mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

ugaston
15.05.2008 dcc5438f2d33607c326b1f73669281fc485ad019
SASL DIGEST-MD5 authentication test extension
2 files modified
1052 ■■■■■ changed files
opends/tests/staf-tests/functional-tests/shared/data/security/sasl/sasl_startup.ldif 142 ●●●●●
opends/tests/staf-tests/functional-tests/testcases/security/sasl/security_sasl_digest-md5.xml 910 ●●●●●
opends/tests/staf-tests/functional-tests/shared/data/security/sasl/sasl_startup.ldif
@@ -485,3 +485,145 @@
roomnumber: 3915
userpassword: dogleg
dn: uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com
cn: Test User
sn: User
givenname: Test
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
uid: test-user
userpassword: testleg
dn: o=Proxy Auth Tests, dc=example,dc=com
objectclass: top
objectclass: organization
o: Proxy Auth Tests
dn: ou=Groups, o=Proxy Auth Tests, dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: Groups
dn: cn=Test Group, ou=Groups, o=Proxy Auth Tests, dc=example,dc=com
cn: Test Group
objectclass: top
objectclass: groupofuniquenames
ou: Groups
uniquemember: uid=proxy-priv-group-aci, ou=People, o=Proxy Auth Tests, dc=example,dc=com
dn: ou=People, o=Proxy Auth Tests, dc=example,dc=com
aci: (target="ldap:///uid=proxied-user,ou=People,o=Proxy Auth Tests,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "SASL Client ACI"; allow (proxy)
 (userdn="ldap:///uid=proxy-priv-aci,ou=People,o=Proxy Auth Tests,dc=example,dc=com" or
 userdn="ldap:///uid=proxy-nopriv-aci,ou=People,o=Proxy Auth Tests,dc=example,dc=com" or
 groupdn="ldap:///cn=Test Group,ou=Groups,o=Proxy Auth Tests,dc=example,dc=com");)
objectclass: top
objectclass: organizationalunit
ou: People
dn: uid=proxied-user, ou=People, o=Proxy Auth Tests, dc=example,dc=com
cn: Proxied User
sn: User
givenname: Proxied
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
uid: proxied-user
userpassword: proxyleg
description: This is the user used by those granted proxy-auth access
dn: uid=proxy-priv-aci, ou=People, o=Proxy Auth Tests, dc=example,dc=com
cn: Proxy Privilege & ACI
sn: Privilege & ACI
givenname: Proxy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
uid: proxy-priv-aci
userpassword: proxyleg
ds-privilege-name: proxied-auth
description: This user has proxied-auth privilege and is granted proxied access by ACI
dn: uid=proxy-priv-noaci, ou=People, o=Proxy Auth Tests, dc=example,dc=com
cn: Proxy Privilege & No ACI
sn: Privilege & No ACI
givenname: Proxy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
uid: proxy-priv-noaci
userpassword: proxyleg
ds-privilege-name: proxied-auth
description: This user has proxied-auth privilege but no granted proxied access by ACI
dn: uid=proxy-nopriv-aci, ou=People, o=Proxy Auth Tests, dc=example,dc=com
cn: Proxy No Privilege & ACI
sn: No Privilege & ACI
givenname: Proxy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
uid: proxy-nopriv-aci
userpassword: proxyleg
description: This user has no proxied-auth privilege but is granted proxied access by ACI
dn: uid=proxy-nopriv-noaci, ou=People, o=Proxy Auth Tests, dc=example,dc=com
cn: Proxy No Privilege & No ACI
sn: No Privilege & No ACI
givenname: Proxy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
uid: proxy-nopriv-noaci
userpassword: proxyleg
description: This user has no proxy access
dn: uid=proxy-priv-bypass-acl, ou=People, o=Proxy Auth Tests, dc=example,dc=com
cn: Proxy Privilege & By-pass ACL Privilege
sn: Privilege & By-pass ACL Privilege
givenname: Proxy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
uid: proxy-priv-bypass-acl
userpassword: proxyleg
ds-privilege-name: proxied-auth
ds-privilege-name: bypass-acl
description: This user has proxied-auth and bypass-acl privilege but no granted proxied access by ACI
dn: uid=proxy-priv-group-aci, ou=People, o=Proxy Auth Tests, dc=example,dc=com
cn: Proxy Privilege & Group ACI
sn: Privilege & Group ACI
givenname: Proxy
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Product Testing
ou: People
uid: proxy-priv-group-aci
userpassword: proxyleg
ds-privilege-name: proxied-auth
description: This user has proxied-auth and is member of a group granted proxied access by ACI
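Review bot: The new `uid=proxy-priv-bypass-acl` entry is the only account carrying `ds-privilege-name: bypass-acl`, and it also carries `ds-privilege-name: proxied-auth`, so the fixture has no negative control for bypass-acl on its own. The accompanying test case in security_sasl_digest-md5.xml expects this account's proxied bind to succeed without any ACI, so a regression in which `bypass-acl` alone is enough to assume `uid=proxied-user` would go unnoticed. Consider adding a sibling entry, for example `uid=proxy-nopriv-bypass-acl` (constructed name), that has `ds-privilege-name: bypass-acl` but no `proxied-auth` line, with a matching test expecting result 49. The group path has the same gap: `cn=Test Group` has one member and it holds `proxied-auth`, so a group member without the privilege would be worth adding as well.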
opends/tests/staf-tests/functional-tests/testcases/security/sasl/security_sasl_digest-md5.xml
@@ -48,7 +48,8 @@
            #@TestIssue                 345
            #@TestPurpose               Prepare for SASL DIGEST-MD5 tests.
            #@TestPreamble              none
            #@TestStep                  Admin change password storage scheme to CLEAR.
            #@TestStep                  Admin change password storage scheme to
                                        CLEAR.
            #@TestStep                  User change his password.
            #@TestPostamble             none
            #@TestResult                Success if OpenDS returns 0 
@@ -58,53 +59,59 @@
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
               'Security: SASL DIGEST-MD5: Preamble Step 1 - Admin Changing Pwd Storage to CLEAR'
              'Security: SASL DIGEST-MD5: Preamble Step 1 - Admin Changing \
              Pwd Storage to CLEAR'
            </message>
            <call function="'modifyPwdPolicy'">
                  { 'dsInstanceHost'         : DIRECTORY_INSTANCE_HOST ,
                    'dsInstanceDn'           : DIRECTORY_INSTANCE_DN ,
                    'dsInstancePswd'         : DIRECTORY_INSTANCE_PSWD ,
                    'propertyName'           : 'Default Password Policy' ,
                    'attributeName'          : 'default-password-storage-scheme' ,
                    'attributeValue'         : 'Clear' }
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                'propertyName'   : 'Default Password Policy' ,
                'attributeName'  : 'default-password-storage-scheme' ,
                'attributeValue' : 'Clear'
              }
            </call>
            
            <message>
               'Security: SASL DIGEST-MD5: Preamble Step 2 - Admin Changing Password for three users'
              'Security: SASL DIGEST-MD5: Preamble Step 2 - Admin Changing \
              Password for three users'
            </message>
            <call function="'modifyAnAttribute'">
                  { 'dsInstanceHost'         : DIRECTORY_INSTANCE_HOST ,
                    'dsInstancePort'         : DIRECTORY_INSTANCE_PORT ,
                    'dsInstanceDn'           : DIRECTORY_INSTANCE_DN ,
                    'dsInstancePswd'         : DIRECTORY_INSTANCE_PSWD ,
                    'DNToModify'             : 'uid=jsprinter, ou=People, o=SASL Tests, dc=example,dc=com' ,
                    'attributeName'          : 'userpassword' ,
                    'newAttributeValue'      : 'frogleg' ,
                    'changetype'             : 'replace' }
              { 'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'    : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'        : 'uid=jsprinter, ou=People, o=SASL Tests, dc=example,dc=com' ,
                'attributeName'     : 'userpassword' ,
                'newAttributeValue' : 'frogleg' ,
                'changetype'        : 'replace'
              }
            </call>
                
            <call function="'modifyAnAttribute'">
                  { 'dsInstanceHost'         : DIRECTORY_INSTANCE_HOST ,
                    'dsInstancePort'         : DIRECTORY_INSTANCE_PORT ,
                    'dsInstanceDn'           : DIRECTORY_INSTANCE_DN ,
                    'dsInstancePswd'         : DIRECTORY_INSTANCE_PSWD ,
                    'DNToModify'             : 'uid=jwalleye, ou=People, o=SASL Realm Tests, dc=example,dc=com' ,
                    'attributeName'          : 'userpassword' ,
                    'newAttributeValue'      : 'frogleg' ,
                    'changetype'             : 'replace' }
              { 'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'    : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'        : 'uid=jwalleye, ou=People, o=SASL Realm Tests, dc=example,dc=com' ,
                'attributeName'     : 'userpassword' ,
                'newAttributeValue' : 'frogleg' ,
                'changetype'        : 'replace'
              }
            </call>
                
            <call function="'modifyAnAttribute'">
                  { 'dsInstanceHost'         : DIRECTORY_INSTANCE_HOST ,
                    'dsInstancePort'         : DIRECTORY_INSTANCE_PORT ,
                    'dsInstanceDn'           : DIRECTORY_INSTANCE_DN ,
                    'dsInstancePswd'         : DIRECTORY_INSTANCE_PSWD ,
                    'DNToModify'             : 'uid=jcarp, ou=People, o=SASL Tests, dc=example,dc=com' ,
                    'attributeName'          : 'userpassword' ,
                    'newAttributeValue'      : 'carpleg' ,
                    'changetype'             : 'replace' }
              { 'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'    : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'        : 'uid=jcarp, ou=People, o=SASL Tests, dc=example,dc=com' ,
                'attributeName'     : 'userpassword' ,
                'newAttributeValue' : 'carpleg' ,
                'changetype'        : 'replace'
              }
            </call>
            
            <call function="'testCase_Postamble'"/>
@@ -1845,9 +1852,844 @@
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          Non-clear Pwd Storage Scheme
            #@TestIssue
            #@TestPurpose       Test DIGEST-MD5 with reversible pwd storage
                                scheme other than CLEAR.
            #@TestPreamble      none
            #@TestStep          Admin change password storage scheme to 3DES.
            #@TestStep          User change his password.
            #@TestPostamble     none
            #@TestResult        Success if OpenDS returns 0 for all ldap
                                operations.
        -->
        <testcase name="getTestCaseName('DIGEST-MD5 - Non-clear Pwd Storage')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: Non-clear Pwd Storage Scheme'
            </message>
            <message>
              'Security: SASL DIGEST-MD5: Non-clear Pwd Storage Scheme - \
              Admin Changing Pwd Storage to 3DES'
            </message>
            <call function="'modifyPwdPolicy'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                'propertyName'   : 'Default Password Policy' ,
                'attributeName'  : 'default-password-storage-scheme' ,
                'attributeValue' : '3DES'
              }
            </call>
            <message>
              'Security: SASL DIGEST-MD5: Non-clear Pwd Storage Scheme - \
              Admin Changing Password for test user'
            </message>
            <script>
              test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
            </script>
            <call function="'modifyAnAttribute'">
              { 'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'    : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'        : test_user,
                'attributeName'     : 'userpassword',
                'newAttributeValue' : 'newleg',
                'changetype'        : 'replace'
              }
            </call>
            <message>
              'Security: SASL DIGEST-MD5: Non-clear Pwd Storage Scheme - \
              Search with SASL bind request as test user'
            </message>
            <script>
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg' \
                             % test_user
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          Proxy-auth {no proxy-auth privilege ;
                                no proxy access right}
            #@TestIssue
            #@TestPurpose       Test proxy authorization, when user has
                                - no proxy-auth privilege
                                - no proxy acces right
            #@TestPreamble      User change his password.
            #@TestStep          SASL bind with authzid=proxied-user
            #@TestPostamble     none
            #@TestResult        Success if sasl bind fails with 49.
        -->
        <testcase name=
                 "getTestCaseName('DIGEST-MD5 - Proxy-auth {no priv; no aci}')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth \
              {no proxy-auth privilege ; no proxy access right}'
            </message>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {no priv ; no aci}- \
              Admin Changing Password for test user'
            </message>
            <script>
              proxy_auth = 'ou=People, o=Proxy Auth Tests, dc=example,dc=com'
              proxy_user = 'uid=proxied-user, %s' % proxy_auth
              test_user = 'uid=proxy-nopriv-noaci, %s' % proxy_auth
            </script>
            <call function="'modifyAnAttribute'">
              { 'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'    : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'        : test_user,
                'attributeName'     : 'userpassword',
                'newAttributeValue' : 'newleg',
                'changetype'        : 'replace'
              }
            </call>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {no priv ; no aci} - \
              SASL bind with authzid=proxied-user'
            </message>
            <script>
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg \
               -o \"authzid=dn:%s\" ' % (test_user, proxy_user)
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options,
                'expectedRC'     : 49
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          Proxy-auth {proxy-auth privilege ;
                                no proxy access right}
            #@TestIssue
            #@TestPurpose       Test proxy authorization, when user has
                                - proxy-auth privilege
                                - no proxy acces right
            #@TestPreamble      User change his password.
            #@TestStep          SASL bind with authzid=proxied-user
            #@TestPostamble     none
            #@TestResult        Success if sasl bind fails with 49.
        -->
        <testcase name=
                 "getTestCaseName('DIGEST-MD5 - Proxy-auth {priv; no aci}')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth \
              {proxy-auth privilege ; no proxy access right}'
            </message>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {priv ; no aci}- \
              Admin Changing Password for test user'
            </message>
            <script>
              proxy_auth = 'ou=People, o=Proxy Auth Tests, dc=example,dc=com'
              proxy_user = 'uid=proxied-user, %s' % proxy_auth
              test_user = 'uid=proxy-priv-noaci, %s' % proxy_auth
            </script>
            <call function="'modifyAnAttribute'">
              { 'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'    : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'        : test_user,
                'attributeName'     : 'userpassword',
                'newAttributeValue' : 'newleg',
                'changetype'        : 'replace'
              }
            </call>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {priv ; no aci} - \
              SASL bind with authzid=proxied-user'
            </message>
            <script>
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg \
               -o \"authzid=dn:%s\" ' % (test_user, proxy_user)
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options,
                'expectedRC'     : 49
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          Proxy-auth {proxy-auth + bypass acl privilege ;
                                no proxy access right}
            #@TestIssue
            #@TestPurpose       Test proxy authorization, when user has
                                - proxy-auth and bypass-acl privilege
                                - no proxy acces right
            #@TestPreamble      User change his password.
            #@TestStep          SASL bind with authzid=proxied-user
            #@TestPostamble     none
            #@TestResult        Success if sasl bind succeeds.
        -->
        <testcase name=
           "getTestCaseName('DIGEST-MD5 - Proxy-auth {priv + bypass; no aci}')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth \
              {proxy-auth + bypass-acl privilege ; no proxy access right}'
            </message>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {priv + bypass; no aci}- \
              Admin Changing Password for test user'
            </message>
            <script>
              proxy_auth = 'ou=People, o=Proxy Auth Tests, dc=example,dc=com'
              proxy_user = 'uid=proxied-user, %s' % proxy_auth
              test_user = 'uid=proxy-priv-bypass-acl, %s' % proxy_auth
            </script>
            <call function="'modifyAnAttribute'">
              { 'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'    : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'        : test_user,
                'attributeName'     : 'userpassword',
                'newAttributeValue' : 'newleg',
                'changetype'        : 'replace'
              }
            </call>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {priv + bypass; no aci} - \
              SASL bind with authzid=proxied-user'
            </message>
            <script>
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg \
               -o \"authzid=dn:%s\" ' % (test_user, proxy_user)
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          Proxy-auth {no proxy-auth privilege ;
                                proxy access right}
            #@TestIssue
            #@TestPurpose       Test proxy authorization, when user has
                                - no proxy-auth privilege
                                - proxy acces right
            #@TestPreamble      User change his password.
            #@TestStep          SASL bind with authzid=proxied-user
            #@TestPostamble     none
            #@TestResult        Success if sasl bind fails with 49.
        -->
        <testcase name=
                 "getTestCaseName('DIGEST-MD5 - Proxy-auth {no priv; aci}')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth \
              {no proxy-auth privilege ; proxy access right}'
            </message>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {no priv ; aci}- \
              Admin Changing Password for test user'
            </message>
            <script>
              proxy_auth = 'ou=People, o=Proxy Auth Tests, dc=example,dc=com'
              proxy_user = 'uid=proxied-user, %s' % proxy_auth
              test_user = 'uid=proxy-nopriv-aci, %s' % proxy_auth
            </script>
            <call function="'modifyAnAttribute'">
              { 'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'    : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'        : test_user,
                'attributeName'     : 'userpassword',
                'newAttributeValue' : 'newleg',
                'changetype'        : 'replace'
              }
            </call>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {no priv ; aci} - \
              SASL bind with authzid=proxied-user'
            </message>
            <script>
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg \
               -o \"authzid=dn:%s\" ' % (test_user, proxy_user)
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options,
                'expectedRC'     : 49
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          Proxy-auth {proxy-auth privilege ;
                                proxy access right}
            #@TestIssue
            #@TestPurpose       Test proxy authorization, when user has
                                - proxy-auth privilege
                                - proxy acces right
            #@TestPreamble      User change his password.
            #@TestStep          SASL bind with authzid=proxied-user
            #@TestPostamble     none
            #@TestResult        Success if sasl bind succeeds.
        -->
        <testcase name=
                 "getTestCaseName('DIGEST-MD5 - Proxy-auth {priv; aci}')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth \
              {proxy-auth privilege ; proxy access right}'
            </message>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {priv ; aci}- \
              Admin Changing Password for test user'
            </message>
            <script>
              proxy_auth = 'ou=People, o=Proxy Auth Tests, dc=example,dc=com'
              proxy_user = 'uid=proxied-user, %s' % proxy_auth
              test_user = 'uid=proxy-priv-aci, %s' % proxy_auth
            </script>
            <call function="'modifyAnAttribute'">
              { 'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'    : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'        : test_user,
                'attributeName'     : 'userpassword',
                'newAttributeValue' : 'newleg',
                'changetype'        : 'replace'
              }
            </call>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {priv ; aci} - \
              SASL bind with authzid=proxied-user'
            </message>
            <script>
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg \
               -o \"authzid=dn:%s\" ' % (test_user, proxy_user)
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          Proxy-auth {proxy-auth privilege ;
                                group proxy access right}
            #@TestIssue
            #@TestPurpose       Test proxy authorization, when user has
                                - proxy-auth privilege
                                - group proxy acces right
            #@TestPreamble      User change his password.
            #@TestStep          SASL bind with authzid=proxied-user
            #@TestPostamble     none
            #@TestResult        Success if sasl bind succeeds.
        -->
        <testcase name=
                 "getTestCaseName('DIGEST-MD5 - Proxy-auth {priv; group aci}')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth \
              {proxy-auth privilege ; group proxy access right}'
            </message>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {priv ; group aci} - \
              Admin Changing Password for test user'
            </message>
            <script>
              proxy_auth = 'ou=People, o=Proxy Auth Tests, dc=example,dc=com'
              proxy_user = 'uid=proxied-user, %s' % proxy_auth
              test_user = 'uid=proxy-priv-group-aci, %s' % proxy_auth
            </script>
            <call function="'modifyAnAttribute'">
              { 'dsInstanceHost'    : DIRECTORY_INSTANCE_HOST ,
                'dsInstancePort'    : DIRECTORY_INSTANCE_PORT ,
                'dsInstanceDn'      : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd'    : DIRECTORY_INSTANCE_PSWD ,
                'DNToModify'        : test_user,
                'attributeName'     : 'userpassword',
                'newAttributeValue' : 'newleg',
                'changetype'        : 'replace'
              }
            </call>
            <message>
              'Security: SASL DIGEST-MD5: Proxy-auth {priv ; group aci} - \
              SASL bind with authzid=proxied-user'
            </message>
            <script>
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg \
               -o \"authzid=dn:%s\" ' % (test_user, proxy_user)
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
        <!--- Test case: Admin set fqdn -->
        <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          Set FQDN = fake hostname
            #@TestIssue
            #@TestPurpose       Admin set FQDN in SASL DIGEST-MD5 mechanism.
            #@TestPreamble      none
            #@TestStep          ldapmodify used to set fqdn.
            #@TestPostamble     none
            #@TestResult        Success if OpenDS returns 0.
        -->
        <testcase name=
                     "getTestCaseName('DIGEST-MD5 - Set FQDN = fake hostname')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
               'Security: SASL DIGEST-MD5: Set FQDN'
            </message>
            <call function="'modifySaslMech'">
                  { 'dsInstanceHost'         : DIRECTORY_INSTANCE_HOST ,
                    'dsInstanceDn'           : DIRECTORY_INSTANCE_DN ,
                    'dsInstancePswd'         : DIRECTORY_INSTANCE_PSWD ,
                    'handlerName'            : 'DIGEST-MD5' ,
                    'propertyName'           : 'server-fqdn' ,
                    'propertyValue'          : 'fqdn-test.com' }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          FQDN {hostname != fqdn}
            #@TestIssue
            #@TestPurpose       Test the use of fqdn
            #@TestPreamble      none
            #@TestStep          SASL bind with hostname != fqdn
            #@TestPostamble     none
            #@TestResult        Success if sasl bind fails with 49.
        -->
        <testcase name=
                 "getTestCaseName('DIGEST-MD5 - FQDN {hostname!=fqdn')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: FQDN {hostname != fqdn}'
            </message>
            <script>
              test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg' \
                             % test_user
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options,
                'expectedRC'     : 49
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          FQDN {hostname != fqdn ;
                                digest-uri = ldap/fqdn}
            #@TestIssue
            #@TestPurpose       Test the use of fqdn and digest-uri
            #@TestPreamble      none
            #@TestStep          SASL bind with hostname != fqdn,
                                digest-uri = ldap/fqdn
            #@TestPostamble     none
            #@TestResult        Success if sasl bind succeeds.
        -->
        <testcase name=
            "getTestCaseName('DIGEST-MD5 - FQDN {hostname!=fqdn ; uri=fqdn')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: FQDN {hostname!=fqdn ; uri=fqdn}'
            </message>
            <script>
              test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg \
               -o \"digest-uri=ldap/fqdn-test.com\" ' % test_user
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          FQDN {hostname != fqdn ;
                                digest-uri != ldap/fqdn}
            #@TestIssue
            #@TestPurpose       Test the use of fqdn and digest-uri
            #@TestPreamble      none
            #@TestStep          SASL bind with hostname != fqdn,
                                digest-uri != ldap/fqdn
            #@TestPostamble     none
            #@TestResult        Success if sasl bind fails with 49.
        -->
        <testcase name=
            "getTestCaseName('DIGEST-MD5 - FQDN {hostname!=fqdn ; uri!=fqdn')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: FQDN {hostname!=fqdn ; uri!=fqdn}'
            </message>
            <script>
              test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg \
               -o \"digest-uri=ldap/fake-fqdn-test.com\" ' % test_user
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options,
                'expectedRC'     : 49
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
        <!--- Test case: Admin reset fqdn -->
        <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          Set FQDN = hostname
            #@TestIssue
            #@TestPurpose       Admin set FQDN in SASL DIGEST-MD5 mechanism.
            #@TestPreamble      none
            #@TestStep          ldapmodify used to set fqdn.
            #@TestPostamble     none
            #@TestResult        Success if OpenDS returns 0.
        -->
        <testcase name="getTestCaseName('DIGEST-MD5 - Set FQDN = hostname')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
               'Security: SASL DIGEST-MD5: Set FQDN'
            </message>
            <call function="'modifySaslMech'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
                'dsInstanceDn'   : DIRECTORY_INSTANCE_DN ,
                'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
                'handlerName'    : 'DIGEST-MD5' ,
                'propertyName'   : 'server-fqdn' ,
                'propertyValue'  : DIRECTORY_INSTANCE_HOST
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          FQDN {hostname = fqdn}
            #@TestIssue
            #@TestPurpose       Test the use of fqdn
            #@TestPreamble      none
            #@TestStep          SASL bind with hostname = fqdn
            #@TestPostamble     none
            #@TestResult        Success if sasl bind succeeds.
        -->
        <testcase name=
                 "getTestCaseName('DIGEST-MD5 - FQDN {hostname=fqdn')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: FQDN {hostname = fqdn}'
            </message>
            <script>
              test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg' \
                             % test_user
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          FQDN {hostname = fqdn ;
                                digest-uri = ldap/fqdn}
            #@TestIssue
            #@TestPurpose       Test the use of fqdn and digest-uri
            #@TestPreamble      none
            #@TestStep          SASL bind with hostname = fqdn,
                                digest-uri = ldap/fqdn
            #@TestPostamble     none
            #@TestResult        Success if sasl bind succeeds.
        -->
        <testcase name=
            "getTestCaseName('DIGEST-MD5 - FQDN {hostname=fqdn ; uri=fqdn')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: FQDN {hostname=fqdn ; uri=fqdn}'
            </message>
            <script>
              test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg \
               -o \"digest-uri=ldap/%s\" ' % (test_user,DIRECTORY_INSTANCE_HOST)
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
       <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker        SASL DIGEST-MD5 Tests
            #@TestName          FQDN {hostname = fqdn ;
                                digest-uri != ldap/fqdn}
            #@TestIssue
            #@TestPurpose       Test the use of fqdn and digest-uri
            #@TestPreamble      none
            #@TestStep          SASL bind with hostname = fqdn,
                                digest-uri != ldap/fqdn
            #@TestPostamble     none
            #@TestResult        Success if sasl bind fails with 49.
        -->
        <testcase name=
            "getTestCaseName('DIGEST-MD5 - FQDN {hostname=fqdn ; uri!=fqdn')">
          <sequence>
            <call function="'testCase_Preamble'"/>
            <message>
              'Security: SASL DIGEST-MD5: FQDN {hostname=fqdn ; uri!=fqdn}'
            </message>
            <script>
              test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
              sasl_options = '-o mech=DIGEST-MD5 -o \"authid=dn:%s\" -w newleg \
               -o \"digest-uri=ldap/fake-fqdn-test.com\" ' % test_user
            </script>
            <call function="'AnonSearchObject'">
              { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
                'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
                'dsBaseDN'       : 'dc=example,dc=com',
                'dsFilter'       : 'objectclass=*',
                'extraParams'    : sasl_options,
                'expectedRC'     : 49
              }
            </call>
            <call function="'testCase_Postamble'"/>
          </sequence>
        </testcase>
        
        <!--- Test case: DIGEST-MD5 SASL Mechanism -->
       <!---
        <!---
            Place test-specific test information here.
            The tag, TestMarker, must be the same as the tag, TestSuiteName.
            #@TestMarker                SASL DIGEST-MD5 Tests