
dugan
18.09.2007 f8fda0d8fcc71d68e644dcb21fcb282edc0fdc2c
Remove ACI roledn bind rule keyword.
Issue #1577.
1 files deleted
4 files modified
246 ■■■■ changed files
opends/src/server/org/opends/server/authorization/dseecompat/BindRule.java 9 ●●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/authorization/dseecompat/RoleDN.java 164 ●●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/authorization/dseecompat/UserAttr.java 19 ●●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/messages/AciMessages.java 16 ●●●●● patch | view | raw | blame | history
opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java 38 ●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/authorization/dseecompat/BindRule.java
@@ -486,7 +486,7 @@
                                          EnumBindRuleKeyword keyword,
                                          EnumBindRuleType op)
            throws AciException  {
        KeywordBindRule rule;
        KeywordBindRule rule=null;
        switch (keyword) {
            case USERDN:
            {
@@ -495,8 +495,11 @@
            }
            case ROLEDN:
            {
                rule = RoleDN.decode(expr, op);
                break;
                //The roledn keyword is not supported. Throw an exception with
                //a message if it is seen in the ACI.
                int msgID=MSGID_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED;
                String message = getMessage(msgID, expr);
                throw new AciException(msgID, message);
            }
            case GROUPDN:
            {
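Review bot: The new `KeywordBindRule rule=null;` initializer trades a compile-time definite-assignment check for a possible `null` return from this decode method — if it was added because the switch has a case (or no `default`) that leaves `rule` unassigned, a `default` that throws `AciException` is the safer fix, since a silently null bind rule is the kind of value an ACI evaluator may later treat as "no rule" rather than "invalid rule". The ROLEDN case itself now always throws, so it no longer needs the initializer. If the initializer must stay, a why-comment such as `// null only until the switch assigns or throws; every keyword must do one or the other` would make the intent explicit. The enclosing method starts before this hunk, so the `default` branch and the return are not visible here.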
opends/src/server/org/opends/server/authorization/dseecompat/RoleDN.java
File was deleted
opends/src/server/org/opends/server/authorization/dseecompat/UserAttr.java
@@ -157,14 +157,11 @@
                    return new UserAttr (userAttrType, type, parentInheritance);
                }
                case ROLEDN: {
                    //Even though parent inheritance is invalid for the ROLEDN
                    //keyword, we are going to up a simple parent inheritance
                    //class so that most of the evaluate methods in this class
                    //can be re-used. The true boolean means to skip parsing,
                    //except for a quick validation parse.
                    ParentInheritance parentInheritance =
                            new ParentInheritance(vals[0], true);
                     return new UserAttr(userAttrType, type, parentInheritance);
                  //The roledn keyword is not supported. Throw an exception with
                  //a message if it is seen in the expression.
                  int msgID=MSGID_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED;
                  String message = getMessage(msgID, expression);
                  throw new AciException(msgID, message);
                }
         }
         return new UserAttr(vals[0], vals[1], userAttrType, type);
@@ -383,7 +380,8 @@
    /**
     * This method evaluates the user attribute type and calls the correct
     * evalaution method. The three user attribute types that can be selected
     * are ROLEDN, USERDN or GROUPDN.
     * are USERDN or GROUPDN.
     *
     * @param e The entry to use in the evaluation.
     * @param evalCtx The evaluation context to use in the evaluation.
     * @param attributeType The attribute type to use in the evaluation.
@@ -398,9 +396,6 @@
                                       attributeType);
                break;
            }
            case ROLEDN:
                result=RoleDN.evaluate(e, evalCtx, attributeType);
                break;
            case GROUPDN: {
                result=GroupDN.evaluate(e, evalCtx, attributeType);
                break;
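Review bot: The updated Javadoc in the second hunk is internally inconsistent: it still says `The three user attribute types that can be selected` while the next line now lists only `USERDN or GROUPDN`, and "evalaution" is misspelled; suggest `* evaluation method. The two user attribute types that can be selected` followed by `* are USERDN or GROUPDN.`. In the first hunk the rejection of `#ROLEDN` happens in decode, so the removed ROLEDN branch in evaluate is unreachable rather than a behaviour change — a short comment on the decode case, e.g. `//Rejected here so evaluate never sees a ROLEDN attribute type.`, would tie the two hunks together for the next reader. The switch statements in both hunks begin and end outside the visible lines.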
opends/src/server/org/opends/server/messages/AciMessages.java
@@ -747,7 +747,7 @@
  public static final int MSGID_ACI_TARGETATTR_INVALID_OP_USER_ATTR =
       CATEGORY_MASK_ACCESS_CONTROL | SEVERITY_MASK_SEVERE_WARNING | 74;
      /**
  /**
   * The message ID for the message that will be used if a targetattr
   * keyword expression performs both an inequality operation using
   * operational attribute types. This takes one argument, which is the
@@ -756,6 +756,14 @@
  public static final int MSGID_ACI_TARGATTR_INVALID_OP_ATTR_INEQUALITY =
       CATEGORY_MASK_ACCESS_CONTROL | SEVERITY_MASK_SEVERE_WARNING | 75;
  /**
   * The message ID for the message that will be used if a roledn
   * keyword expression is parsed. The roledn keyword is not supported.
   * This takes one argument, which is the roledn expression string.
   */
  public static final int MSGID_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED =
       CATEGORY_MASK_ACCESS_CONTROL | SEVERITY_MASK_SEVERE_WARNING | 76;
    /**
     * Associates a set of generic messages with the message IDs defined in
     * this class.
@@ -1189,5 +1197,11 @@
              "targetattr expression value \"%s\" is invalid because" +
              " the expression performs an inequality operation using " +
              "operational attribute types");
      registerMessage(MSGID_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED,
              "The provided Access Control Instruction (ACI) expression " +
              "value \"%s\" is invalid because it contains" +
              " the roledn keyword, which is not supported,  replace it with " +
              "the groupdn keyword");
    }
}
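Review bot: The registered message text for `MSGID_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED` contains a stray double space and a comma splice that will be shown to administrators verbatim: `" the roledn keyword, which is not supported,  replace it with "`. Suggest `" the roledn keyword, which is not supported; replace it with "` so the sentence reads cleanly. The constant uses ordinal 76 directly after 75, which looks right from the visible neighbours, but whether 76 is already taken elsewhere in this file cannot be confirmed from this hunk. The Javadoc on the new constant could also state that the argument is echoed back, e.g. `* This takes one argument, which is the roledn expression string as provided in the ACI.`.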
opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
@@ -225,9 +225,6 @@
  private static final String BIND_RULE_USERDN_TOP_LEVEL_CN_ADMINS = "userdn=\"ldap:///dc=example,dc=com??one?(cn=*admin*)\"";  // TODO: this might be invalid?
  private static final String BIND_RULE_GROUPDN_GROUP_1 =
                                    "groupdn=\"ldap:///" + OU_GROUP_1_DN + "\"";
   private static final String BIND_RULE_ROLEDN_GROUP_1 =
                                     "roledn=\"ldap:///" + OU_GROUP_1_DN + "\"";
  private static final String BIND_RULE_IP_LOCALHOST = "ip=\"127.0.0.1\"";
  private static final String BIND_RULE_IP_LOCALHOST_WITH_MASK = "ip=\"127.0.0.1+255.255.255.254\"";
  private static final String BIND_RULE_IP_LOCALHOST_SUBNET = "ip=\"127.0.0.*\"";
@@ -263,10 +260,6 @@
  private static final String BIND_RULE_GROUPDN_1 = "groupdn=\"ldap:///cn=SomeGroup,dc=example,dc=com\"";
  private static final String BIND_RULE_GROUPDN_2 = "groupdn=\"ldap:///cn=SomeGroup,dc=example,dc=com || ldap:///cn=SomeOtherGroup,dc=example,dc=com\"";
  private static final String BIND_RULE_GROUPDN_3 = "groupdn=\"ldap:///cn=SomeGroup,dc=example,dc=com || ldap:///cn=SomeOtherGroup,dc=example,dc=com || ldap:///cn=SomeThirdGroup,dc=example,dc=com\"";
  private static final String BIND_RULE_ROLEDN_1 = "roledn=\"ldap:///cn=SomeGroup,dc=example,dc=com\"";
  private static final String BIND_RULE_ROLEDN_2 =  "roledn=\"ldap:///cn=SomeGroup,dc=example,dc=com || ldap:///cn=SomeOtherGroup,dc=example,dc=com\"";
  private static final String BIND_RULE_ROLEDN_3 =  "roledn=\"ldap:///cn=SomeGroup,dc=example,dc=com || ldap:///cn=SomeOtherGroup,dc=example,dc=com || ldap:///cn=SomeThirdGroup,dc=example,dc=com\"";
  private static final String BIND_RULE_USERDN_FILTER = "userdn=\"ldap:///dc=example,dc=com??one?(|(ou=eng)(ou=acct))\"";
  //bind rule user attr ACIs
@@ -275,8 +268,6 @@
  private static final String BIND_RULE_USERATTR_URL = "userattr=\"cn#LDAPURL\"";
  private static final String BIND_RULE_USERATTR_GROUPDN = "userattr=\"manager#GROUPDN\"";
  private static final String BIND_RULE_USERATTR_GROUPDN_1 = "userattr=\"ldap:///dc=example,dc=com?owner#GROUPDN\"";
  private static final String BIND_RULE_USERATTR_ROLEDN = "userattr=\"manager#ROLEDN\"";
  private static final String BIND_RULE_USERATTR_ROLEDN_1 = "userattr=\"ldap:///dc=example,dc=com?owner#ROLEDN\"";
  private static final String BIND_RULE_USERATTR_USERDN_INHERITANCE = "userattr=\"parent[0,1,2].cn#USERDN\"";
  private static final String BIND_RULE_USERATTR_GROUPDN_INHERITANCE = "userattr=\"parent[0,1,2].cn#GROUPDN\"";
  private static final String BIND_RULE_USERATTR_VALUE = "userattr=\"manager#a manager\"";
@@ -375,10 +366,6 @@
          buildAciValue("name", "allow search to group1 groupdn", "targetattr",
                        "*", "allow(search, read)", BIND_RULE_GROUPDN_GROUP_1);
  private static final String ALLOW_SEARCH_TO_GROUP1_ROLEDN =
          buildAciValue("name", "allow search to group1 roledn", "targetattr",
                        "*", "allow(search, read)", BIND_RULE_ROLEDN_GROUP_1);
  private static final String ALLOW_SEARCH_TO_ADMIN =
          buildAciValue("name", "allow search to admin", "targetattr", "*", "allow(search, read)", BIND_RULE_USERDN_ADMIN);
@@ -668,16 +655,11 @@
    buildAciValue("name", "read group dn 1", "targetattr", "*", "allow (read)", BIND_RULE_GROUPDN_1),
    buildAciValue("name", "read group dn 2", "targetattr", "*", "allow (read)", BIND_RULE_GROUPDN_2),
    buildAciValue("name", "read group dn 3", "targetattr", "*", "allow (read)", BIND_RULE_GROUPDN_3),
    buildAciValue("name", "read group dn 1", "targetattr", "*", "allow (read)", BIND_RULE_ROLEDN_1),
    buildAciValue("name", "read group dn 2", "targetattr", "*", "allow (read)", BIND_RULE_ROLEDN_2),
    buildAciValue("name", "read group dn 3", "targetattr", "*", "allow (read)", BIND_RULE_ROLEDN_3),
    buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_USERDN),
    buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_USERDN_1),
    buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_URL),
    buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_GROUPDN),
    buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_GROUPDN_1),
    buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_ROLEDN),
    buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_ROLEDN_1),
    buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_USERDN_INHERITANCE),
    buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_GROUPDN_INHERITANCE),
    buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_VALUE),
@@ -747,6 +729,8 @@
         buildAciValue("targetattr", "*", "allows (read, write, add, delete, search, compare, selfwrite, all)", BIND_RULE_USERDN_SELF),
         buildAciValue("name", "bad groupdn url", "targetattr", "*", "allow (read, write, add, delete, search, compare, selfwrite, all)", "groupdn=\"ldap:///bogus\""),
         buildAciValue("name", "bad groupdn url2", "targetattr", "*", "allow (read, write, add, delete, search, compare, selfwrite, all)", "groupdn=\"ldap1:///bogus\""),
         //Roledn keyword is not supported anymore.
         buildAciValue("name", "unsupported roledn", "targetattr", "*", "allow (all)", "roledn=\"ldap:///cn=foo, dc=bar\""),
// </PASSES>
  };
@@ -1136,11 +1120,7 @@
 private static final String ACI_PROXY_MOVED_ENTRY =
                   makeAddAciLdif(SALES_USER_1, ALLOW_PROXY_TO_MOVED_ENTRY);
//ACI used in testing the groupdn/roledn bind rule keywords.
 private static final
 String GROUP1_ROLEDN_MODS =  makeAddAciLdif(OU_LEAF_DN,
                                         ALLOW_SEARCH_TO_GROUP1_ROLEDN);
//ACI used in testing the groupdn bind rule keywords.
   private static final
 String GROUP1_GROUPDN_MODS =  makeAddAciLdif(OU_LEAF_DN,
@@ -1908,8 +1888,8 @@
  /**
  * Test group and role bind rule ACI keywords. Both groupdn and roledn keywords
  * funnel through the same code so the results should be the same.
  * Test group  bind rule ACI keywords.
   *
  * @throws Throwable
 */
    @Test()
@@ -1927,17 +1907,11 @@
                                     null, null, null);
        try {
            addEntries(BASIC_LDIF__GROUP_SEARCH_TESTS, DIR_MGR_DN, DIR_MGR_PW);
            modEntries(GROUP1_ROLEDN_MODS, DIR_MGR_DN, DIR_MGR_PW);
            modEntries(GROUP1_GROUPDN_MODS, DIR_MGR_DN, DIR_MGR_PW);
            String userResults = ldapSearch(userParam.getLdapSearchArgs());
            Assert.assertFalse(userResults.equals(""));
            String adminResults = ldapSearch(adminParam.getLdapSearchArgs());
            Assert.assertTrue(adminResults.equals(""));
            deleteAttrFromEntry(OU_LEAF_DN, "aci", true);
            modEntries(GROUP1_GROUPDN_MODS, DIR_MGR_DN, DIR_MGR_PW);
            userResults = ldapSearch(userParam.getLdapSearchArgs());
            Assert.assertFalse(userResults.equals(""));
            adminResults = ldapSearch(adminParam.getLdapSearchArgs());
            Assert.assertTrue(adminResults.equals(""));
        } catch(Throwable e) {
                throw e;
        }
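Review bot: Coverage for the `userattr=\"...#ROLEDN\"` form is dropped without a replacement: the constants BIND_RULE_USERATTR_ROLEDN and BIND_RULE_USERATTR_ROLEDN_1 are removed along with their list entries, while the new negative case only exercises the bind-rule `roledn` keyword (`"roledn=\"ldap:///cn=foo, dc=bar\""`), so the new throw in UserAttr.decode appears untested. Suggest adding next to it `buildAciValue("name", "unsupported userattr roledn", "targetattr", "*", "allow (all)", "userattr=\"manager#ROLEDN\""),`. The rewritten Javadoc summary `* Test group  bind rule ACI keywords.` has a doubled space; `* Test groupdn bind rule ACI keyword.` matches the remaining test body. The test method continues past the last visible line.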