Skip to content

Fix and enable the AlternateRootDN ACI test#706

Merged
vharseko merged 1 commit into
OpenIdentityPlatform:masterfrom
vharseko:features/alternate-root-dn-test
Jul 8, 2026
Merged

Fix and enable the AlternateRootDN ACI test#706
vharseko merged 1 commit into
OpenIdentityPlatform:masterfrom
vharseko:features/alternate-root-dn-test

Conversation

@vharseko

@vharseko vharseko commented Jul 5, 2026

Copy link
Copy Markdown
Member

Context

AlternateRootDN (a Sun-era test of ACI behaviour for alternate root bind DNs, including proxied authorization as alternate root DNs) has never run since the Maven migration: its class name does not match any failsafe include pattern (Test*, *Test, *Tests, *TestCase, *TestCases). Once forced to run, testAlternateProxyDNs failed — the test rotted against two changes in the proxied authorization ACI semantics:

  • targetcontrol ACI: for a proxied authorization control the check evaluateProxyAuthControls() evaluates ACIs against the entry of the authenticated user (isAllowed(authDN, ...)), not against the search target. The test placed the control ACI on the search target entry → Unavailable Critical Extension. It now lives on the authenticating user's entry.
  • proxy right: AciHandler.mayProxy() evaluates allow (proxy) against the entry being authorized as — here the root DN entries under cn=config, which only global ACIs can reach. A global ACI targeting cn=Root DNs,cn=config is added → previously Authorization Denied.

Also fixes a copy-paste error (the third search proxied as the admin alternate DN instead of the root one) and renames the class to AlternateRootDNTestCase so the failsafe include patterns pick it up.

Verification

Two consecutive runs: 2/2 green, ~14s each.

Found during the slow group audit follow-up (#684-#705).

The test class name never matched the failsafe include patterns, so it
has not run since the Maven migration, and it rotted against two
changes in the proxied authorization ACI semantics:

- the targetcontrol ACI for the proxied authorization control is
  evaluated against the entry of the authenticated user, not against
  the search target, so it must be placed on that entry;
- the proxy right is evaluated against the entry being authorized as -
  here the root DN entries under cn=config - so it must be granted
  through a global ACI targeting cn=Root DNs,cn=config.

Also fix a copy-paste error (the third search proxied as the admin
alternate DN instead of the root one) and rename the class to
AlternateRootDNTestCase so that the failsafe include patterns pick it
up (2/2 green, ~14s).
@vharseko vharseko requested a review from maximthomas July 5, 2026 07:36
@vharseko vharseko added tests Test suites: fixing, enabling, un-disabling ACI Access Control Instructions subsystem labels Jul 6, 2026
@vharseko vharseko merged commit 65ea66b into OpenIdentityPlatform:master Jul 8, 2026
32 of 34 checks passed
@vharseko vharseko deleted the features/alternate-root-dn-test branch July 8, 2026 17:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ACI Access Control Instructions subsystem build CI tests Test suites: fixing, enabling, un-disabling

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants