestMarker             Subject DN mapping to default user attribut 
#@TestName               Mapping on ds-certificated-subject-dn attribute
#@TestIssue                   
#@TestPurpose           Use the Subject DN to User Attribute certificate mapper
#@TestPurpose           Map the subject of a client certificate and a specified attribute in user entries
#@TestPurpose           The mapping will be done on the default attribut ds-certificate-subject-dn
#@TestStep                 Two users entries are used to validate this mapper
#@TestStep                 USER_1_DN contains an attribute ds-certifcated-subject-dn with the subject of the USER_1_CERT client certificate
#@TestStep                 USER_2_DN contains an attribute ds-certificate-subject-dn with an invalid value
#@TestStep                 The certificate mapping will work only with the USER_1_CERT client certificate
#@TestPreamble          none
#@TestPostamble         none
#@TestResult               Success if OpenDS returns 0 for all operations
 -->
    
  <testcase name="'Security: client_auth: subject dn mapping on ds-certificate-subject-dn'">
    <sequence>
   <script>

    USER_1_CERT="client-cert-1"
    USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)              
 
    USER_2_CERT="client-cert-2"
    USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)			       
    STOREPASS="password"
    CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
    CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)                      		
    </script>
    <call function="'testCase_Preamble'"/>
   
    <message>'----- Configure the attribute ds-certificate-subject-dn  for user %s ---' % USER_1_DN</message>
    <message>'----- ds-certificate-subject-dn is the subject of the certificate %s '% USER_1_CERT</message>
     
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'     : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'        : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'       : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'            : USER_1_DN,
    'attributeName'         : 'ds-certificate-subject-dn',
    'newAttributeValue'    : USER_1_DN,
    'changetype'              : 'add' }
    </call>          
   

	
   <message> '----- Configure the attribute ds-certificate-subject-dn  for user %s ---' % USER_2_DN</message>
   <message>'------ ds-certificate-subject-dn contains an invalid DN'</message>
 
 
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'         : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'          : USER_2_DN,
    'attributeName'       : 'ds-certificate-subject-dn',
    'newAttributeValue'  : 'uid=bad-certificate',
    'changetype'            : 'add' }
    </call>               
  

		
    <!--  Check mapping is working -->         
    <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
		
    <!-- bound as USER_1_DN -->			
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
      'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
      'dsKeyStorePassword'   :  STOREPASS,
       'dsUseSSL'             :  ' ',
       'dsUseSASLExternal'   :  ' ',
       'dsCertNickname'       : USER_1_CERT,
       'dsTrustStorePath'       : CLIENT_KEYSTORE,
       'dsKeyStorePath'        : CLIENT_KEYSTORE,
       'dsReportAuthzID'   : ' ',
       'dsScope'                 : 'base' }
     </call>    
		
     <script>
      STAXCode = RC
      ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
             { 'string2find' : USER_1_DN ,
                'mainString'    : ldapSearchResult ,
                'nbExpected'    : 1
             }
    </call>			        	          
		 
    <!-- No bound expected -->
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseSSL'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base',
          'expected'               : 49 }
     </call>    
		        
		
    <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>		
		
    <!-- bound as USER_1_DN -->		
    <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'            :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_1_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
		
     <script>
          STAXCode = RC
          ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
             { 'string2find' : USER_1_DN ,
                'mainString'    : ldapSearchResult ,
                'nbExpected'    : 1
             }
    </call>			        	           


     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base',
      'expected'               : 49 }
     </call>    
		
		
     <!--  Restore initial users configuration -->   
		
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'      : USER_1_DN,
    'attributeName' : 'ds-certificate-subject-dn',
    'newAttributeValue'  : USER_1_DN,             
    'changetype' : 'delete'}
     </call>             
 
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'      : USER_2_DN,
    'attributeName' : 'ds-certificate-subject-dn',
    'newAttributeValue'  : 'uid=bad-certificate',       
    'changetype' : 'delete'}
     </call>             

		
					
    <call function="'testCase_Postamble'"/>      
    </sequence>
  </testcase>

<!---
#@TestMarker             Subject DN mapping to the user attribute's description
#@TestName               Mapping on the attribute description
#@TestIssue                   
#@TestPurpose           Use the Subject DN to User Attribute certificate mapper
#@TestPurpose           Map the subject of a client certificate and a specified attribute in user entries
#@TestPurpose           The mapping will be done on the attribute description
#@TestStep                 Two users entries are used to validate this mapper
#@TestStep                 USER_1_DN doesn't contains attribute description
#@TestStep                 USER_2_DN contains an attribute description  with the USER_2_CERT client certificate
#@TestPreamble          none
#@TestPostamble         none
#@TestResult               Success if OpenDS returns 0 for all operations
  -->
    
  <testcase name="'Security: client_auth: subject dn mapping on attribut description'">
    <sequence>
   <script>
    USER_1_CERT="client-cert-1"
    USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)              
 
    USER_2_CERT="client-cert-2"
    USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)			       
    KEYPASS="servercert"
    STOREPASS="password"
    CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
    CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)                 
     
    </script>
	
    <call function="'testCase_Preamble'"/>

    <message>'----- Configure  the mapping to be done on the attribute description' </message>
      		
    <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'          : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',	
    'attributeName'      : 'ds-cfg-certificate-subject-attribute-type',
    'newAttributeValue'  : 'description',
    'changetype' : 'replace' }
    </call>

    <message>'----- Configure the attribute ds-certificate-subject-dn  for user %s ---' % USER_1_DN</message>      
		
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'      : USER_1_DN,
    'attributeName' : 'description',
    'newAttributeValue'  : 'bad_cert',
    'changetype' : 'add' }
    </call>
		          

   <message> '----- Configure the attribute ds-certificate-subject-dn  for user %s ---' % USER_2_DN</message>
   <message>'------ ds-certificate-subject-dn contains an invalid DN'</message>

     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'          : USER_2_DN,
    'attributeName'      : 'description',
    'newAttributeValue'  : USER_2_DN,
    'changetype' : 'add' }
    </call>          
  
 
	 
	 
    <!--  Check mapping is working -->              
     <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
		
     <!-- No mapping expected -->		
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseSSL'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_1_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base',
          'expected'                : 49 }
     </call>    
		

     <!-- bound as USER_2_DN -->
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseSSL'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
	
     <script>
       STAXCode = RC
       ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
       { 'string2find' : USER_2_DN ,
         'mainString'    : ldapSearchResult ,
         'nbExpected'    : 1
       }
    </call>			        			           
		
     <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
		
     <!-- No mapping expected -->	
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_1_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base',
          'expected'                : 49 }
     </call>    
		

     <!-- bound as USER_2_DN  -->
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
			           		
     <script>
         STAXCode = RC
         ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
         { 'string2find' : USER_2_DN ,
           'mainString'    : ldapSearchResult ,
           'nbExpected'    : 1
         }
    </call>			
		
		
    <!--  Restore initial users configuration -->   

		
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'      : USER_1_DN,
    'attributeName' : 'description',
    'newAttributeValue'  : 'bad_cert',
    'changetype' : 'delete'}
    </call>             


				      
    <call function="'modifyAnAttribute'">
        { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
        'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
        'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
        'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
        'DNToModify'      : USER_2_DN,
        'attributeName' : 'description',
        'newAttributeValue'  :  USER_2_DN,
        'changetype' : 'delete'}
     </call>             
		
 
    <call function="'testCase_Postamble'"/>      
    </sequence>
  </testcase>    
  
</sequence>
</function>

</stax>
	

 opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml

New file
@@ -0,0 +1,264 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Portions Copyright 2006-2007 Sun Microsystems, Inc.
 ! -->
<stax>
  
<defaultcall function="subject_attribute_mapper"/>
<function name="subject_attribute_mapper" scope="local">      

<sequence>
                               
       <!--- Test Case : setup -->
       <!---
    #@TestMarker              Setup Tests
    #@TestName                Set the SASL EXTERNAL mechanism to Subject attribute  to User Attribute
    #@TestIssue                   
    #@TestPurpose            Set the SASL EXTERNAL mechanism to Subject attribute to User Attribute
    #@TestPreamble           none
    #@TestStep                  Map attributes from the certificate subject to attributes in user entries
    #@TestPostamble          none
    #@TestResult                Success if OpenDS returns 0 for all operations
      -->
		  
    
  <testcase name="'Security: client_auth:  setup - subject_attribute_mapper'">

      <sequence>
      <call function="'testCase_Preamble'"/>

      <message>
             '----  Configure the SASL EXTERNAL mechanism with Subject Attribute to User Attribute mapper -----'
      </message>			
		
      <call function="'modifyAnAttribute'">
          { 'dsInstanceHost'       :  DIRECTORY_INSTANCE_HOST ,
             'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
             'dsInstanceDn'         : DIRECTORY_INSTANCE_DN ,
             'dsInstancePswd'      : DIRECTORY_INSTANCE_PSWD ,
             'DNToModify'           :  'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
             'attributeName'        : 'ds-cfg-certificate-mapper-dn',
             'newAttributeValue'  : 'cn=Subject Attribute to User Attribute,cn=Certificate Mappers,cn=config',
             'changetype' : 'replace' }
      </call>
   
		            
     <message>
             '----  Configure the Subject Attribute to User Attribute mapper -----'
      </message>	
     <script>
             listAttr = []  
             listAttr.append('cn=ds-cfg-certificate-subject-attribute-mapping:cn:cn')
             listAttr.append('cn=ds-cfg-certificate-subject-attribute-mapping:e:mail')		 
      </script>  		  		 

      <call function="'testCase_Postamble'"/>
    </sequence>
  </testcase>
  
  
<!---
    #@TestMarker             Subject Attributes mapping to user attribute 
    #@TestName               Use only one attribute mapping
    #@TestIssue                   
    #@TestPurpose            Map attributes from the certificate subject to attributes in user entries
    #@TestStep                  the subject certificate is defined with the format : uid=client-cert-1,SUFFIX
    #@TestStep                  The mapping will be done on the attribute uid from the cerficate subject      
    #@TestStep                  and the attribute 'description' of the user's entry
    #@TestPreamble          none
    #@TestPostamble         none
    #@TestResult               Success if OpenDS returns 0 for all operations
      -->
    
  <testcase name="'Security: client_auth: subject attribute mapping'">
    <sequence>
   <script>

    USER_1_CERT="client-cert-1"
    USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)              
 
    USER_2_CERT="client-cert-2"
    USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)			       
    STOREPASS="password"
    CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
    CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)                      		
    </script>
    <call function="'testCase_Preamble'"/>
 
    <message>
             '----  Configure the Subject Attribute to User Attribute mapper -----'
      </message>			 
      <message>'---- Add a new mapping rule from attribute "uid"  from certificate subject and attribute "description" of the user entry'</message>	
      <call function="'modifyAnAttribute'">
          { 'dsInstanceHost'       :  DIRECTORY_INSTANCE_HOST ,
             'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
             'dsInstanceDn'         : DIRECTORY_INSTANCE_DN ,
             'dsInstancePswd'      : DIRECTORY_INSTANCE_PSWD ,
             'DNToModify'           :  'cn=Subject Attribute to User Attribute,cn=Certificate Mappers,cn=config',
             'attributeName'        : 'ds-cfg-certificate-subject-attribute-mapping',
             'newAttributeValue'  : 'uid:description',
             'changetype' : 'replace' }
      </call>
		   
				  
    <message>'----- Configure the attribute description  for user %s ---' % USER_1_DN</message>
    <message>'----- the attribute description will map with the attribute "uid" of the certificate subject'</message>
     
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'     : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'        : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'       : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'            : USER_1_DN,
    'attributeName'         : 'description',
    'newAttributeValue'    : USER_1_CERT,
    'changetype'              : 'add' }
    </call>      

	
     <message>'----- Configure the attribute description  for user %s ---' % USER_2_DN</message>
     <message>'----- the attribute description contains invalid value'</message>
     <message>'----- it will not map with the attribute "uid" of the certificate subject'</message>
 
 
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'         : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'          : USER_2_DN,
    'attributeName'       : 'description',
    'newAttributeValue'  : 'bad-certificate',
    'changetype'            : 'add' }
    </call>               
        
		
    <!--  Check mapping is working -->         
 
   <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>		
		
   <!-- bound as USER_1_DN -->				
     <call function="'ldapSearchWithScript'">
        { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
          'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
          'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseSSL'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_1_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
		
     <script>
           STAXCode = RC
           ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
             { 'string2find' : USER_1_DN ,
                'mainString'    : ldapSearchResult ,
                'nbExpected'    : 1
             }
    </call>			           

   <!-- No mapping expected -->		
     <call function="'ldapSearchWithScript'">
        { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
          'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
          'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseSSL'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base',
          'expected'               : 49 }
     </call>    
		
		

   <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>		
		
   <!-- bound as USER_1_DN -->				
     <call function="'ldapSearchWithScript'">
        { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
          'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
          'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_1_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
		
     <script>
           STAXCode = RC
           ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
             { 'string2find' : USER_1_DN ,
                'mainString'    : ldapSearchResult ,
                'nbExpected'    : 1
             }
    </call>			           

   <!-- No mapping expected -->		
     <call function="'ldapSearchWithScript'">
        { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
          'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
          'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base',
          'expected'               : 49 }
     </call>    
		

							
    <call function="'testCase_Postamble'"/>      
    </sequence>
  </testcase>

</sequence>
</function>

</stax>

 opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml

New file
@@ -0,0 +1,471 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "../../../stax.dtd">
<!--
 ! CDDL HEADER START
 !
 ! The contents of this file are subject to the terms of the
 ! Common Development and Distribution License, Version 1.0 only
 ! (the "License").  You may not use this file except in compliance
 ! with the License.
 !
 ! You can obtain a copy of the license at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE
 ! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! When distributing Covered Code, include this CDDL HEADER in each
 ! file and include the License file at
 ! trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 ! add the following below this CDDL HEADER, with the fields enclosed
 ! by brackets "[]" replaced with your own identifying information:
 !      Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CDDL HEADER END
 !
 !      Portions Copyright 2006-2007 Sun Microsystems, Inc.
 ! -->
<stax>
  
<defaultcall function="subject_dn_mapper"/>
<function name="subject_dn_mapper" scope="local">      

<sequence>
                               
       <!--- Test Case : setup -->
       <!---
    #@TestMarker              Setup Tests
    #@TestName                Set the SASL EXTERNAL mechanism to Subject DN to User Attribute
    #@TestIssue                   
    #@TestPurpose            Set the SASL EXTERNAL mechanism to Subject DN to User Attribute
    #@TestPreamble           none
    #@TestStep                  Set the SASL EXTERNAL mechanism to Subject DN to User Attribute
    #@TestStep                  keep the default ds-cfg-certificate-subject-attribute-type which is ds-certificate-subject-dn
    #@TestPostamble          none
    #@TestResult                Success if OpenDS returns 0 for all operations
      -->
		  
    
  <testcase name="'Security: client_auth:  setup - Subject_dn_mapper'">

   <sequence>
    <call function="'testCase_Preamble'"/>

    <message>
             '----  Configure the SASL EXTERNAL mechanism -----'
    </message>			
		
    <call function="'modifyAnAttribute'">
          { 'dsInstanceHost'       :  DIRECTORY_INSTANCE_HOST ,
             'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
             'dsInstanceDn'         : DIRECTORY_INSTANCE_DN ,
             'dsInstancePswd'      : DIRECTORY_INSTANCE_PSWD ,
             'DNToModify'           :  'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
             'attributeName'        : 'ds-cfg-certificate-mapper-dn',
             'newAttributeValue'  : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
             'changetype' : 'replace' }
    </call>
 
    <call function="'testCase_Postamble'"/>
  </sequence>
 </testcase>
  
  
<!---
#@TestMarker             Subject DN mapping to default user attribut 
#@TestName               Mapping on ds-certificated-subject-dn attribute
#@TestIssue                   
#@TestPurpose           Use the Subject DN to User Attribute certificate mapper
#@TestPurpose           Map the subject of a client certificate and a specified attribute in user entries
#@TestPurpose           The mapping will be done on the default attribut ds-certificate-subject-dn
#@TestStep                 Two users entries are used to validate this mapper
#@TestStep                 USER_1_DN contains an attribute ds-certifcated-subject-dn with the subject of the USER_1_CERT client certificate
#@TestStep                 USER_2_DN contains an attribute ds-certificate-subject-dn with an invalid value
#@TestStep                 The certificate mapping will work only with the USER_1_CERT client certificate
#@TestPreamble          none
#@TestPostamble         none
#@TestResult               Success if OpenDS returns 0 for all operations
 -->
    
  <testcase name="'Security: client_auth: subject dn mapping on ds-certificate-subject-dn'">
    <sequence>
   <script>

    USER_1_CERT="client-cert-1"
    USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)              
 
    USER_2_CERT="client-cert-2"
    USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)			       
    STOREPASS="password"
    CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
    CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)                      		
    </script>
    <call function="'testCase_Preamble'"/>
   
    <message>'----- Configure the attribute ds-certificate-subject-dn  for user %s ---' % USER_1_DN</message>
    <message>'----- ds-certificate-subject-dn is the subject of the certificate %s '% USER_1_CERT</message>
     
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'     : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'        : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'       : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'            : USER_1_DN,
    'attributeName'         : 'ds-certificate-subject-dn',
    'newAttributeValue'    : USER_1_DN,
    'changetype'              : 'add' }
    </call>          
   

	
   <message> '----- Configure the attribute ds-certificate-subject-dn  for user %s ---' % USER_2_DN</message>
   <message>'------ ds-certificate-subject-dn contains an invalid DN'</message>
 
 
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'         : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'          : USER_2_DN,
    'attributeName'       : 'ds-certificate-subject-dn',
    'newAttributeValue'  : 'uid=bad-certificate',
    'changetype'            : 'add' }
    </call>               
  

		
    <!--  Check mapping is working -->         
    <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
		
    <!-- bound as USER_1_DN -->			
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
      'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
      'dsKeyStorePassword'   :  STOREPASS,
       'dsUseSSL'             :  ' ',
       'dsUseSASLExternal'   :  ' ',
       'dsCertNickname'       : USER_1_CERT,
       'dsTrustStorePath'       : CLIENT_KEYSTORE,
       'dsKeyStorePath'        : CLIENT_KEYSTORE,
       'dsReportAuthzID'   : ' ',
       'dsScope'                 : 'base' }
     </call>    
		
     <script>
      STAXCode = RC
      ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
             { 'string2find' : USER_1_DN ,
                'mainString'    : ldapSearchResult ,
                'nbExpected'    : 1
             }
    </call>			        	          
		 
    <!-- No bound expected -->
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseSSL'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base',
          'expected'               : 49 }
     </call>    
		        
		
    <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>		
		
    <!-- bound as USER_1_DN -->		
    <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'            :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_1_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
		
     <script>
          STAXCode = RC
          ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
             { 'string2find' : USER_1_DN ,
                'mainString'    : ldapSearchResult ,
                'nbExpected'    : 1
             }
    </call>			        	           


     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base',
      'expected'               : 49 }
     </call>    
		
		
     <!--  Restore initial users configuration -->   
		
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'      : USER_1_DN,
    'attributeName' : 'ds-certificate-subject-dn',
    'newAttributeValue'  : USER_1_DN,             
    'changetype' : 'delete'}
     </call>             
 
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'      : USER_2_DN,
    'attributeName' : 'ds-certificate-subject-dn',
    'newAttributeValue'  : 'uid=bad-certificate',       
    'changetype' : 'delete'}
     </call>             

		
					
    <call function="'testCase_Postamble'"/>      
    </sequence>
  </testcase>

<!---
#@TestMarker             Subject DN mapping to the user attribute's description
#@TestName               Mapping on the attribute description
#@TestIssue                   
#@TestPurpose           Use the Subject DN to User Attribute certificate mapper
#@TestPurpose           Map the subject of a client certificate and a specified attribute in user entries
#@TestPurpose           The mapping will be done on the attribute description
#@TestStep                 Two users entries are used to validate this mapper
#@TestStep                 USER_1_DN doesn't contains attribute description
#@TestStep                 USER_2_DN contains an attribute description  with the USER_2_CERT client certificate
#@TestPreamble          none
#@TestPostamble         none
#@TestResult               Success if OpenDS returns 0 for all operations
  -->
    
  <testcase name="'Security: client_auth: subject dn mapping on attribut description'">
    <sequence>
   <script>
    USER_1_CERT="client-cert-1"
    USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)              
 
    USER_2_CERT="client-cert-2"
    USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)			       
    KEYPASS="servercert"
    STOREPASS="password"
    CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
    CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)                 
     
    </script>
	
    <call function="'testCase_Preamble'"/>

    <message>'----- Configure  the mapping to be done on the attribute description' </message>
      		
    <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'          : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',	
    'attributeName'      : 'ds-cfg-certificate-subject-attribute-type',
    'newAttributeValue'  : 'description',
    'changetype' : 'replace' }
    </call>

    <message>'----- Configure the attribute ds-certificate-subject-dn  for user %s ---' % USER_1_DN</message>      
		
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'      : USER_1_DN,
    'attributeName' : 'description',
    'newAttributeValue'  : 'bad_cert',
    'changetype' : 'add' }
    </call>
		          

   <message> '----- Configure the attribute ds-certificate-subject-dn  for user %s ---' % USER_2_DN</message>
   <message>'------ ds-certificate-subject-dn contains an invalid DN'</message>

     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'          : USER_2_DN,
    'attributeName'      : 'description',
    'newAttributeValue'  : USER_2_DN,
    'changetype' : 'add' }
    </call>          
  
 
	 
	 
    <!--  Check mapping is working -->              
     <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
		
     <!-- No mapping expected -->		
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseSSL'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_1_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base',
          'expected'                : 49 }
     </call>    
		

     <!-- bound as USER_2_DN -->
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_SSL_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseSSL'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
	
     <script>
       STAXCode = RC
       ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
       { 'string2find' : USER_2_DN ,
         'mainString'    : ldapSearchResult ,
         'nbExpected'    : 1
       }
    </call>			        			           
		
     <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
		
     <!-- No mapping expected -->	
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_1_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base',
          'expected'                : 49 }
     </call>    
		

     <!-- bound as USER_2_DN  -->
     <call function="'ldapSearchWithScript'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
      'dsInstancePort'   : DIRECTORY_INSTANCE_PORT ,		 
          'dsBaseDN'         : DIRECTORY_INSTANCE_SFX,		 
      'dsFilter'        : 'objectclass=*'   ,
          'dsKeyStorePassword'   :  STOREPASS,
          'dsUseStartTLS'             :  ' ',
          'dsUseSASLExternal'   :  ' ',
          'dsCertNickname'       : USER_2_CERT,
          'dsTrustStorePath'       : CLIENT_KEYSTORE,
          'dsKeyStorePath'        : CLIENT_KEYSTORE,
          'dsReportAuthzID'   : ' ',
          'dsScope'                 : 'base' }
     </call>    
			           		
     <script>
         STAXCode = RC
         ldapSearchResult = STAXResult[0][1]
     </script>
     <call function="'CheckMatches'">
         { 'string2find' : USER_2_DN ,
           'mainString'    : ldapSearchResult ,
           'nbExpected'    : 1
         }
    </call>			
		
		
    <!--  Restore initial users configuration -->   

		
     <call function="'modifyAnAttribute'">
    { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
    'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
    'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
    'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
    'DNToModify'      : USER_1_DN,
    'attributeName' : 'description',
    'newAttributeValue'  : 'bad_cert',
    'changetype' : 'delete'}
    </call>             


				      
    <call function="'modifyAnAttribute'">
        { 'dsInstanceHost'   : DIRECTORY_INSTANCE_HOST ,
        'dsInstancePort'       : DIRECTORY_INSTANCE_PORT ,
        'dsInstanceDn'          : DIRECTORY_INSTANCE_DN ,
        'dsInstancePswd'     : DIRECTORY_INSTANCE_PSWD ,
        'DNToModify'      : USER_2_DN,
        'attributeName' : 'description',
        'newAttributeValue'  :  USER_2_DN,
        'changetype' : 'delete'}
     </call>             
		
 
    <call function="'testCase_Postamble'"/>      
    </sequence>
  </testcase>    
  
</sequence>
</function>

</stax>

New file
			@@ -0,0 +1,106 @@
			<?xml version="1.0" encoding="UTF-8" standalone="no"?>
			<!DOCTYPE stax SYSTEM "../../../stax.dtd">
			<!--
			! CDDL HEADER START
			!
			! The contents of this file are subject to the terms of the
			! Common Development and Distribution License, Version 1.0 only
			! (the "License"). You may not use this file except in compliance
			! with the License.
			!
			! You can obtain a copy of the license at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE
			! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
			! See the License for the specific language governing permissions
			! and limitations under the License.
			!
			! When distributing Covered Code, include this CDDL HEADER in each
			! file and include the License file at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
			! add the following below this CDDL HEADER, with the fields enclosed
			! by brackets "[]" replaced with your own identifying information:
			! Portions Copyright [yyyy] [name of copyright owner]
			!
			! CDDL HEADER END
			!
			! Portions Copyright 2006-2007 Sun Microsystems, Inc.
			! -->
			<stax>

			<defaultcall function="client_auth"/>

			<function name="client_auth">

			<sequence>

			<block name="'client_auth'">

			<sequence>

			<script>
			CurrentTestPath['group']='security'
			CurrentTestPath['suite']=STAXCurrentBlock
			</script>

			<call function="'testSuite_Preamble'"/>


			<import machine="'%s' % (STAF_LOCAL_HOSTNAME)"
			file="'%s/testcases/security/security_setup.xml' % (TESTS_DIR)"/>
			<call function="'security_setup'"/>

			<!-- client authentication setup -->

			<import machine="'%s' % STAF_LOCAL_HOSTNAME"
			file="'%s/testcases/security/client_auth/client_auth_setup.xml' % (TESTS_DIR)"/>
			<call function="'client_auth_setup'" />


			<!-- fingerprint certificates mapper -->
			<!--
			<import machine="'%s' % STAF_LOCAL_HOSTNAME"
			file="'%s/testcases/security/client_auth/fingerprint.xml' % (TESTS_DIR)"/>
			<call function="'fingerprint'" />
			-->

			<!-- subject DN to user attribut certificate mapper -->

			<import machine="'%s' % STAF_LOCAL_HOSTNAME"
			file="'%s/testcases/security/client_auth/subject_dn_mapper.xml' % (TESTS_DIR)"/>
			<call function="'subject_dn_mapper'" />

			<!-- subject attribute to user attribut certificate mapper -->

			<import machine="'%s' % STAF_LOCAL_HOSTNAME"
			file="'%s/testcases/security/client_auth/subject_attribute_mapper.xml' % (TESTS_DIR)"/>
			<call function="'subject_attribute_mapper'" />

			<!-- subject equals dn certificate mapper -->

			<import machine="'%s' % STAF_LOCAL_HOSTNAME"
			file="'%s/testcases/security/client_auth/equal_dn_mapper.xml' % (TESTS_DIR)"/>
			<call function="'equal_dn_mapper'" />

			<!-- client authentication teardown -->
			<import machine="'%s' % STAF_LOCAL_HOSTNAME"
			file="'%s/testcases/security/client_auth/client_auth_teardown.xml' % (TESTS_DIR)"/>
			<call function="'client_auth_teardown'" />



			<import machine="'%s' % (STAF_LOCAL_HOSTNAME)"
			file="'%s/testcases/security/security_cleanup.xml' % (TESTS_DIR)"/>
			<call function="'security_cleanup'"/>


			<call function="'testSuite_Postamble'"/>

			</sequence>

			</block>

			</sequence>

			</function>

			</stax>

New file
			@@ -0,0 +1,635 @@
			<?xml version="1.0" encoding="UTF-8" standalone="no"?>
			<!DOCTYPE stax SYSTEM "../../../stax.dtd">
			<!--
			! CDDL HEADER START
			!
			! The contents of this file are subject to the terms of the
			! Common Development and Distribution License, Version 1.0 only
			! (the "License"). You may not use this file except in compliance
			! with the License.
			!
			! You can obtain a copy of the license at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE
			! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
			! See the License for the specific language governing permissions
			! and limitations under the License.
			!
			! When distributing Covered Code, include this CDDL HEADER in each
			! file and include the License file at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
			! add the following below this CDDL HEADER, with the fields enclosed
			! by brackets "[]" replaced with your own identifying information:
			! Portions Copyright [yyyy] [name of copyright owner]
			!
			! CDDL HEADER END
			!
			! Portions Copyright 2006-2007 Sun Microsystems, Inc.
			! -->
			<stax>

			<defaultcall function="client_auth_setup"/>

			<function name="client_auth_setup" scope="local">

			<sequence>

			<!--- Test Case : Server Certificate configuration -->
			<!---
			#@TestMarker Setup Tests
			#@TestName Create certificates for server and client
			#@TestIssue
			#@TestPurpose Create server and client certificates
			#@TestPreamble none
			#@TestStep Generate server and client certificates.
			#@TestStep Self-sign the certificates.
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->

			<!-- Generate Server Cert -->

			<testcase name="'Security: client_auth: Setup. certificates configuration'">
			<sequence>
			<script>
			USER_1_CERT="client-cert-1"
			USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
			USER_2_CERT="client-cert-2"
			USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
			KEYPASS="password"
			STOREPASS="password"
			SERVER_KEYPASS="servercert"
			SERVER_STOREPASS="servercert"
			CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
			CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
			</script>


			<message>
			'---- Generating Server Certicate -----'
			</message>

			<!-- create a server certificate -->

			<call function="'genCertificate'">
			{ 'certAlias' : 'server-cert' ,
			'dname' : "uid=server,%s" % (DIRECTORY_INSTANCE_SFX),
			'keystore' : 'keystore',
			'storepass' : SERVER_STOREPASS,
			'keypass' : SERVER_KEYPASS,
			'storetype' : 'JKS' }
			</call>

			<!-- Self-Sign Server Cert -->

			<message>
			'---- Self-Signing Server Certicate ---- '
			</message>

			<call function="'SelfSignCertificate'">
			{ 'certAlias' : 'server-cert' ,
			'storepass' : SERVER_STOREPASS,
			'keypass' : SERVER_KEYPASS,
			'keystore' : 'keystore',
			'storetype' : 'JKS' }
			</call>

			<!-- Create folder on local host where are store client keystore and certificate-->
			<message>
			'Create folder %s' % (CERT_TMP)
			</message>

			<call function="'createFolder'">
			{ 'location' : '%s' % (DIRECTORY_INSTANCE_HOST),
			'foldername' : '%s' % (CERT_TMP) }
			</call>
			<call function="'checktestRC'">
			{ 'returncode' : RC ,
			'result' : STAXResult }
			</call>

			<message>
			'---- Generating client Certicate : %s ---- ' % (USER_1_CERT)
			</message>

			<!-- create a client certificate : USER_1_CERT -->
			<call function="'genCertificate'">
			{ 'certAlias' : '%s' % USER_1_CERT,
			'dname' : '%s' % (USER_1_DN),
			'storepass' : '%s' % (STOREPASS),
			'keystore' : '%s' % (CLIENT_KEYSTORE),
			'keypass' : '%s' % (KEYPASS),
			'storetype' : 'JKS' }
			</call>

			<!-- Self-Sign client Certificate : USER_1_CERT -->
			<message>'---- Self-Signing client Certificate : %s ---- ' % (USER_1_CERT)</message>

			<call function="'SelfSignCertificate'">
			{ 'certAlias' : '%s' % USER_1_CERT,
			'storepass' : '%s' % (STOREPASS),
			'keypass' : '%s' % (KEYPASS),
			'keystore' : '%s' % (CLIENT_KEYSTORE),
			'storetype' : 'JKS' }
			</call>

			<!-- create a client certificate : USER_2_CERT -->
			<message>'---- Self-Signing client Certificate : %s ---- ' % (USER_2_CERT)</message>

			<call function="'genCertificate'">
			{ 'certAlias' : '%s' % USER_2_CERT,
			'dname' : '%s' % (USER_2_DN),
			'storepass' : '%s' % (STOREPASS),
			'keystore' : '%s' % (CLIENT_KEYSTORE),
			'keypass' : '%s' % (KEYPASS),
			'storetype' : 'JKS' }
			</call>

			<!-- Self-Sign client Certificate : USER_2_CERT -->
			<message>'---- Self-Signing client Certificate : %s ---- ' % (USER_2_CERT)</message>

			<call function="'SelfSignCertificate'">
			{ 'certAlias' : '%s' % USER_2_CERT,
			'storepass' : '%s' % (STOREPASS),
			'keypass' : '%s' % (KEYPASS),
			'keystore' : '%s' % (CLIENT_KEYSTORE),
			'storetype' : 'JKS' }
			</call>


			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>


			<!--- Test Case : export client and server certificates -->
			<!---
			#@TestMarker Setup Tests
			#@TestName Export and Import Certificates
			#@TestIssue
			#@TestPurpose Export and import client and server certificates
			#@TestPreamble none
			#@TestStep Export client and server certificates
			#@TestStep Import the certificates in the server and clients Database
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->

			<testcase name="'Security: client_auth: setup. Export and Import certificates'">
			<sequence>
			<script>

			CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
			CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)

			USER_1_CERT="client-cert-1"
			USER_1_CERT_FILE="%s/client_cert_1.txt" % (CERT_TMP)
			USER_1_CERT_FILE_RFC="%s/client_cert_1_rfc.txt" % (CERT_TMP)
			USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
			USER_2_CERT="client-cert-2"
			USER_2_CERT_FILE="%s/client_cert_2.txt" % (CERT_TMP)
			USER_2_CERT_FILE_RFC="%s/client_cert_2_rfc.txt" % (CERT_TMP)
			USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
			SERVER_CERT_FILE="%s/server_cert.txt" % (CERT_TMP)

			KEYPASS="password"
			STOREPASS="password"
			SERVER_KEYPASS="servercert"
			SERVER_STOREPASS="servercert"
			</script>


			<call function="'testCase_Preamble'"/>


			<!-- Export the server Cert -->

			<message>'---- Export the Server Certicate ----'</message>

			<call function="'ExportCertificate'">
			{ 'certAlias' : 'server-cert' ,
			'outputfile' : '%s' % (SERVER_CERT_FILE),
			'storepass' : SERVER_STOREPASS,
			'storetype' : 'JKS' }
			</call>

			<!-- export client certificate : USER_1_CERT -->
			<message> '---- Export the client certificate : : %s ---- ' % (USER_1_CERT)</message>

			<call function="'ExportCertificate'">
			{ 'certAlias' : '%s' % USER_1_CERT,
			'outputfile' : '%s' % (USER_1_CERT_FILE),
			'storepass' : '%s' % (STOREPASS),
			'keystore' : '%s' % (CLIENT_KEYSTORE),
			'storetype' : 'JKS' }
			</call>

			<!-- export client certificate RFC format : USER_1_CERT -->
			<message> '---- Export the client certificate in RFC : : %s ---- ' % (USER_1_CERT)</message>


			<call function="'ExportCertificate'">
			{ 'certAlias' : '%s' % USER_1_CERT,
			'outputfile' : '%s' % (USER_1_CERT_FILE_RFC),
			'storepass' : '%s' % (STOREPASS),
			'keystore' : '%s' % (CLIENT_KEYSTORE),
			'format' : 'rfc',
			'storetype' : 'JKS' }
			</call>

			<!-- export client certificate : USER_2_CERT -->

			<message>'---- Export the client certificate : : %s ---- ' % (USER_2_CERT)</message>

			<call function="'ExportCertificate'">
			{ 'certAlias' :'%s' % USER_2_CERT,
			'outputfile' : '%s' % (USER_2_CERT_FILE),
			'storepass' : '%s' % (STOREPASS),
			'keystore' : '%s' % (CLIENT_KEYSTORE),
			'storetype' : 'JKS' }
			</call>

			<!-- export client certificate RFC format : USER_2_CERT -->

			<message>'---- Export the client certificate in RFC format : : %s ---- ' % (USER_2_CERT)</message>

			<call function="'ExportCertificate'">
			{ 'certAlias' :'%s' % USER_2_CERT,
			'outputfile' : '%s' % (USER_2_CERT_FILE_RFC),
			'storepass' : '%s' % (STOREPASS),
			'keystore' : '%s' % (CLIENT_KEYSTORE),
			'format' : 'rfc',
			'storetype' : 'JKS' }
			</call>

			<!-- Import the server Certificate under the client database -->

			<message>
			'---- Import the Server Certificate under the client keystore----'
			</message>

			<call function="'ImportCertificate'">
			{ 'certAlias' : 'server-cert' ,
			'inputfile' : '%s' % (SERVER_CERT_FILE),
			'storepass' : '%s' % (STOREPASS),
			'keystore' : '%s' % (CLIENT_KEYSTORE),
			'storetype' : 'JKS' }
			</call>

			<!-- Import the client Certificates under the server keystore -->

			<message> '---- Import the client Certificates %s under the server keystore----' % (USER_1_CERT)</message>


			<call function="'ImportCertificate'">
			{ 'certAlias' : '%s' % (USER_1_CERT),
			'inputfile' : '%s' % (USER_1_CERT_FILE),
			'storepass' : SERVER_STOREPASS,
			'storetype' : 'JKS' }
			</call>

			<message> '---- Import the client Certificates %s under the server keystore----' % (USER_2_CERT)</message>

			<call function="'ImportCertificate'">
			{ 'certAlias' : '%s' % (USER_2_CERT),
			'inputfile' : '%s' % (USER_2_CERT_FILE),
			'storepass' : SERVER_STOREPASS,
			'storetype' : 'JKS' }
			</call>


			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>


			<!--- Test Case : configure SSL and StartTLS -->
			<!---
			#@TestMarker Setup Tests
			#@TestName Configure SSL and startTLS
			#@TestIssue
			#@TestPurpose Configure SSL and StartTLS
			#@TestPreamble none
			#@TestStep Configure SSL
			#@TestStep Configure StartTLS
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->


			<testcase name="'Security: client_auth: setup. Configure SSL and StartTLS'">
			<sequence>

			<call function="'testCase_Preamble'"/>
			<!-- Configure SSL-->

			<message>
			'---- Configure SSL ----'
			</message>

			<!--- Enable Key Manager Provider -->
			<message>
			'Enabling Key Manager Provider'
			</message>
			<call function="'modifyEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeModified' : '%s/security/client_auth/setup/enable_key_mgr_provider.ldif' % (logsRemoteDataDir) }
			</call>


			<!--- Enable Trust Manager Provider -->
			<message>
			'Enabling Trust Manager Provider'
			</message>

			<call function="'modifyEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeModified' : '%s/security/client_auth/setup/enable_trust_mgr_provider.ldif' % (logsRemoteDataDir) }
			</call>


			<!--- Enable LDAPS Connection Handler -->
			<message>
			'Enabling LDAPS Connection Handler - Port number'
			</message>

			<call function="'modifyEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeModified' : '%s/security/ldaps_port.ldif' % (logsRemoteDataDir) }
			</call>

			<!-- Enabling LDAPS Connection Handler - Keystore type -->
			<message>
			'Enabling LDAPS Connection Handler - Keystore type'
			</message>

			<call function="'modifyEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeModified' : '%s/security/client_auth/setup/enable_ldaps_conn_handler.ldif' % (logsRemoteDataDir) }
			</call>


			<!--- Enable StartTLS -->
			<message>
			'Enabling StartTLS'
			</message>

			<call function="'addEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeAdded' : '%s/security/client_auth/setup/enable_startTLS.ldif' % (logsRemoteDataDir) }
			</call>


			<!--- Initial Search With SSL -->
			<message>
			'Security: Client_auth: Searching with SSL Connection'
			</message>

			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsScope' : 'base',
			'dsFilter' : 'objectclass=*' ,
			'dsUseSSL' : ' ',
			'dsTrustAll' : ' ' }
			</call>


			<!--- Initial Search With startTLS-->
			<message>
			'Security: Client_auth: Searching with StartTLS Connection'
			</message>

			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsScope' : 'base',
			'dsFilter' : 'objectclass=*' ,
			'dsUseStartTLS' : ' ',
			'dsTrustAll' : ' ' }
			</call>


			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>


			<!--- Test Case : Create users entries with userCertificates -->
			<!---
			#@TestMarker Setup Tests
			#@TestName Create users entries
			#@TestIssue
			#@TestPurpose Create users entries
			#@TestPreamble none
			#@TestStep Create users entries with usercertificates
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->


			<testcase name="'Security: client_auth: setup. Create users entries'">
			<sequence>

			<call function="'testCase_Preamble'"/>
			<!-- Create users entries-->
			<script>
			CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)

			USER_1_CERT="client-cert-1"
			USER_1_CERT_FILE="%s/client_cert_1.txt" % (CERT_TMP)
			USER_1_CERT_FILE_RFC="%s/client_cert_1_rfc.txt" % (CERT_TMP)
			USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
			USER_2_CERT="client-cert-2"
			USER_2_CERT_FILE_RFC="%s/client_cert_2_rfc.txt" % (CERT_TMP)
			USER_2_CERT_FILE="%s/client_cert_2.txt" % (CERT_TMP)
			USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
			SERVER_CERT_FILE="%s/server_cert.txt" % (CERT_TMP)

			user1LdifFileName='user1_cert.ldif'
			user2LdifFileName='user2_cert.ldif'
			remoteUser1LdifFile='%s/../%s/%s' % (dsPath,relativeDataDir,user1LdifFileName)
			remoteUser2LdifFile='%s/../%s/%s' % (dsPath,relativeDataDir,user2LdifFileName)
			localUser1LdifFile='%s/%s' % (logsTempDir,user1LdifFileName)
			localUser2LdifFile='%s/%s' % (logsTempDir,user2LdifFileName)
			</script>

			<!-- Create USER_1_DN -->
			<message> '---- Create User entry : %s----' % USER_1_DN</message>

			<script>
			listAttr = []
			listAttr.append('objectclass:top')
			listAttr.append('objectclass:organizationalperson')
			listAttr.append('objectclass:inetorgperson')
			listAttr.append('objectclass:person')
			listAttr.append('objectclass:ds-certificate-user')
			listAttr.append('objectclass:strongAuthenticationUser')
			listAttr.append('userCertificate;binary: bad_certificate')
			listAttr.append('givenname:%s' % USER_1_CERT)
			listAttr.append('sn:%s' % USER_1_CERT)
			listAttr.append('cn:%s' % USER_1_CERT)
			</script>

			<call function="'addAnEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToAdd' : USER_1_DN,
			'listAttributes' : listAttr }
			</call>


			<!-- Extract BEGIN CERTIFICATE and END CERTIFICATE -->
			<script>
			cert_file = open(USER_1_CERT_FILE_RFC,"r")
			ret_str = ""
			for line in cert_file.readlines():
			index_cert = line.find("CERTIFICATE")
			if index_cert == -1:
			line=line.strip()
			ret_str = ret_str + line
			</script>
			<script>
			listAttr = []
			listAttr.append('dn: %s' % USER_1_DN)
			listAttr.append('changetype: modify')
			listAttr.append('replace: userCertificate;binary')
			listAttr.append('userCertificate;binary:: %s' % ret_str)
			</script>

			<!-- Write out the ldif -->
			<script>
			outfile = open(localUser1LdifFile,"w")

			for line in listAttr:
			outfile.write("%s\n" % line)

			outfile.close()
			</script>

			<!-- Copy the ldif file containing user certificate to remote host -->
			<message>'Copy ldif (%s) file to user entry %s to %s' % (localUser1LdifFile,USER_1_DN,remoteUser1LdifFile)</message>
			<call function="'copyFile'">
			{ 'location' : STAXServiceMachine,
			'srcfile' : localUser1LdifFile,
			'destfile' : remoteUser1LdifFile,
			'remotehost' : STAF_REMOTE_HOSTNAME }
			</call>

			<call function="'modifyEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeModified' : '%s' % remoteUser1LdifFile }
			</call>

			<!-- Create USER_2_DN : this used contains the objectclass ds-certificate-user -->

			<message>'---- Create User entry : %s----' % USER_2_DN </message>
			<message>'---- This user contains an objectclass ds-certificate-user' </message>

			<script>
			listAttr = []
			listAttr.append('objectclass:top')
			listAttr.append('objectclass:organizationalperson')
			listAttr.append('objectclass:inetorgperson')
			listAttr.append('objectclass:person')
			listAttr.append('objectclass:ds-certificate-user')
			listAttr.append('objectclass:strongAuthenticationUser')
			listAttr.append('userCertificate;binary: bad_certificate')
			listAttr.append('givenname:%s' % USER_2_CERT)
			listAttr.append('sn:%s' % USER_2_CERT)
			listAttr.append('cn:%s' % USER_2_CERT)
			</script>

			<call function="'addAnEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToAdd' : USER_2_DN,
			'listAttributes' : listAttr }
			</call>



			<!-- Extract BEGIN CERTIFICATE and END CERTIFICATE -->
			<script>
			cert_file = open(USER_2_CERT_FILE_RFC,"r")
			ret_str = ""
			for line in cert_file.readlines():
			index_cert = line.find("CERTIFICATE")
			if index_cert == -1:
			line=line.strip()
			ret_str = ret_str + line
			</script>

			<!-- Modify the user Entry to store the certificates -->

			<script>
			listAttr = []
			listAttr.append('dn: %s' % USER_2_DN)
			listAttr.append('changetype: modify')
			listAttr.append('replace: userCertificate;binary')
			listAttr.append('userCertificate;binary:: %s' % ret_str)
			</script>

			<!-- Write out the ldif -->
			<script>
			outfile = open(localUser2LdifFile,"w")

			for line in listAttr:
			outfile.write("%s\n" % line)

			outfile.close()
			</script>

			<!-- Copy the ldif file containing user certificate to remote host -->
			<message>'Copy ldif (%s) file to user entry %s to %s' % (localUser2LdifFile,USER_2_DN,remoteUser2LdifFile)</message>
			<call function="'copyFile'">
			{ 'location' : STAXServiceMachine,
			'srcfile' : localUser2LdifFile,
			'destfile' : remoteUser2LdifFile,
			'remotehost' : STAF_REMOTE_HOSTNAME }
			</call>

			<call function="'modifyEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeModified' : '%s' % remoteUser2LdifFile }
			</call>


			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>

			</sequence>
			</function>

			</stax>

New file
			@@ -0,0 +1,204 @@
			<?xml version="1.0" encoding="UTF-8" standalone="no"?>
			<!DOCTYPE stax SYSTEM "stax.dtd">
			<!--
			! CDDL HEADER START
			!
			! The contents of this file are subject to the terms of the
			! Common Development and Distribution License, Version 1.0 only
			! (the "License"). You may not use this file except in compliance
			! with the License.
			!
			! You can obtain a copy of the license at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE
			! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
			! See the License for the specific language governing permissions
			! and limitations under the License.
			!
			! When distributing Covered Code, include this CDDL HEADER in each
			! file and include the License file at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
			! add the following below this CDDL HEADER, with the fields enclosed
			! by brackets "[]" replaced with your own identifying information:
			! Portions Copyright [yyyy] [name of copyright owner]
			!
			! CDDL HEADER END
			!
			! Portions Copyright 2006-2007 Sun Microsystems, Inc.
			! -->
			<stax>

			<defaultcall function="client_auth_teardown"/>

			<function name="client_auth_teardown">

			<sequence>

			<!--- Test Case : client_auth Teardown -->
			<!---
			Place suite-specific test information here.
			#@TestSuiteName Teardown Tests
			#@TestSuitePurpose Unconfigure JKS keystore and the secure port.
			#@TestSuiteGroup Security JKS Teardown Tests
			#@TestScript teardown_client_auth.xml
			-->
			<!--- Delete Branch through SSL port -->
			<testcase name="'Security: client_auth: teardown'">
			<!---
			Place test-specific test information here.
			The tag, TestMarker, must be the same as the tag, TestSuiteName.
			#@TestMarker Teardown Tests
			#@TestName JKS Teardown Test
			#@TestIssue 413
			#@TestPurpose Unconfigure JKS keystore.
			#@TestPreamble none
			#@TestStep Delete entries that were used for the JKS tests.
			#@TestStep Unconfigure JKS keystore.
			#@TestStep Remove JKS keystore.
			#@TestStep Test search with unsecure port.
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->
			<sequence>
			<call function="'testCase_Preamble'"/>

			<script>
			CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
			USER_1_CERT="client-cert-1"
			USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
			USER_2_CERT="client-cert-2"
			USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
			</script>
			<!--- Unconfigure SSL -->


			<!--- Disable LDAPS Connection Handler -->
			<message>
			'Disabling LDAPS Connection Handler'
			</message>

			<call function="'modifyEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeModified' : '%s/security/client_auth/teardown/disable_ldaps_conn_handler.ldif' % (logsRemoteDataDir) }
			</call>


			<!--- Disable SSL Trust Manager Provider -->
			<message> 'Disabling SSL Trust Manager Provider' </message>

			<call function="'modifyEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeModified' : '%s/security/client_auth/teardown/disable_trust_mgr_provider.ldif' % (logsRemoteDataDir) }
			</call>



			<!--- Disable Key Manager Provider -->
			<message>
			'Disabling Key Manager Provider'
			</message>

			<call function="'modifyEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeModified' : '%s/security/client_auth/teardown/disable_key_mgr_provider.ldif' % (logsRemoteDataDir) }
			</call>




			<!--- Disable StartTLS -->
			<message>
			'Disabling StartTLS'
			</message>

			<call function="'modifyEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'entryToBeModified' : '%s/security/client_auth/teardown/disable_startTLS.ldif' % (logsRemoteDataDir) }
			</call>


			<!-- remove client certificates keystore -->
			<message>
			'Delete folder %s' % (CERT_TMP)
			</message>

			<call function="'deleteFolder'">
			{ 'location' : '%s' % (DIRECTORY_INSTANCE_HOST),
			'foldername' : '%s' % (CERT_TMP) }
			</call>

			<!--- Remove JKS Keystore -->
			<message>
			'Security: client_auth: Removing JKS Keystore'
			</message>

			<call function="'deleteFile'">
			{ 'location' : STAF_REMOTE_HOSTNAME,
			'filename' : '%s/../config/keystore' % OPENDS_BINPATH }
			</call>

			<call function="'checkRC'">
			{ 'returncode' : RC ,
			'result' : STAXResult }
			</call>

			<!--- Search With Unsecure Port -->
			<message>
			'Security: client_auth: Postamble. Searching with Unsecure Connection'
			</message>

			<call function="'SearchObject'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX ,
			'dsScope' : 'base',
			'dsFilter' : 'objectclass=*' }
			</call>

			<call function="'DeleteEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'dsBaseDN' : USER_1_DN}
			</call>

			<call function="'checktestRC'">
			{ 'returncode' : RC ,
			'result' : STAXResult }
			</call>

			<call function="'DeleteEntry'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'dsBaseDN' : USER_2_DN}
			</call>
			<call function="'checktestRC'">
			{ 'returncode' : RC ,
			'result' : STAXResult }
			</call>

			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>

			</sequence>

			</function>

			</stax>

New file
			@@ -0,0 +1,219 @@
			<?xml version="1.0" encoding="UTF-8" standalone="no"?>
			<!DOCTYPE stax SYSTEM "../../../stax.dtd">
			<!--
			! CDDL HEADER START
			!
			! The contents of this file are subject to the terms of the
			! Common Development and Distribution License, Version 1.0 only
			! (the "License"). You may not use this file except in compliance
			! with the License.
			!
			! You can obtain a copy of the license at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE
			! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
			! See the License for the specific language governing permissions
			! and limitations under the License.
			!
			! When distributing Covered Code, include this CDDL HEADER in each
			! file and include the License file at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
			! add the following below this CDDL HEADER, with the fields enclosed
			! by brackets "[]" replaced with your own identifying information:
			! Portions Copyright [yyyy] [name of copyright owner]
			!
			! CDDL HEADER END
			!
			! Portions Copyright 2006-2007 Sun Microsystems, Inc.
			! -->
			<stax>

			<defaultcall function="equal_dn_mapper"/>
			<function name="equal_dn_mapper" scope="local">

			<sequence>

			<!--- Test Case : setup -->
			<!---
			#@TestMarker Setup Tests
			#@TestName Set the SASL EXTERNAL mechanism to Subject Equal DN
			#@TestIssue
			#@TestPurpose Set the SASL EXTERNAL mechanism to Subject EqualN
			#@TestPreamble none
			#@TestStep Set the SASL EXTERNAL mechanism to Subject Equal DN
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->


			<testcase name="'Security: client_auth: setup - equal_dn_mapper'">

			<sequence>
			<call function="'testCase_Preamble'"/>

			<message>
			'---- Configure the SASL EXTERNAL mechanism -----'
			</message>

			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : 'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
			'attributeName' : 'ds-cfg-certificate-mapper-dn',
			'newAttributeValue' : 'cn=Subject Equals DN,cn=Certificate Mappers,cn=config',
			'changetype' : 'replace' }
			</call>


			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>


			<!---
			#@TestMarker Equal DN mapping
			#@TestName Mapping on DN
			#@TestIssue
			#@TestPurpose Use the Equal DN certificate mapper
			#@TestPurpose The mapping will be done on entry DN
			#@TestStep Two users entries are used to validate this mapper
			#@TestPreamble none
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->

			<testcase name="'Security: client_auth: Equal DN mapping '">
			<sequence>
			<script>

			USER_1_CERT="client-cert-1"
			USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
			USER_2_CERT="client-cert-2"
			USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
			STOREPASS="password"
			CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
			CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
			</script>
			<call function="'testCase_Preamble'"/>


			<!-- Check mapping is working -->
			<message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>

			<!-- bound as USER_1_DN -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseSSL' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_1_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base' }
			</call>

			<script>
			STAXCode = RC
			ldapSearchResult = STAXResult[0][1]
			</script>
			<call function="'CheckMatches'">
			{ 'string2find' : USER_1_DN ,
			'mainString' : ldapSearchResult ,
			'nbExpected' : 1
			}
			</call>

			<!-- bound as USER_2_DN -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseSSL' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_2_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base' }
			</call>

			<script>
			STAXCode = RC
			ldapSearchResult = STAXResult[0][1]
			</script>
			<call function="'CheckMatches'">
			{ 'string2find' : USER_2_DN ,
			'mainString' : ldapSearchResult ,
			'nbExpected' : 1
			}
			</call>

			<!-- bound as USER_1_DN -->
			<message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseStartTLS' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_1_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base' }
			</call>

			<script>
			STAXCode = RC
			ldapSearchResult = STAXResult[0][1]
			</script>
			<call function="'CheckMatches'">
			{ 'string2find' : USER_1_DN ,
			'mainString' : ldapSearchResult ,
			'nbExpected' : 1
			}
			</call>

			<!-- bound as USER_2_DN -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseStartTLS' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_2_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base' }
			</call>
			<script>
			STAXCode = RC
			ldapSearchResult = STAXResult[0][1]
			</script>
			<call function="'CheckMatches'">
			{ 'string2find' : USER_2_DN ,
			'mainString' : ldapSearchResult ,
			'nbExpected' : 1
			}
			</call>

			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>

			</sequence>
			</function>

			</stax>

New file
			@@ -0,0 +1,471 @@
			<?xml version="1.0" encoding="UTF-8" standalone="no"?>
			<!DOCTYPE stax SYSTEM "../../../stax.dtd">
			<!--
			! CDDL HEADER START
			!
			! The contents of this file are subject to the terms of the
			! Common Development and Distribution License, Version 1.0 only
			! (the "License"). You may not use this file except in compliance
			! with the License.
			!
			! You can obtain a copy of the license at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE
			! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
			! See the License for the specific language governing permissions
			! and limitations under the License.
			!
			! When distributing Covered Code, include this CDDL HEADER in each
			! file and include the License file at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
			! add the following below this CDDL HEADER, with the fields enclosed
			! by brackets "[]" replaced with your own identifying information:
			! Portions Copyright [yyyy] [name of copyright owner]
			!
			! CDDL HEADER END
			!
			! Portions Copyright 2006-2007 Sun Microsystems, Inc.
			! -->
			<stax>

			<defaultcall function="fingerprint_mapper"/>
			<function name="fingerprint_mapper" scope="local">

			<sequence>

			<!--- Test Case : setup -->
			<!---
			#@TestMarker Setup Tests
			#@TestName Set the SASL EXTERNAL mechanism to fingerprint certificate mapper
			#@TestIssue
			#@TestPurpose Set the SASL EXTERNAL mechanism to fingerprint certificate mapper
			#@TestPreamble none
			#@TestStep Set the SASL EXTERNAL mechanism to fingerprint certificate mapper
			#@TestStep keep the default ds-cfg-certificate-subject-attribute-type which is ds-certificate-subject-dn
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->


			<testcase name="'Security: client_auth: setup - fingerprint_mapper'">

			<sequence>
			<call function="'testCase_Preamble'"/>

			<message>
			'---- Configure the SASL EXTERNAL mechanism -----'
			</message>

			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : 'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
			'attributeName' : 'ds-cfg-certificate-mapper-dn',
			'newAttributeValue' : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
			'changetype' : 'replace' }
			</call>

			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>


			<!---
			#@TestMarker Subject DN mapping to default user attribut
			#@TestName Mapping on ds-certificated-subject-dn attribute
			#@TestIssue
			#@TestPurpose Use the Subject DN to User Attribute certificate mapper
			#@TestPurpose Map the subject of a client certificate and a specified attribute in user entries
			#@TestPurpose The mapping will be done on the default attribut ds-certificate-subject-dn
			#@TestStep Two users entries are used to validate this mapper
			#@TestStep USER_1_DN contains an attribute ds-certifcated-subject-dn with the subject of the USER_1_CERT client certificate
			#@TestStep USER_2_DN contains an attribute ds-certificate-subject-dn with an invalid value
			#@TestStep The certificate mapping will work only with the USER_1_CERT client certificate
			#@TestPreamble none
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->

			<testcase name="'Security: client_auth: subject dn mapping on ds-certificate-subject-dn'">
			<sequence>
			<script>

			USER_1_CERT="client-cert-1"
			USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)

			USER_2_CERT="client-cert-2"
			USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
			STOREPASS="password"
			CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
			CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
			</script>
			<call function="'testCase_Preamble'"/>

			<message>'----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_1_DN</message>
			<message>'----- ds-certificate-subject-dn is the subject of the certificate %s '% USER_1_CERT</message>

			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : USER_1_DN,
			'attributeName' : 'ds-certificate-subject-dn',
			'newAttributeValue' : USER_1_DN,
			'changetype' : 'add' }
			</call>



			<message> '----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_2_DN</message>
			<message>'------ ds-certificate-subject-dn contains an invalid DN'</message>


			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : USER_2_DN,
			'attributeName' : 'ds-certificate-subject-dn',
			'newAttributeValue' : 'uid=bad-certificate',
			'changetype' : 'add' }
			</call>



			<!-- Check mapping is working -->
			<message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>

			<!-- bound as USER_1_DN -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseSSL' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_1_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base' }
			</call>

			<script>
			STAXCode = RC
			ldapSearchResult = STAXResult[0][1]
			</script>
			<call function="'CheckMatches'">
			{ 'string2find' : USER_1_DN ,
			'mainString' : ldapSearchResult ,
			'nbExpected' : 1
			}
			</call>

			<!-- No bound expected -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseSSL' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_2_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base',
			'expected' : 49 }
			</call>


			<message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>

			<!-- bound as USER_1_DN -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseStartTLS' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_1_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base' }
			</call>

			<script>
			STAXCode = RC
			ldapSearchResult = STAXResult[0][1]
			</script>
			<call function="'CheckMatches'">
			{ 'string2find' : USER_1_DN ,
			'mainString' : ldapSearchResult ,
			'nbExpected' : 1
			}
			</call>


			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseStartTLS' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_2_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base',
			'expected' : 49 }
			</call>


			<!-- Restore initial users configuration -->

			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : USER_1_DN,
			'attributeName' : 'ds-certificate-subject-dn',
			'newAttributeValue' : USER_1_DN,
			'changetype' : 'delete'}
			</call>

			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : USER_2_DN,
			'attributeName' : 'ds-certificate-subject-dn',
			'newAttributeValue' : 'uid=bad-certificate',
			'changetype' : 'delete'}
			</call>



			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>

			<!---
			#@TestMarker Subject DN mapping to the user attribute's description
			#@TestName Mapping on the attribute description
			#@TestIssue
			#@TestPurpose Use the Subject DN to User Attribute certificate mapper
			#@TestPurpose Map the subject of a client certificate and a specified attribute in user entries
			#@TestPurpose The mapping will be done on the attribute description
			#@TestStep Two users entries are used to validate this mapper
			#@TestStep USER_1_DN doesn't contains attribute description
			#@TestStep USER_2_DN contains an attribute description with the USER_2_CERT client certificate
			#@TestPreamble none
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->

			<testcase name="'Security: client_auth: subject dn mapping on attribut description'">
			<sequence>
			<script>
			USER_1_CERT="client-cert-1"
			USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)

			USER_2_CERT="client-cert-2"
			USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
			KEYPASS="servercert"
			STOREPASS="password"
			CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
			CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)

			</script>

			<call function="'testCase_Preamble'"/>

			<message>'----- Configure the mapping to be done on the attribute description' </message>

			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
			'attributeName' : 'ds-cfg-certificate-subject-attribute-type',
			'newAttributeValue' : 'description',
			'changetype' : 'replace' }
			</call>

			<message>'----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_1_DN</message>

			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : USER_1_DN,
			'attributeName' : 'description',
			'newAttributeValue' : 'bad_cert',
			'changetype' : 'add' }
			</call>


			<message> '----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_2_DN</message>
			<message>'------ ds-certificate-subject-dn contains an invalid DN'</message>

			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : USER_2_DN,
			'attributeName' : 'description',
			'newAttributeValue' : USER_2_DN,
			'changetype' : 'add' }
			</call>




			<!-- Check mapping is working -->
			<message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>

			<!-- No mapping expected -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseSSL' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_1_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base',
			'expected' : 49 }
			</call>


			<!-- bound as USER_2_DN -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseSSL' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_2_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base' }
			</call>

			<script>
			STAXCode = RC
			ldapSearchResult = STAXResult[0][1]
			</script>
			<call function="'CheckMatches'">
			{ 'string2find' : USER_2_DN ,
			'mainString' : ldapSearchResult ,
			'nbExpected' : 1
			}
			</call>

			<message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>

			<!-- No mapping expected -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseStartTLS' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_1_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base',
			'expected' : 49 }
			</call>


			<!-- bound as USER_2_DN -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseStartTLS' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_2_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base' }
			</call>

			<script>
			STAXCode = RC
			ldapSearchResult = STAXResult[0][1]
			</script>
			<call function="'CheckMatches'">
			{ 'string2find' : USER_2_DN ,
			'mainString' : ldapSearchResult ,
			'nbExpected' : 1
			}
			</call>


			<!-- Restore initial users configuration -->


			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : USER_1_DN,
			'attributeName' : 'description',
			'newAttributeValue' : 'bad_cert',
			'changetype' : 'delete'}
			</call>



			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : USER_2_DN,
			'attributeName' : 'description',
			'newAttributeValue' : USER_2_DN,
			'changetype' : 'delete'}
			</call>


			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>

			</sequence>
			</function>

			</stax>

New file
			@@ -0,0 +1,264 @@
			<?xml version="1.0" encoding="UTF-8" standalone="no"?>
			<!DOCTYPE stax SYSTEM "../../../stax.dtd">
			<!--
			! CDDL HEADER START
			!
			! The contents of this file are subject to the terms of the
			! Common Development and Distribution License, Version 1.0 only
			! (the "License"). You may not use this file except in compliance
			! with the License.
			!
			! You can obtain a copy of the license at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE
			! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
			! See the License for the specific language governing permissions
			! and limitations under the License.
			!
			! When distributing Covered Code, include this CDDL HEADER in each
			! file and include the License file at
			! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
			! add the following below this CDDL HEADER, with the fields enclosed
			! by brackets "[]" replaced with your own identifying information:
			! Portions Copyright [yyyy] [name of copyright owner]
			!
			! CDDL HEADER END
			!
			! Portions Copyright 2006-2007 Sun Microsystems, Inc.
			! -->
			<stax>

			<defaultcall function="subject_attribute_mapper"/>
			<function name="subject_attribute_mapper" scope="local">

			<sequence>

			<!--- Test Case : setup -->
			<!---
			#@TestMarker Setup Tests
			#@TestName Set the SASL EXTERNAL mechanism to Subject attribute to User Attribute
			#@TestIssue
			#@TestPurpose Set the SASL EXTERNAL mechanism to Subject attribute to User Attribute
			#@TestPreamble none
			#@TestStep Map attributes from the certificate subject to attributes in user entries
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->


			<testcase name="'Security: client_auth: setup - subject_attribute_mapper'">

			<sequence>
			<call function="'testCase_Preamble'"/>

			<message>
			'---- Configure the SASL EXTERNAL mechanism with Subject Attribute to User Attribute mapper -----'
			</message>

			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : 'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
			'attributeName' : 'ds-cfg-certificate-mapper-dn',
			'newAttributeValue' : 'cn=Subject Attribute to User Attribute,cn=Certificate Mappers,cn=config',
			'changetype' : 'replace' }
			</call>


			<message>
			'---- Configure the Subject Attribute to User Attribute mapper -----'
			</message>
			<script>
			listAttr = []
			listAttr.append('cn=ds-cfg-certificate-subject-attribute-mapping:cn:cn')
			listAttr.append('cn=ds-cfg-certificate-subject-attribute-mapping:e:mail')
			</script>

			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>


			<!---
			#@TestMarker Subject Attributes mapping to user attribute
			#@TestName Use only one attribute mapping
			#@TestIssue
			#@TestPurpose Map attributes from the certificate subject to attributes in user entries
			#@TestStep the subject certificate is defined with the format : uid=client-cert-1,SUFFIX
			#@TestStep The mapping will be done on the attribute uid from the cerficate subject
			#@TestStep and the attribute 'description' of the user's entry
			#@TestPreamble none
			#@TestPostamble none
			#@TestResult Success if OpenDS returns 0 for all operations
			-->

			<testcase name="'Security: client_auth: subject attribute mapping'">
			<sequence>
			<script>

			USER_1_CERT="client-cert-1"
			USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)

			USER_2_CERT="client-cert-2"
			USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
			STOREPASS="password"
			CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
			CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
			</script>
			<call function="'testCase_Preamble'"/>

			<message>
			'---- Configure the Subject Attribute to User Attribute mapper -----'
			</message>
			<message>'---- Add a new mapping rule from attribute "uid" from certificate subject and attribute "description" of the user entry'</message>
			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : 'cn=Subject Attribute to User Attribute,cn=Certificate Mappers,cn=config',
			'attributeName' : 'ds-cfg-certificate-subject-attribute-mapping',
			'newAttributeValue' : 'uid:description',
			'changetype' : 'replace' }
			</call>


			<message>'----- Configure the attribute description for user %s ---' % USER_1_DN</message>
			<message>'----- the attribute description will map with the attribute "uid" of the certificate subject'</message>

			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : USER_1_DN,
			'attributeName' : 'description',
			'newAttributeValue' : USER_1_CERT,
			'changetype' : 'add' }
			</call>


			<message>'----- Configure the attribute description for user %s ---' % USER_2_DN</message>
			<message>'----- the attribute description contains invalid value'</message>
			<message>'----- it will not map with the attribute "uid" of the certificate subject'</message>


			<call function="'modifyAnAttribute'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
			'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
			'DNToModify' : USER_2_DN,
			'attributeName' : 'description',
			'newAttributeValue' : 'bad-certificate',
			'changetype' : 'add' }
			</call>


			<!-- Check mapping is working -->

			<message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>

			<!-- bound as USER_1_DN -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseSSL' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_1_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base' }
			</call>

			<script>
			STAXCode = RC
			ldapSearchResult = STAXResult[0][1]
			</script>
			<call function="'CheckMatches'">
			{ 'string2find' : USER_1_DN ,
			'mainString' : ldapSearchResult ,
			'nbExpected' : 1
			}
			</call>

			<!-- No mapping expected -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseSSL' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_2_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base',
			'expected' : 49 }
			</call>



			<message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>

			<!-- bound as USER_1_DN -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseStartTLS' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_1_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base' }
			</call>

			<script>
			STAXCode = RC
			ldapSearchResult = STAXResult[0][1]
			</script>
			<call function="'CheckMatches'">
			{ 'string2find' : USER_1_DN ,
			'mainString' : ldapSearchResult ,
			'nbExpected' : 1
			}
			</call>

			<!-- No mapping expected -->
			<call function="'ldapSearchWithScript'">
			{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
			'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
			'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
			'dsFilter' : 'objectclass=*' ,
			'dsKeyStorePassword' : STOREPASS,
			'dsUseStartTLS' : ' ',
			'dsUseSASLExternal' : ' ',
			'dsCertNickname' : USER_2_CERT,
			'dsTrustStorePath' : CLIENT_KEYSTORE,
			'dsKeyStorePath' : CLIENT_KEYSTORE,
			'dsReportAuthzID' : ' ',
			'dsScope' : 'base',
			'expected' : 49 }
			</call>



			<call function="'testCase_Postamble'"/>
			</sequence>
			</testcase>

			</sequence>
			</function>

			</stax>