Table of Contents
1. Introduction
1.1. Test Objectives
1.2 Judging Test Results
2. Organization of Test Suite
3. General Tests
3.1. Functionality Addressed by Tests
3.2 BLITS Directory Information Tree (DIT) and Content
3.2.1 Entries for Use with BLITS
3.3 The Tests
3.3.1 Bind/Unbind Tests
3.3.1.1 Anonymous Bind
3.3.1.2 Unbind
3.3.1.3 Bind With Correct Credentials
3.3.1.3.1 Bind With Simple Password
3.3.1.3.2 Bind With CRAM-MD5 Password Exchange
3.3.1.4 Bind Errors
3.3.1.4.1 Bind with Incorrect Credentials
3.3.1.4.2 Bind With Missing Password
3.3.1.4.3 BIND with Invalid DN Syntax
3.3.1.4.4 BIND with Inappropriate Authentication
3.3.1.4.5 BIND with Unsupported Protocol Version
3.3.1.4.6 Bind with Incorrect Credentials using CRAM-MD5
3.3.2 Search Tests
3.3.2.1 Simple Search Filters
3.3.2.2 Complex Search Filters
3.3.2.3 Search for Entry with Multi-Valued RDN
3.3.2.4 Three-Valued Logic Search Filter Evaluation
3.3.2.4.1 Filter of "AND" Choice with an Undefined Attribute Type (Evaluates to UNDEFINED)
3.3.2.4.2 Filter of "OR" Choice with an Undefined Attribute Type (Evaluates to TRUE)
3.3.2.4.3 Filter of "NOT" Choice with an Undefined Attribute Type (Evaluates to UNDEFINED)
3.3.2.5 Unrecognized Option in Attribute Description List
3.3.2.6 Retrieve Operational Attributes for an Entry
3.3.2.7 Alias Dereferencing
3.3.2.8 Miscellaneous Searching Feature Tests
3.3.2.9 Search Operation Errors
3.3.3 Modify Operation Tests
3.3.3.1 Modify-Add Tests
3.3.3.2 Modify-Delete Tests
3.3.3.3 Modify-Replace Tests
3.3.4 Add Operation Tests
3.3.4.1 Add New Entry
3.3.4.2 Add Errors
3.3.5 Delete Operation Tests
3.3.5.1 Delete Existing Object
3.3.5.2 Delete Errors
3.3.6 ModifyDN Operation Tests
3.3.6.1 Rename a Leaf Entry
3.3.6.2 Move a Leaf Entry to A New Parent
3.3.6.3 Move a Renamed Leaf Entry to A New Parent
3.3.6.4 Rename Subtree of Entries
3.3.6.5 Move Subtree of Entries
3.3.6.6 Move a Renamed Subtree of Entries to a New Parent
3.3.6.7 Modify DN Errors
3.3.7 Compare Operation Tests
3.3.7.1 Comparison with FALSE Return Code
3.3.7.2 Comparison with TRUE Return Code
3.3.7.3 Compare Errors
3.3.8 Extended Operations Tests
3.3.9 Charset-Related Tests
3.3.10 DN Quoting Form Tests
3.3.11 Certificate Storage, Retrieval, and Comparison
3.3.11.1 Search
3.3.11.1.1 Search for Entry Containing a User Certificate
3.3.11.1.2 Search for Entry not Containing a User Certificate
3.3.11.1.3 Search for Entry Containing a CA Certificate
3.3.11.1.4 Search for Entry not Containing a CA Certificate
3.3.11.1.5 Search for Entry Containing a CRL
3.3.11.2 Compare
3.3.11.3 Add and Modify Entries
3.3.11.3.1 Add Entry with Certificate
3.3.11.3.2 Modify-add tests
3.3.11.3.2.1 Create userCertificate Attribute
3.3.11.3.2.2 Add userCertificate Value to Existing Attribute
3.3.11.3.2.3 Create cACertificate Attribute
3.3.11.3.2.4 Create certificateRevocationList Attribute
3.3.11.3.3 Modify-Delete Tests
3.3.11.3.3.1 Delete One Value of a Multi-valued userCertificate Attribute
3.3.11.3.3.2 Delete Single-Valued userCertificate Attribute
3.3.11.3.4 Replace userCertificate Attribute
3.3.12 LDAP Extension Tests
3.3.12.1 Paged Results
3.3.12.1.1 Page completely through a set
3.3.12.1.2 Abort paging part-way through a set.
3.3.12.2 Server-Side Sorting
3.3.12.2.1 Sort on Single Numeric Attribute
3.3.12.2.2 Sort on Single Alphabetic Attribute
3.3.12.2.3 Sort on Multiple Attributes
3.3.12.2.4 Sort in reverse order
3.3.12.3 Feature Interactions with Paged and Sorted Results
3.3.12.3.1 Page a Sorted Set.
3.3.12.4 Scrolling View Browsing of Search Results
3.3.12.4.1 Scroll Completely Through Large Set of Results
3.3.12.4.2 Scroll Incrementally through Set of Results
3.3.12.4.3 Scroll Part Way Through Large Set of Results
3.3.12.4.4 Go to Arbitrary Place in Large Set of Results
3.3.12.5 Language Tags
3.3.12.5.1 Search for Language Tagged Attributes
3.3.12.5.2 Check Attribute Subtype Matching
3.3.12.5.3 Search Without Specifying Language Tags
3.3.12.5.4 Comparison with TRUE Return Code
3.3.12.5.5 Comparison with noSuchAttribute Return Code
3.3.12.5.6 Search for Tagged Attribute Types
3.3.12.5.7 Add and Modify Entries
3.3.12.5.7.1 Add Entry with Language Tags
3.3.12.5.7.2 Modify Entry with Language Tags
3.3.13 Schema-Related Tests
3.3.13.1 Schema Access tests.
3.3.13.2 Schema Modification tests.
3.3.14 Referral Tests
3.3.14.1 Superior Reference
3.3.14.2 Subordinate Reference
3.3.14.3 Named Referrals
3.3.14.3.1 Base Contains Ref Attribute
3.3.14.3.2 Target Contains Ref Attribute
3.3.14.3.3 Base Subordinate to Entry that Contains Ref Attribute
3.3.14.3.4 Target Subordinate to Entry that Contains Ref Attribute
3.3.14.3.5 Single-Level Search
3.3.14.3.6 Subtree Search
3.3.15 Transport Security
3.3.15.1 START TLS
3.3.15.1.1 Anonymous Bind over TLS
3.3.15.1.2 Bind With Password Exchange over TLS
3.3.15.1.3 TLS with Certificates
3.3.15.1.3.1 TLS Bind with Valid Certificate
3.3.15.1.3.2 TLS Bind with Expired Certificate
3.3.15.1.3.3 TLS Bind with Certificate Validated via Non-Trivial Path
3.3.15.1.3.4 TLS Bind with Revoked Certificate in Validation Path
3.3.15.1.4 Bind with Incorrect Credentials over TLS
3.3.15.1.5 Bind With Insufficiently Strong Authentication
3.3.15.1.6 Abort TLS Session
3.3.15.2 Port 636
3.3.15.2.1 Anonymous Bind over TLS
3.3.15.2.2 Bind With Password Exchange over TLS
3.3.15.2.3 TLS with Certificates
3.3.15.2.3.1 TLS Bind with Valid Certificate
3.3.15.2.3.2 TLS Bind with Expired Certificate
3.3.15.2.3.3 TLS Bind with Certificate Validated via Non-Trivial Path
3.3.15.2.3.4 TLS Bind with Revoked Certificate in Validation Path
3.3.15.2.4 Bind with Incorrect Credentials over TLS
3.3.15.2.5 Bind With Insufficiently Strong Authentication
3.3.15.2.6 Abort TLS Session
3.3.16 Server Location
3.3.16.1 Locate Server
3.4 Other Potential Testing Areas
4. Application-Specific Tests
5. Acknowledgements
6. Authors' Addresses
7. Bibliography
This document defines a basic LDAP Interoperability Test suite for use by any
individual, organization, or group. The purpose of this document is to provide
the information required for testers to prepare for and perform tests which are
designed to gauge interoperability between LDAP clients and servers.
The tests are designed to demonstrate interoperability between LDAP client/server pairs.
The tests are designed to be performed in a multi-vendor environment, permitting
LDAPv3 implementers to verify the degree to which basic LDAPv3 client/server
interaction features of their implementations are interoperable with other
implementations. This test suite is not designed for use in processes intended
to certify full LDAPv3 protocol conformance.
Criteria for determining the success or failure of a particular test are described in
each test specification. Depending upon the test, success criteria can include: receipt
of a particular return code from a server (often expressed as an error message), getting
a response from the server being tested, a client reacting in a particular way to such
a response, or displaying search results correctly on the requesting LDAP client.
Specific success criteria for each test are indicated along with the description
of how to perform each test. If the criteria are not met for a given test, it is deemed to
have failed.
Section 3 contains general tests. Section 4 contains tests that are specific
to particular applications.
Tests for LDAPv3 operations (Bind, Unbind, Search, Modify, ModifyDN, Add, Delete,
Compare, and Abandon) are defined in this document. The functionality of these
operations is specified in the core LDAPv3 protocol specification [RFC 2251].
Tests for more granular LDAPv3 functionality such as aliases/alias dereferencing, referrals,
referral loop detection, error detection/generation, and other logical functions performed
via particular configurations of operational parameters are defined within the context of
operations to which they are relevant. Miscellaneous testing topics which do not currently
have tests defined for them are listed in various sections throughout the document.
Figure 3-1: BLITS Directory Information Tree (DIT)
The BLITS DIT is available in two forms: one rooted at o=IMC, c=US (for clients and servers
supporting X.500-style entry naming) and one rooted at dc=Relative, dc=IMC, dc=org (for clients
and servers supporting domain-component-based naming [RFC 2247]).
References to DNs found in the text of this document are described
in terms of X.500-style naming. Search bases intended for use during testing
are specified using both the domain-component- and X.500-based naming
conventions. To translate X.500-style names into domain-component-style
names, readers of this draft must:
- replace "c=US" with "dc=org"
- replace "o=" with "dc="
- replace "ou=" with "dc="
- insert an appropriate "dc=Relative" domain component between
the "dc=IMC" component and all subordinate components (the appropriate
replacement component value could be based on vendor name or some other identifier unique across all event participants)
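
The four translation rules above, written out as an added example (not part of the BLITS materials) and checked against DN pairs copied from the test tables in this document. The function names, the default "Relative" component value, and the choice to leave multi-valued or malformed RDNs untouched are assumptions of this sketch.

```python
import re

def split_rdns(dn):
    """Split a DN into RDN strings on unescaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def x500_to_dc(dn, relative="Relative"):
    """Apply the four translation rules to one X.500-style DN."""
    out = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        key, value = attr.strip().lower(), value.strip()
        if not sep or "+" in rdn:
            out.append(rdn)                    # malformed or multi-valued RDN: keep as written
        elif key == "c" and value.upper() == "US":
            out.append("dc=org")               # rule 1: c=US -> dc=org
        elif key == "o":
            if value.upper() == "IMC":
                out.append(f"dc={relative}")   # rule 4: sits between dc=IMC and its subordinates
            out.append(f"dc={value}")          # rule 2: o= -> dc=
        elif key == "ou":
            out.append(f"dc={value}")          # rule 3: ou= -> dc=
        else:
            out.append(rdn)                    # cn=, uid=, ... are not renamed
    return ", ".join(out)

def canonical(dn):
    """Compare DNs ignoring case and the spacing around ',', '=' and '+'."""
    return re.sub(r"\s*([,=+])\s*", r"\1", dn.strip()).lower()

# (X.500 form, dc form) pairs copied from the test tables in this document.
PAGE_PAIRS = [
    ("cn=Paul Cezanne, ou=Americas, ou=Search, o=IMC, c=US",
     "cn=Paul Cezanne, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=ORG"),
    ("cn=Directory Manager, o=IMC, c=US",
     "cn=Directory Manager, dc=Relative, dc=IMC, dc=ORG"),
    ("cn, ou=Americas, ou=Search, o=IMC, c=US",
     "cn, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=ORG"),
    ("ou=Sales, ou=Europe,ou=Search, o=IMC, c=US",
     "dc=Sales, dc=Europe,dc=Search, dc=Relative, dc=IMC, dc=org"),
    ("cn=Pablo Picasso + uid=00123456789, ou=Search, o=IMC, c=US",
     "cn=Pablo Picasso + uid=00123456789, dc=Search, dc=Relative, dc=IMC, dc=org"),
]

def mismatches(pairs=PAGE_PAIRS):
    """Return the pairs whose dc form is not what the rules produce."""
    return [(x, d) for x, d in pairs if canonical(x500_to_dc(x)) != canonical(d)]

if __name__ == "__main__":
    for x500, _ in PAGE_PAIRS:
        print(x500_to_dc(x500))
    print("mismatches:", mismatches())
```
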
The BLITS DIT has several branches designed to allow simultaneous vendor testing based
on the tests defined below. Individual branches for LDAPv3 operations specified in
[RFC 2251] are defined with the exception of Bind, Unbind,
Abandon, and Compare. Tests related to these four operations are performed using
the entries located in the subtree rooted at ou=Search, o=IMC, c=US. The entries
constructed using the Microsoft-provided data fall under this subtree as leaf
entries of object class inetOrgPerson [7].
Subtrees for the Add, Delete, Modify, and ModifyDN operations tests are partitioned
into additional organizational units to support parallel multiple-vendor test
performance. The generic subtree structure for making such changes to directory
information is shown in Figure 3-3. In particular, the LDIF [16]
file constructed for use during the testing event includes organizational units sufficient
for 20 vendors, each testing 10 different clients. Modifications to this LDIF file should
be made if support for more than 20 vendors or more than 10 clients per vendor
are to be tested simultaneously. The subtrees used for testing Certificates storage,
retrieval, etc. are shown in Figure 3-4. There is a certificates subtree for tests
not requiring changes to the directory content. There are also CertificateAdd and
CertificateModify subtrees, each of which is
structured to allow testing by up to 20 LDAP vendors, each with up to 10
client products, in a similar way to the subtrees for the non-certificate
Add, Delete, Modify, and ModifyDN operations tests described above.
The DIT also has a CAs subtree, which contains a set of subtrees
which can be used for certificates provided by
different certificate generation products. Each of these subtrees contains
a Certificates, a CertificateAdd and a CertificateModify subtree.
The subordinate structure of the subtrees intended for use in testing schema-related features
(ou=Schema), charset support (ou=Charset), and referrals (ou=Referrals) is TBD.
Figure 3-2: BLITS Search Subtree Structure
Figure 3-3: BLITS Add/Delete/Modify/ModifyDN Subtree Structure
Figure 3-4: BLITS Certificates Subtree Structure
Only the following attribute sub-set will be used in this suite:
- localityName
- stateOrProvinceName
- organizationName
- organizationalUnitName
- description
- commonName
- surname
- givenName
- objectClass
- title
- streetAddress
- postalCode
- telephoneNumber
- facsimileTelephoneNumber
- userPassword
- aliasedObjectName
- postalAddress
- userCertificate
- cACertificate
- certificateRevocationList
Only the following object class sub-set will be used in this suite:
- top
- alias
- organization
- organizationalUnit
- person
- organizationalPerson
- inetOrgPerson
- certificationAuthority
- strongAuthenticationUser
- device
Access controls should be set up on each LDAP server in such a way that
users binding anonymously, or, with one exception (Directory Manager),
giving names but not passwords, can read and search all the data. Additional
access controls should be set up such that an entry for a Directory Manager
is present with a password, controller:
dn: cn=Directory Manager, o=IMC, c=US
cn: Directory Manager
objectclass: top
objectclass: person
objectclass: organizationalperson
userpassword: controller
Users binding as Directory Manager should not be allowed to bind at all
unless they specify the correct password.
3.2.1 Entries for Use with BLITS
Chris Weider of Microsoft provided a sample of a test database which Microsoft
has used in the past. Each database record was a CSV-formatted list of employee
name, employee ID, telephone number, and various organizational unit container names.
Database records were converted from CSV to LDIF using the inetOrgPerson
[7] object class as a template.
Some attributes, such as e-mail address and user password were generated for each entry.
These leaf entries were used as a seed data set for populating the BLITS DIT.
Other entries were created to enable the testing of aliases/alias dereferencing,
referrals, schema-related features, character set support,
and other features. LDIF files of the
entire BLITS DIT (one using domain-component-style names,
one using dc-relative-style names,
and one using X.500-style names)
are available. Each LDIF file is in three parts: one for the basic tests,
one for the extended tests, and one for the Certificates tests.
The Certificates tests LDIF files reference further files that contain
the certificates used in the tests.
| | dc names | dc-relative names | X500 names |
|---|---|---|---|
| Basic tests | dc-names.ldif | dc-names_relative.ldif | X500-names.ldif |
| Extended tests | new-dc-names.ldif | new-dc-names_relative.ldif | new-X500-names.ldif |
| Certificates tests | cert-dc-names.ldif | cert-dc-names_relative.ldif | cert-X500-names.ldif |
| New Certificates tests | new-cert-dc-names.ldif | new-cert-dc-names_relative.ldif | new-cert-X500-names.ldif |
The tests are defined in terms of client/server interaction features of the LDAPv3
protocol operations. Some features are specifically associated with a particular
LDAP operation, such as the use of search filters, scope, and base. Other features,
such as the generation of LDAP return codes that correspond to error conditions,
are often associated with more than one protocol operation. Another set of features,
such as support for character sets, referrals, valid forms of DN quoting, and others
are complicated enough to warrant treatment in a section separate from the
operation(s)
with which they are associated. Tests for all three types of features are defined
in the sub-paragraphs found below.
TIPS:
- Avoid client caching as it could affect test results. If a client is not
configurable, it should be re-started and re-bound for each test.
- All attributes must be displayed in a human-readable form, including
UTF-8-encoded Unicode characters and presentation addresses.
| Purpose |
Bind Anonymously to an LDAP server. |
| Reference |
[RFC 2251] (paragraph 4.2, pp. 20-23) |
| Procedure |
Issues a Bind request to an LDAP server with null credentials (anonymous bind) |
| Expected Results |
The test is successful if the LDAP connection can be established without errors. Search requests should now be accepted and processed by the server. |
| Purpose |
Unbind from an LDAP server. |
| Reference |
[RFC 2251] (paragraph 4.3, pp. 19-20) |
| Procedure |
An UNBIND operation must be issued to the responding LDAP server. |
| Expected Results |
The test is successful if the association is released gracefully. |
| Purpose |
Test authenticated unprotected simple bind with correct credentials. |
| Reference |
[RFC 2251]
(paragraph 4.2)
|
| Procedure |
Test simple authenticated Bind as 'Paul Cezanne' with a correct password ('Paul0005'). |
| DN |
cn=Paul Cezanne, ou=Americas, ou=Search, o=IMC, c=US |
| DN (dc-naming) |
cn=Paul Cezanne, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=ORG |
| Password |
Paul0005 |
| Expected results |
The test is successful if the Bind is successful.
Search requests should now be accepted and processed by the server. |
| Purpose |
Test authenticated DIGEST-MD5 bind with correct credentials. |
| Reference |
[RFC 2829] (paragraph 6.1),
[RFC 2251]
(paragraph 4.2)
|
| Procedure |
Configure client to use DIGEST-MD5 authentication.
Test authenticated Bind as 'Marc Chagall' with a correct password ('Marc0001'). |
| DN |
cn= Marc Chagall, ou=Security, o=IMC, c=US |
| DN (dc-naming) |
cn= Marc Chagall, dc=Security, dc=Relative, dc=IMC, dc=ORG |
| Password |
Marc0001 |
| Expected results |
The test is successful if the Bind is successful.
Search requests should now be accepted and processed by the server. |
| Purpose |
Test authenticated unprotected simple bind with incorrect credentials. |
| Reference |
[RFC 2251]
(paragraphs 4.1.10, 4.2)
|
| Procedure |
Attempt to Bind as a DN which has a userPassword attribute, but specify the wrong password. |
| DN |
cn=Paul Cezanne, ou=Americas, ou=Search, o=IMC, c=US |
| DN (dc-naming) |
cn=Paul Cezanne, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=ORG |
| Password |
Wrong (The correct password is Paul0005) |
| Expected results |
Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Test authenticated unprotected simple Bind with missing password. |
| Reference |
[RFC 2251]
(paragraphs 4.1.10, 4.2)
|
| Procedure |
Test authenticated unprotected simple Bind as 'Paul Cezanne' with a null password. |
| DN |
cn=Paul Cezanne, ou=Americas, ou=Search, o=IMC, c=US |
| DN (dc-naming) |
cn=Paul Cezanne, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=ORG |
| Password |
<unspecified> |
| Expected results |
The test is successful if the connection attempt is accepted, but established as an anonymous bind. Search requests should now be accepted and processed by the server. |
| Purpose |
Verify correct behavior when a DN of invalid syntax is included in a Bind attempt. |
| Reference |
[RFC 2251]
(paragraphs 4.1.10, 4.2)
|
| Procedure |
Bind supplying a DN with an invalid syntax and an arbitrary value for the userPassword attribute. |
| DN |
cn, ou=Americas, ou=Search, o=IMC, c=US |
| DN (dc-naming) |
cn, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=ORG |
| Password |
AnythingYouWant |
| Expected results |
The Bind should fail. Requests may not be accepted and processed by the server; if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Verify correct behavior when inappropriate authentication is used on a Bind attempt. |
| Reference |
[RFC 2251]
(paragraphs 4.1.10, 4.2)
|
| Procedure |
Test authenticated unprotected simple Bind as 'Directory Manager' with a null password. |
| DN |
cn=Directory Manager, o=IMC, c=US |
| DN (dc-naming) |
cn=Directory Manager, dc=Relative, dc=IMC, dc=ORG |
| Password |
(None) |
| Expected results |
Result code 48 (inappropriateAuthentication) should be returned. The Bind should fail. Requests may not be accepted and processed by the server. |
| Purpose |
Verify correct behavior when an unsupported protocol version parameter value is supplied on a Bind attempt. |
| Reference |
[RFC 2251]
(paragraphs 4.1.10, 4.2)
|
| Procedure |
Bind, anonymously with a null DN, supplying a version number of 4. |
| DN |
null |
| Password |
null |
| Expected results |
Result code 2 (protocolError) should be returned. The Bind should fail. Requests may not be accepted and processed by the server; if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Test authenticated DIGEST-MD5 bind with incorrect credentials. |
| Reference |
[RFC 2829] (paragraph 6.1),
[RFC 2251]
(paragraphs 4.1.10, 4.2)
|
| Procedure |
Configure client to use DIGEST-MD5 authentication.
Test authenticated Bind as 'Marc Chagall' with incorrect password ('Marc1110'). |
| DN |
cn=Marc Chagall, ou=Security, o=IMC, c=US |
| DN (dc-naming) |
cn=Marc Chagall, dc=Security, dc=Relative, dc=IMC, dc=ORG |
| Password |
Marc1110 |
| Expected results |
Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
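
The expected results of the Bind tests above, collected into one decision function, followed by a login check that stays correct when a named bind with no password succeeds as anonymous. This is an added example, not code from the BLITS suite: it is a local model rather than a real LDAP client, the function names are hypothetical, result code 0 (success) and 34 (invalidDNSyntax) are taken from RFC 2251 rather than from the tables above, and the DNs and passwords are the test values given in this document.

```python
import hmac

SUCCESS, PROTOCOL_ERROR, INVALID_DN_SYNTAX = 0, 2, 34   # 0 and 34: RFC 2251, not stated in the tables
INAPPROPRIATE_AUTH, INVALID_CREDENTIALS = 48, 49        # stated in the tables above
ANONYMOUS = ""                                          # identity of an anonymous association

def norm(dn):
    """Case- and whitespace-insensitive form of a DN, good enough for this model."""
    return ",".join(part.strip().lower() for part in dn.split(","))

PAUL = "cn=Paul Cezanne, ou=Americas, ou=Search, o=IMC, c=US"
MANAGER = "cn=Directory Manager, o=IMC, c=US"
PASSWORDS = {norm(PAUL): "Paul0005", norm(MANAGER): "controller"}
PASSWORD_REQUIRED = {norm(MANAGER)}      # the one exception in the access control setup

def valid_dn(dn):
    """Every RDN needs a non-empty type and value ('cn' alone is invalid)."""
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not (sep and attr.strip() and value.strip()):
            return False
    return True

def simple_bind(version, dn, password):
    """Model of a server's simple Bind: returns (result code, bound identity or None)."""
    if version not in (2, 3):
        return PROTOCOL_ERROR, None              # 3.3.1.4.5
    if dn == "":
        return SUCCESS, ANONYMOUS                # 3.3.1.1
    if not valid_dn(dn):
        return INVALID_DN_SYNTAX, None           # 3.3.1.4.3
    if password == "":
        if norm(dn) in PASSWORD_REQUIRED:
            return INAPPROPRIATE_AUTH, None      # 3.3.1.4.4
        return SUCCESS, ANONYMOUS                # 3.3.1.4.2: accepted, but anonymous
    stored = PASSWORDS.get(norm(dn))
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return SUCCESS, norm(dn)                 # 3.3.1.3.1
    return INVALID_CREDENTIALS, None             # 3.3.1.4.1

def naive_login(dn, password, bind=simple_bind):
    """Weak check: treats any successful Bind as proof of identity."""
    code, _ = bind(3, dn, password)
    return code == SUCCESS

def authenticate_user(dn, password, bind=simple_bind):
    """Hardened check: refuse empty input and require that the Bind was made as dn."""
    if not dn or not password:
        return False
    code, identity = bind(3, dn, password)
    return code == SUCCESS and identity == norm(dn)

if __name__ == "__main__":
    print(simple_bind(3, PAUL, ""), naive_login(PAUL, ""), authenticate_user(PAUL, ""))
```

The difference between the two login functions shows up only in test 3.3.1.4.2: the server answers success, but the association is anonymous.
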
| Purpose |
Test equality matching in simple search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
cn=Pat Bakers |
| Expected results |
The following entry should be returned: Pat Bakers |
| Purpose |
Test substring matching in simple search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
cn=p*smith |
| Expected results |
The following entries should be returned: Peter Smith Paulette Smith |
| Purpose |
Test approximate matching in simple search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
cn~=clint |
| Expected results |
The following entries should be returned: Clint Eastwood Bill Clinton Hillory Clinton |
| Purpose |
Test less-than-or-equal-to matching in simple search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
dnqualifier<=1100008 |
| Expected results |
The following 5 entries should be returned: Paul Cezanne, Johan Jongkind,
Johan Jongkind (No Title), Milton Berle, Clint Eastwood |
| Purpose |
Test greater-than-or-equal-to matching in simple search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
dnqualifier>=2200500 |
| Expected results |
The following entries should be returned: Kip Barker, Larry Barker, Leslie Barker, Lincoln Barker, Linda Barker |
| Purpose |
Test presence matching in simple search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Fin-Accounting, ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Fin-Accounting, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
title=* |
| Expected results |
The following entry should be returned: Johan Jongkind (title VP) |
TBD, but to be based on extensible matching rules listed in [RFC 2252]
and the description of extensible matching in searchRequest [RFC 2251].
| Purpose |
Test equality and presence matching combination in complex search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(&(sn=thatcher)(title=*)) |
| Expected results |
The following entry should be returned: Margaret Thatcher (title: Director) |
| Purpose |
Test substring and presence matching combination in complex search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(&(cn=cl*ews)(title=*)) |
| Expected results |
The following entry should be returned: Cliff Andrews (title: Associate) |
| Purpose |
Test multiple substring matching combination in complex search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(|(cn=*od)(cn=*ad)) |
| Expected results |
The following entries should be returned: Clint Eastwood, Charlie Abood, Henry Atwood, Alice Frostad |
| Purpose |
Test substring and approximate matching combination in complex search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(|(cn=*homer*)(cn~=body)) |
| Expected results |
The following entries should be returned: Homer Winslow, Bette Davis, Buddy Holly |
| Purpose |
Test presence (for person objects) matching in search filter that includes negation. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(&(!(description=*))(objectclass=person)) |
| Expected results |
The following entry should be returned: Jonathan Adams |
| Purpose |
Test presence (for person objects) matching in search filter that includes negation. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Sales, ou=Europe,ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Sales, dc=Europe,dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(&(!(sn=wa*))(objectclass=person)) |
| Expected results |
The following entry should be returned: Paulette Smith |
| Purpose |
Test a search filter with AVAs having the following combination of match type operators
(Substring OR Substring) AND (Presence AND Presence) |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(& (|(sn=*ood*)(sn=*woo*)) (&(telephonenumber=*)(title=*)) ) |
| Expected results |
The following entries should be returned: Clint Eastwood, Merry Aboods, Charlie
Abood, Brian Atwoods, Henry Atwoods, Henry Atwood |
| Purpose |
(Approximate AND Sub-string) OR (Approximate AND Sub-string) |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(| (&(cn~=body)(telephonenumber=*825*)) (&(cn~=smythe)(telephonenumber=*720*)) ) |
| Expected results |
The following entries should be returned: Peter Smith, Paulette Smith, Bette Davis, Buddy Holly |
| Purpose |
NOT (Presence OR Presence) (for person objects) |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(&(!(|(internationaliSDNNumber=*)(description=*))) (objectclass=person)) |
| Expected results |
The following entry should be returned: Paul Cezanne |
| Purpose |
Read the entry with the common name of 'cn=Pablo Picasso' and the
user identifier of 'uid=00123456789', to check that an entry with a multi-valued RDN can be retrieved correctly |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28), [RFC 2253] |
| Procedure |
Instruct the LDAP user agent to locate and display all the attributes for
the entry with the common name 'Pablo Picasso' and the user identifier of '00123456789'. |
| Base |
cn=Pablo Picasso + uid=00123456789, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
cn=Pablo Picasso + uid=00123456789, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
base |
| Filter |
(objectclass=*) |
| Expected Results |
The test is successful if the entry is returned and all the attributes are displayed. |
| Purpose |
Search for entries with a common name value of "Margaret Thatcher" and include an unrecognized attribute type in the search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 27-28) |
| Procedure |
Instruct the LDAP user agent to search for and display all entries matching the search filter below. |
| Base |
ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(&(cn=Margaret Thatcher)(foo=bar)) |
| Expected Results |
The test is successful if no entries are displayed because the search filter evaluates to UNDEFINED. |
| Purpose |
Search for entries with a common name value of "Margaret Thatcher" and include an unrecognized attribute type in the search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 27-28) |
| Procedure |
Instruct the LDAP user agent to search for and display all entries matching the search filter below. |
| Base |
ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(|(cn=Margaret Thatcher)(foo=bar)) |
| Expected Results |
The test is successful if an entry for Margaret Thatcher is displayed
because the search filter evaluates to TRUE. |
| Purpose |
Search for entries and only include an unrecognized attribute type in the search filter. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 27-28) |
| Procedure |
Instruct the LDAP user agent to search for and display all entries matching the search filter below. |
| Base |
ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(!(foo=bar)) |
| Expected Results |
The test is successful if no entries are displayed because the search filter evaluates to UNDEFINED. |
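
The three-valued evaluation exercised by the three tests above, as an added example that is not part of the BLITS suite: a small parser and evaluator for parenthesised string filters in which an unrecognized attribute type yields UNDEFINED and only entries evaluating to TRUE are returned. The sample entries and schema set are constructed from names used in this document; only "=" items (equality, substring, presence) are handled, and all function names are hypothetical.

```python
import re

TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"

def _skip(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i

def _parse(s, i):
    """Parse one '(...)' filter starting at s[i]; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i = _skip(s, i + 1)
    if i < len(s) and s[i] in "&|!":
        op, kids = s[i], []
        i = _skip(s, i + 1)
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
            i = _skip(s, i)
        if i >= len(s) or s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i:end].partition("=") if end >= 0 else ("", "", "")
    if not sep or not attr.strip() or attr.strip()[-1] in "~<>:":
        raise ValueError("only '=' items (equality, substring, presence) are handled")
    return ("item", attr.strip().lower(), value), end + 1

def parse(text):
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def match_item(attr, pattern, entry, schema):
    if attr not in schema:
        return UNDEFINED                      # unrecognized attribute type
    values = entry.get(attr, [])
    if pattern == "*":
        return TRUE if values else FALSE      # presence
    rx = re.compile(".*".join(map(re.escape, pattern.split("*"))), re.IGNORECASE)
    return TRUE if any(rx.fullmatch(v) for v in values) else FALSE

def evaluate(node, entry, schema):
    if node[0] == "item":
        return match_item(node[1], node[2], entry, schema)
    op, kids = node
    results = [evaluate(k, entry, schema) for k in kids]
    if op == "!":
        return {TRUE: FALSE, FALSE: TRUE, UNDEFINED: UNDEFINED}[results[0]]
    if op == "&":
        if FALSE in results:
            return FALSE
        return UNDEFINED if UNDEFINED in results else TRUE
    if TRUE in results:                        # op == "|"
        return TRUE
    return UNDEFINED if UNDEFINED in results else FALSE

def search(filter_text, entries, schema):
    """Return the cn of every entry for which the filter is TRUE."""
    tree = parse(filter_text)
    return [e["cn"][0] for e in entries if evaluate(tree, e, schema) == TRUE]

# Constructed sample data; "foo" is deliberately absent from the schema.
SCHEMA = {"cn", "sn", "title", "objectclass", "description", "telephonenumber"}
ENTRIES = [
    {"cn": ["Margaret Thatcher"], "sn": ["Thatcher"], "title": ["Director"]},
    {"cn": ["Paul Cezanne"], "sn": ["Cezanne"]},
]

if __name__ == "__main__":
    for f in ("(&(cn=Margaret Thatcher)(foo=bar))",
              "(|(cn=Margaret Thatcher)(foo=bar))",
              "(!(foo=bar))"):
        print(f, "->", search(f, ENTRIES, SCHEMA))
```

An evaluator with only TRUE and FALSE would turn (!(foo=bar)) into TRUE and return every entry in scope, which is what test 3.3.2.4.3 is designed to catch.
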
| Purpose |
Verify appropriate behavior when the list of attributes to be retrieved for an entry includes an unrecognized option as part of an attribute description. |
| Reference |
[RFC 2251] (paragraph 4.1.5, pg. 13), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Submit a Search request with a search filter, base, scope, and attributes list as indicated below. |
| Base |
ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Attributes |
cn, telephonenumber;foo, mail |
| Filter |
cn=*Margaret* |
| Expected results |
Unrecognized option should be ignored. The entry for Margaret Thatcher should be
returned. (note: telephone number attribute should not be included in attributes returned,
because an unknown option requires that a server treat the attribute affected by that
option as an unknown attribute) |
| Purpose |
Verify correct behavior when all attributes, plus specific operational ones, are requested. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-29) |
| Procedure |
Submit a Search request as specified below, making sure to use a '*' character and also specific operational attribute names as the list of attributes to return for each entry. |
| Base |
ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
base-level |
| Attributes |
*, creatorsname, creatorstimestamp, modifersname, modifytimestamp |
| Filter |
objectclass=organizationalunit |
| Expected results |
The following entry should be returned with all attributes present, including requested operational attributes:
ou=Americas, ou=Search, o=IMC, c=US |
| Purpose |
Verify that an aliased base object supplied on a Search request is not
dereferenced. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Search for a subordinate of a base object which is an alias, requesting neverDerefAliases. |
| Base |
cn=Canada, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
cn=Canada, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(sn=Thatcher) |
| Expected results |
Search base alias will not be dereferenced, entry for Margaret Thatcher will not be returned. No entries will be returned. |
| Purpose |
Verify that an aliased leaf object will not be dereferenced as a part of the Search response. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Search for a leaf entry which is an alias, requesting neverDerefAliases. |
| Base |
ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(telephonenumber=*) |
| Expected results |
Alias for Jonathan Adams will not be dereferenced. No entries will be returned. |
| Purpose |
Verify that an aliased base object will not be dereferenced when alias dereferencing during searching is enabled. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Search for a subordinate of a base object which is an alias, requesting derefInSearching. |
| Base |
cn=Canada, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
cn=Canada, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(sn=Thatcher) |
| Expected results |
Search base alias will not be dereferenced. No entries will be returned. |
| Purpose |
Verify that an aliased leaf object will be dereferenced as a part of the SEARCH results when alias dereferencing during searching is enabled. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Search for a leaf entry which is an alias, requesting derefInSearching. |
| Base |
ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(telephonenumber=*) |
| Expected results |
Alias for DN "cn=Jonathan Adams, ou=Europe, ou=Search, o=IMC, c=US" will be dereferenced and will be returned as a
match, with telephone number +1 408 720 0000. |
| Purpose |
Verify that an aliased base object will be dereferenced when alias dereferencing while finding base objects is enabled. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Search for a subordinate of a base object which is an alias, requesting derefFindingBaseObj. |
| Base |
cn=Canada, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
cn=Canada, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(sn=Thatcher) |
| Expected results |
Search base alias will be dereferenced, the entries for DN
"cn=Margaret Thatcher, ou=Help Desk, ou=IT, ou=Americas,
ou=Search, o=IMC, c=US" and "cn=Margaret Thatcher (No
Title), ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC,
c=US" will be returned. |
| Purpose |
Verify that an aliased leaf object will not be dereferenced when alias dereferencing while finding base objects is enabled. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Search for a leaf entry which is an alias, requesting derefFindingBaseObj. |
| Base |
ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(telephonenumber=*) |
| Expected results |
Alias for Jonathan Adams will not be dereferenced. No entries will be returned. |
| Purpose |
Verify that an aliased base object is dereferenced when full alias dereferencing is enabled. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Search for a subordinate of a base object which is an alias, requesting derefAlways. |
| Base |
cn=Canada, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
cn=Canada, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(sn=Thatcher) |
| Expected results |
Search base alias will be dereferenced, the entries for DN "cn=Margaret Thatcher, ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US" and "cn=Margaret Thatcher (No
Title), ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC,
c=US" will be returned. |
| Purpose |
Verify that an aliased leaf object is dereferenced when full alias dereferencing is enabled. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Search for a leaf entry which is an alias, requesting derefAlways. |
| Base |
ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(telephonenumber=*) |
| Expected results |
Alias for DN "cn=Jonathan Adams, ou=Europe, ou=Search, o=IMC, c=US" will be dereferenced and will be returned as a
match, with telephone number +1 408 720 0000. |
| Purpose |
Verify that an aliased leaf object is dereferenced when full alias dereferencing is
enabled, and that matches in non-dereferenced search paths are not returned. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Search for a leaf entry which is an alias, requesting derefAlways. |
| Base |
ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(sn=Adams) |
| Expected results |
Alias for DN "cn=Jonathan Adams, ou=Europe, ou=Search, o=IMC, c=US" will be dereferenced and will be returned as a
match, with telephone number +1 408 720 0000. The "Jonny Adams"
alias entry is not returned. |
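The alias tests above differ only in the derefAliases setting, the scope, and whether the alias is the base object or a subordinate. The model below is an added example, not part of the BLITS suite: the directory content is constructed, and the targets of the two aliases (including the ou=Sales container) are assumptions, since this section does not list them. The "Jonny Adams" alias is left out.

```python
"""Model of the four derefAliases settings of an LDAP Search request."""

NEVER, IN_SEARCHING = "neverDerefAliases", "derefInSearching"
FINDING_BASE, ALWAYS = "derefFindingBaseObj", "derefAlways"

ROOT = "ou=Search,o=IMC,c=US"
AMERICAS = "ou=Americas," + ROOT
HELP_DESK = "ou=Help Desk,ou=IT," + AMERICAS
EUROPE = "ou=Europe," + ROOT
CANADA = "cn=Canada," + ROOT
# Assumption: where the real Jonathan Adams entry lives (not stated on the page).
ADAMS = "cn=Jonathan Adams,ou=Sales," + AMERICAS
THATCHERS = sorted(["cn=Margaret Thatcher," + HELP_DESK,
                    "cn=Margaret Thatcher (No Title)," + HELP_DESK])

# Constructed directory: DN -> attributes. Alias entries carry aliasedobjectname.
DIT = {
    ROOT: {}, AMERICAS: {}, EUROPE: {},
    "ou=IT," + AMERICAS: {}, HELP_DESK: {}, "ou=Sales," + AMERICAS: {},
    THATCHERS[0]: {"sn": "Thatcher"},
    THATCHERS[1]: {"sn": "Thatcher"},
    ADAMS: {"sn": "Adams", "telephonenumber": "+1 408 720 0000"},
    CANADA: {"aliasedobjectname": AMERICAS},            # assumed target
    "cn=Jonathan Adams," + EUROPE: {"aliasedobjectname": ADAMS},
}


def children(dit, parent):
    """Immediate subordinates of parent."""
    depth = parent.count(",") + 1
    return [dn for dn in dit
            if dn.endswith("," + parent) and dn.count(",") == depth]


def resolve(dit, dn, limit=8):
    """Follow aliasedobjectname to a non-alias entry; bounded to stop loops."""
    for _ in range(limit):
        target = dit.get(dn, {}).get("aliasedobjectname")
        if target is None:
            return dn
        dn = target
    raise ValueError("alias chain too long")


def search(dit, base, scope, deref, attr, value):
    """Return sorted DNs under base whose attr equals value ('*' = present)."""
    if deref in (FINDING_BASE, ALWAYS):
        base = resolve(dit, base)          # dereference while locating the base
    if base not in dit:
        raise LookupError("noSuchObject")
    follow = deref in (IN_SEARCHING, ALWAYS)
    hits, seen = [], set()

    def visit(dn, descend, is_base=False):
        if follow and not is_base:
            dn = resolve(dit, dn)          # dereference subordinates only
        if dn in seen or dn not in dit:
            return
        seen.add(dn)
        found = dit[dn].get(attr)
        if found is not None and (value == "*" or found.lower() == value.lower()):
            hits.append(dn)
        if descend:
            for child in children(dit, dn):
                visit(child, True)

    if scope == "base":
        visit(base, False, is_base=True)
    elif scope == "single-level":
        for child in children(dit, base):
            visit(child, False)
    else:                                  # subtree
        visit(base, True, is_base=True)
    return sorted(hits)


if __name__ == "__main__":
    for mode in (NEVER, IN_SEARCHING, FINDING_BASE, ALWAYS):
        print(mode,
              search(DIT, CANADA, "subtree", mode, "sn", "Thatcher"),
              search(DIT, EUROPE, "single-level", mode, "telephonenumber", "*"))
```

A client that does not need aliases followed can request neverDerefAliases, so that results are drawn only from entries actually held under the base it named.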
| Purpose |
Verify that size limit feature works appropriately. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Set sizelimit parameter to 1. Perform a search that will return more than 1 entry. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(cn=*) |
| Expected results |
One entry should be returned, followed by return code 4 (sizeLimitExceeded). Reset the size limit to its original value. |
| Purpose |
Verify that time limit feature works appropriately. |
| Reference |
[RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Set timelimit parameter to 1. Perform search that should take longer than 1 second. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(objectclass=*) |
| Expected results |
Some entries should be returned, followed by return code 3 (timeLimitExceeded). Reset the timelimit parameter to its original value. |
| Purpose |
Verify that the feature designed to allow for returning attribute names instead of name-value pairs works appropriately. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Set typesonly parameter to TRUE. Perform a search that will return matching results. |
| Base |
ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(cn=*) |
| Expected results |
Only attribute names should be returned. |
| Purpose |
Verify appropriate behavior when a search filter of invalid syntax is included as a search request parameter. |
| Reference |
[RFC 2251] (paragraph TBD , pp. TBD) |
| Procedure |
Submit a Search request with a bad filter syntax. |
| Base |
ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(&(!(|internationaliSDNNumber=*(description=* |
| Expected results |
Return code TBD (codeTBD) should be returned. No matching entries should
be returned. (Note: there was a response code for this in LDAPv2,
but I can't seem to find the equivalent requirement in LDAPv3.)
The error should be an API error, since the filter string is parsed in order to
be encoded.
|
| Purpose |
Verify that the server will generate a noSuchObject error for a subtree search. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Perform a subtree search with a base that does not exist. |
| Base |
ou=Staff, ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=Staff, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(objectclass=person) |
| Expected results |
Return code 32 (noSuchObject) should be returned as an error. No entries will be returned. |
| Purpose |
Verify that the server will generate a noSuchObject error for a single-level search. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Perform a single-level search with a base that does not exist. |
| Base |
ou=People, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc=People, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(objectclass=person) |
| Expected results |
Return code 32 (noSuchObject) should be returned. No entries will be returned. |
| Purpose |
Verify that the server will generate a noSuchObject error for a base-level search. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Perform a base-scope search with a base that does not exist. |
| Base |
cn=Madonna, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
cn=Madonna, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
base |
| Filter |
(objectclass=*) |
| Expected results |
Return code 32 (noSuchObject) should be returned. No entries will be returned. |
| Purpose |
Verify that the server will generate an invalidDNSyntax error for a subtree search. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Specify a DN with bad syntax for a subtree search. |
| Base |
cn=Tom Jones,ou, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
cn=Tom Jones,ou, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(sn=jones) |
| Expected results |
Return code 34 (invalidDNSyntax) should be returned. No entries will be returned. |
| Purpose |
Verify that the server will generate an invalidDNSyntax error for a single-level search. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Specify a DN with bad syntax for a single-level search. |
| Base |
cn=Tom Jones,ou, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
cn=Tom Jones,ou, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
(sn=jones) |
| Expected results |
Return code 34 (invalidDNSyntax) should be returned. No entries will be returned. |
| Purpose |
Verify that the server will generate an invalidDNSyntax error for a base-level search. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure |
Specify a DN with bad syntax for a base-level search. |
| Base |
ou="Any Unit, ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) |
dc="Any Unit, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
base-level |
| Filter |
(sn=jones) |
| Expected results |
Return code 34 (invalidDNSyntax) should be returned. No entries will be returned. |
To perform the tests in paragraph 3.3.3, you must authenticate as:
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.3.3;
definitions for these parameters are as follows:
- <vendor-ID>: the vendor ID allocated to you during the testing event; "Vendor1", "Vendor2", etc.
- <client-ID>: a sequence of IDs assigned by you to each client you plan on testing; "Client1", "Client2", ..., "Client10"; if you have more than 10 clients you wish to test, please notify the event planners so that they can make appropriate modifications to the LDIF file intended for use during the testing event.
You should replace the bracketed placeholders for these parameters in all DNs
found in this paragraph prior to performing the tests.
| Purpose |
Verify that an attribute type is created when a request is made to add an attribute value for an attribute type that does not currently exist for an entry. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Add the first value of an attribute type. |
| DN |
cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
facsimileTelephoneNumber |
| Attribute value |
+1 908 555 1212 |
| Expected results |
Entry should now have +1 908 555 1212 as a fax number. |
| Purpose |
Verify that an additional value can be added to an existing attribute. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Add a second attribute value of an attribute type. |
| DN |
cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
title |
| Attribute value |
CEO |
| Expected results |
Entry should now have both "President" and "CEO" as titles. |
| Purpose |
Verify that an attributeOrValueExists error message can be generated. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Attempt to add a surname attribute value already contained within an entry. |
| DN |
cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
sn |
| Attribute value |
Cezanne |
| Expected results |
Return code 20 (attributeOrValueExists) should be returned. |
| Purpose |
Verify that an invalid attribute syntax causes the server to generate an invalidAttributeSyntax error. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Do not supply a value for the attribute being added using a modify-add request. |
| DN |
cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
mail |
| Attribute value |
<unspecified> |
| Expected results |
Return code 21 (invalidAttributeSyntax) should be returned. The attribute should not have been added to the entry. |
| Purpose |
Verify that an invalid DN syntax causes the server to generate an invalidDNSyntax error for a modify-add request. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Specify a DN with bad syntax for a modify-add. |
| DN |
cn, ou, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
cn |
| Attribute value |
Missing Person |
| Expected results |
Return code 34 (invalidDNSyntax) should be returned. The attribute should not have been added to the entry. |
| Purpose |
Verify deletion of a single value for a multi-valued attribute. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Delete one of three attribute values for an attribute type. |
| DN |
cn=Paul Newman, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
title |
| Attribute value |
Head Honcho |
| Expected results |
Entry should now have "President" and "CEO" as titles. |
| Purpose |
Verify that a single-valued attribute can be deleted using the MODIFY operation. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Delete the only attribute for an attribute type. |
| DN |
cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
title |
| Attribute value |
Director |
| Expected results |
Entry should now have no title attributes. |
| Purpose |
Verify that a multi-valued attribute can be deleted using the MODIFY operation. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Delete a multi-valued attribute. |
| DN |
cn=Emeril Lagosse, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
title |
| Attribute value |
<unspecified> |
| Expected results |
Entry should now have no title attributes. |
| Purpose |
Verify that server will generate a noSuchAttribute error message when instructed via a modify-delete request to delete an attribute not contained within an entry. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Based on a specification of an attribute type only, attempt to delete an attribute from an entry that does not contain that attribute. |
| DN |
cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
facsimileTelephoneNumber |
| Expected results |
Return code 16 (noSuchAttribute) should be returned. |
| Purpose |
Verify that server will generate a noSuchAttribute error message when instructed via a modify-delete request to delete an attribute not contained within an entry. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Based on a specification of an attribute type-value pair, attempt to delete an attribute type-value pair from an entry that does not contain that attribute. |
| DN |
cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
internationaliSDNNumber |
| Attribute value |
1 313 555 1234 |
| Expected results |
Return code 16 (noSuchAttribute) should be returned. |
| Purpose |
Verify that server will generate a noSuchAttribute error message when instructed via a modify-delete request to delete an attribute type-value pair not contained within an entry. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Based on a specification of an attribute type-value pair with an incorrect value, attempt to delete an attribute value from an entry that does not contain that attribute. |
| DN |
cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
telephoneNumber |
| Attribute value |
313 555-8300 |
| Notes |
Actual existing value is 825-0008 |
| Expected results |
Return code 16 (noSuchAttribute) should be returned. |
| Purpose |
Verify that server will generate an objectClassViolation error message when instructed via a modify-delete request to delete a mandatory attribute. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Attempt to remove a required attribute from an entry. |
| DN |
cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
objectclass |
| Expected results |
Return code 65 (objectClassViolation) should be returned. |
| Purpose |
Verify that a multi-valued attribute can be replaced by a single-valued attribute. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Replace an attribute type which has multiple values using a Modify request. |
| DN |
cn=David Rosengarten, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
title |
| Attribute value |
Chief Taster |
| Expected results |
Entry should now have only "Chief Taster" as a title. |
| Purpose |
Verify that a single-valued attribute can be replaced. |
| Procedure |
Replace an attribute value for an attribute type using a Modify request. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| DN |
cn=David Rosengarten, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
mail |
| Attribute value |
David.Rosengarten@tvfood.com |
| Expected results |
Entry should now have only "David.Rosengarten@tvfood.com" as an e-mail address. |
| Purpose |
Verify that a server will remove attributes to be replaced if specified with no value. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Do not supply a value for the attribute type being replaced using a Modify request. |
| DN |
cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
givenname |
| Attribute value |
<unspecified> |
| Expected results |
The givenname attribute should no longer be contained within the entry. |
| Purpose |
Verify that a modify-replace request involving a non-existent object will generate a noSuchObject error message. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Specify an entry that does not exist for a modify-replace request. |
| DN |
cn=Invisible Person, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
sn |
| Attribute value |
Person |
| Expected results |
Return code 32 (noSuchObject) should be returned. The operation should not succeed. |
| Purpose |
Verify that a modify-replace request specified to change the naming attribute generates a notAllowedOnRDN error message. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Attempt to rename the naming attribute of an entry using a modify-replace request. |
| DN |
cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type |
cn |
| Attribute value |
Maggy Thatcher |
| Expected results |
Return code 67 (notAllowedOnRDN) should be returned. The operation should not succeed. |
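The expected results of the modify-add, modify-delete and modify-replace tests above can be collected into one reference model, useful as an oracle when these tests are scripted. This is an added example, not part of the BLITS suite: the entries are constructed from the values the tests mention, "Client1" and "Vendor1" stand in for the placeholders, and the set of mandatory attributes is an assumption.

```python
"""Reference model of the Modify results the tests in this section expect."""

SUCCESS, NO_SUCH_ATTRIBUTE, ATTRIBUTE_OR_VALUE_EXISTS = 0, 16, 20
INVALID_ATTRIBUTE_SYNTAX, NO_SUCH_OBJECT = 21, 32
OBJECT_CLASS_VIOLATION, NOT_ALLOWED_ON_RDN = 65, 67

# Assumption: attributes that entries of these object classes must keep.
REQUIRED = {"objectclass", "cn", "sn"}
BASE = "ou=Client1, ou=Vendor1, ou=Modify, o=IMC, c=US"
CEZANNE = "cn=Paul Cezanne, " + BASE
NEWMAN = "cn=Paul Newman, " + BASE
THATCHER = "cn=Margaret Thatcher, " + BASE


def sample_directory():
    """Constructed entries holding the values the tests above refer to."""
    oc = ["top", "person", "organizationalPerson", "inetOrgPerson"]
    return {
        CEZANNE: {"objectclass": list(oc), "cn": ["Paul Cezanne"],
                  "sn": ["Cezanne"], "title": ["President"]},
        NEWMAN: {"objectclass": list(oc), "cn": ["Paul Newman"],
                 "sn": ["Newman"], "title": ["President", "CEO", "Head Honcho"]},
        THATCHER: {"objectclass": list(oc), "cn": ["Margaret Thatcher"],
                   "sn": ["Thatcher"], "givenname": ["Margaret"],
                   "title": ["Director"], "telephonenumber": ["825-0008"]},
    }


def has(values, wanted):
    """Case-insensitive membership test."""
    return any(v.lower() == wanted.lower() for v in values)


def modify(directory, dn, op, attr, values=()):
    """Apply one add/delete/replace change; return the LDAP result code."""
    entry = directory.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT
    attr, values = attr.lower(), list(values)
    current = entry.get(attr, [])
    if op == "add":
        if not values:
            return INVALID_ATTRIBUTE_SYNTAX      # result the test above expects
        if any(has(current, v) for v in values):
            return ATTRIBUTE_OR_VALUE_EXISTS
        new = current + values
    elif op == "delete":
        if not current or any(not has(current, v) for v in values):
            return NO_SUCH_ATTRIBUTE
        # No values listed means "remove the whole attribute".
        new = [c for c in current if not has(values, c)] if values else []
    elif op == "replace":
        new = values                             # empty list removes the attribute
    else:
        raise ValueError("unknown modify operation: " + op)
    # Validate the result before committing, so a failed change alters nothing.
    rdn_type, _, rdn_value = dn.split(",")[0].partition("=")
    if attr == rdn_type.strip().lower() and not has(new, rdn_value.strip()):
        return NOT_ALLOWED_ON_RDN
    if attr in REQUIRED and not new:
        return OBJECT_CLASS_VIOLATION
    if new:
        entry[attr] = new
    else:
        entry.pop(attr, None)
    return SUCCESS


if __name__ == "__main__":
    d = sample_directory()
    print(modify(d, CEZANNE, "add", "title", ["CEO"]), d[CEZANNE]["title"])
    print(modify(d, THATCHER, "replace", "cn", ["Maggy Thatcher"]))
```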
To perform the tests in paragraph 3.3.4, you must authenticate as:
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.4.4; definitions
for these parameters are as follows:
- <vendor-ID>: the vendor ID allocated to you during the testing event; "Vendor1", "Vendor2", etc.
- <client-ID>: a sequence of IDs assigned by you to each client you plan on testing; "Client1", "Client2", ..., "Client10"; if you have more than 10 clients you wish to test, please notify the event planners so that they can make appropriate modifications to the LDIF file that will be used during the testing event.
You should replace the bracketed placeholders for these parameters in
all DNs found in this paragraph prior to performing the tests.
| Purpose |
Verify capability to add a new entry to the directory using the ADD operation. |
| Reference |
[RFC 2251] (paragraph 4.7 , pg. 34) |
| Procedure |
Add an entire new directory entry using the information below. |
| DN |
cn=Austin Powers, ou=<client-ID>, ou=<vendor-ID>, ou=Add, o=IMC, c=US |
| Attribute type |
objectclass |
| Attribute values |
top person organizationalPerson inetOrgPerson |
| Attribute type |
sn |
| Attribute value |
Powers |
| Attribute type |
cn |
| Attribute value |
Austin \"Danger\" Powers |
| Attribute type |
telephoneNumber |
| Attribute value |
+ 44 582 10101 |
| Attribute type |
mail |
| Attribute value |
secret_agent_man@imc.org |
| Attribute type |
description |
| Attribute value |
Yea Baby!! |
| Attribute type |
uid |
| Attribute value |
secret_agent_man |
| Attribute type |
description |
| Attribute value |
Behave! |
| Expected results |
A new entry should now be present in the directory with the above attributes. |
| Purpose |
Verify that servers will return a noSuchObject error message in response to an Add request that includes a specification of a non-existent superior object. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.7, pp. 34-35) |
| Procedure |
Specify a non-existent organizationalUnit value in the path of the name of a new entry for an add operation. |
| DN |
cn=Dweezle Zappa, ou=Zappaland, ou=<client-ID>, ou=<vendor-ID>, ou=Add, o=IMC, c=US |
| Attribute type |
objectclass |
| Attribute values |
top person |
| Attribute type |
sn |
| Attribute value |
Person |
| Attribute type |
cn |
| Attribute value |
Not A Person |
| Expected results |
Return code 32 (noSuchObject) should be returned. The entry should not be created. |
| Purpose |
Verify that the server will generate an invalidDNSyntax error for an Add request including an improperly-formed DN. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.7, pp. 34-35) |
| Procedure |
Specify a DN with bad syntax for an add operation. |
| DN |
cn=New Person, ou=<client-ID>, ou=<vendor-ID>, =IMC, c=US |
| Attribute type |
objectclass |
| Attribute value |
top person |
| Attribute type |
sn |
| Attribute value |
Person |
| Attribute type |
cn |
| Attribute value |
New Person |
| Expected results |
Return code 34 (invalidDNSyntax) should be returned. The entry should not have been added to the directory. |
| Purpose |
Verify that the server will generate an entryAlreadyExists error for an Add request including specification of an existing entry. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.7, pp. 34-35) |
| Procedure |
Attempt to add a new entry with the same name as an existing entry. |
| DN |
ou=<client-ID>, ou=<vendor-ID>, ou=Add, o=IMC, c=US |
| Attribute type |
objectclass |
| Attribute values |
top organizationalUnit |
| Attribute type |
ou |
| Attribute value |
<client-ID> |
| Expected results |
Return code 68 (entryAlreadyExists) should be returned. The existing entry should remain in the directory, unmodified. |
| Purpose |
Verify that the server will generate an objectClassViolation error for an Add request that is missing the specification of a mandatory attribute. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.7, pp. 34-35) |
| Procedure |
Attempt to add an alias entry without specifying the required aliasedObjectName attribute. |
| DN |
cn=Alias Entry, ou=<client-ID>, ou=<vendor-ID>, ou=Add, o=IMC, c=US |
| Attribute type |
objectclass |
| Attribute values |
top alias |
| Expected results |
Return code 65 (objectClassViolation) should be returned. The entry should not be present in the directory. |
To perform the tests in paragraph 3.3.5, you must authenticate as:
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.4.4; definitions
for these parameters are as follows:
- <vendor-ID>: the vendor ID allocated to you during the testing event; "Vendor1", "Vendor2", etc.
- <client-ID>: a sequence of IDs assigned by you to each client you plan on testing; "Client1", "Client2", ..., "Client10"; if you have more than 10 clients you wish to test, please notify the event planners so that they can make appropriate modifications to the LDIF file that will be used during the testing event.
You should replace the bracketed placeholders for these parameters in
all DNs found in this paragraph prior to performing the tests.
| Purpose |
Verify that an entry can be deleted. |
| Reference |
[RFC 2251] (paragraph 4.8, pg. 35) |
| Procedure |
Delete the entry with the DN specified below. |
| DN |
cn=Mary-Sue Milliken, ou=<client-ID>, ou=<vendor-ID>, ou=Delete, o=IMC, c=US |
| Expected results |
The entry should no longer exist. |
| Purpose |
Verify that the server will generate a noSuchObject error for a Delete request that includes a specification of a non-existent object. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.8, pg. 35) |
| Procedure |
Specify an entry that does not exist for a delete operation. |
| DN |
cn=Susan Feniger, ou=<client-ID>, ou=<vendor-ID>, ou=Delete, o=IMC, c=US |
| Expected results |
Return code 32 (noSuchObject) should be returned. No changes should have been made to the directory. |
| Purpose |
Verify that the server will generate an invalidDNSyntax error for a Delete request including an improperly-formed DN. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.8, pg. 35) |
| Procedure |
Specify a DN with bad syntax for a delete operation. |
| DN |
Sarah Thorton,<client-ID>,<vendor-ID>,Modify, IMC, US |
| Expected results |
Return code 34 (invalidDNSyntax) should be returned. The entry should not have been deleted from the directory. |
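The invalidDNSyntax tests for Search, Modify, Add and Delete above all supply a DN that fails a structural check. The validator below is an added example, not part of the BLITS suite. It checks structure only (separators, quoting, escapes, and that every RDN component is type=value with a well-formed type) and does not validate the characters inside values; "Client1" and "Vendor1" stand in for the placeholders.

```python
"""Structural check of string DNs, returning the LDAP result code."""
import re

SUCCESS, INVALID_DN_SYNTAX = 0, 34

# Attribute type: a descriptor (letter, then letters/digits/hyphens) or a dotted OID.
_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def _split(text, sep):
    """Split on sep where it is neither inside quotes nor backslash-escaped."""
    parts, current, in_quotes, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 == len(text):
                raise ValueError("dangling escape character")
            current += text[i:i + 2]      # keep the pair intact for later passes
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append(current)
            current = ""
        else:
            current += ch
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    parts.append(current)
    return parts


def check_dn(dn):
    """Return (result_code, reason) for a string DN."""
    if dn.strip() == "":
        return SUCCESS, "empty DN"
    try:
        for rdn in _split(dn, ","):
            for ava in _split(rdn, "+"):  # multi-valued RDN components
                attr_type, eq, _value = ava.strip().partition("=")
                if not eq:
                    raise ValueError(f"component {ava.strip()!r} has no '='")
                if not _TYPE.match(attr_type.strip()):
                    raise ValueError(f"bad attribute type {attr_type.strip()!r}")
    except ValueError as err:
        return INVALID_DN_SYNTAX, str(err)
    return SUCCESS, "ok"


# The malformed DNs used by the tests above, with placeholders substituted.
PAGE_BAD_DNS = [
    "cn=Tom Jones,ou, ou=Search, o=IMC, c=US",
    'ou="Any Unit, ou=Americas, ou=Search, o=IMC, c=US',
    "cn, ou, ou=Vendor1, ou=Modify, o=IMC, c=US",
    "cn=New Person, ou=Client1, ou=Vendor1, =IMC, c=US",
    "Sarah Thorton,Client1,Vendor1,Modify, IMC, US",
]

if __name__ == "__main__":
    for dn in PAGE_BAD_DNS:
        print(check_dn(dn), dn)
```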
| Purpose |
Verify that the server will generate an invalidDNSyntax error for a Delete request specifying the removal of an object that has children. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.8, pg. 35) |
| Procedure |
Attempt to remove an entry which has entries below it in the tree. |
| DN |
ou=<vendor-ID>, ou=Delete, o=IMC, c=US |
| Expected results |
Return code 66 (notAllowedOnNonLeaf) should be returned. The object should not have been removed from the directory. |
To perform the tests in paragraph 3.3.6, you must authenticate as:
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.3.3;
definitions for these parameters are as follows:
- <vendor-ID>: the vendor ID allocated to you during the testing event; "Vendor1", "Vendor2", etc.
- <client-ID>: a sequence of IDs assigned by you to each client you plan on testing; "Client1", "Client2", ..., "Client10"; if you have more than 10 clients you wish to test, please notify the event planners so that they can make appropriate modifications to the LDIF file intended for use during the testing event.
You should replace the bracketed placeholders for these parameters in all DNs
found in this paragraph prior to performing the tests.
| Purpose |
Verify that RDNs can be modified. |
| Reference |
[RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure |
Change the RDN of the entry specified below. |
| DN |
cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN |
cn=Paul Newman |
| Expected results |
The new distinguished name of this entry should be cn=Paul Newman, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Purpose |
Verify that RDNs can be modified. |
| Reference |
[RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure |
Change the RDN of the entry specified below. |
| DN |
cn=Paul Hoffman, ou=Current Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN |
cn=Paul Hoffman |
| New Superior |
ou=New Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Expected results |
The new distinguished name of this entry should be cn=Paul Hoffman, ou=New Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Purpose |
Verify that RDNs can be modified. |
| Reference |
[RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure |
Change the RDN of the entry specified below. |
| DN |
cn=Paul Revere, ou=Current Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN |
cn=Paul McCartney |
| New Superior |
ou=New Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Expected results |
The new distinguished name of this entry should be cn=Paul McCartney, ou=New Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Purpose |
Verify that the parent object of a subtree can be renamed. |
| Reference |
[RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure |
Rename the subtree based at the object specified below. |
| Base DN |
ou=Current Subtree, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN |
ou=New Subtree |
| Delete RDN Flag |
FALSE |
| Expected results |
The new distinguished names of objects in this subtree are now rooted at ou=New Subtree, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US. The old base object should not exist. The attribute-value pair ou=Current Subtree will remain associated with the entry with the base DN defined above. |
| Purpose |
Verify that subtrees can be moved to a new parent. |
| Reference |
[RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure |
Move the subtree based at the object specified below. |
| Base DN |
ou=Static, ou=Current Base, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN |
ou=Static |
| New Superior |
ou=New Base, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Delete RDN Flag |
TRUE |
| Expected results |
The new distinguished names of objects in this subtree are now rooted at ou=Static, ou=New Base, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US. The old base object should not exist. The attribute-value pair: ou=TBD will remain associated with the entry with the base DN defined above. |
| Purpose |
Verify that subtrees can be moved to a new parent. |
| Reference |
[RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure |
Move the subtree based at the object specified below. |
| Base DN |
ou=Old Subtree, ou=Old Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN |
ou=Not So Old Subtree |
| New Superior |
ou=Not So Old Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Delete RDN Flag |
TRUE |
| Expected results |
The new distinguished names of objects in this subtree are now rooted at ou=Not So Old Subtree, ou=Not So Old Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US. The old base object should not exist. The attribute-value pair: ou=TBD will remain associated with the entry with the base DN defined above. |
| Purpose |
Verify that the server will generate an entryAlreadyExists error for ModifyDN request including specification of parameters corresponding to an existing entry. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure |
Attempt to rename an entry to a name that already exists. |
| DN |
cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN |
cn=Margaret Thatcher |
| Expected results |
Return code 68 (entryAlreadyExists) should be returned. Both the entry for which the change was intended and the existing entry should remain in the directory, unmodified. |
| Purpose |
Verify that the server will generate a noSuchObject error for a Modify DN request that includes a specification of a non-existent object. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure |
Specify a name change for an entry that does not exist on this server using a Modify DN request. |
| DN |
cn=No Person, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN |
cn=Does not matter |
| Expected results |
Return code 32 (noSuchObject) should be returned. No changes should have been made to the directory. |
| Purpose |
Verify that the server will generate an invalidDNSyntax error for a Delete request including an improperly-formed DN. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure |
Specify a DN with bad syntax for a ModifyDN operation. |
| DN |
, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN |
cn=Missing Person |
| Expected results |
Return code 34 (invalidDNSyntax) should be returned. |
| Purpose |
Verify that the server will generate an invalidDNSyntax error for a Delete request including an improperly-formed RDN. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure |
Specify a RDN with bad syntax for a ModifyDN operation. |
| DN |
cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN |
Maggy Thatcher |
| Expected results |
Return code 34 (invalidDNSyntax) should be returned. The entry should not have been deleted from the directory. |
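The ModifyDN tests above, worked through as an added example that is not part of the BLITS suite: an in-memory Python model that applies the new RDN, new superior and delete-old-RDN flag to a small directory and returns the result codes the error tests expect (68, 32, 34). The class and function names, the Client1/Vendor1 values substituted for the placeholders, the cn=Leaf child entry and the use of result code 53 for a move beneath itself are assumptions of this model; DN parsing is simplified to single-valued RDNs without escaped commas.

```python
# Added model of ModifyDN semantics; not a real LDAP server or client.
SUCCESS, NO_SUCH_OBJECT, INVALID_DN_SYNTAX = 0, 32, 34
UNWILLING_TO_PERFORM, ENTRY_ALREADY_EXISTS = 53, 68
# <client-ID> and <vendor-ID> filled in with the page's example values.
BASE = "ou=Client1, ou=Vendor1, ou=ModifyDN, o=IMC, c=US"


class InvalidDN(ValueError):
    """A DN component is not of the form type=value."""


def parse_dn(text):
    """Return a DN as a tuple of (type, value) pairs, leaf RDN first.

    Simplification: single-valued RDNs and no escaped commas.
    """
    if not text.strip():
        return ()
    rdns = []
    for part in text.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise InvalidDN(part)
        rdns.append((attr.strip().lower(), value.strip()))
    return tuple(rdns)


def key(dn):
    """Case-insensitive form of a parsed DN, used for lookups."""
    return tuple((attr, value.lower()) for attr, value in dn)


def dn_str(dn):
    return ", ".join(f"{attr}={value}" for attr, value in dn)


class Directory:
    def __init__(self, dns=()):
        self.entries = {}  # key(dn) -> (parsed dn, {attribute type: [values]})
        for text in dns:
            dn = parse_dn(text)
            self.entries[key(dn)] = (dn, {dn[0][0]: [dn[0][1]]})

    def names(self):
        return sorted(dn_str(dn) for dn, _ in self.entries.values())

    def attributes(self, dn_text):
        return self.entries[key(parse_dn(dn_text))][1]

    def modify_dn(self, dn_text, new_rdn_text, delete_old_rdn, new_superior=None):
        try:
            old, new_rdn = parse_dn(dn_text), parse_dn(new_rdn_text)
            parent = old[1:] if new_superior is None else parse_dn(new_superior)
        except InvalidDN:
            return INVALID_DN_SYNTAX
        if not old or len(new_rdn) != 1:
            return INVALID_DN_SYNTAX
        if key(old) not in self.entries:
            return NO_SUCH_OBJECT
        if new_superior is not None and key(parent) not in self.entries:
            return NO_SUCH_OBJECT
        depth = len(old)
        if key(parent)[-depth:] == key(old):
            return UNWILLING_TO_PERFORM  # model's choice: no move beneath itself
        new = new_rdn + parent
        if key(new) != key(old) and key(new) in self.entries:
            return ENTRY_ALREADY_EXISTS
        # Re-root the base entry and every subordinate in one step.
        moved = {}
        for k in [k for k in self.entries if k[-depth:] == key(old)]:
            dn, attrs = self.entries.pop(k)
            moved_dn = dn[: len(dn) - depth] + new
            moved[key(moved_dn)] = (moved_dn, attrs)
        self.entries.update(moved)
        # Maintain the naming attribute on the renamed base entry.
        attrs = self.entries[key(new)][1]
        (old_type, old_value), (new_type, new_value) = old[0], new_rdn[0]
        if (old_type, old_value.lower()) != (new_type, new_value.lower()):
            values = attrs.setdefault(new_type, [])
            if new_value.lower() not in [v.lower() for v in values]:
                values.append(new_value)
            if delete_old_rdn:
                attrs[old_type] = [v for v in attrs.get(old_type, [])
                                   if v.lower() != old_value.lower()]
        return SUCCESS


def sample_directory():
    """Constructed entries mirroring the names used in the tests above."""
    return Directory([
        BASE,
        "cn=Paul Cezanne, " + BASE,
        "cn=Margaret Thatcher, " + BASE,
        "ou=Current Parent, " + BASE,
        "cn=Paul Revere, ou=Current Parent, " + BASE,
        "ou=New Parent, " + BASE,
        "ou=Current Subtree, " + BASE,
        "cn=Leaf, ou=Current Subtree, " + BASE,  # constructed subordinate
    ])
```

Because every error path returns before the directory is touched, the model also satisfies the "no changes should have been made" half of the expected results, which is the part a test client most easily forgets to check.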
| Purpose |
Verify return of FALSE return code for Compare request. |
| Reference |
[RFC 2251] (paragraph 4.10, pp. 37-38) |
| Procedure |
Send a Compare request to a server constructed using the information shown below. |
| DN |
cn=Margaret Thatcher, ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US |
| Attribute type |
title |
| Attribute value |
Directory (correct value is Director; extra 'y' was included in purported title attribute value) |
| Expected results |
Result code 5 (compareFalse) should be returned. |
| Purpose |
Verify return of TRUE return code for Compare request. |
| Reference |
[RFC 2251] (paragraph 4.10, pp. 37-38) |
| Procedure |
Send a Compare request to a server constructed using the information shown below. |
| DN |
cn=Margaret Thatcher, ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US |
| Attribute type |
title |
| Attribute value |
Director |
| Expected results |
Result code 6 (compareTrue) should be returned. |
| Purpose |
Verify that server generates a noSuchAttribute error message for Compare request that includes a purported AVA not present in an entry. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.10, pp. 37-38) |
| Procedure |
On a Compare request, specify an AVA whose attribute type is not present in the target entry. |
| DN |
cn=Margaret Thatcher, ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US |
| Attribute type |
internationaliSDNNumber |
| Attribute value |
+1 810 555 3333 |
| Expected results |
Return code 16 (noSuchAttribute) should be returned. |
| Purpose |
Verify that the server will generate a noSuchObject error for a Compare request that includes a specification of a non-existent object. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.10, pp. 37-38) |
| Procedure |
Specify an AVA that will not match an existing directory entry. |
| DN |
cn=Nobody Here, ou=Americas, ou=Search, o=IMC, c=US |
| Attribute type |
sn |
| Attribute value |
Here |
| Expected results |
Return code 32 (noSuchObject) should be returned. |
| Purpose |
Verify that the server will generate an invalidDNSyntax error for a Compare request including an improperly-formed DN. |
| Reference |
[RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.10, pp. 37-38) |
| Procedure |
Specify a DN with bad syntax for a Compare request. |
| DN |
cn=Margaret Thatcher, ou=Help Desk, ouIT, ou=Americas, ou=Search, o=IMC, c=US |
| Attribute type |
telephoneNumber |
| Attribute value |
825-0008 |
| Expected results |
Return code 34 (invalidDNSyntax) should be returned. |
TBD, but to be based on the following cases:
- Test that the server returns the correct error for unrecognized extended operation [RFC 2251]
- Test unrecognized critical extension [RFC 2251]
- Test that the server does not return an error for unrecognized non-critical extension [RFC 2251]
- Test correct handling of UNICODE composite characters
TBD but based on [RFC 2253].
The descriptions of these tests assume that the certificates generated by CA1 are used. These certificates are found in directory certs1 and are as per the CATS description. A further set of certificates that could equally well be used, generated by CA2, is provided in directory certs2. Where other certificate generators participate in testing, and are assigned ids CA3, CA4, etc., the tests can also be performed with their certificates. For the certificate generator product allocated identity <CA-ID>, the DIT subtree rooted at ou=<CA-ID>, ou=CAs, o=IMC, c=US is used (e.g. for certificate generator product 3, the DIT subtree rooted at ou=CA3, ou=CAs, o=IMC, c=US is used).
Note that the certificates in directories certs1 and certs2 are in DER format.
| Purpose |
Search for entry containing a user certificate. |
| Reference |
[RFC 2559] (paragraph 6.2, pp. 6-7) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Certificates, ou=CA1, ou=CAs, o=IMC, c=US |
| Base (dc-naming) |
dc=Certificates, dc=CA1, dc=CAs, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(&(sn=Brush)(userCertificate=*)) |
| Expected results |
The following entry should be returned: Basil Brush.
The entry should include two certificates. |
| Purpose |
Search for entry not containing a user certificate. |
| Reference |
[RFC 2559] (paragraph 6.2, pp. 6-7) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Certificates, ou=CA1, ou=CAs, o=IMC, c=US |
| Base (dc-naming) |
dc=Certificates, dc=CA1, dc=CAs, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(&(sn=Brush)(!(userCertificate=*))) |
| Expected results |
The following entry should be returned: Bertram Brush.
The entry should not include a certificate. |
| Purpose |
Search for entry containing a CA certificate. |
| Reference |
[RFC 2559] (paragraph 6.2, pp. 6-7) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=CAs, o=IMC, c=US |
| Base (dc-naming) |
dc=CAs, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
cACertificate=* |
| Expected results |
Two entries - CA<n> and BadCA<n> - should
be returned for each certificate generator participating
in the tests. Each entry returned should include a
cACertificate attribute. |
| Purpose |
Search for entry not containing a CA certificate. |
| Reference |
[RFC 2559] (paragraph 6.2, pp. 6-7) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=Certificates, ou=CA1, ou=CAs, o=IMC, c=US |
| Base (dc-naming) |
dc=Certificates, dc=CA1, dc=CAs, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(&(sn=Brush)(!(cACertificate=*))) |
| Expected results |
Two entries should be returned:
Basil Brush (This entry should include two user certificates);
Bertram Brush (This entry should not include a certificate). |
| Purpose |
Search for entry containing a Certificate Revocation List. |
| Reference |
[RFC 2559] (paragraph 6.2, pp. 6-7) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated below. |
| Base |
ou=CAs, o=IMC, c=US |
| Base (dc-naming) |
dc=CAs, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter |
certificateRevocationList=* |
| Expected results |
An entry - CA<n> - should
be returned for each certificate generator participating
in the tests. Each entry returned should include a
certificateRevocationList attribute. |
| Purpose |
Compare using userCertificate attribute. |
| Reference |
[RFC 2251] (paragraph 4.10, pp. 37-38) (Note that neither [LDAP_PR] nor [RFC 2559] requires the compare operation to be supported for certificate attributes.) |
| Procedure |
Send a Compare request to a server constructed using the information shown below. |
| DN |
cn=Charles Fox, ou=Certificates, ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type |
userCertificate |
| Attribute value |
The certificate in file certs1/charles_fox |
| Expected results |
Result code 6 (compareTrue) should be returned. |
To perform the tests in paragraph 3.3.11.3, you must authenticate as:
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.3.11.3; definitions for these parameters are as follows:
- <vendor-ID>: the vendor ID allocated to you during the testing event; "Vendor1", "Vendor2", etc.
- <client-ID>: a sequence of IDs assigned by you to each client you plan on testing; "Client1", "Client2", ..., "Client10". If you have more than 10 clients you wish to test, please notify the event planners so that they can make appropriate modifications to the LDIF file that will be used during the testing event.
You should replace the bracketed placeholders for these parameters in all DNs found in this paragraph prior to performing the tests.
| Purpose |
Verify capability to add a new entry to the directory with
userCertificate attribute. |
| Reference |
[RFC 2251] (paragraph 4.7, pg. 34) |
| Procedure |
Add an entire new directory entry using the information below. |
| DN |
cn=Lawrence Lamb, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateAdd,
ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type |
objectclass |
| Attribute values |
top person organizationalPerson inetOrgPerson |
| Attribute type |
sn |
| Attribute value |
Lamb |
| Attribute type |
cn |
| Attribute value |
Lawrence Lamb |
| Attribute type |
telephoneNumber |
| Attribute value |
+ 44 1189 500 001 |
| Attribute type |
mail |
| Attribute value |
lawrence@maff.gov.uk |
| Attribute type |
userCertificate |
| Attribute value |
The certificate for Lawrence Lamb in file certs1/lawrence_lamb |
| Expected results |
A new entry should now be present in the directory with the above attributes. |
| Purpose |
Verify that a userCertificate attribute type is created when a request is made for adding a userCertificate attribute value when the userCertificate attribute type does not currently exist for an entry. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Add the first value of a userCertificate attribute type. |
| DN |
cn=Richard Bird, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify,
ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type |
userCertificate |
| Attribute value |
The certificate for Richard Bird in file certs1/richard_bird |
| Expected results |
Entry should now include the certificate for Richard Bird. |
| Purpose |
Verify that an additional value can be added to an existing attribute. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Add a second attribute value of an attribute type. |
| DN |
cn=Michael Fish, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify,
ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type |
userCertificate |
| Attribute value |
The Michael Fish Current Certificate in file certs1/michael_fish_current |
| Expected results |
Entry should now have two certificates. |
| Purpose |
Verify that a cACertificate attribute type is created when a request
is made for adding a cACertificate attribute value when the cACertificate
attribute type does not currently exist for an entry. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Add the first value of a cACertificate attribute type. |
| DN |
ou=Swallow Bank, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify,
ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type |
cACertificate |
| Attribute value |
The CA certificate for the Swallow Bank in file certs1/swallow_bank |
| Expected results |
Entry should now include the CA certificate for the Swallow Bank. |
| Purpose |
Verify that a certificateRevocationList attribute type is created
when a request is made for adding a certificateRevocationList attribute value
when the certificateRevocationList attribute type does not currently exist
for an entry. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Add the first value of a certificateRevocationList attribute type. |
| DN |
ou=Swallow Bank, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify,
ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type |
certificateRevocationList |
| Attribute value |
The CA CRL in file certs1/swallow_crl |
| Expected results |
Entry should now include the CRL for the Swallow Bank. |
| Purpose |
Verify deletion of a single value for a multi-valued attribute. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Delete one of two attribute values for an attribute type. |
| DN |
cn=Tony Hart, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify,
ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type |
userCertificate |
| Attribute value |
The Tony Hart Expired Certificate in file certs1/tony_hart_expired |
| Expected results |
Entry should now have just the certificate contained in file certs1/tony_hart_current |
| Purpose |
Verify that a single-valued userCertificate attribute can be deleted using the MODIFY operation. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure |
Delete the only attribute for a userCertificate attribute type. |
| DN |
cn=Quintain Hogg, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify,
ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type |
userCertificate |
| Attribute value |
The certificate stored in certs1/quintain_hogg |
| Expected results |
Entry should now have no userCertificate attributes. |
| Purpose |
Verify that a userCertificate attribute can be replaced. |
| Procedure |
Replace an attribute value for an attribute type using a Modify request. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33) |
| DN |
cn=John Prescott, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify,
ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type |
userCertificate |
| Attribute value |
The John Prescott Current Certificate in file certs1/john_prescott_current |
| Expected results |
The value of the userCertificate attribute should be changed as above. |
| Purpose |
Page completely through a multi-page set of results. |
| Reference |
[PAGING] (paragraphs 2, 3, 4) |
| Procedure |
Make a search request asking for paged results
with a page size of 3.
After initial response, request the next page. |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
dnqualifier<=91100105 |
| Expected results |
Initial request results in three entries plus an indication
of 5 total entries in the search result.
Second request results in a further two entries plus an indication
that there are no more entries. |
| Purpose |
Abort paging part-way through a multi-page set of results. |
| Reference |
[PAGING] (paragraphs 2, 3) |
| Procedure |
Make a search request asking for paged results
with a page size of 3.
After initial response, request the next page.
After second page displayed, abort the search.
Then make a new search with a different filter. |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter for First Request |
givenname=Adam |
| Filter for Second Request |
givenname=Adrian |
| Expected results |
Initial request results in three entries plus an indication
of 26 total entries in the search result.
Second request results in a further three entries plus an indication
that there are more entries.
Third request indicates that there are no matching entries. |
| Purpose |
Sort a set of results on a single numeric attribute. |
| Reference |
[SORTING] (paragraphs 3, 4) |
| Procedure |
Make a search request asking for sorted results. |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
dnqualifier<=91100105 |
| Sort Key |
dnqualifier |
| Expected results |
Five entries are displayed in order of
employee number (and reverse alphabetical order of name). |
| Purpose |
Sort a set of results on a single alphabetic attribute. |
| Reference |
[SORTING] (paragraphs 3, 4) |
| Procedure |
Make a search request asking for sorted results. |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
dnqualifier<=91100105 |
| Sort Key |
givenname |
| Expected results |
Five entries are displayed in alphabetical order of name. |
| Purpose |
Sort a set of results on multiple attributes. |
| Reference |
[SORTING] (paragraphs 3, 4) |
| Procedure |
Make a search request asking for sorted results using
two sort keys. |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(&(dnqualifier>=91100125)(dnqualifier<=91100128)) |
| First Sort Key |
sn |
| Second Sort Key |
dnqualifier |
| Expected results |
Four entries are displayed in order Zoe York, Yuri York,
Belinda Zions, Adam Zions. |
| Purpose |
Sort in reverse order. |
| Reference |
[SORTING] (paragraphs 3, 4) |
| Procedure |
Make a search request asking for sorted results in reverse order. |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
dnqualifier<=91100105 |
| Sort Key |
dnqualifier |
| Expected results |
Five entries are displayed in alphabetical order of name
(but reverse order of employee number). |
| Purpose |
Test that a Paged, Sorted Set is in Correct Order. |
| Reference |
[PAGING] (paragraphs 2, 3)
[SORTING] (paragraphs 3, 4, 5) |
| Procedure |
Make a search request asking for results to be sorted
and paged with a page size of 3.
Page through the results. |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter for First Request |
givenname=Adam |
| Sort Key |
dnqualifier |
| Expected results |
Results are displayed in order of employee number
(which is inverse alphabetical order) consistently across all
pages, not just within each page. |
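The paging and sorting tests above, as an added example that is not part of the BLITS suite: a Python model of the server side of a paged search that sorts the whole result set before cutting the first page, hands out an opaque cookie per unfinished search, and releases that state when the client abandons the sequence (page size 0 with the last cookie, as RFC 2696 specifies). The class, function and field names are assumptions, the entries are constructed, and rejecting an unknown cookie with an exception is this model's choice.

```python
import secrets

# Constructed data: five low employee numbers whose names run in reverse
# alphabetical order, plus eight entries named Adam.
PEOPLE = [{"dnqualifier": str(91100101 + i), "givenname": name}
          for i, name in enumerate(["Zoe", "Yuri", "Xena", "Will", "Vera"])]
PEOPLE += [{"dnqualifier": str(91100106 + i), "givenname": "Adam"}
           for i in range(8)]


class PagedSearchServer:
    """Added model of a server handling paged, optionally sorted searches."""

    def __init__(self, entries):
        self.entries = entries
        self.pending = {}  # cookie -> (results not yet returned, total size)

    def search(self, matches, page_size, cookie=b"", sort_key=None, reverse=False):
        """Return (page, cookie, size_estimate); an empty cookie ends paging."""
        if cookie:
            if cookie not in self.pending:
                raise LookupError("unknown or already released paging cookie")
            remaining, total = self.pending.pop(cookie)
            if page_size == 0:
                return [], b"", 0  # client abandoned; state is released
        else:
            remaining = [e for e in self.entries if matches(e)]
            if sort_key is not None:
                # Sort the complete result set once, before any page is cut,
                # so the order holds across pages and not only within one.
                remaining.sort(key=lambda e: e[sort_key], reverse=reverse)
            total = len(remaining)
        if page_size < 1:
            raise ValueError("page size must be positive")
        page, rest = remaining[:page_size], remaining[page_size:]
        if not rest:
            return page, b"", total
        next_cookie = secrets.token_bytes(8)
        self.pending[next_cookie] = (rest, total)
        return page, next_cookie, total


def fetch_all(server, matches, page_size, **sort):
    """Client loop: keep requesting pages until the server returns no cookie."""
    pages, cookie = [], b""
    while True:
        page, cookie, _ = server.search(matches, page_size, cookie, **sort)
        pages.append(page)
        if not cookie:
            return pages


def sorted_across_pages(pages, sort_key, reverse=False):
    """Check the order over the concatenation of all pages."""
    flat = [entry[sort_key] for page in pages for entry in page]
    return flat == sorted(flat, reverse=reverse)
```

The `pending` table is the part worth watching on a real server: every unfinished paged search holds state until the client finishes or abandons it, so a test client should confirm that abandoned cookies stop working.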
| Purpose |
Scroll Completely Through Large Set of results. |
| Reference |
[SORTING] (paragraphs 3, 4),
[VLV] (paragraph 5) |
| Procedure |
Make a search request asking for sorted results in reverse order.
When first page of results is displayed,
drag the scroll bar slider down to the bottom of
its range. |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
dnqualifier>=0 |
| Sort Key |
dnqualifier |
| Expected results |
The first page (starting with Adam Adams) is displayed initially.
When the slider is dragged down, the last page (ending with Zoe Zions)
is displayed. |
| Purpose |
Scroll incrementally through set of results. |
| Reference |
[SORTING] (paragraphs 3, 4),
[VLV] (paragraph 5) |
| Procedure |
Make a search request asking for sorted results in reverse order.
When the first page of results is displayed,
click on scroll bar just below slider. When a new page is
displayed, click on scroll bar just above slider. |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
dnqualifier>=0 |
| Sort Key |
dnqualifier |
| Expected results |
The first page (starting with Adam Adams) is displayed initially.
When the scroll bar is clicked below the slider, the next page
is displayed. When the scroll bar is then clicked above the slider, the first page
is displayed again. |
| Purpose |
Scroll Part Way Through Large Set of results. |
| Reference |
[SORTING] (paragraphs 3, 4),
[VLV] (paragraph 5) |
| Procedure |
Make a search request asking for sorted results in reverse order.
When first page of results is displayed,
drag the scroll bar about half way down its range. |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
dnqualifier>=0 |
| Sort Key |
dnqualifier |
| Expected results |
The first page (starting with Adam Adams) is displayed initially.
When the slider is dragged down, a page about half
way through (employees with surnames starting with M, N
or similar) is displayed. |
| Purpose |
Go to Arbitrary Place in Large Set of results. |
| Reference |
[SORTING] (paragraphs 3, 4),
[VLV] (paragraph 5) |
| Procedure |
Make a search request asking for sorted results in reverse order.
When first page of results is displayed,
type "91100533". |
| Base |
ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
dnqualifier>=0 |
| Sort Key |
dnqualifier |
| Expected results |
The first page (starting with Adam Adams) is displayed initially.
After typing the number, the page of results starting
with "Jacky Jones" is displayed. |
| Purpose |
Search for entries with attributes having particular language tags. |
| Reference |
[RFC 2596] (paragraph 3.3) |
| Procedure |
Make a search request. |
| Base |
ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Languages, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
title;lang-en-us=President |
| Expected results |
The entries for George Washington,
Thomas Jefferson and Abraham Lincoln
are returned. |
| Purpose |
Search for entries with attributes that are subtypes of a tagged type. |
| Reference |
[RFC 2596] (paragraph 3.3) |
| Procedure |
Make a search request. |
| Base |
ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Languages, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
name;lang-fr=* |
| Expected results |
The entries for Marie Antoinette and
Thomas Jefferson are returned. |
| Purpose |
Search entries whose attributes have language tags without
specifying language tags in the search request. |
| Reference |
[RFC 2596] (paragraph 3.3) |
| Procedure |
Make a search request. |
| Base |
ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Languages, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
Title=Queen |
| Expected results |
The entry for Marie Antoinette is returned. |
| Purpose |
Verify return of TRUE return code for Compare request including a language tag. |
| Reference |
[RFC 2596] (paragraph 3.4) |
| Procedure |
Send a Compare request to a server constructed using the information shown below. |
| DN |
cn=William Pitt, ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Attribute type |
title |
| Attribute value |
lang-en-gb;Prime Minister |
| Expected results |
Result code 6 (compareTrue) should be returned. |
| Purpose |
Verify that server generates a noSuchAttribute error message
for Compare request that includes a language tag not present
in an entry. |
| Reference |
[RFC 2596] (paragraph 3.4) |
| Procedure |
Send a Compare request to a server constructed using the information shown below. |
| DN |
cn=William Pitt, ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Attribute type |
title |
| Attribute value |
lang-en;Prime Minister |
| Expected results |
Result code 16 (noSuchAttribute) should be returned. |
| Purpose |
Verify appropriate behavior when the list of attributes to be retrieved for an entry includes an attribute with language tags. |
| Reference |
[RFC 2596] (paragraph 3.5) |
| Procedure |
Submit a Search request with a search filter, base, scope, and attributes list as indicated below. |
| Base |
ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) |
dc=Languages, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Attributes |
cn;lang-en-gb, cn;lang-en-us |
| Filter |
dnqualifier<=91101102 |
| Expected results |
The entries for George Washington and Marie Antoinette
should be returned with attributes cn;lang-en-us: George Washington, cn;lang-en-GB: George Washington and
cn;lang-en: Marie Antoinette.
|
To perform the tests in paragraph 3.3.12.5.7, you must authenticate as:
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.3.12.5.7; definitions for these parameters are as follows:
- <vendor-ID>: the vendor ID allocated to you during the testing event; "Vendor1", "Vendor2", etc.
- <client-ID>: a sequence of IDs assigned by you to each client you plan on testing; "Client1", "Client2", ..., "Client10". If you have more than 10 clients you wish to test, please notify the event planners so that they can make appropriate modifications to the LDIF file that will be used during the testing event.
You should replace the bracketed placeholders for these parameters in all DNs found in this paragraph prior to performing the tests.
| Purpose |
Verify capability to add a new entry to the directory with attributes that
have language tags. |
| Reference |
[RFC 2596] (paragraph 3.6) |
| Procedure |
Add an entire new directory entry using the information below. |
| DN |
cn=Florence Nightingale, ou=<client-ID>, ou=<vendor-ID>, ou=ExtendedAdd, o=IMC, c=US |
| Attribute type |
objectclass |
| Attribute values |
top person organizationalPerson inetOrgPerson |
| Attribute type |
sn |
| Attribute value |
Nightingale |
| Attribute type |
cn |
| Attribute value |
Florence Nightingale |
| Attribute type |
telephoneNumber |
| Attribute value |
+ 44 171 999 1854 |
| Attribute type |
mail |
| Attribute value |
florence@nhs.gov.uk |
| Attribute type |
description;lang-en |
| Attribute value |
The lady with the lamp |
| Attribute type |
description;lang-fr |
| Attribute value |
La femme au lumiere |
| Expected results |
A new entry should now be present in the directory with the above attributes. |
| Purpose |
Verify that a single-valued attribute with language tags can be replaced. |
| Procedure |
Replace an attribute value for an attribute type using a Modify request. |
| Reference |
[RFC 2251] (paragraph 4.6, pp. 32-33)
[RFC 2596] (paragraph 3.7) |
| DN |
cn=Tony Blair, ou=<client-ID>, ou=<vendor-ID>, ou=ExtendedModify, o=IMC, c=US |
| Attribute type |
title;lang-en-gb |
| Attribute value |
First Minister |
| Expected results |
The value of the title;lang-en-gb attribute (but
not the title;lang-en-us attribute) should be changed
as above. |
- Demonstrate support for schema publication in servers.
- Check for support for schema modifications via LDAP.
- Demonstrate support for the extensibleObjectClass.
- ExtensibleObject object class on add/modify
- Demonstrate support for the dynamicObject object class.
- DynamicObject object class on add/modify
To be completed, but to be based on some or all of the following:
- Demonstrate support for IWPS [11], LIPS [12], X.520 [13], X.521 [14], and
the X.500(96) User Schema for LDAPv3 [RFC 2256]
- Demonstrate preservation of defined semantic context for attributes as
projected to users in clients.
| Purpose |
Verify that the subSchemaSubEntry is present in the root DSE. |
| Reference |
[RFC 2251] (paragraph 3.4) |
| Procedure |
Make a search request. |
| Base |
zero length DN "" |
| Scope |
base |
| Filter |
(objectclass=*) |
| Requested Attributes |
subschemasubentry |
| Expected results |
The attribute subschemasubentry is returned for the root DSE Entry. |
| Purpose |
Verify that the subSchemaSubEntry is present in any entry of the Directory. |
| Reference |
[RFC 2251] (paragraph 3.2.1) |
| Procedure |
Make a search request. |
| Base |
ou=Search, o=IMC, c=us |
| Base (dc-naming) |
dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
(cn=margaret*) |
| Requested Attributes |
subschemasubentry |
| Expected results |
2 entries are returned with only the attribute subschemasubentry. |
| Purpose |
Verify that the schema is accessible via LDAP. |
| Reference |
[RFC 2251] (paragraph 3.2.2) |
| Procedure |
Make a search request on root DSE to get the attribute subSchemaSubEntry.
Then make a base search request with the value of subSchemaSubEntry. |
| Base |
zero length DN "" |
| Scope |
base |
| Filter |
(objectclass=*) |
| Requested Attributes |
subschemasubentry |
| Expected results |
The root DSE is returned with only the attribute subschemasubentry. |
| Second Search |
|
| Base |
The value of the subschemasubentry attribute |
| Scope |
base |
| Filter |
(objectclass=subschema) |
| Requested Attributes |
objectclasses, attributetypes |
| Expected results |
The schema entry is returned with the 2 requested attributes. Each
attribute contains several values. |
To perform the tests in paragraph 3.3.13.2, you must authenticate as:
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
Note that these tests cannot be performed by several clients at the same
time because the schema is in one unique entry.
| Purpose |
Verify that an objectclass can be added in the schema. |
| Reference |
[RFC 2251] (paragraph TBD) |
| Procedure |
Add an attribute value to the attribute "objectclasses" (using the modify-add operation). |
| DN |
The schema DN is read in the root DSE (attribute subschemasubentry) |
| Attribute type |
objectclasses |
| Attribute Value |
( 1.1.1.1.1.1111 NAME 'IMCTestObject' DESC 'Useless ObjectClass for testing' SUP 'top' MUST ( cn $ telephoneNumber ) MAY ( description $ seeAlso ) ) |
| Requested Attributes |
subschemasubentry |
| Expected results |
The schema entry should have one more "objectclasses" attribute value containing the above value. |
| Purpose |
Verify that an objectclass can be deleted from the schema. |
| Reference |
[RFC 2251] (paragraph TBD) |
| Procedure |
Delete an attribute value from the attribute "objectclasses" (using the
modify-delete operation). This test must be run just after test 3.3.13.2.1 |
| DN |
The schema DN is read in the root DSE (attribute subschemasubentry) |
| Attribute type |
objectclasses |
| Attribute Value |
( 1.1.1.1.1.1111 NAME 'IMCTestObject' DESC 'Useless ObjectClass for testing' SUP 'top' MUST ( cn $ telephoneNumber ) MAY ( description $ seeAlso ) ) |
| Expected results |
The schema entry should not have the "objectclasses" attribute value for IMCTestObject. |
| Purpose |
Verify that an attribute definition can be added in the schema. |
| Reference |
[RFC 2251] (paragraph TBD) |
| Procedure |
Add an attribute value to the attribute "attributetypes" (using the modify-add operation). |
| DN |
The schema DN is read in the root DSE (attribute subschemasubentry) |
| Attribute type |
attributetypes |
| Attribute Value |
( 1.1.1.1.1.1111 NAME 'IMCTestAttr' DESC 'Useless attribute type for testing' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
| Requested Attributes |
subschemasubentry |
| Expected results |
The schema entry should have one more "attributetypes" attribute value containing the above value. |
| Purpose |
Verify that an attribute definition can be deleted from the schema. |
| Reference |
[RFC 2251] (paragraph TBD) |
| Procedure |
Delete an attribute value from the attribute "attributetypes" (using the
modify-delete operation). This test must be run just after test 3.3.13.2.3 |
| DN |
The schema DN is read in the root DSE (attribute subschemasubentry) |
| Attribute type |
attributetypes |
| Attribute Value |
( 1.1.1.1.1.1111 NAME 'IMCTestAttr' DESC 'Useless attribute type for testing' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
| Expected results |
The schema entry should not have the "attributetypes" attribute value for IMCTestAttr. |
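The expected results of the four schema update tests above depend on finding (or not finding) one definition among the values of the schema entry. The following added example, which is not part of the test suite, parses the two definitions and compares them field by field, on the assumption that a server may return a value with different whitespace, quoting or list order than the client submitted. The function names and the AFTER_ADD sample are constructed for illustration.

```python
import re

# Attribute values copied from the test tables above.
OBJECTCLASS_VALUE = (
    "( 1.1.1.1.1.1111 NAME 'IMCTestObject' DESC 'Useless ObjectClass for testing' "
    "SUP 'top' MUST ( cn $ telephoneNumber ) MAY ( description $ seeAlso ) )"
)
ATTRIBUTETYPE_VALUE = (
    "( 1.1.1.1.1.1111 NAME 'IMCTestAttr' DESC 'Useless attribute type for testing' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"
)

# Keywords that stand alone and take no value.
FLAGS = {"OBSOLETE", "ABSTRACT", "STRUCTURAL", "AUXILIARY",
         "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}

# One token: a parenthesis, the '$' list separator, a quoted string or a bare word.
_TOKEN = re.compile(r"\s*(\(|\)|\$|'[^']*'|[^\s()$']+)")


def tokenize(text):
    text = text.strip()
    tokens, pos = [], 0
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:  # e.g. an unterminated quoted string
            raise ValueError("cannot tokenize at offset %d" % pos)
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def parse_description(text):
    """Parse an objectclasses/attributetypes value into {keyword: value}."""
    tokens = tokenize(text)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("description must be enclosed in parentheses")
    body = tokens[1:-1]
    parsed = {"OID": body[0]}
    i = 1
    while i < len(body):
        keyword = body[i].upper()
        i += 1
        if keyword in FLAGS:
            parsed[keyword] = True
            continue
        if i >= len(body):
            raise ValueError("keyword %s has no value" % keyword)
        if body[i] == "(":
            # Parenthesised list; the '$' separators are dropped.
            try:
                end = body.index(")", i)
            except ValueError:
                raise ValueError("unterminated list after %s" % keyword)
            values = [t for t in body[i + 1:end] if t != "$"]
            i = end + 1
        else:
            values = [body[i]]
            i += 1
        parsed[keyword] = values
    return parsed


def canonical(text):
    """Reduce a description to a form that ignores whitespace, quoting and
    letter case of names, and the order of list members."""
    result = {}
    for keyword, value in parse_description(text).items():
        if keyword == "DESC":
            result[keyword] = value[0].strip("'")  # free text: compared exactly
        elif isinstance(value, list):
            result[keyword] = frozenset(v.strip("'").lower() for v in value)
        else:
            result[keyword] = value  # OID string or flag
    return result


def schema_has(values, expected):
    """True if any value read from the schema entry defines the same element."""
    want = canonical(expected)
    return any(canonical(v) == want for v in values)


# Constructed sample: "objectclasses" values as a server might return them after
# the modify-add, with the new definition rewritten by the server.
AFTER_ADD = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 1.1.1.1.1.1111 NAME 'IMCTestObject' DESC 'Useless ObjectClass for testing'"
    " SUP top MUST (cn $ telephoneNumber) MAY (seeAlso $ description) )",
]
AFTER_DELETE = AFTER_ADD[:1]  # the same entry once the modify-delete has run
```

A plain string comparison would report the add as failed on this sample even though the definition is present; schema_has(AFTER_ADD, OBJECTCLASS_VALUE) finds it.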
Note that RFC 2251 does not actually require the server to return a referral
in this case, and that the referral returned (if one is returned at all) will be
configuration-dependent.
| Purpose |
Test return of superior reference referral. |
| Reference |
[RFC 2251] (paragraphs 4.1.11, 4.5.3.1) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated
below. |
| Base |
o=IMC, c=US |
| Base (dc-naming) |
dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
ou=Server<n> |
| Expected results |
A referral to another server should be returned. |
Note that RFC 2251 does not actually require the server to return a referral
in this case, and that the referral returned (if one is returned at all) will be
configuration-dependent.
| Purpose |
Test return of subordinate reference referral. |
| Reference |
[RFC 2251] (paragraphs 4.1.11, 4.5.3.1) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated
below. |
| Base |
ou=Referrals, o=IMC, c=US |
| Base (dc-naming) |
dc=Referrals, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
ou=Server<n> |
| Expected results |
A referral to another server should be returned. |
| Purpose |
Test return of referral for search operation where the base contains a ref
attribute. |
| Reference |
[NAMEDREF] (paragraph 5.1.1.2, case 2) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated
below, when bound to a server other than server<n>. |
| Base |
ou=Server<n>, ou=Servers, o=IMC, c=US |
| Base (dc-naming) |
dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org |
| Scope |
base/single-level/subtree |
| Filter |
ou=Server<n> |
| Expected results |
The following referral should be returned:
ldap://server<n>.dc.opengroup.org/ou=Server<n>, ou=Servers, o=IMC, c=US (x.500 naming) or
ldap://server<n>.dc.opengroup.org/dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org (dc naming) |
| Purpose |
Test return of referral for modify operation where the target contains a ref
attribute. |
| Reference |
[NAMEDREF] (paragraph 5.1.1.2, case 2) |
| Procedure |
Attempt to add an attribute value, when bound to a server other than server<n>. |
| DN (X.500 naming) |
ou=Server<n>, ou=Servers, o=IMC, c=US |
| DN (dc naming) |
dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org |
| Attribute type |
telephoneNumber |
| Attribute value |
+33 1 234 5678 |
| Expected results |
The following referral should be returned:
ldap://server<n>.dc.opengroup.org/ (x.500 naming) or
ldap://server<n>.dc.opengroup.org/ (dc naming) |
| Purpose |
Test return of referral for search operation where the base is subordinate
to an entry that contains a ref
attribute. |
| Reference |
[NAMEDREF] (paragraph 5.1.1.2, case 3) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated
below, when bound to a server other than server<n>. |
| Base |
cn=John Humphries, ou=Server<n>, ou=Servers, o=IMC, c=US |
| Base (dc-naming) |
cn=John Humphries, dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org |
| Scope |
base |
| Filter |
telephoneNumber=* |
| Expected results |
The following referral should be returned:
ldap://server<n>.dc.opengroup.org/ou=Server<n>, ou=Servers, o=IMC, c=US (x.500 naming) or
ldap://server<n>.dc.opengroup.org/dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org (dc naming) |
| Purpose |
Test return of referral for modify operation where the target contains a ref
attribute. |
| Reference |
[NAMEDREF] (paragraph 5.1.1.2, case 3) |
| Procedure |
Attempt to add an attribute value, when bound to a server other than server<n>. |
| DN (X.500 naming) |
cn=John Humphries, ou=Server<n>, ou=Servers, o=IMC, c=US |
| DN (dc naming) |
cn=John Humphries, dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org |
| Attribute type |
facsimileTelephoneNumber |
| Attribute value |
+44 181 432 2000 |
| Expected results |
The following referral should be returned:
ldap://server<n>.dc.opengroup.org/ (x.500 naming) or
ldap://server<n>.dc.opengroup.org/ (dc naming) |
| Purpose |
Test return of referral for single-level search operation where an entry
that contains a ref attribute is found. |
| Reference |
[NAMEDREF] (paragraph 5.1.1.3) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated
below, when bound to a server other than server<n>. |
| Base |
ou=Servers, o=IMC, c=US |
| Base (dc-naming) |
dc=Servers, dc=Relative, dc=IMC, dc=org |
| Scope |
single-level |
| Filter (X.500 naming) |
ou=Server<n> |
| Filter (dc naming) |
dc=Server<n> |
| Expected results |
The following referral should be returned:
ldap://server<n>.dc.opengroup.org/ou=Server<n>,ou=Servers,o=IMC,c=US??base (x.500 naming) or
ldap://server<n>.dc.opengroup.org/dc=Server<n>,dc=Servers,dc=Relative,dc=IMC,dc=org??base (dc naming) |
| Purpose |
Test return of referral for subtree search operation where an entry that contains a ref
attribute is found. |
| Reference |
[NAMEDREF] (paragraph 5.1.1.4) |
| Procedure |
Submit a Search request with a search filter, base, and scope as indicated
below, when bound to a server other than server<n>. |
| Base |
ou=Servers, o=IMC, c=US |
| Base (dc-naming) |
dc=Servers, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
cn=John Humphries |
| Expected results |
The following continuation references should be returned:
ldap://server<n>.dc.opengroup.org/ou=Server<n>,ou=Servers,o=IMC,c=US (x.500 naming) or
ldap://server<n>.dc.opengroup.org/dc=Server<n>,dc=Servers,dc=Relative,dc=IMC,dc=org (dc naming)
There should be 19 continuation references returned: <n>=1, ..., 20, except
the value of <n> for the server to which the client is bound.
|
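The referral tests above give their expected results as LDAP URLs. The following added example, which is not part of the test suite, parses a returned URL and checks the single-level and subtree results without depending on spacing, letter case or percent-encoding. The function names and the sample server output are constructed for illustration.

```python
from urllib.parse import unquote

HOST = "server%d.dc.opengroup.org"  # host pattern from the expected results
DN = {"x500": "ou=Server%d,ou=Servers,o=IMC,c=US",
      "dc": "dc=Server%d,dc=Servers,dc=Relative,dc=IMC,dc=org"}


def normalize_dn(dn):
    """Drop optional spaces around ',' and '=' and fold case, so that
    'ou=Servers, o=IMC' and 'OU=servers,O=imc' compare equal. Folding the
    values is valid for the case-insensitive ou/o/c/dc attributes used here."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            current, escaped = current + ch, True
        elif ch == ",":  # an unescaped comma ends an RDN
            rdns.append(current)
            current = ""
        else:
            current += ch
    if current.strip() or rdns:
        rdns.append(current)
    pairs = (rdn.partition("=") for rdn in rdns)
    return ",".join(a.strip().lower() + "=" + v.strip().lower() for a, _, v in pairs)


def parse_ldap_url(url):
    """Split ldap://host[:port]/dn?attributes?scope?filter?extensions."""
    scheme, sep, rest = url.strip().partition("://")
    if not sep or scheme.lower() != "ldap":
        raise ValueError("not an ldap URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = tail.split("?")
    if len(fields) > 5:
        raise ValueError("too many '?' fields in %r" % url)
    dn, attrs, scope, filt, _ext = fields + [""] * (5 - len(fields))
    if scope.lower() not in ("", "base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return {
        "host": host.lower(),
        "port": int(port) if port else 389,
        "dn": normalize_dn(unquote(dn)),
        "attributes": [a for a in unquote(attrs).split(",") if a],
        # None when absent: in a referral the client then keeps the scope
        # of its original request, so an explicit "base" is significant.
        "scope": scope.lower() or None,
        "filter": unquote(filt) or None,
    }


def check_single_level_referral(url, n, naming="x500"):
    """Single-level search test: the referral must name the entry for
    server <n> and carry an explicit base scope ('??base')."""
    ref = parse_ldap_url(url)
    return (ref["host"] == HOST % n
            and ref["dn"] == normalize_dn(DN[naming] % n)
            and ref["scope"] == "base")


def check_subtree_references(urls, bound_server, naming="x500"):
    """Subtree search test: one continuation reference per server 1..20
    except the one the client is bound to. Returns (missing, unexpected)."""
    want = {(HOST % n, normalize_dn(DN[naming] % n))
            for n in range(1, 21) if n != bound_server}
    got = set()
    for url in urls:
        ref = parse_ldap_url(url)
        got.add((ref["host"], ref["dn"]))
    return want - got, got - want


def sample_references(bound_server):
    """Constructed server output: the expected references in varied spelling."""
    odd = "ldap://SERVER%d.dc.opengroup.org/ou=Server%d,%%20ou=Servers,%%20o=IMC,%%20c=US"
    even = "ldap://server%d.dc.opengroup.org:389/OU=server%d,ou=Servers,o=IMC,c=US"
    return [(odd if n % 2 else even) % (n, n)
            for n in range(1, 21) if n != bound_server]
```

A single-level referral that omits "??base" fails check_single_level_referral, because a client following it would repeat the single-level scope on the referred server and not read the named entry itself.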
The tests in this section are designed to be performed with multiple
certificate generation products. Their descriptions refer to "CA1" and
"CA2", but if other sets of certificates as described in CATS
are available, then these could be substituted. See the description in 3.3.11.
Each participating server is allocated a unique number <n>. Server <n> should use
the Server<n> certificate generated by CA1 (in file certs1/serv<n>) to secure TLS
connections.
Clients that can validate server certificates should be set up to accept
certificates that can be validated by the CA1 root certificate (which is in file
certs1/ca_root).
The servers should be set up as follows:
- Clients binding anonymously should not be required
to provide a certificate.
- Clients binding as users with entries in the subtree
rooted at ou=Security, o=IMC, c=US should not be required
to provide a certificate.
- Clients binding as users with entries in the subtree
rooted at ou=CAs, o=IMC, c=US should be required
to provide a certificate.
For the tests in this section, clients should use the START TLS mechanism.
| Purpose |
Test TLS-protected simple anonymous bind. |
| Reference |
[RFC 2829] (paragraph 5.2), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS.
Issue an LDAP anonymous BIND request. |
| Expected results |
The test is successful if the LDAP connection can be established without errors.
Search requests should now be accepted and processed by the server. |
| Purpose |
Test authenticated TLS-protected simple bind with correct credentials. |
| Reference |
[RFC 2829] (paragraph 6.2), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS.
Test authenticated Bind as 'Henri Matisse' with a correct password ('Henri001'). |
| DN |
cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password |
Henri001 |
| Expected results |
The test is successful if the Bind is successful.
Search requests should now be accepted and processed by the server. |
| Purpose |
Test TLS Certificate bind with valid certificate. |
| Reference |
[RFC 2829] (paragraph 7.1), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS with Certificate authentication.
Load certificate generated by product with id CA1 for
Pablo Picasso (file certs1/pablo_picasso).
Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate
clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US
subtree of the DIT.
Test authenticated Bind as user with DN below. |
| DN |
cn=Pablo Picasso, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results |
The test is successful if the Bind is successful.
Search requests should now be accepted and processed by the server. |
| Purpose |
Test TLS Certificate bind with expired certificate. |
| Reference |
[RFC 2829] (paragraph 7.1), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS with Certificate authentication.
Load certificate generated by product with id CA1 for
John Constable (file certs1/john_constable).
Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate
clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US
subtree of the DIT.
Test authenticated Bind as user with DN below. |
| DN |
cn=John Constable, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results |
Result code 49 (invalidCredentials) should be returned.
The Bind should fail. The server may not accept and process requests;
if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Test TLS Certificate bind with an end-user certificate that must be validated by a root
certificate generated by a product other than that used to generate the
end-user certificate. |
| Reference |
[RFC 2829] (paragraph 7.1), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS with Certificate authentication.
Load certificate generated by product with id CA2 for
William CA2 Turner in the CA1 branch of the DIT (file
certs2/william_ca1_turner). Configure server to use the CA1 Root Certificate
(file certs1/ca_root) to authenticate
clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US
subtree of the DIT.
Test authenticated Bind as user with DN below. |
| DN |
cn=William CA2 Turner, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results |
The test is successful if the Bind is successful.
Search requests should now be accepted and processed by the server. |
| Purpose |
Test TLS Certificate bind when there is a revoked certificate in the
certification path. |
| Reference |
[RFC 2829] (paragraph 7.1), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS with Certificate authentication.
Load certificate generated by product with id CA2 for
Georges CA2 Braque in the CA1 branch of the DIT (in file
certs2/georges_ca1_braque).
Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate
clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US
subtree of the DIT.
Test authenticated Bind as user with DN below. |
| DN |
cn=Georges CA2 Braque, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results |
Result code 49 (invalidCredentials) should be returned.
The Bind should fail. The server may not accept and process requests;
if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Test authenticated TLS-protected simple bind with incorrect credentials. |
| Reference |
[RFC 2829] (paragraph 6.2), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraphs 4.1.10, 4.2) |
| Procedure |
Configure client to use TLS.
Test authenticated Bind as 'Henri Matisse' with incorrect password ('Henri111'). |
| DN |
cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password |
Henri111 |
| Expected results |
Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Test bind without using TLS when TLS is required. |
| Reference |
[RFC 2251] (paragraphs 4.1.10, 4.2.3) |
| Procedure |
Configure client to not use TLS.
Test simple authenticated Bind as 'Henri Matisse' with a correct password ('Henri001'). |
| DN |
cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password |
Henri001 |
| Expected results |
Result code 8 (strongAuthRequired) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Test abrupt closure of TLS connection. |
| Reference |
[RFC 2829] (paragraph 6.2), [RFC 2830] (paragraphs 2.1 and 4.2), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS and establish connection.
Make any search request and await results.
Take some action that will close the underlying TCP connection.
Then make it possible for the TCP connection to be re-established.
Make the same search request again. |
| Expected results |
The test is successful if the second search request is rejected
with an indication that the service is not available
or if the client is required to re-establish credentials. |
For the tests in this section, clients should use the "Port 636"
mechanism. (This mechanism is not described in the standards and is
expected to be phased out eventually.) Servers should be configured to use LDAP
over TLS (or SSL) on connections to port 636.
| Purpose |
Test TLS-protected simple anonymous bind. |
| Reference |
[RFC 2829] (paragraph 5.2), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS. Connect to server using port 636, and issue an LDAP anonymous BIND request. |
| Expected results |
The test is successful if the LDAP connection can be established without errors.
Search requests should now be accepted and processed by the server. |
| Purpose |
Test authenticated TLS-protected simple bind with correct credentials. |
| Reference |
[RFC 2829] (paragraph 6.2), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS. Connect to server using port 636, and test authenticated Bind as 'Henri Matisse' with a correct password ('Henri001'). |
| DN |
cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password |
Henri001 |
| Expected results |
The test is successful if the Bind is successful.
Search requests should now be accepted and processed by the server. |
| Purpose |
Test TLS Certificate bind with valid certificate. |
| Reference |
[RFC 2829] (paragraph 9.1), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS with Certificate authentication.
Load certificate generated by product with id CA1 for
Pablo Picasso (file certs1/pablo_picasso).
Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate
clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US
subtree of the DIT.
Connect to server using port 636, and test authenticated Bind as user with DN below. |
| DN |
cn=Pablo Picasso, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results |
The test is successful if the Bind is successful.
Search requests should now be accepted and processed by the server. |
| Purpose |
Test TLS Certificate bind with expired certificate. |
| Reference |
[RFC 2829] (paragraph 7.1), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS with Certificate authentication.
Load certificate generated by product with id CA1 for
John Constable (file certs1/john_constable).
Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate
clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US
subtree of the DIT.
Connect to server using port 636, and test authenticated Bind as user with DN below. |
| DN |
cn=John Constable, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results |
Result code 49 (invalidCredentials) should be returned.
The Bind should fail. The server may not accept and process requests;
if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Test TLS Certificate bind with an end-user certificate that must be validated by a root
certificate generated by a product other than that used to generate the
end-user certificate. |
| Reference |
[RFC 2829] (paragraph 7.1), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS with Certificate authentication.
Load certificate generated by product with id CA2 for
William CA2 Turner in the CA1 branch of the DIT (file
certs2/william_ca1_turner).
Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate
clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US
subtree of the DIT.
Connect to server using port 636, and test authenticated Bind as user with DN below. |
| DN |
cn=William CA2 Turner, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results |
The test is successful if the Bind is successful.
Search requests should now be accepted and processed by the server. |
| Purpose |
Test TLS Certificate bind when there is a revoked certificate in the
certification path. |
| Reference |
[RFC 2829] (paragraph 7.1), [RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS with Certificate authentication.
Load certificate generated by product with id CA2 for
Georges CA2 Braque in the CA1 branch of the DIT (in file
certs2/georges_ca1_braque).
Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate
clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US
subtree of the DIT.
Connect to server using port 636, and test authenticated Bind as user with DN below. |
| DN |
cn=Georges CA2 Braque, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results |
Result code 49 (invalidCredentials) should be returned.
The Bind should fail. The server may not accept and process requests;
if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Test authenticated TLS-protected simple bind with incorrect credentials. |
| Reference |
[RFC 2829] (paragraph 6.2), [RFC 2251] (paragraphs 4.1.10, 4.2) |
| Procedure |
Configure client to use TLS. Connect to server using port 636, and test authenticated Bind as 'Henri Matisse' with incorrect password ('Henri111'). |
| DN |
cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password |
Henri111 |
| Expected results |
Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Test bind without using TLS when TLS is required. |
| Reference |
[RFC 2251] (paragraphs 4.1.10, 4.2.3) |
| Procedure |
Configure client to not use TLS. Connect to server using normal LDAP port,
and test simple authenticated Bind as 'Henri Matisse' with a correct password ('Henri001'). |
| DN |
cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password |
Henri001 |
| Expected results |
Result code 8 (strongAuthRequired) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose |
Test abrupt closure of TLS connection. |
| Reference |
[RFC 2251] (paragraph 4.2) |
| Procedure |
Configure client to use TLS and establish connection.
Make any search request and await results.
Take some action that will close the underlying TCP connection.
Then make it possible for the TCP connection to be re-established.
Make the same search request again. |
| Expected results |
The test is successful if the second search request is rejected
with an indication that the service is not available
or if the client is required to re-establish credentials. |
The tests in this section are designed to be performed in conjunction with
DNS servers that implement SRV records. Each server participating in the tests
is assigned a server identity server1, server2, ... through server 20. There is
a specific LDIF file for each server, which should be loaded by that server
prior to testing. Since the SRV record format assumes dc-naming (see [SRV]
paragraph 2), these LDIF files are provided in dc format and dc-relative format
only.
The tests pre-suppose that there is a DNS available that contains the
following SRV records (<n>=1, ..., 20).
_ldap_tcp.server<n>.Servers.Relative.imc.org. IN SRV 0 0 389 server<n>.dc.opengroup.org.
| Purpose |
Bind Anonymously to an LDAP server which is located by looking up SRV
records in the DNS. |
| Reference |
[RFC 2251] (paragraph 4.2, pp. 20-23), [SRV]
(paragraphs 3, 4). |
| Procedure |
Request to bind anonymously to the server for the DN given below. On
successful bind, submit a Search request with a filter, base, and scope as indicated
below. |
| DN (dc naming) |
dc=Server<n>, dc=Servers, dc=Relative, dc=imc, dc=org |
| Base (dc-naming) |
dc=Servers, dc=Relative, dc=IMC, dc=org |
| Scope |
subtree |
| Filter |
cn=John Humphreys |
| Requested Attributes |
telephonenumber |
| Expected Results |
The test is successful if the LDAP connection to server n is established without
errors, and if the search request returns a telephone number that ends with
<n>. E.g., the telephone number returned by server 3 will be +44 181 432103. |
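The location step of the test above, as an added example that is not part of the test suite: the dc-named DN is mapped to a DNS domain, matched against the SRV records listed in this section, and the returned telephone number is checked against <n>. The DN mapping covers only the case used here, where every RDN is a dc component (an assumption of this example); the function names are constructed, and no DNS query is made.

```python
# SRV records as written in the text above, instantiated for <n> = 1..20.
RECORD = ("_ldap_tcp.server%d.Servers.Relative.imc.org. IN SRV 0 0 389 "
          "server%d.dc.opengroup.org.")
ZONE = [RECORD % (n, n) for n in range(1, 21)]


def dn_to_domain(dn):
    """Map a DN made only of dc components to a DNS domain name.
    Returns None for any other DN (for example X.500 naming), which
    cannot be located through these records."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() != "dc" or not value.strip():
            return None
        labels.append(value.strip().lower())
    return ".".join(labels) if labels else None


def parse_srv(line):
    """Parse 'owner IN SRV priority weight port target'."""
    owner, rr_class, rr_type, priority, weight, port, target = line.split()
    if rr_class.upper() != "IN" or rr_type.upper() != "SRV":
        raise ValueError("not an IN SRV record: %r" % line)
    labels = owner.rstrip(".").lower().split(".")
    # Drop the leading service/protocol labels (those starting with '_').
    while labels and labels[0].startswith("_"):
        labels.pop(0)
    return {"domain": ".".join(labels), "priority": int(priority),
            "weight": int(weight), "port": int(port),
            "target": target.rstrip(".").lower()}


def locate(dn, zone_lines):
    """Return [(host, port), ...] for the servers holding the DN, lowest
    priority value first. The weighted choice among records of equal
    priority is not modelled; the records above all use 0 0."""
    domain = dn_to_domain(dn)
    if domain is None:
        return []
    records = [r for r in map(parse_srv, zone_lines) if r["domain"] == domain]
    records.sort(key=lambda r: r["priority"])
    return [(r["target"], r["port"]) for r in records]


def phone_matches_server(phone, n):
    """Expected result: the telephone number ends with <n>."""
    digits = "".join(c for c in phone if c.isdigit())
    return digits.endswith(str(n))
```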
- Demonstrate ability to update a shadow/replica server and have it propagate to the master.
- Demonstrate support for language codes. [19]
- Demonstrate SASL bind options. [RFC 2251], [17]
- Demonstrate mechanism to extend external authentication functions.
- Changelog-00 [15]
- Test that the following operational attributes are maintained [RFC 2251]:
- subschemaSubentry
- namingContexts
- supportedExtension
- supportedControl
- supportedSASLmechanisms
- supportedLDAPversion
- Test server behavior for unrecognized option in AttributeDescription
supplied in search request (already done above), compare request, and modify request [RFC 2251]
- Test for return of unsolicited notification for invalid PDU [RFC 2251]
- Test UTF-8 compliance
- Abandon operation [RFC 2251]
To be added.
The EuroSInet Consortium gave the IMC permission to use their test suite during
the DirConnect 1 event; their test suite document was instrumental in prompting
DirConnect 1 participants to verify that their implementations could support search,
retrieval, and update functions as well as international character sets. The test
entries that accompanied the EuroSInet test suite inspired the creation of some of
the entries in this document.
The participants of DirConnect 1 deserve much thanks for pointing out deficiencies
in the test suite documentation and LDIF file prepared for that event. Their comments
and suggestions for improvement were incorporated into this document. (I'll list the
names of the participants if I can find them; I think they're on the IMC web site).
Chris Apple, Room 2F-165
AT&T Laboratories
600 Mountain Ave.
Murray Hill, NJ 07974-0636
USA
E-Mail: capple@att.com
Voice: +1 908 582 2409
FAX: +1 908 582 3296
Chris Harding
The Open Group
Apex Plaza
Forbury Road
Reading, Berks. RG1 1AX
UK
E-Mail: c.harding@opengroup.org
Voice: +44 118 9508311 X 2262
FAX: +44 118 9500110
Ludovic Poitou
Sun Microsystems
32 chemin du vieux chene
3240 MEYLAN
FRANCE
E-Mail: ludovic.poitou@france.sun.com
Voice: +33 476 414 212
FAX: +33 476 414 241
- M. Smith, "Definition of the inetOrgPerson Object Class", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-asid-inetorgperson-01.txt, July 1997.
- C. Weider, A. Herron, T. Howes, "LDAP Control Extension for Simple Paged Results Manipulation", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-asid-simple-paged-01.txt, March 1997.
- A. Herron, T. Howes, M. Wahl, "LDAP Control Extension for Server Side Sorting of Search Results", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-asid-ldapv3-sorting-00.txt, April 1997.
- T. Howes, M. Wahl, "Referrals and Knowledge References in LDAP Directories", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-ldapext-referral-00.txt, May 1997.
- T. Genovese, B. Jennings, "A Common Schema for the Internet White Pages Service", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-ids-iwps-schema-spec-07.txt, September 1997.
- Network Applications Consortium, "Lightweight Internet Person Schema", http://www.netapps.org, May 1997.
- The Directory: Selected Attribute Types. ITU-T Recommendation X.520, 1993.
- The Directory: Selected Object Classes. ITU-T Recommendation X.521, 1993.
- G. Good, "Definition of an Object Class to Hold LDAP Change Records", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-asid-ldapv3-changelog-01.txt, July 1997.
- G. Good, "The LDAP Data Interchange Format (LDIF) - Technical Specification", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-asid-ldif-02.txt, July 1997.
- M. Wahl, "X.500 Strong Authentication Mechanism for LDAPv3", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-asid-ldapv3-strong-00.txt, March 1997.
- The Unicode Consortium, "The Unicode Standard Version 2.0", Addison-Wesley Developers Press, Reading, Massachusetts, 1996.
- Tim Howes, M. Wahl, "Use of Language Codes in LDAPv3", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-asid-ldapv3-lang-00.txt, June 1997.
- [RFC 2247] S. Kille, M. Wahl, A. Grimstad, R. Huber, S. Sataluri, "Using Domains in LDAP/X.500 Distinguished Names", http://www.ietf.org/rfc/rfc2247.txt, January 1998.
- [RFC 2251] T. Howes, S. Kille, M. Wahl, "Lightweight Directory Access Protocol (v3)", http://www.ietf.org/rfc/rfc2251.txt, December 1997.
- [RFC 2252] A. Coulbeck, T. Howes, S. Kille, M. Wahl, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", http://www.ietf.org/rfc/rfc2252.txt, December 1997.
- [RFC 2253] T. Howes, S. Kille, M. Wahl, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", http://www.ietf.org/rfc/rfc2253.txt, December 1997.
- [RFC 2254] T. Howes, "The String Representation of LDAP Search Filters", http://www.ietf.org/rfc/rfc2254.txt, December 1997.
- [RFC 2255] T. Howes, M. Smith, "The LDAP URL Format", http://www.ietf.org/rfc/rfc2255.txt, December 1997.
- [RFC 2256] M. Wahl, "A Summary of the X.500(96) User Schema for use with LDAPv3", http://www.ietf.org/rfc/rfc2256.txt, December 1997.
- [RFC 2559] S. Boeyen, T. Howes, P. Richard, "Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2", http://www.ietf.org/rfc/rfc2559.txt, April 1999.
- [RFC 2596] T. Howes, M. Wahl, "Use of Language Codes in LDAP", http://www.ietf.org/rfc/rfc2596.txt, May 1999.
- [RFC 2829] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication Methods for LDAP", http://www.ietf.org/rfc/rfc2829.txt, May 2000.
- [RFC 2830] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-ldapext-ldapv3-tls-02.txt, May 2000.
- [PAGING] A. Anantha, A. Herron, T. Howes, C. Weider, "LDAP Control Extension for Simple Paged Results Manipulation", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-asid-ldapv3-simplepaged-03.txt, August 1998.
- [SORTING] A. Anantha, A. Herron, T. Howes, M. Wahl, C. Weider, "LDAP Control Extension for Server Side Sorting of Search Results", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-ldapext-sorting-01.txt, August 1998.
- [VLV] D. Boreham, C. Weider, "LDAP Extensions for Scrolling View Browsing of Search Results", (work-in-progress) INTERNET-DRAFT http://www.ietf.org/internet-drafts/draft-ietf-ldapext-ldapv3-vlv-01.txt, March 1998.
- [SRV] M. Armijo, L. Esibov, P. Leach, R. Morgan, "Discovering LDAP Services with DNS", http://www.ietf.org/internet-drafts/draft-ietf-ldapext-locate-02.txt, April 2000.
- [NAMEDREF] C. Lucas, T. Howes, M. Roszkowski, M. Smith, M. Wahl, "Named Referrals in LDAP Directories", draft-ietf-ldapext-locate-02.txt, June 1999.
- [LDAP_PR] "LDAP Server Profiles Draft 1.0", Open Group Draft Product Standard, http://www.opengroup.org/orc/DOCS/LDAP_PR/, 1998.
|