From 65ea66b68c4ad6905110f6a8a1a310031d57c315 Mon Sep 17 00:00:00 2001
From: Valery Kharseko <vharseko@3a-systems.ru>
Date: Wed, 08 Jul 2026 17:16:00 +0000
Subject: [PATCH] Fix and enable the AlternateRootDN ACI test (#706)
---
opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDNTestCase.java | 27 ++++++++++++++++++++++++---
1 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDN.java b/opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDNTestCase.java
similarity index 82%
rename from opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDN.java
rename to opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDNTestCase.java
index 3cc6833..5a22986 100644
--- a/opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDN.java
+++ b/opendj-server-legacy/src/test/java/org/opends/server/authorization/dseecompat/AlternateRootDNTestCase.java
@@ -13,6 +13,7 @@
*
* Copyright 2008-2009 Sun Microsystems, Inc.
* Portions Copyright 2013-2016 ForgeRock AS.
+ * Portions Copyright 2026 3A Systems, LLC
*/
package org.opends.server.authorization.dseecompat;
@@ -29,7 +30,7 @@
/** This class tests ACI behavior using alternate root bind DNs. */
@SuppressWarnings("javadoc")
-public class AlternateRootDN extends AciTestCase {
+public class AlternateRootDNTestCase extends AciTestCase {
private static final String user1="uid=user.1,ou=People,o=test";
private static final String user3="uid=user.3,ou=People,o=test";
@@ -43,6 +44,17 @@
"(version 3.0; acl \"proxy" + user3 + "\";" +
"allow (proxy) userdn=\"ldap:///" + user3 + "\";)";
+ /**
+ * The proxy right for a proxied authorization control is evaluated against
+ * the entry being authorized as - here the root DN entries under cn=config -
+ * so it must be granted through a global ACI.
+ */
+ private static final
+ String globalProxyACI = "(target = \"ldap:///cn=Root DNs,cn=config\")" +
+ "(targetattr = \"*\")" +
+ "(version 3.0; acl \"global proxy " + user3 + "\";" +
+ "allow (proxy) userdn=\"ldap:///" + user3 + "\";)";
+
/** Need an ACI to allow proxy control. */
private static final
String controlACI = "(targetcontrol=\"" + OID_PROXIED_AUTH_V2 + "\")" +
@@ -64,6 +76,7 @@
@BeforeMethod
public void clearBackend() throws Exception {
deleteAttrFromEntry(user1, "aci");
+ deleteAttrFromEntry(user3, "aci");
deleteAttrFromAdminEntry(ACCESS_HANDLER_DN, ATTR_AUTHZ_GLOBAL_ACI);
}
@@ -113,8 +126,15 @@
*/
@Test
public void testAlternateProxyDNs() throws Exception {
- String aciLdif=makeAddLDIF("aci", user1, rootDNACI, proxyACI, controlACI);
+ String aciLdif=makeAddLDIF("aci", user1, rootDNACI, proxyACI);
LDIFModify(aciLdif, DIR_MGR_DN, PWD);
+ // The targetcontrol ACI for the proxied authorization control is
+ // evaluated against the entry of the authenticated user (user3), not
+ // against the search target, so it must be placed on that entry.
+ String controlAciLdif=makeAddLDIF("aci", user3, controlACI);
+ LDIFModify(controlAciLdif, DIR_MGR_DN, PWD);
+ String globalAciLdif=makeAddLDIF(ATTR_AUTHZ_GLOBAL_ACI, ACCESS_HANDLER_DN, globalProxyACI);
+ LDIFAdminModify(globalAciLdif, DIR_MGR_DN, PWD);
String adminDNResults =
LDAPSearchParams(user3, PWD, adminDN, null, null,
user1, pwdFilter, ATTR_USER_PASSWORD);
@@ -128,11 +148,12 @@
Map<String, String> attrMap1 = getAttrMap(adminRootDNResults);
assertTrue(attrMap1.containsKey(ATTR_USER_PASSWORD));
String rootDNResults =
- LDAPSearchParams(user3, PWD, adminDN, null, null,
+ LDAPSearchParams(user3, PWD, rootDN, null, null,
user1, pwdFilter, ATTR_USER_PASSWORD);
assertNotEquals(rootDNResults, "");
Map<String, String> attrMap2 = getAttrMap(rootDNResults);
assertTrue(attrMap2.containsKey(ATTR_USER_PASSWORD));
deleteAttrFromEntry(user1, "aci");
+ deleteAttrFromEntry(user3, "aci");
}
}
--
Gitblit v1.10.0