directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r326243 - in /directory/apacheds/trunk/core/src: main/java/org/apache/ldap/server/authz/ main/java/org/apache/ldap/server/partition/ test/org/apache/ldap/server/authz/
Date Tue, 18 Oct 2005 21:03:38 GMT
Author: akarasulu
Date: Tue Oct 18 14:03:32 2005
New Revision: 326243

URL: http://svn.apache.org/viewcvs?rev=326243&view=rev
Log:
changes ...

 o moved collection for safe lookup bypasses into the DPNP so other 
   interceptors can utilize it: this is a common operation/bypass
 o uncommented and modified search tests for authorization rules which
   now seem to work like a champion although I still need more tests 
   like the following:
 
     * test the hiding of attributes 
     * test selective excusion of entries from search results (now we
       are only testing do we get all or not with ACI)
     * test the hiding of specific values of attributes 
     * test the use of both entry ACI and subentry ACI in combination
       with perscriptive ACI
     * test out the effects of denials in concert with grants
     * test out the effects of precidence


Modified:
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/partition/DirectoryPartitionNexusProxy.java
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java?rev=326243&r1=326242&r2=326243&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
Tue Oct 18 14:03:32 2005
@@ -144,7 +144,7 @@
         {
             Name parentDn = ( Name ) dn.clone();
             parentDn.remove( dn.size() - 1 );
-            entry = proxy.lookup( parentDn, LOOKUP_BYPASS );
+            entry = proxy.lookup( parentDn, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         }
 
         Attribute subentries = entry.get( AC_SUBENTRY_ATTR );
@@ -219,7 +219,7 @@
         // will contain the subentryACI attributes that effect subentries
         Name parentDn = ( Name ) dn.clone();
         parentDn.remove( dn.size() - 1 );
-        Attributes administrativeEntry = proxy.lookup( parentDn, LOOKUP_BYPASS );
+        Attributes administrativeEntry = proxy.lookup( parentDn, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         Attribute subentryAci = administrativeEntry.get( SUBENTRYACI_ATTR );
 
         if ( subentryAci == null )
@@ -334,7 +334,7 @@
         // Access the principal requesting the operation, and bypass checks if it is the
admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
+        Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled )
         {
@@ -359,27 +359,12 @@
     }
 
 
-    private static final Collection LOOKUP_BYPASS;
-    static
-    {
-            Collection c = new HashSet();
-            c.add( "normalizationService" );
-            c.add( "authenticationService" );
-            c.add( "authorizationService" );
-            c.add( "oldAuthorizationService" );
-            c.add( "schemaService" );
-            c.add( "subentryService" );
-            c.add( "operationalAttributeService" );
-            c.add( "eventService" );
-            LOOKUP_BYPASS = Collections.unmodifiableCollection( c );
-    }
-
     public void modify( NextInterceptor next, Name name, int modOp, Attributes mods ) throws
NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the
admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
+        Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled )
         {
@@ -436,7 +421,7 @@
         // Access the principal requesting the operation, and bypass checks if it is the
admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
+        Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled )
         {
@@ -495,7 +480,7 @@
     {
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
+        Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
 
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled )
@@ -569,7 +554,7 @@
     {
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( dn, LOOKUP_BYPASS );
+        Attributes entry = proxy.lookup( dn, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
 
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled )
@@ -587,7 +572,7 @@
     {
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
+        Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
 
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled )
@@ -606,7 +591,7 @@
         // Access the principal requesting the operation, and bypass checks if it is the
admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
+        Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         Name newName = ( Name ) name.clone();
         newName.remove( name.size() - 1 );
@@ -667,7 +652,7 @@
         // Access the principal requesting the operation, and bypass checks if it is the
admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( oriChildName, LOOKUP_BYPASS );
+        Attributes entry = proxy.lookup( oriChildName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         Name newName = ( Name ) newParentName.clone();
         newName.add( newRn );
@@ -737,7 +722,7 @@
         // Access the principal requesting the operation, and bypass checks if it is the
admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( oriChildName, LOOKUP_BYPASS );
+        Attributes entry = proxy.lookup( oriChildName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         Name newName = ( Name ) newParentName.clone();
         newName.add( oriChildName.get( oriChildName.size() - 1 ) );
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
@@ -810,7 +795,7 @@
         // Access the principal requesting the operation, and bypass checks if it is the
admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
+        Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled )
         {
@@ -857,7 +842,7 @@
         * tests.  If we hasPermission() returns false we immediately short the
         * process and return false.
         */
-        Attributes entry = invocation.getProxy().lookup( normName, LOOKUP_BYPASS );
+        Attributes entry = invocation.getProxy().lookup( normName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
         Name userDn = ctx.getPrincipal().getJndiName();
         Set userGroups = groupCache.getGroups( userDn.toString() );
@@ -933,7 +918,8 @@
         }
 
 
-        public boolean accept( Invocation invocation, SearchResult result, SearchControls
controls ) throws NamingException
+        public boolean accept( Invocation invocation, SearchResult result, SearchControls
controls )
+                throws NamingException
         {
             Name normName = parser.parse( result.getName() );
 

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/partition/DirectoryPartitionNexusProxy.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/partition/DirectoryPartitionNexusProxy.java?rev=326243&r1=326242&r2=326243&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/partition/DirectoryPartitionNexusProxy.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/partition/DirectoryPartitionNexusProxy.java
Tue Oct 18 14:03:32 2005
@@ -17,10 +17,7 @@
 package org.apache.ldap.server.partition;
 
 
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Collection;
-import java.util.Collections;
+import java.util.*;
 
 import javax.naming.Context;
 import javax.naming.Name;
@@ -57,6 +54,8 @@
  */
 public class DirectoryPartitionNexusProxy extends DirectoryPartitionNexus
 {
+    /** safe to use set of bypass instructions to lookup raw entries */
+    public static final Collection LOOKUP_BYPASS;
     /** Bypass String to use when ALL interceptors should be skipped */
     public static final String BYPASS_ALL = "*";
     /** Bypass String to use when ALL interceptors should be skipped */
@@ -71,6 +70,22 @@
     private final Context caller;
     private final DirectoryService service;
     private final DirectoryServiceConfiguration configuration;
+
+
+    static
+    {
+        Collection c = new HashSet();
+        c.add( "normalizationService" );
+        c.add( "authenticationService" );
+        c.add( "authorizationService" );
+        c.add( "oldAuthorizationService" );
+        c.add( "schemaService" );
+        c.add( "subentryService" );
+        c.add( "operationalAttributeService" );
+        c.add( "eventService" );
+        LOOKUP_BYPASS = Collections.unmodifiableCollection( c );
+    }
+
 
     /**
      * Creates a new instance.

Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java?rev=326243&r1=326242&r2=326243&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
(original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
Tue Oct 18 14:03:32 2005
@@ -233,144 +233,144 @@
      */
     public void testAddSearchData() throws NamingException
     {
-//        Name base = addSearchData( new LdapName(), 3, 10 );
-//        SearchControls controls = new SearchControls();
-//        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
-//        NamingEnumeration results = sysRoot.search( base, "(objectClass=*)", controls );
-//        int counter = 0;
-//        while ( results.hasMore() )
-//        {
-//            results.next();
-//            counter++;
-//        }
-//
-//        assertEquals( 10, counter );
-//        recursivelyDelete( base );
-//        try { sysRoot.lookup( base ); fail(); } catch ( LdapNameNotFoundException e ) {}
+        Name base = addSearchData( new LdapName(), 3, 10 );
+        SearchControls controls = new SearchControls();
+        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
+        NamingEnumeration results = sysRoot.search( base, "(objectClass=*)", controls );
+        int counter = 0;
+        while ( results.hasMore() )
+        {
+            results.next();
+            counter++;
+        }
+
+        assertEquals( 10, counter );
+        recursivelyDelete( base );
+        try { sysRoot.lookup( base ); fail(); } catch ( LdapNameNotFoundException e ) {}
     }
 
 
-//    /**
-//     * Checks to make sure group membership based userClass works for add operations.
-//     *
-//     * @throws javax.naming.NamingException if the test encounters an error
-//     */
-//    public void testGrantAdministrators() throws NamingException
-//    {
-//        // create the non-admin user
-//        createUser( "billyd", "billyd" );
-//
-//        // try an add operation which should fail without any ACI
-//        assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
-//
-//        // Gives grantAdd perm to all users in the Administrators group for
-//        // entries and all attribute types and values
-//        createAccessControlSubentry( "searchAdmin", "{ " +
-//                "identificationTag \"addAci\", " +
-//                "precedence 14, " +
-//                "authenticationLevel none, " +
-//                "itemOrUserFirst userFirst: { " +
-//                "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" }
}, " +
-//                "userPermissions { { " +
-//                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-//                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
-//
-//        // see if we can now add that test entry which we could not before
-//        // add op should still fail since billd is not in the admin group
-//        assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
-//
-//        // now add billyd to the Administrator group and try again
-//        addUserToGroup( "billyd", "Administrators" );
-//
-//        // try an add operation which should succeed with ACI and group membership change
-//        assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
-//    }
-//
-//
-//    /**
-//     * Checks to make sure name based userClass works for add operations.
-//     *
-//     * @throws javax.naming.NamingException if the test encounters an error
-//     */
-//    public void testGrantAddByName() throws NamingException
-//    {
-//        // create the non-admin user
-//        createUser( "billyd", "billyd" );
-//
-//        // try an add operation which should fail without any ACI
-//        assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
-//
-//        // now add a subentry that enables user billyd to add an entry below ou=system
-//        createAccessControlSubentry( "billydAdd", "{ " +
-//                "identificationTag \"addAci\", " +
-//                "precedence 14, " +
-//                "authenticationLevel none, " +
-//                "itemOrUserFirst userFirst: { " +
-//                "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
-//                "userPermissions { { " +
-//                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-//                "grantsAndDenials { grantAdd, grantBrowse } } } } }" );
-//
-//        // should work now that billyd is authorized by name
-//        assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
-//    }
-//
-//
-//    /**
-//     * Checks to make sure subtree based userClass works for add operations.
-//     *
-//     * @throws javax.naming.NamingException if the test encounters an error
-//     */
-//    public void testGrantAddBySubtree() throws NamingException
-//    {
-//        // create the non-admin user
-//        createUser( "billyd", "billyd" );
-//
-//        // try an add operation which should fail without any ACI
-//        assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
-//
-//        // now add a subentry that enables user billyd to add an entry below ou=system
-//        createAccessControlSubentry( "billyAddBySubtree", "{ " +
-//                "identificationTag \"addAci\", " +
-//                "precedence 14, " +
-//                "authenticationLevel none, " +
-//                "itemOrUserFirst userFirst: { " +
-//                "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
-//                "userPermissions { { " +
-//                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-//                "grantsAndDenials { grantAdd, grantBrowse } } } } }" );
-//
-//        // should work now that billyd is authorized by the subtree userClass
-//        assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
-//    }
-//
-//
-//    /**
-//     * Checks to make sure <b>allUsers</b> userClass works for add operations.
-//     *
-//     * @throws javax.naming.NamingException if the test encounters an error
-//     */
-//    public void testGrantAddAllUsers() throws NamingException
-//    {
-//        // create the non-admin user
-//        createUser( "billyd", "billyd" );
-//
-//        // try an add operation which should fail without any ACI
-//        assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
-//
-//        // now add a subentry that enables anyone to add an entry below ou=system
-//        createAccessControlSubentry( "anybodyAdd", "{ " +
-//                "identificationTag \"addAci\", " +
-//                "precedence 14, " +
-//                "authenticationLevel none, " +
-//                "itemOrUserFirst userFirst: { " +
-//                "userClasses { allUsers }, " +
-//                "userPermissions { { " +
-//                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-//                "grantsAndDenials { grantAdd, grantBrowse } } } } }" );
-//
-//        // see if we can now add that test entry which we could not before
-//        // should work now with billyd now that all users are authorized
-//        assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
-//    }
+    /**
+     * Checks to make sure group membership based userClass works for add operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testGrantAdministrators() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
+
+        // Gives grantAdd perm to all users in the Administrators group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "searchAdmin", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } },
" +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+        // see if we can now add that test entry which we could not before
+        // add op should still fail since billd is not in the admin group
+        assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try an add operation which should succeed with ACI and group membership change
+        assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
+    }
+
+
+    /**
+     * Checks to make sure name based userClass works for search operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testGrantSearchByName() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
+
+        // now add a subentry that enables user billyd to add an entry below ou=system
+        createAccessControlSubentry( "billydAdd", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+        // should work now that billyd is authorized by name
+        assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
+    }
+
+
+    /**
+     * Checks to make sure subtree based userClass works for search operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testGrantSearchBySubtree() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
+
+        // now add a subentry that enables user billyd to add an entry below ou=system
+        createAccessControlSubentry( "billyAddBySubtree", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials {  grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+        // should work now that billyd is authorized by the subtree userClass
+        assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
+    }
+
+
+    /**
+     * Checks to make sure <b>allUsers</b> userClass works for search operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testGrantSearchAllUsers() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
+
+        // now add a subentry that enables anyone to add an entry below ou=system
+        createAccessControlSubentry( "anybodyAdd", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { allUsers }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+        // see if we can now add that test entry which we could not before
+        // should work now with billyd now that all users are authorized
+        assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
+    }
 }



Mime
View raw message