dirsrvtests/tests ldap/ldif
by William Brown
dirsrvtests/tests/tickets/ticket48354_test.py | 109 ++++++++++++++++++++++++++
ldap/ldif/template-baseacis.ldif.in | 2
2 files changed, 110 insertions(+), 1 deletion(-)
New commits:
commit 3c2cd48b7d2cb0579f7de6d460bcd0c9bb1157bd
Author: William Brown <firstyear(a)redhat.com>
Date: Tue Jun 21 11:11:52 2016 +1000
Ticket 48354 - Review of default ACI in the directory server
Bug Description: By default we provide a default ACI that allows reading of the
default ACI
Fix Description: Change the default, and add a test to detect regression of this.
https://fedorahosted.org/389/ticket/48354
Author: wibrown
Review by: nhosoi (Thanks!)
diff --git a/dirsrvtests/tests/tickets/ticket48354_test.py b/dirsrvtests/tests/tickets/ticket48354_test.py
new file mode 100644
index 0000000..53e1316
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket48354_test.py
@@ -0,0 +1,109 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+DEBUGGING = False
+
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+
+
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ """The DS Topology Class"""
+ def __init__(self, standalone):
+ """Init"""
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ """Create DS Deployment"""
+
+ # Creating standalone instance ...
+ if DEBUGGING:
+ standalone = DirSrv(verbose=True)
+ else:
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ def fin():
+ """If we are debugging just stop the instances, otherwise remove
+ them
+ """
+ if DEBUGGING:
+ standalone.stop(60)
+ else:
+ standalone.delete()
+
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+
+def _attr_present(conn, name):
+ results = conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(%s=*)' % name, [name,])
+ if DEBUGGING:
+ print(results)
+ if len(results) > 0:
+ return True
+ return False
+
+def test_ticket48354(topology):
+ """
+ Test that we cannot view ACIs, userPassword, or certain other attributes as anonymous.
+ """
+
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+ # Do an anonymous bind
+ conn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE))
+ conn.simple_bind_s()
+
+ # Make sure that we cannot see:
+ # * userPassword
+ assert(not _attr_present(conn, 'userPassword'))
+ # * aci
+ assert(not _attr_present(conn, 'aci'))
+ # * anything else?
+
+ conn.unbind_s()
+
+ log.info('Test PASSED')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
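Review bot: The `userPassword` assertion in `test_ticket48354` can pass without exercising the ACI, because nothing in this file adds an entry that carries `userPassword` before the anonymous search, so `(userPassword=*)` would presumably come back empty on a fresh instance even under the old default. Seeding one entry with a password first makes the check meaningful, and wrapping the assertions in `try`/`finally` keeps the anonymous connection from leaking when one of them fails. `_attr_present` also only proves the attribute cannot be used in a filter; a second search with `(objectClass=*)` that requests the attribute and inspects the returned entries would cover the read right separately.

```python
def test_ticket48354(topology):
    # … unchanged: docstring and DEBUGGING block …

    # Seed an entry that carries userPassword so the anonymous check below
    # cannot pass just because no such attribute exists yet.
    # Assumes topology.standalone is still bound as Directory Manager.
    # DN and password are constructed sample values.
    topology.standalone.add_s(Entry(('cn=ticket48354,%s' % DEFAULT_SUFFIX, {
        'objectclass': "top person".split(),
        'sn': 'ticket48354',
        'cn': 'ticket48354',
        'userpassword': 'password'})))

    # Do an anonymous bind
    conn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE))
    conn.simple_bind_s()
    try:
        assert(not _attr_present(conn, 'userPassword'))
        assert(not _attr_present(conn, 'aci'))
    finally:
        conn.unbind_s()

    # … unchanged: log.info('Test PASSED') …
```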
diff --git a/ldap/ldif/template-baseacis.ldif.in b/ldap/ldif/template-baseacis.ldif.in
index 089fb1f..4575921 100644
--- a/ldap/ldif/template-baseacis.ldif.in
+++ b/ldap/ldif/template-baseacis.ldif.in
@@ -1,5 +1,5 @@
dn: %ds_suffix%
changetype: modify
add: aci
-aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
+aci: (targetattr!="userPassword || aci")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
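Review bot: The anonymous rule on the changed `aci:` line is still written as an exclusion list (`targetattr!="userPassword || aci"`), so every attribute not named there, including any sensitive one added later by schema or plugins, stays readable, searchable and comparable by `ldap:///anyone`. An allow-list of the attributes anonymous clients actually need would fail closed instead. Because this file is a template, the change presumably reaches only newly created suffixes; existing instances keep the old ACI unless an upgrade step or release note tells administrators to edit it.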
7 years, 9 months
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/back-ldbm/ldbm_add.c | 7 +++++--
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 7 +++++--
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 7 +++++--
3 files changed, 15 insertions(+), 6 deletions(-)
New commits:
commit 4c2656d088ee09c4ee5bc31d4c54b4f43075ce69
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Jun 20 15:22:45 2016 -0700
Ticket #48892 - Wrong result code display in audit-failure log
Bug Description: Although a command line returns an error code 32,
audit-failure-log logs -1.
Fix Description: In the backend code, if a target entry does not
exist, -1 was internally set to ldap_result_code. The code was
interpreted to LDAP_NO_SUCH_OBJECT in the frontend before returning
to the client. But the audit-failure-log logged the internal code.
This patch fixes it.
https://fedorahosted.org/389/ticket/48892
Reviewed by wibrown(a)redhat.com (Thank you, William!!)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
index 088f80c..7eb8fe9 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
@@ -1339,8 +1339,11 @@ common_return:
done_with_pblock_entry(pb,SLAPI_ADD_EXISTING_DN_ENTRY);
done_with_pblock_entry(pb,SLAPI_ADD_EXISTING_UNIQUEID_ENTRY);
done_with_pblock_entry(pb,SLAPI_ADD_PARENT_ENTRY);
- if(ldap_result_code!=-1)
- {
+ if (ldap_result_code == -1) {
+ /* Reset to LDAP_NO_SUCH_OBJECT*/
+ ldap_result_code = LDAP_NO_SUCH_OBJECT;
+ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ldap_result_code);
+ } else {
if (not_an_error) {
/* This is mainly used by urp. Solved conflict is not an error.
* And we don't want the supplier to halt sending the updates. */
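Review bot: The new `if (ldap_result_code == -1)` branch at `common_return` rewrites every -1 to `LDAP_NO_SUCH_OBJECT`, which is only correct if -1 is never used in this function for any other result that was already sent to the client. The commit message describes the missing-entry case, but the places that assign -1 are outside the hunk; if any of them covers a different failure (a referral or an access error, say), the audit-failure log would now record 32 for it, which is worse for later investigation than an obviously internal -1. Consider carrying the real code to this point, or at least stating the invariant in the comment, e.g. `/* -1 is only set when the target entry was not found; report it as LDAP_NO_SUCH_OBJECT */`. The same branch is added in the ldbm_modify.c and ldbm_modrdn.c hunks, and the enclosing functions continue outside each hunk.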
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index fecd3b8..37225cd 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -946,8 +946,11 @@ common_return:
modify_term(&ruv_c, be);
}
- if(ldap_result_code!=-1)
- {
+ if (ldap_result_code == -1) {
+ /* Reset to LDAP_NO_SUCH_OBJECT*/
+ ldap_result_code = LDAP_NO_SUCH_OBJECT;
+ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ldap_result_code);
+ } else {
if (not_an_error) {
/* This is mainly used by urp. Solved conflict is not an error.
* And we don't want the supplier to halt sending the updates. */
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index fd74d5f..c0cd2ab 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -1476,8 +1476,11 @@ common_return:
modify_term(&ruv_c, be);
}
- if (ldap_result_code!=-1)
- {
+ if (ldap_result_code == -1) {
+ /* Reset to LDAP_NO_SUCH_OBJECT*/
+ ldap_result_code = LDAP_NO_SUCH_OBJECT;
+ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ldap_result_code);
+ } else {
if (not_an_error) {
/* This is mainly used by urp. Solved conflict is not an error.
* And we don't want the supplier to halt sending the updates. */
7 years, 9 months
ldap/servers
by Noriko Hosoi
ldap/servers/plugins/replication/repl5_total.c | 4 +---
ldap/servers/slapd/extendop.c | 20 ++++++++++++++++++--
ldap/servers/slapd/plugin.c | 8 --------
3 files changed, 19 insertions(+), 13 deletions(-)
New commits:
commit f6f9aa34e133ed3919879abaee294562d549250f
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Jun 20 12:52:06 2016 -0700
Revert "Ticket 48837 - Replication: total init aborted"
Description:
1) Reverting commit e6ba94f61c4105403c46c76cd192061955bfd71b
2) Removing the unnecessary error message added in the Ticket 48770 patch.
diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c
index 12b244d..0512dfa 100644
--- a/ldap/servers/plugins/replication/repl5_total.c
+++ b/ldap/servers/plugins/replication/repl5_total.c
@@ -866,7 +866,7 @@ multimaster_extop_NSDS50ReplicationEntry(Slapi_PBlock *pb)
rc, connid, opid);
}
- if (rc) {
+ if (LDAP_SUCCESS != rc) {
/* just disconnect from the supplier. bulk import is stopped when
connection object is destroyed */
slapi_pblock_get (pb, SLAPI_CONNECTION, &conn);
@@ -880,8 +880,6 @@ multimaster_extop_NSDS50ReplicationEntry(Slapi_PBlock *pb)
{
slapi_entry_free (e);
}
- } else {
- rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
}
return rc;
diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
index 5459f9e..978c92f 100644
--- a/ldap/servers/slapd/extendop.c
+++ b/ldap/servers/slapd/extendop.c
@@ -344,6 +344,13 @@ do_extended( Slapi_PBlock *pb )
if (rc == SLAPI_PLUGIN_EXTENDEDOP && p != NULL) {
slapi_log_error(SLAPI_LOG_TRACE, NULL, "extendop.c calling plugin ... \n");
+ /*
+ * Return values:
+ * SLAPI_PLUGIN_EXTENDED_SENT_RESULT: The result is already sent to the client.
+ * There is nothing to do further.
+ * SLAPI_PLUGIN_EXTENDED_NOT_HANDLED: Unsupported extended operation
+ * LDAP codes (e.g., LDAP_SUCCESS): The result is not sent yet. Call send_ldap_result.
+ */
rc = plugin_call_exop_plugins( pb, p);
slapi_log_error(SLAPI_LOG_TRACE, NULL, "extendop.c called exop, got %d \n", rc);
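Review bot: The contract described in the added comment now has to hold for every extended-operation handler: with the `LDAP_SUCCESS` translation removed from `plugin_call_exop_plugins` in plugin.c, a handler that sends its own result and then returns `LDAP_SUCCESS` would have a second result sent for the same operation by `do_extended`. The handlers are not part of this diff, so that needs checking against each registered plugin. The comment is also repeated verbatim in the hunk at -370; documenting the return values once above `plugin_call_exop_plugins` and referring to it from both call sites would keep the two from drifting. `do_extended` starts and ends outside this hunk.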
@@ -356,7 +363,7 @@ do_extended( Slapi_PBlock *pb )
if ( be == NULL ) {
slapi_log_error(SLAPI_LOG_FATAL, NULL, "extendop.c plugin_extended_op_getbackend was unable to retrieve a backend!!!\n");
- rc = SLAPI_PLUGIN_EXTENDED_NO_BACKEND_AVAILABLE;
+ rc = LDAP_OPERATIONS_ERROR;
} else {
/* We need to make a new be pb here because when you set SLAPI_BACKEND
* you overwrite the plg parts of the pb. So if we re-use pb
@@ -370,6 +377,13 @@ do_extended( Slapi_PBlock *pb )
if (txn_rc) {
slapi_log_error(SLAPI_LOG_FATAL, NULL, "exendop.c Failed to start be_txn for plugin_call_exop_plugins %d\n", txn_rc);
} else {
+ /*
+ * Return values:
+ * SLAPI_PLUGIN_EXTENDED_SENT_RESULT: The result is already sent to the client.
+ * There is nothing to do further.
+ * SLAPI_PLUGIN_EXTENDED_NOT_HANDLED: Unsupported extended operation
+ * LDAP codes (e.g., LDAP_SUCCESS): The result is not sent yet. Call send_ldap_result.
+ */
rc = plugin_call_exop_plugins( pb, p );
slapi_log_error(SLAPI_LOG_TRACE, NULL, "extendop.c called betxn exop, got %d \n", rc);
if (rc == LDAP_SUCCESS || rc == SLAPI_PLUGIN_EXTENDED_SENT_RESULT) {
@@ -399,7 +413,9 @@ do_extended( Slapi_PBlock *pb )
lderr = LDAP_PROTOCOL_ERROR; /* no plugin handled the op */
errmsg = "unsupported extended operation";
} else {
- slapi_log_error(SLAPI_LOG_FATAL, NULL, "extendop.c failed with result %d \n", rc);
+ if (rc != LDAP_SUCCESS) {
+ slapi_log_error(SLAPI_LOG_FATAL, NULL, "extendop.c failed with result %d \n", rc);
+ }
errmsg = NULL;
lderr = rc;
}
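Review bot: The failure message kept under the new `if (rc != LDAP_SUCCESS)` is still written at `SLAPI_LOG_FATAL` and carries only the numeric code, so an error a client can provoke repeatedly lands in the error log at the highest severity with nothing to tie it to a connection, operation or extended-operation OID. Adding those identifiers would let the line be correlated with the access log; whether they are available at this point is not visible in the hunk. Lowering the level for ordinary LDAP result codes would reserve the fatal level for real server faults. `do_extended` continues outside the hunk.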
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index de907d8..1736377 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -543,14 +543,6 @@ plugin_call_exop_plugins( Slapi_PBlock *pb, struct slapdplugin *p )
slapi_pblock_set( pb, SLAPI_PLUGIN, p );
set_db_default_result_handlers( pb );
rc = (*p->plg_exhandler)( pb );
- if (LDAP_SUCCESS == rc) {
- /*
- * Some plugin may return LDAP_SUCCESS in the success case.
- * It is translated to SLAPI_PLUGIN_EXTENDED_SENT_RESULT to
- * reduce the unnecessary error logs.
- */
- rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
- }
return (rc);
}
7 years, 9 months
2 commits - dirsrvtests/tests ldap/servers
by Ludwig Krispenz
dirsrvtests/tests/tickets/ticket48366_test.py | 214 ++++++++++++++++++++++++++
ldap/servers/plugins/acl/acl.c | 13 -
ldap/servers/plugins/acl/acl.h | 2
ldap/servers/plugins/acl/acllist.c | 2
ldap/servers/plugins/acl/aclplugin.c | 10 +
5 files changed, 233 insertions(+), 8 deletions(-)
New commits:
commit 4d154353b014576b9630d63d3ed7b5e5676f13bf
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Tue Feb 16 10:52:57 2016 +0100
Ticket #48366 - proxyauth does not work bound as directory manager
Description: when binding as directory manager, full access is always granted, even if a proxyauthzid is present
Fix: when evaluating if access control can be skipped check for proxy auth
Ticket: https://fedorahosted.org/389/ticket/48366
Reviewed by: Noriko, Thanks
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index be2b805..ba6b774 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -287,7 +287,7 @@ acl_access_allowed(
/* Check for things we need to skip */
TNF_PROBE_0_DEBUG(acl_skipaccess_start,"ACL","");
- if ( acl_skip_access_check ( pb, e )) {
+ if ( acl_skip_access_check ( pb, e, access )) {
slapi_log_error (loglevel, plugin_name,
"conn=%" NSPRIu64 " op=%d (main): Allow %s on entry(%s)"
": root user\n",
@@ -921,7 +921,7 @@ acl_read_access_allowed_on_entry (
** If it's the root, or acl is off or the entry is a rootdse,
** Then you have the privilege to read it.
*/
- if ( acl_skip_access_check ( pb, e ) ) {
+ if ( acl_skip_access_check ( pb, e, access ) ) {
char *n_edn = slapi_entry_get_ndn ( e );
slapi_log_error (SLAPI_LOG_ACL, plugin_name,
"Root access (%s) allowed on entry(%s)\n",
@@ -1227,7 +1227,7 @@ acl_read_access_allowed_on_attr (
n_edn = slapi_entry_get_ndn ( e );
/* If it's the root or acl is off or rootdse, he has all the priv */
- if ( acl_skip_access_check ( pb, e ) ) {
+ if ( acl_skip_access_check ( pb, e, access ) ) {
slapi_log_error (SLAPI_LOG_ACL, plugin_name,
"Root access (%s) allowed on entry(%s)\n",
acl_access2str(access),
@@ -4053,14 +4053,17 @@ acl__get_attrEval ( struct acl_pblock *aclpb, char *attr )
*
*/
int
-acl_skip_access_check ( Slapi_PBlock *pb, Slapi_Entry *e )
+acl_skip_access_check ( Slapi_PBlock *pb, Slapi_Entry *e, int access )
{
int rv, isRoot, accessCheckDisabled;
void *conn = NULL;
Slapi_Backend *be;
+ struct acl_pblock *aclpb = NULL;
slapi_pblock_get ( pb, SLAPI_REQUESTOR_ISROOT, &isRoot );
- if ( isRoot ) return ACL_TRUE;
+ /* need to check if root is proying another user */
+ aclpb = acl_get_aclpb ( pb, ACLPB_PROXYDN_PBLOCK );
+ if ( isRoot && ((access &SLAPI_ACL_PROXY) || !aclpb)) return ACL_TRUE;
/* See if this is local request */
slapi_pblock_get ( pb, SLAPI_CONNECTION, &conn);
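Review bot: The root short-circuit in `acl_skip_access_check` now relies on `acl_get_aclpb ( pb, ACLPB_PROXYDN_PBLOCK )` being non-NULL whenever a proxied authorization is in effect, and a NULL return falls back to unrestricted root access. If the proxy aclpb can be absent for a proxied operation (not determinable from this hunk), the check fails open, so the invariant deserves a comment such as `/* root bypasses ACL evaluation unless it acts for a proxied identity; the proxy right itself is always granted to root */`. The added comment's "proying" should read "proxying". The acllist.c hunk passes `access` as 0, so that caller depends on the aclpb test alone; the function body continues outside this hunk.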
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index da39cbc..6e3198f 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -822,7 +822,7 @@ void acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb,
const char *dn, int copy_from_aclcb);
int acl_create_aclpb_pool ();
void acl_destroy_aclpb_pool ();
-int acl_skip_access_check ( Slapi_PBlock *pb, Slapi_Entry *e );
+int acl_skip_access_check ( Slapi_PBlock *pb, Slapi_Entry *e, int access );
int aclext_alloc_lockarray ();
void aclext_free_lockarray();
diff --git a/ldap/servers/plugins/acl/acllist.c b/ldap/servers/plugins/acl/acllist.c
index d604e37..cc0e9b3 100644
--- a/ldap/servers/plugins/acl/acllist.c
+++ b/ldap/servers/plugins/acl/acllist.c
@@ -611,7 +611,7 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base)
char *basedn = NULL;
int index;
- if ( acl_skip_access_check ( pb, NULL ) ) {
+ if ( acl_skip_access_check ( pb, NULL, 0 ) ) {
return;
}
diff --git a/ldap/servers/plugins/acl/aclplugin.c b/ldap/servers/plugins/acl/aclplugin.c
index d90996e..50de2cc 100644
--- a/ldap/servers/plugins/acl/aclplugin.c
+++ b/ldap/servers/plugins/acl/aclplugin.c
@@ -110,14 +110,22 @@ aclplugin_preop_search ( Slapi_PBlock *pb )
Slapi_DN *sdn = NULL;
int optype;
int isRoot;
+ int isProxy = 0;
int rc = 0;
+ char *errtxt = NULL;
+ char *proxy_dn = NULL;
TNF_PROBE_0_DEBUG(aclplugin_preop_search_start ,"ACL","");
slapi_pblock_get ( pb, SLAPI_OPERATION_TYPE, &optype );
slapi_pblock_get ( pb, SLAPI_REQUESTOR_ISROOT, &isRoot );
- if ( isRoot ) {
+ if (LDAP_SUCCESS == proxyauth_get_dn(pb, &proxy_dn, &errtxt) && proxy_dn) {
+ isProxy = 1;
+ slapi_ch_free_string(&proxy_dn);
+ }
+
+ if ( isRoot && !isProxy) {
TNF_PROBE_1_DEBUG(aclplugin_preop_search_end ,"ACL","",
tnf_string,isroot,"");
return rc;
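Review bot: In `aclplugin_preop_search` a proxy is recognised only when `proxyauth_get_dn` returns `LDAP_SUCCESS` together with a DN, so any error from that call leaves `isProxy` at 0 and a root-bound request takes the early return that skips ACL setup. Unless a request with a bad proxied-authorization control is rejected earlier (not visible here), the safer reading of a failed lookup is "do not skip", for example `isProxy = (LDAP_SUCCESS != proxyauth_get_dn(pb, &proxy_dn, &errtxt)) || (proxy_dn != NULL);` followed by the existing free. `errtxt` is fetched and never used; logging it on failure would make such requests visible. This file detects a proxy through `proxyauth_get_dn` while `acl_skip_access_check` in acl.c uses `acl_get_aclpb`, and a shared helper would keep the two checks from disagreeing.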
commit 59e45a75a8ba2995b5ddb33a42fc017ecf3d17a3
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Fri Jun 17 13:49:05 2016 +0200
add testcase for ticket 48366 - proxyauth for root
diff --git a/dirsrvtests/tests/tickets/ticket48366_test.py b/dirsrvtests/tests/tickets/ticket48366_test.py
new file mode 100644
index 0000000..fb2dd97
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket48366_test.py
@@ -0,0 +1,214 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2015 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from ldap.controls.simple import ProxyAuthzControl
+
+log = logging.getLogger(__name__)
+
+installation_prefix = None
+
+PROXY_USER_DN = 'cn=proxy,ou=people,%s' % SUFFIX
+TEST_USER_DN = 'cn=test,ou=people,%s' % SUFFIX
+USER_PW = 'password'
+
+
+# subtrees used in test
+SUBTREE_GREEN = "ou=green,%s" % SUFFIX
+SUBTREE_RED = "ou=red,%s" % SUFFIX
+SUBTREES = (SUBTREE_GREEN, SUBTREE_RED)
+
+class TopologyStandalone(object):
+ def __init__(self, standalone):
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ global installation_prefix
+
+ if installation_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation_prefix
+
+ standalone = DirSrv(verbose=False)
+
+ # Args for the standalone instance
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+
+ # Get the status of the instance and restart it if it exists
+ instance_standalone = standalone.exists()
+
+ # Remove the instance
+ if instance_standalone:
+ standalone.delete()
+
+ # Create the instance
+ standalone.create()
+
+ # Used to retrieve configuration information (dbdir, confdir...)
+ standalone.open()
+
+ # clear the tmp directory
+ standalone.clearTmpDir(__file__)
+
+ # Here we have standalone instance up and running
+ return TopologyStandalone(standalone)
+
+
+def test_ticket48366_init(topology):
+ """
+ It creates identical entries in 3 subtrees
+ It creates aci which allow access to a set of attrs
+ in two of these subtrees for bound users
+ It creates a user to be used for test
+
+ """
+
+
+ topology.standalone.log.info("Add subtree: %s" % SUBTREE_GREEN)
+ topology.standalone.add_s(Entry((SUBTREE_GREEN, {
+ 'objectclass': "top organizationalunit".split(),
+ 'ou': "green_one"})))
+ topology.standalone.log.info("Add subtree: %s" % SUBTREE_RED)
+ topology.standalone.add_s(Entry((SUBTREE_RED, {
+ 'objectclass': "top organizationalunit".split(),
+ 'ou': "red"})))
+
+ # add proxy user and test user
+ topology.standalone.log.info("Add %s" % TEST_USER_DN)
+ topology.standalone.add_s(Entry((TEST_USER_DN, {
+ 'objectclass': "top person".split(),
+ 'sn': 'test',
+ 'cn': 'test',
+ 'userpassword': USER_PW})))
+ topology.standalone.log.info("Add %s" % PROXY_USER_DN)
+ topology.standalone.add_s(Entry((PROXY_USER_DN, {
+ 'objectclass': "top person".split(),
+ 'sn': 'proxy',
+ 'cn': 'proxy',
+ 'userpassword': USER_PW})))
+
+ # enable acl error logging
+ # mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')]
+ # topology.standalone.modify_s(DN_CONFIG, mod)
+
+ # get rid of default ACIs
+ mod = [(ldap.MOD_DELETE, 'aci', None)]
+ topology.standalone.modify_s(SUFFIX, mod)
+
+ # Ok Now add the proper ACIs
+ ACI_TARGET = "(target = \"ldap:///%s\")" % SUBTREE_GREEN
+ ACI_TARGETATTR = "(targetattr = \"objectclass || cn || sn || uid || givenname \")"
+ ACI_ALLOW = "(version 3.0; acl \"Allow search-read to green subtree\"; allow (read, search, compare)"
+ ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % TEST_USER_DN
+ ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
+ mod = [(ldap.MOD_ADD, 'aci', ACI_BODY)]
+ topology.standalone.modify_s(SUFFIX, mod)
+
+ ACI_ALLOW = "(version 3.0; acl \"Allow use pf proxy auth to green subtree\"; allow (proxy)"
+ ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % PROXY_USER_DN
+ ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
+ mod = [(ldap.MOD_ADD, 'aci', ACI_BODY)]
+ topology.standalone.modify_s(SUFFIX, mod)
+
+ log.info("Adding %d test entries...")
+ for id in range(2):
+ name = "%s%d" % ('test', id)
+ mail = "%s(a)example.com" % name
+ for subtree in SUBTREES:
+ topology.standalone.add_s(Entry(("cn=%s,%s" % (name, subtree), {
+ 'objectclass': "top person organizationalPerson inetOrgPerson".split(),
+ 'sn': name,
+ 'cn': name,
+ 'uid': name,
+ 'givenname': 'test',
+ 'mail': mail,
+ 'description': 'description',
+ 'employeenumber': "%d" % id,
+ 'telephonenumber': "%d%d%d" % (id,id,id),
+ 'mobile': "%d%d%d" % (id,id,id),
+ 'l': 'MV',
+ 'title': 'Engineer'})))
+
+
+
+def test_ticket48366_search_user(topology):
+
+ proxy_ctrl = ProxyAuthzControl(criticality=True, authzId="dn: "+TEST_USER_DN)
+ # searching as test user should return one entry from the green subtree
+ topology.standalone.simple_bind_s(TEST_USER_DN, PASSWORD)
+ ents = topology.standalone.search_s(SUFFIX, ldap.SCOPE_SUBTREE, 'uid=test1')
+ assert (len(ents) == 1)
+
+ # searching as proxy user should return no entry
+ topology.standalone.simple_bind_s(PROXY_USER_DN, PASSWORD)
+ ents = topology.standalone.search_s(SUFFIX, ldap.SCOPE_SUBTREE, 'uid=test1')
+ assert (len(ents) == 0)
+
+ # serching as proxy user, authorizing as test user should return 1 entry
+ ents = topology.standalone.search_ext_s(SUFFIX, ldap.SCOPE_SUBTREE, 'uid=test1', serverctrls=[proxy_ctrl])
+ assert (len(ents) == 1)
+
+def test_ticket48366_search_dm(topology):
+
+ # searching as directory manager should return one entries from both subtrees
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ ents = topology.standalone.search_s(SUFFIX, ldap.SCOPE_SUBTREE, 'uid=test1')
+ assert (len(ents) == 2)
+
+ # searching as directory manager proxying test user should return one entry
+ proxy_ctrl = ProxyAuthzControl(criticality=True, authzId="dn: "+TEST_USER_DN)
+ ents = topology.standalone.search_ext_s(SUFFIX, ldap.SCOPE_SUBTREE, 'uid=test1', serverctrls=[proxy_ctrl])
+ assert (len(ents) == 1)
+
+ # searching as directory manager proxying proxy user should return no entry
+ proxy_ctrl = ProxyAuthzControl(criticality=True, authzId="dn: "+PROXY_USER_DN)
+ ents = topology.standalone.search_ext_s(SUFFIX, ldap.SCOPE_SUBTREE, 'uid=test1', serverctrls=[proxy_ctrl])
+ assert (len(ents) == 0)
+
+def test_ticket48366_final(topology):
+ topology.standalone.delete()
+ log.info('Testcase PASSED')
+
+
+def run_isolated():
+ '''
+ run_isolated is used to run these test cases independently of a test scheduler (xunit, py.test..)
+ To run isolated without py.test, you need to
+ - edit this file and comment '@pytest.fixture' line before 'topology' function.
+ - set the installation prefix
+ - run this program
+ '''
+ global installation_prefix
+ installation_prefix = None
+
+ topo = topology(True)
+ test_ticket48366_init(topo)
+
+ test_ticket48366_search_dm(topo)
+
+ test_ticket48366_final(topo)
+
+
+if __name__ == '__main__':
+ run_isolated()
+
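Review bot: `test_ticket48366_search_user` binds the test and proxy users with `PASSWORD`, although both entries are created with `USER_PW`; the binds succeed only if the imported `PASSWORD` constant happens to equal 'password', so they should read `topology.standalone.simple_bind_s(TEST_USER_DN, USER_PW)` and likewise for `PROXY_USER_DN`. `run_isolated` never calls `test_ticket48366_search_user`, so the isolated run skips the non-root proxy cases. The docstring of `test_ticket48366_init` mentions three subtrees where two are created, and `log.info("Adding %d test entries...")` is given no argument for `%d`. A case where Directory Manager proxies an authzId that does not exist would also be worth adding, since that is the path where falling back to root access would do the most damage.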
7 years, 9 months
Branch '389-ds-base-1.2.11' - ldap/admin
by Mark Reynolds
ldap/admin/src/scripts/repl-monitor.pl.in | 29 +++++++++++++++++++++--------
1 file changed, 21 insertions(+), 8 deletions(-)
New commits:
commit 68166d4ec19d9a84543b78c5f3ab14cafceb1a25
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Fri Jun 17 20:58:16 2016 -0400
Ticket 47538 - repl-monitor.pl not displaying correct color code for lag time
Bug Description: The tool was not correctly picking the correct
color code in the html report.
Fix Description: Correct the logic for picking the color. Also
found an issue where if the agmtmaxcsn contains
"unavailable" for the supplier maxcsn the tool
did not know how to properly handle it.
https://fedorahosted.org/389/ticket/47538
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 7ada2e2f1bdaab24f39d197b1569f9d418059534)
diff --git a/ldap/admin/src/scripts/repl-monitor.pl.in b/ldap/admin/src/scripts/repl-monitor.pl.in
index 4cb0bef..94a6a92 100755
--- a/ldap/admin/src/scripts/repl-monitor.pl.in
+++ b/ldap/admin/src/scripts/repl-monitor.pl.in
@@ -811,9 +811,7 @@ sub print_consumers
if ($c_ridx >= 0) {
$myruv = $allruvs {"$c_ridx:$mid"};
- ($c_maxcsn, $c_lastmodified) = split ( /;/, "$myruv" );
- ($c_maxcsn_str, $lag, $markcolor) = &cacl_time_lag ($m_maxcsn, $c_maxcsn);
- if(!$opt_s){ $c_maxcsn_str =~ s/ /\<br\>/; }
+ ($c_maxcsn, $c_lastmodified) = split ( /;/, $myruv );
($c_sidx, $c_replicaroot, $c_replicatype) = split (/:/, $allreplicas[$c_ridx]);
$c_replicaroot = "same as master" if $m_replicaroot eq $c_replicaroot;
}
@@ -848,6 +846,17 @@ sub print_consumers
if ($first_entry) {
$first_entry = 0;
$c_ldapurl = &get_ldap_url ($c_sidx, $conntype);
+ if ($c_ridx >= 0) {
+ ($c_maxcsn_str, $lag, $markcolor, $supplier_maxcsn) =
+ &cacl_time_lag ($_->{nsDS5ReplicaRoot},
+ $_->{cn},
+ $_->{nsds5ReplicaHost},
+ $_->{nsds5ReplicaPort},
+ $s_ridx,
+ $m_maxcsn,
+ $c_maxcsn);
+ if(!$opt_s){ $c_maxcsn_str =~ s/ /\<br\>/; }
+ }
if($opt_s){
print "Receiver: $c_ldapurl\nType: $c_replicatype\n";
print "Time Lag: $lag\n";
@@ -1132,7 +1141,7 @@ sub get_ldap_url
sub to_decimal_csn
{
my ($maxcsn) = @_;
- if (!$maxcsn || $maxcsn eq "") {
+ if (!$maxcsn || $maxcsn eq "" || $maxcsn eq "Unavailable") {
return "none";
}
@@ -1152,6 +1161,9 @@ sub to_string_csn
if (!$rawcsn || $rawcsn eq "") {
return "none";
}
+ if ($rawcsn eq "Unavailable"){
+ return $rawcsn;
+ }
my ($tm, $seq, $masterid, $subseq) = split(/ /, $decimalcsn);
my ($sec, $min, $hour, $mday, $mon, $year) = localtime($tm);
$mon++;
@@ -1171,8 +1183,9 @@ sub get_color
my ($color) = $allcolors { $colorkeys[0] };
foreach ( keys %allcolors) {
- last if ($lag_minute < $_);
- $color = $allcolors {$_};
+ if ($lag_minute >= $_){
+ $color = $allcolors {$_};
+ }
}
return $color;
}
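Review bot: The rewritten loop in `get_color` walks `keys %allcolors`, whose order Perl does not define, so `$color` ends up as whichever qualifying threshold happens to be visited last rather than the largest threshold not above `$lag_minute`. Iterating the thresholds in ascending numeric order fixes that: `foreach (sort { $a <=> $b } keys %allcolors) {`. If `@colorkeys`, used just above the loop, is already sorted that way (its construction is outside the hunk), `foreach (@colorkeys) {` would do. The same loop is added in the `get_color` hunks of the 389-ds-base-1.3.3 and 389-ds-base-1.3.4 commits further down the page.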
@@ -1235,9 +1248,9 @@ sub print_html_header
print "Directory Server Replication Status ($version)\n\n";
print "Time: $now";
if ($opt_u) {
- print " - This report updates every $interval seconds\n\n";
+ print " - This report updates every $interval seconds\n\n";
} else {
- print "\n\n";
+ print "\n";
}
}
}
7 years, 9 months
Branch '389-ds-base-1.3.3' - ldap/admin
by Mark Reynolds
ldap/admin/src/scripts/repl-monitor.pl.in | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
New commits:
commit 62052f78a566390376bac31465a157484bf66e4a
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Fri Jun 17 20:58:16 2016 -0400
Ticket 47538 - repl-monitor.pl not displaying correct color code for lag time
Bug Description: The tool was not correctly picking the correct
color code in the html report.
Fix Description: Correct the logic for picking the color. Also
found an issue where if the agmtmaxcsn contains
"unavailable" for the supplier maxcsn the tool
did not know how to properly handle it.
https://fedorahosted.org/389/ticket/47538
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 7ada2e2f1bdaab24f39d197b1569f9d418059534)
diff --git a/ldap/admin/src/scripts/repl-monitor.pl.in b/ldap/admin/src/scripts/repl-monitor.pl.in
index 3b1cf30..5354a8b 100755
--- a/ldap/admin/src/scripts/repl-monitor.pl.in
+++ b/ldap/admin/src/scripts/repl-monitor.pl.in
@@ -820,7 +820,7 @@ sub print_consumers
if ($c_ridx >= 0) {
$myruv = $allruvs {"$c_ridx:$mid"};
- ($c_maxcsn, $c_lastmodified) = split ( /;/, "$myruv" );
+ ($c_maxcsn, $c_lastmodified) = split ( /;/, $myruv );
($c_sidx, $c_replicaroot, $c_replicatype) = split (/:/, $allreplicas[$c_ridx]);
$c_replicaroot = "same as master" if $m_replicaroot eq $c_replicaroot;
}
@@ -859,7 +859,7 @@ sub print_consumers
$first_entry = 0;
$c_ldapurl = &get_ldap_url ($c_sidx, $conntype);
if ($c_ridx >= 0) {
- ($c_maxcsn_str, $lag, $markcolor, $supplier_maxcsn) =
+ ($c_maxcsn_str, $lag, $markcolor, $supplier_maxcsn) =
&cacl_time_lag ($_->{nsDS5ReplicaRoot},
$_->{cn},
$_->{nsds5ReplicaHost},
@@ -1209,7 +1209,7 @@ sub get_ldap_url
sub to_decimal_csn
{
my ($maxcsn) = @_;
- if (!$maxcsn || $maxcsn eq "") {
+ if (!$maxcsn || $maxcsn eq "" || $maxcsn eq "Unavailable") {
return "none";
}
@@ -1229,6 +1229,9 @@ sub to_string_csn
if (!$rawcsn || $rawcsn eq "") {
return "none";
}
+ if ($rawcsn eq "Unavailable"){
+ return $rawcsn;
+ }
my ($tm, $seq, $masterid, $subseq) = split(/ /, $decimalcsn);
my ($sec, $min, $hour, $mday, $mon, $year) = localtime($tm);
$mon++;
@@ -1249,8 +1252,9 @@ sub get_color
my ($color) = $allcolors { $colorkeys[0] };
foreach ( keys %allcolors) {
- last if ($lag_minute < $_);
- $color = $allcolors {$_};
+ if ($lag_minute >= $_){
+ $color = $allcolors {$_};
+ }
}
return $color;
}
@@ -1313,9 +1317,9 @@ sub print_html_header
print "Directory Server Replication Status ($version)\n\n";
print "Time: $now";
if ($opt_u) {
- print " - This report updates every $interval seconds\n\n";
+ print " - This report updates every $interval seconds\n\n";
} else {
- print "\n";
+ print "\n";
}
}
}
7 years, 9 months
Branch '389-ds-base-1.3.4' - ldap/admin
by Mark Reynolds
ldap/admin/src/scripts/repl-monitor.pl.in | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
New commits:
commit 769b1b2e0be4dfd19161fdafb16bb813426dd675
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Fri Jun 17 20:58:16 2016 -0400
Ticket 47538 - repl-monitor.pl not displaying correct color code for lag time
Bug Description: The tool was not correctly picking the correct
color code in the html report.
Fix Description: Correct the logic for picking the color. Also
found an issue where if the agmtmaxcsn contains
"unavailable" for the supplier maxcsn the tool
did not know how to properly handle it.
https://fedorahosted.org/389/ticket/47538
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 7ada2e2f1bdaab24f39d197b1569f9d418059534)
diff --git a/ldap/admin/src/scripts/repl-monitor.pl.in b/ldap/admin/src/scripts/repl-monitor.pl.in
index a670610..eca3db0 100755
--- a/ldap/admin/src/scripts/repl-monitor.pl.in
+++ b/ldap/admin/src/scripts/repl-monitor.pl.in
@@ -791,7 +791,7 @@ sub print_consumers
if ($c_ridx >= 0) {
$myruv = $allruvs {"$c_ridx:$mid"};
- ($c_maxcsn, $c_lastmodified) = split ( /;/, "$myruv" );
+ ($c_maxcsn, $c_lastmodified) = split ( /;/, $myruv );
($c_sidx, $c_replicaroot, $c_replicatype) = split (/:/, $allreplicas[$c_ridx]);
$c_replicaroot = "same as master" if $m_replicaroot eq $c_replicaroot;
}
@@ -830,7 +830,7 @@ sub print_consumers
$first_entry = 0;
$c_ldapurl = &get_ldap_url ($c_sidx, $conntype);
if ($c_ridx >= 0) {
- ($c_maxcsn_str, $lag, $markcolor, $supplier_maxcsn) =
+ ($c_maxcsn_str, $lag, $markcolor, $supplier_maxcsn) =
&cacl_time_lag ($_->{nsDS5ReplicaRoot},
$_->{cn},
$_->{nsds5ReplicaHost},
@@ -1180,7 +1180,7 @@ sub get_ldap_url
sub to_decimal_csn
{
my ($maxcsn) = @_;
- if (!$maxcsn || $maxcsn eq "") {
+ if (!$maxcsn || $maxcsn eq "" || $maxcsn eq "Unavailable") {
return "none";
}
@@ -1200,6 +1200,9 @@ sub to_string_csn
if (!$rawcsn || $rawcsn eq "") {
return "none";
}
+ if ($rawcsn eq "Unavailable"){
+ return $rawcsn;
+ }
my ($tm, $seq, $masterid, $subseq) = split(/ /, $decimalcsn);
my ($sec, $min, $hour, $mday, $mon, $year) = localtime($tm);
$mon++;
@@ -1220,8 +1223,9 @@ sub get_color
my ($color) = $allcolors { $colorkeys[0] };
foreach ( keys %allcolors) {
- last if ($lag_minute < $_);
- $color = $allcolors {$_};
+ if ($lag_minute >= $_){
+ $color = $allcolors {$_};
+ }
}
return $color;
}
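Review bot: The rewritten loop in get_color still walks `keys %allcolors`, whose order Perl does not guarantee, and it now overwrites `$color` for every threshold that `$lag_minute` reaches, so the colour returned is the last matching key in hash order rather than the highest threshold reached. Iterating in ascending numeric order makes the result deterministic: `foreach (sort { $a <=> $b } keys %allcolors) {`. If `@colorkeys`, used on the first line of the hunk, already holds the sorted thresholds (not visible here), looping over it would do the same. A lag colour that under-reports hides a replica that has fallen behind, which matters when the HTML report is used as a replication health signal. get_color begins above the hunk, and the same hunk recurs in the original commit 7ada2e2f1bdaab24f39d197b1569f9d418059534 further down the page.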
@@ -1284,9 +1288,9 @@ sub print_html_header
print "Directory Server Replication Status ($version)\n\n";
print "Time: $now";
if ($opt_u) {
- print " - This report updates every $interval seconds\n\n";
+ print " - This report updates every $interval seconds\n\n";
} else {
- print "\n";
+ print "\n";
}
}
}
ldap/admin
by Mark Reynolds
ldap/admin/src/scripts/repl-monitor.pl.in | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
New commits:
commit 7ada2e2f1bdaab24f39d197b1569f9d418059534
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Fri Jun 17 20:58:16 2016 -0400
Ticket 47538 - repl-monitor.pl not displaying correct color code for lag time
Bug Description: The tool was not picking the correct
color code in the html report.
Fix Description: Correct the logic for picking the color. Also
found an issue where if the agmtmaxcsn contains
"unavailable" for the supplier maxcsn the tool
did not know how to properly handle it.
https://fedorahosted.org/389/ticket/47538
Reviewed by: nhosoi(Thanks!)
diff --git a/ldap/admin/src/scripts/repl-monitor.pl.in b/ldap/admin/src/scripts/repl-monitor.pl.in
index 0964ae0..0247f24 100755
--- a/ldap/admin/src/scripts/repl-monitor.pl.in
+++ b/ldap/admin/src/scripts/repl-monitor.pl.in
@@ -790,7 +790,7 @@ sub print_consumers
if ($c_ridx >= 0) {
$myruv = $allruvs {"$c_ridx:$mid"};
- ($c_maxcsn, $c_lastmodified) = split ( /;/, "$myruv" );
+ ($c_maxcsn, $c_lastmodified) = split ( /;/, $myruv );
($c_sidx, $c_replicaroot, $c_replicatype) = split (/:/, $allreplicas[$c_ridx]);
$c_replicaroot = "same as master" if $m_replicaroot eq $c_replicaroot;
}
@@ -829,7 +829,7 @@ sub print_consumers
$first_entry = 0;
$c_ldapurl = &get_ldap_url ($c_sidx, $conntype);
if ($c_ridx >= 0) {
- ($c_maxcsn_str, $lag, $markcolor, $supplier_maxcsn) =
+ ($c_maxcsn_str, $lag, $markcolor, $supplier_maxcsn) =
&cacl_time_lag ($_->{nsDS5ReplicaRoot},
$_->{cn},
$_->{nsds5ReplicaHost},
@@ -1179,7 +1179,7 @@ sub get_ldap_url
sub to_decimal_csn
{
my ($maxcsn) = @_;
- if (!$maxcsn || $maxcsn eq "") {
+ if (!$maxcsn || $maxcsn eq "" || $maxcsn eq "Unavailable") {
return "none";
}
@@ -1199,6 +1199,9 @@ sub to_string_csn
if (!$rawcsn || $rawcsn eq "") {
return "none";
}
+ if ($rawcsn eq "Unavailable"){
+ return $rawcsn;
+ }
my ($tm, $seq, $masterid, $subseq) = split(/ /, $decimalcsn);
my ($sec, $min, $hour, $mday, $mon, $year) = localtime($tm);
$mon++;
@@ -1219,8 +1222,9 @@ sub get_color
my ($color) = $allcolors { $colorkeys[0] };
foreach ( keys %allcolors) {
- last if ($lag_minute < $_);
- $color = $allcolors {$_};
+ if ($lag_minute >= $_){
+ $color = $allcolors {$_};
+ }
}
return $color;
}
@@ -1283,9 +1287,9 @@ sub print_html_header
print "Directory Server Replication Status ($version)\n\n";
print "Time: $now";
if ($opt_u) {
- print " - This report updates every $interval seconds\n\n";
+ print " - This report updates every $interval seconds\n\n";
} else {
- print "\n";
+ print "\n";
}
}
}
Branch '389-ds-base-1.3.4' - ldap/servers man/man1
by Noriko Hosoi
ldap/servers/slapd/tools/ldclt/ldcltU.c | 2 +-
man/man1/ldclt.1 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
New commits:
commit 8d8f7e882bf96dd5cacfbb150c5ddc14b76335de
Author: Viktor Ashirov <vashirov(a)redhat.com>
Date: Tue Jun 14 10:18:54 2016 +0200
Ticket 48889 - ldclt - fix man page and usage info
Bug description:
ldclt uses dc=example,dc=com as default base DN,
but man page and usage info report a different base DN.
Fix description:
Replace o=sun,c=us with dc=example,dc=com in man page and
usage info
https://fedorahosted.org/389/ticket/48889
Reviewed by: mreynolds(a)redhat.com
(cherry picked from commit cc6e1f002bda6b212c7c17ef8fe0222aa30c7598)
diff --git a/ldap/servers/slapd/tools/ldclt/ldcltU.c b/ldap/servers/slapd/tools/ldclt/ldcltU.c
index 4597a03..bdaa6f9 100644
--- a/ldap/servers/slapd/tools/ldclt/ldcltU.c
+++ b/ldap/servers/slapd/tools/ldclt/ldcltU.c
@@ -134,7 +134,7 @@ void usage ()
(void) printf ("\n");
(void) printf (" The valid options are:\n");
(void) printf (" -a Asynchronous mode, with max pending operations.\n");
- (void) printf (" -b Give the base DN to use. Default \"o=sun,c=us\".\n");
+ (void) printf (" -b Give the base DN to use. Default \"dc=example,dc=com\".\n");
(void) printf (" -D Bind DN. See -w\n");
(void) printf (" -E Max errors allowed. Default 1000.\n");
(void) printf (" -e Execution parameters:\n");
diff --git a/man/man1/ldclt.1 b/man/man1/ldclt.1
index 87bc6b4..6a672a2 100644
--- a/man/man1/ldclt.1
+++ b/man/man1/ldclt.1
@@ -41,7 +41,7 @@ The valid options are:
Asynchronous mode, with max pending operations.
.TP
.B \fB\-b\fR
-Give the base DN to use. Default "o=sun,c=us".
+Give the base DN to use. Default "dc=example,dc=com".
.TP
.B \fB\-D\fR
Bind DN. See \fB\-w\fR
ldap/servers man/man1
by Noriko Hosoi
ldap/servers/slapd/tools/ldclt/ldcltU.c | 2 +-
man/man1/ldclt.1 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
New commits:
commit cc6e1f002bda6b212c7c17ef8fe0222aa30c7598
Author: Viktor Ashirov <vashirov(a)redhat.com>
Date: Tue Jun 14 10:18:54 2016 +0200
Ticket 48889 - ldclt - fix man page and usage info
Bug description:
ldclt uses dc=example,dc=com as default base DN,
but man page and usage info report a different base DN.
Fix description:
Replace o=sun,c=us with dc=example,dc=com in man page and
usage info
https://fedorahosted.org/389/ticket/48889
Reviewed by: mreynolds(a)redhat.com
diff --git a/ldap/servers/slapd/tools/ldclt/ldcltU.c b/ldap/servers/slapd/tools/ldclt/ldcltU.c
index e1fb4f4..018989c 100644
--- a/ldap/servers/slapd/tools/ldclt/ldcltU.c
+++ b/ldap/servers/slapd/tools/ldclt/ldcltU.c
@@ -135,7 +135,7 @@ void usage ()
(void) printf ("\n");
(void) printf (" The valid options are:\n");
(void) printf (" -a Asynchronous mode, with max pending operations.\n");
- (void) printf (" -b Give the base DN to use. Default \"o=sun,c=us\".\n");
+ (void) printf (" -b Give the base DN to use. Default \"dc=example,dc=com\".\n");
(void) printf (" -D Bind DN. See -w\n");
(void) printf (" -E Max errors allowed. Default 1000.\n");
(void) printf (" -e Execution parameters:\n");
diff --git a/man/man1/ldclt.1 b/man/man1/ldclt.1
index 206bacf..4105f42 100644
--- a/man/man1/ldclt.1
+++ b/man/man1/ldclt.1
@@ -41,7 +41,7 @@ The valid options are:
Asynchronous mode, with max pending operations.
.TP
.B \fB\-b\fR
-Give the base DN to use. Default "o=sun,c=us".
+Give the base DN to use. Default "dc=example,dc=com".
.TP
.B \fB\-D\fR
Bind DN. See \fB\-w\fR