Original Issue Produced by: Chris Apple, AT&T Labs
This Issue Edited by: Chris Harding, The Open Group
An LDIF addendum file has been created for the certificates tests, which do not use any of the previous test data. The new entries are in three new subtrees of the DIT: Certificates, CertificateAdd and CertificateModify. The previous entries are left undisturbed. The CertificateAdd and CertificateModify subtrees are structured in a similar way to the Add and Modify subtrees to allow up to 20 vendors, each with up to 10 clients, to participate in the tests.
An LDIF addendum file has been created for the extensions tests, which do not use any of the previous test data. The new entries are in four new subtrees of the DIT: ExtendedSearch, ExtendedAdd, ExtendedModify and Security. The previous entries are left undisturbed. The ExtendedSearch subtree contains subtrees "Corporate" and "Languages". The ExtendedAdd and ExtendedModify subtrees are structured in a similar way to the Add and Modify subtrees to allow up to 20 vendors, each with up to 10 clients, to participate in the tests.
1. Introduction
1.1. Test Objectives
1.2 Judging Test Results
2. Organization of Test Suite
3. General Tests
3.1. Functionality Addressed by Tests
3.2 BLITS Directory Information Tree (DIT) and Content
3.2.1 Entries for Use with BLITS
3.3 The Tests
3.3.1 Bind/Unbind Tests
3.3.1.1 Anonymous Bind
3.3.1.2 Unbind
3.3.1.3 Bind With Correct Credentials
3.3.1.3.1 Bind With Simple Password
3.3.1.3.2 Bind With CRAM-MD5 Password Exchange
3.3.1.4 Bind Errors
3.3.1.4.1 Bind with Incorrect Credentials
3.3.1.4.2 Bind With Missing Password
3.3.1.4.3 BIND with Invalid DN Syntax
3.3.1.4.4 BIND with Inappropriate Authentication
3.3.1.4.5 BIND with Unsupported Protocol Version
3.3.1.4.6 Bind with Incorrect Credentials using CRAM-MD5
3.3.2 Search Tests
3.3.2.1 Simple Search Filters
3.3.2.2 Complex Search Filters
3.3.2.3 Search for Entry with Multi-Valued RDN
3.3.2.4 Three-Valued Logic Search Filter Evaluation
3.3.2.4.1 Filter of "AND" Choice with an Undefined Attribute Type (Evaluates to UNDEFINED)
3.3.2.4.2 Filter of "OR" Choice with an Undefined Attribute Type (Evaluates to TRUE)
3.3.2.4.3 Filter of "NOT" Choice with an Undefined Attribute Type (Evaluates to UNDEFINED)
3.3.2.5 Unrecognized Option in Attribute Description List
3.3.2.6 Retrieve Operational Attributes for an Entry
3.3.2.7 Alias Dereferencing
3.3.2.8 Miscellaneous Searching Feature Tests
3.3.2.9 Search Operation Errors
3.3.3 Modify Operation Tests
3.3.3.1 Modify-Add Tests
3.3.3.2 Modify-Delete Tests
3.3.3.3 Modify-Replace Tests
3.3.4 Add Operation Tests
3.3.4.1 Add New Entry
3.3.4.2 Add Errors
3.3.5 Delete Operation Tests
3.3.5.1 Delete Existing Object
3.3.5.2 Delete Errors
3.3.6 ModifyDN Operation Tests
3.3.6.1 Rename a Leaf Entry
3.3.6.2 Move a Leaf Entry to A New Parent
3.3.6.3 Move a Renamed Leaf Entry to A New Parent
3.3.6.4 Rename Subtree of Entries
3.3.6.5 Move Subtree of Entries
3.3.6.6 Move a Renamed Subtree of Entries to a New Parent
3.3.6.7 Modify DN Errors
3.3.7 Compare Operation Tests
3.3.7.1 Comparison with FALSE Return Code
3.3.7.2 Comparison with TRUE Return Code
3.3.7.3 Compare Errors
3.3.8 Extended Operations Tests
3.3.9 Charset-Related Tests
3.3.10 DN Quoting Form Tests
3.3.11 Certificate Storage, Retrieval, and Comparison
3.3.11.1 Search
3.3.11.1.1 Search for Entry Containing a User Certificate
3.3.11.1.2 Search for Entry not Containing a User Certificate
3.3.11.1.3 Search for Entry Containing a CA Certificate
3.3.11.1.4 Search for Entry not Containing a CA Certificate
3.3.11.1.5 Search for Entry Containing a CRL
3.3.11.2 Compare
3.3.11.3 Add and Modify Entries
3.3.11.3.1 Add Entry with Certificate
3.3.11.3.2 Modify-add tests
3.3.11.3.2.1 Create userCertificate Attribute
3.3.11.3.2.2 Add userCertificate Value to Existing Attribute
3.3.11.3.2.3 Create cACertificate Attribute
3.3.11.3.2.4 Create certificateRevocationList Attribute
3.3.11.3.3 Modify-Delete Tests
3.3.11.3.3.1 Delete One Value of a Multi-valued userCertificate Attribute
3.3.11.3.3.2 Delete Single-Valued userCertificate Attribute
3.3.11.3.4 Replace userCertificate Attribute
3.3.12 LDAP Extension Tests
3.3.12.1 Paged Results
3.3.12.1.1 Page completely through a set
3.3.12.1.2 Abort paging part-way through a set.
3.3.12.2 Server-Side Sorting
3.3.12.2.1 Sort on Single Numeric Attribute
3.3.12.2.2 Sort on Single Alphabetic Attribute
3.3.12.2.3 Sort on Multiple Attributes
3.3.12.2.4 Sort in reverse order
3.3.12.3 Feature Interactions with Paged and Sorted Results
3.3.12.3.1 Page a Sorted Set.
3.3.12.4 Scrolling View Browsing of Search Results
3.3.12.4.1 Scroll Completely Through Large Set of Results
3.3.12.4.2 Scroll Incrementally through Set of Results
3.3.12.4.3 Scroll Part Way Through Large Set of Results
3.3.12.4.4 Go to Arbitrary Place in Large Set of Results
3.3.12.5 Language Tags
3.3.12.5.1 Search for Language Tagged Attributes
3.3.12.5.2 Check Attribute Subtype Matching
3.3.12.5.3 Search Without Specifying Language Tags
3.3.12.5.4 Comparison with TRUE Return Code
3.3.12.5.5 Comparison with noSuchAttribute Return Code
3.3.12.5.6 Search for Tagged Attribute Types
3.3.12.5.7 Add and Modify Entries
3.3.12.5.7.1 Add Entry with Language Tags
3.3.12.5.7.2 Modify Entry with Language Tags
3.3.13 Schema-Related Tests
3.3.13.1 Schema Access tests.
3.3.13.2 Schema Modification tests.
3.3.14 Referral Tests
3.3.14.1 Superior Reference
3.3.14.2 Subordinate Reference
3.3.14.3 Named Referrals
3.3.14.3.1 Base Contains Ref Attribute
3.3.14.3.2 Target Contains Ref Attribute
3.3.14.3.3 Base Subordinate to Entry that Contains Ref Attribute
3.3.14.3.4 Target Subordinate to Entry that Contains Ref Attribute
3.3.14.3.5 Single-Level Search
3.3.14.3.6 Subtree Search
3.3.15 Transport Security
3.3.15.1 START TLS
3.3.15.1.1 Anonymous Bind over TLS
3.3.15.1.2 Bind With Password Exchange over TLS
3.3.15.1.3 TLS with Certificates
3.3.15.1.3.1 TLS Bind with Valid Certificate
3.3.15.1.3.2 TLS Bind with Expired Certificate
3.3.15.1.3.3 TLS Bind with Certificate Validated via Non-Trivial Path
3.3.15.1.3.4 TLS Bind with Revoked Certificate in Validation Path
3.3.15.1.4 Bind with Incorrect Credentials over TLS
3.3.15.1.5 Bind With Insufficiently Strong Authentication
3.3.15.1.6 Abort TLS Session
3.3.15.2 Port 636
3.3.15.2.1 Anonymous Bind over TLS
3.3.15.2.2 Bind With Password Exchange over TLS
3.3.15.2.3 TLS with Certificates
3.3.15.2.3.1 TLS Bind with Valid Certificate
3.3.15.2.3.2 TLS Bind with Expired Certificate
3.3.15.2.3.3 TLS Bind with Certificate Validated via Non-Trivial Path
3.3.15.2.3.4 TLS Bind with Revoked Certificate in Validation Path
3.3.15.2.4 Bind with Incorrect Credentials over TLS
3.3.15.2.5 Bind With Insufficiently Strong Authentication
3.3.15.2.6 Abort TLS Session
3.3.16 Server Location
3.3.16.1 Locate Server
3.4 Other Potential Testing Areas
4. Application-Specific Tests
5. Acknowledgements
6. Authors' Addresses
7. Bibliography
This document defines a basic LDAP Interoperability Test suite for use by any individual, organization, or group. The purpose of this document is to provide the information required for testers to prepare for and perform tests which are designed to gauge interoperability between LDAP clients and servers.
This document may be copied in whole or in part for use in other documents if acknowledgement of the source is provided in those documents.
The tests are designed to demonstrate interoperability between LDAP client/server pairs.
The tests are designed to be performed in a multi-vendor environment, permitting LDAPv3 implementers to verify the degree to which basic LDAPv3 client/server interaction features of their implementations are interoperable with other implementations. This test suite is not designed for use in processes intended to certify full LDAPv3 protocol conformance.
Criteria for determining the success or failure of a particular test are described in each test specification. Depending upon the test, success criteria can include: receipt of a particular return code from a server (often expressed as an error message), getting a response from the server being tested, a client reacting in a particular way to such a response, or displaying search results correctly on the requesting LDAP client. Specific success criteria for each test are indicated along with the description of how to perform each test. If the criteria are not met for a given test, it is deemed to have failed.
Section 3 contains general tests. Section 4 contains tests that are specific to particular applications.
Tests for LDAPv3 operations (Bind, Unbind, Search, Modify, ModifyDN, Add, Delete, Compare, and Abandon) are defined in this document. The functionality of these operations is specified in the core LDAPv3 protocol specification [RFC 2251]. Tests for more granular LDAPv3 functionality such as aliases/alias dereferencing, referrals, referral loop detection, error detection/generation, and other logical functions performed via particular configurations of operational parameters are defined within the context of the operations to which they are relevant. Miscellaneous testing topics which do not currently have tests defined for them are listed in various sections throughout the document.
Figure 3-1: BLITS Directory Information Tree (DIT)
The BLITS DIT is available in two forms: one rooted at o=IMC, c=US (for clients and servers supporting X.500-style entry naming) and one rooted at dc=Relative, dc=IMC, dc=org (for clients and servers supporting domain-component-based naming [RFC 2247]). References to DNs found in the text of this document are described in terms of X.500-style naming. Search bases intended for use during testing are specified using both the domain-component- and X.500-based naming conventions. Readers of this draft should understand that for translating from X.500 style names to the domain-component-style names they must:
The BLITS DIT has several branches designed to allow simultaneous vendor testing based on the tests defined below. Individual branches for LDAPv3 operations specified in [RFC 2251] are defined with the exception of Bind, Unbind, Abandon, and Compare. Tests related to these four operations are performed using the entries located in the subtree rooted at ou=Search, o=IMC, c=US. The entries constructed using the Microsoft-provided data fall under this subtree as leaf entries of object class inetOrgPerson [7]. Subtrees for the Add, Delete, Modify, and ModifyDN operations tests are partitioned into additional organizational units to support parallel multiple-vendor test performance. The generic subtree structure for making such changes to directory information is shown in Figure 3-3. In particular, the LDIF [16] file constructed for use during the testing event includes organizational units sufficient for 20 vendors, each testing 10 different clients. Modifications to this LDIF file should be made if support for more than 20 vendors or more than 10 clients per vendor are to be tested simultaneously. The subtrees used for testing Certificates storage, retrieval, etc. are shown in Figure 3-4. There is a certificates subtree for tests not requiring changes to the directory content. There are also CertificateAdd and CertificateModify subtrees, each of which is structured to allow testing by up to 20 LDAP vendors, each with up to 10 client products, in a similar way to the subtrees for the non-certificate Add, Delete, Modify, and ModifyDN operations tests described above. The DIT also has a CAs subtree, which contains a set of subtrees which can be used for certificates provided by different certificate generation products. Each of these subtrees contains a Certificates, a CertificateAdd and a CertificateModify subtree.
The subordinate structure of the subtrees intended for use in testing schema-related features (ou=Schema), charset support (ou=Charset), and referrals (ou=Referrals) are TBD.
Figure 3-2: BLITS Search Subtree Structure
Figure 3-3: BLITS Add/Delete/Modify/ModifyDN Subtree Structure
Figure 3-4: BLITS Certificates Subtree Structure
Only the following attribute sub-set will be used in this suite:
Only the following object class sub-set will be used in this suite:
Access controls should be set up on each LDAP server in such a way that users binding anonymously, or, with one exception (Directory Manager), giving names but not passwords, can read and search all the data. Additional access controls should be set up such that an entry for a Directory Manager is present with a password, controller:

```
dn: cn=Directory Manager, o=IMC, c=US
cn: Directory Manager
objectclass: top
objectclass: person
objectclass: organizationalperson
userpassword: controller
```

Users binding as Directory Manager should not be allowed to bind at all unless they specify the correct password.
Chris Weider of Microsoft provided a sample of a test database which Microsoft has used in the past. Each database record was a CSV-formatted list of employee name, employee ID, telephone number, and various organizational unit container names. Database records were converted from CSV to LDIF using the inetOrgPerson [7] object class as a template. Some attributes, such as e-mail address and user password, were generated for each entry. These leaf entries were used as a seed data set for populating the BLITS DIT. Other entries were created to enable the testing of aliases/alias dereferencing, referrals, schema-related features, character set support, and other features. LDIF files of the entire BLITS DIT (one using domain-component-style names, one using dc-relative-style names, and one using X.500-style names) are available. Each LDIF file is in three parts: one for the basic tests, one for the extended tests, and one for the Certificates tests. The Certificates tests LDIF files reference further files that contain the certificates used in the tests.
| | dc names | dc-relative names | X500 names |
|---|---|---|---|
| Basic tests | dc-names.ldif | dc-names_relative.ldif | X500-names.ldif |
| Extended tests | new-dc-names.ldif | new-dc-names_relative.ldif | new-X500-names.ldif |
| Certificates tests | cert-dc-names.ldif | cert-dc-names_relative.ldif | cert-X500-names.ldif |
| New Certificates tests | new-cert-dc-names.ldif | new-cert-dc-names_relative.ldif | new-cert-X500-names.ldif |
The tests are defined in terms of client/server interaction features of the LDAPv3 protocol operations. Some features are specifically associated with a particular LDAP operation, such as the use of search filters, scope, and base. Other features, such as the generation of LDAP return codes that correspond to error conditions, are often associated with more than one protocol operation. Another set of features, such as support for character sets, referrals, valid forms of DN quoting, and others are complicated enough to warrant treatment in a section separate from the operation(s) with which they are associated. Tests for all three types of features are defined in the sub-paragraphs found below.
TIPS:
| Purpose | Bind Anonymously to an LDAP server. |
| Reference | [RFC 2251] (paragraph 4.2, pp. 20-23) |
| Procedure | Issue a Bind request to an LDAP server with null credentials (anonymous bind). |
| Expected Results | The test is successful if the LDAP connection can be established without errors. Search requests should now be accepted and processed by the server. |
| Purpose | Unbind from an LDAP server. |
| Reference | [RFC 2251] (paragraph 4.3, pp. 19-20) |
| Procedure | An UNBIND operation must be issued to the responding LDAP server. |
| Expected Results | The test is successful if the association is released gracefully. |
| Purpose | Test authenticated unprotected simple bind with correct credentials. |
| Reference | [RFC 2251] (paragraph 4.2) |
| Procedure | Test simple authenticated Bind as 'Paul Cezanne' with a correct password ('Paul0005'). |
| DN | cn=Paul Cezanne, ou=Americas, ou=Search, o=IMC, c=US |
| DN (dc-naming) | cn=Paul Cezanne, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=ORG |
| Password | Paul0005 |
| Expected results | The test is successful if the Bind is successful. Search requests should now be accepted and processed by the server. |
| Purpose | Test authenticated DIGEST-MD5 bind with correct credentials. |
| Reference | [RFC 2829] (paragraph 6.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use DIGEST-MD5 authentication. Test authenticated Bind as 'Marc Chagall' with a correct password ('Marc0001'). |
| DN | cn= Marc Chagall, ou=Security, o=IMC, c=US |
| DN (dc-naming) | cn= Marc Chagall, dc=Security, dc=Relative, dc=IMC, dc=ORG |
| Password | Marc0001 |
| Expected results | The test is successful if the Bind is successful. Search requests should now be accepted and processed by the server. |
| Purpose | Test authenticated unprotected simple bind with incorrect credentials. |
| Reference | [RFC 2251] (paragraphs 4.1.10, 4.2) |
| Procedure | Attempt to Bind as a DN which has a userPassword attribute, but specify the wrong password. |
| DN | cn=Paul Cezanne, ou=Americas, ou=Search, o=IMC, c=US |
| DN (dc-naming) | cn=Paul Cezanne, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=ORG |
| Password | Wrong (The correct password is Paul0005) |
| Expected results | Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Test authenticated unprotected simple Bind with missing password. |
| Reference | [RFC 2251] (paragraphs 4.1.10, 4.2) |
| Procedure | Test authenticated unprotected simple Bind as 'Paul Cezanne' with a null password. |
| DN | cn=Paul Cezanne, ou=Americas, ou=Search, o=IMC, c=US |
| DN (dc-naming) | cn=Paul Cezanne, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=ORG |
| Password | <unspecified> |
| Expected results | The test is successful if the connection attempt is accepted, but established as an anonymous bind. Search requests should now be accepted and processed by the server. |
| Purpose | Verify correct behavior when a DN of invalid syntax is included in a Bind attempt. |
| Reference | [RFC 2251] (paragraphs 4.1.10, 4.2) |
| Procedure | Bind supplying a DN with an invalid syntax and an arbitrary value for the userPassword attribute. |
| DN | cn, ou=Americas, ou=Search, o=IMC, c=US |
| DN (dc-naming) | cn, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=ORG |
| Password | AnythingYouWant |
| Expected results | The Bind should fail. Requests may not be accepted and processed by the server; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Verify correct behavior when inappropriate authentication is used on a Bind attempt. |
| Reference | [RFC 2251] (paragraphs 4.1.10, 4.2) |
| Procedure | Test authenticated unprotected simple Bind as 'Directory Manager' with a null password. |
| DN | cn=Directory Manager, o=IMC, c=US |
| DN (dc-naming) | cn=Directory Manager, dc=Relative, dc=IMC, dc=ORG |
| Password | (None) |
| Expected results | Result code 48 (inappropriateAuthentication) should be returned. The Bind should fail. Requests may not be accepted and processed by the server. |
| Purpose | Verify correct behavior when an unsupported protocol version parameter value is supplied on a Bind attempt. |
| Reference | [RFC 2251] (paragraphs 4.1.10, 4.2) |
| Procedure | Bind, anonymously with a null DN, supplying a version number of 4. |
| DN | null |
| Password | null |
| Expected results | Result code 2 (protocolError) should be returned. The Bind should fail. Requests may not be accepted and processed by the server; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Test authenticated DIGEST-MD5 bind with incorrect credentials. |
| Reference | [RFC 2829] (paragraph 6.1), [RFC 2251] (paragraphs 4.1.10, 4.2) |
| Procedure | Configure client to use DIGEST-MD5 authentication. Test authenticated Bind as 'Marc Chagall' with incorrect password ('Marc1110'). |
| DN | cn=Marc Chagall, ou=Security, o=IMC, c=US |
| DN (dc-naming) | cn=Marc Chagall, dc=Security, dc=Relative, dc=IMC, dc=ORG |
| Password | Marc1110 |
| Expected results | Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
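
The outcomes that the simple-bind tests above expect, collected into one reference model that a test harness can compare server responses against. This is an added example, not part of the BLITS document: the function names, the supported-version set, result code 34 for the malformed DN (the page only says that bind should fail), and the simplified DN normalisation (no escaped commas) are assumptions.

```python
import hmac

# LDAP result codes from RFC 2251. Code 34 is not named on the page, which
# only says that the bind with a malformed DN should fail.
SUCCESS, PROTOCOL_ERROR, INVALID_DN_SYNTAX = 0, 2, 34
INAPPROPRIATE_AUTH, INVALID_CREDENTIALS = 48, 49

SUPPORTED_VERSIONS = {2, 3}  # assumption: the page only says version 4 is rejected

# Normalised DN -> userPassword, using the test credentials given on the page.
DIRECTORY = {
    "cn=paul cezanne,ou=americas,ou=search,o=imc,c=us": "Paul0005",
    "cn=directory manager,o=imc,c=us": "controller",
}
# Names that must never fall back to an anonymous association.
NO_ANONYMOUS_FALLBACK = {"cn=directory manager,o=imc,c=us"}


def normalise_dn(dn):
    """Lower-case and trim a DN; raise ValueError if any AVA lacks type=value."""
    if dn == "":
        return ""  # null DN, used for anonymous bind
    rdns = []
    for rdn in dn.split(","):
        avas = []
        for ava in rdn.split("+"):  # multi-valued RDN
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip() or not value.strip():
                raise ValueError(f"malformed AVA: {ava!r}")
            avas.append(f"{attr.strip().lower()}={value.strip().lower()}")
        rdns.append("+".join(avas))
    return ",".join(rdns)


def bind(dn, password, version=3):
    """Return (result_code, identity): "" is anonymous, None is no association."""
    if version not in SUPPORTED_VERSIONS:
        return PROTOCOL_ERROR, None
    try:
        name = normalise_dn(dn)
    except ValueError:
        return INVALID_DN_SYNTAX, None
    if password == "":
        if name in NO_ANONYMOUS_FALLBACK:
            return INAPPROPRIATE_AUTH, None
        # A name without a password succeeds, but only as an anonymous bind.
        return SUCCESS, ""
    stored = DIRECTORY.get(name)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return INVALID_CREDENTIALS, None
    return SUCCESS, name


def is_authenticated(result):
    """A success code alone does not prove identity; the bound name must be set."""
    code, identity = result
    return code == SUCCESS and bool(identity)
```

A client that uses Bind to check a user's password should apply the `is_authenticated` rule, because the missing-password test returns success without authenticating anyone.

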
| Purpose | Test equality matching in simple search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | cn=Pat Bakers |
| Expected results | The following entry should be returned: Pat Bakers |
| Purpose | Test substring matching in simple search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | cn=p*smith |
| Expected results | The following entries should be returned: Peter Smith Paulette Smith |
| Purpose | Test approximate matching in simple search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | cn~=clint |
| Expected results | The following entries should be returned: Clint Eastwood Bill Clinton Hillory Clinton |
| Purpose | Test less-than-or-equal-to matching in simple search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | employeenumber<=1100008 |
| Expected results | The 5 following entries should be returned: Paul Cezanne, Johan Jongkind, Johan Jongkind (No Title), Milton Berle, Clint Eastwood |
| Purpose | Test greater-than-or-equal-to matching in simple search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | employeenumber>=2200500 |
| Expected results | The following entries should be returned: Kip Barker, Larry Barker, Leslie Barker, Lincoln Barker, Linda Barker |
| Purpose | Test presence matching in simple search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Fin-Accounting, ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Fin-Accounting, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter | title=* |
| Expected results | The following entry should be returned: Johan Jongkind (title VP) |
TBD, but to be based on extensible matching rules listed in [RFC 2252] and the description of extensible matching in searchRequest [RFC 2251].
| Purpose | Test equality and presence matching combination in complex search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (&(sn=thatcher)(title=*)) |
| Expected results | The following entry should be returned: Margaret Thatcher (title: Director) |
| Purpose | Test substring and presence matching combination in complex search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (&(cn=cl*ews)(title=*)) |
| Expected results | The following entry should be returned: Cliff Andrews (title: Associate) |
| Purpose | Test multiple substring matching combination in complex search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (|(cn=*od)(cn=*ad)) |
| Expected results | The following entries should be returned: Clint Eastwood, Charlie Abood, Henry Atwood, Alice Frostad |
| Purpose | Test substring and approximate matching combination in complex search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (|(cn=*homer*)(cn~=body)) |
| Expected results | The following entries should be returned: Homer Winslow, Bette Davis, Buddy Holly |
| Purpose | Test presence (for person objects) matching in search filter that includes negation. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter | (&(!(description=*))(objectclass=person)) |
| Expected results | The following entry should be returned: Jonathan Adams |
| Purpose | Test presence (for person objects) matching in search filter that includes negation. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Sales, ou=Europe,ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Sales, dc=Europe,dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter | (&(!(sn=wa*))(objectclass=person)) |
| Expected results | The following entry should be returned: Paulette Smith |
| Purpose | Test a search filter with AVAs having the following combination of match type operators (Substring OR Substring) AND (Presence AND Presence) |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (& (|(sn=*ood*)(sn=*woo*)) (&(telephonenumber=*)(title=*)) ) |
| Expected results | The following entries should be returned: Clint Eastwood, Merry Aboods, Charlie Abood, Brian Atwoods, Henry Atwoods, Henry Atwood |
| Purpose | (Approximate AND Sub-string) OR (Approximate AND Sub-string) |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (| (&(cn~=body)(telephonenumber=*825*)) (&(cn~=smythe)(telephonenumber=*720*)) ) |
| Expected results | The following entries should be returned: Peter Smith, Paulette Smith, Bette Davis, Buddy Holly |
| Purpose | NOT (Presence OR Presence) (for person objects) |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter | (&(!(|(internationaliSDNNumber=*)(description=*))) (objectclass=person)) |
| Expected results | The following entry should be returned: Paul Cezanne |
| Purpose | Read the entry with the common name of 'cn=Pablo Picasso' and the user identifier of 'uid=00123456789', to check that an entry with a multi-valued RDN can be retrieved correctly |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28), [RFC 2253] |
| Procedure | Instruct the LDAP user agent to locate and display all the attributes for the entry with the common name 'Pablo Picasso' and the user identifier of '00123456789'. |
| Base | cn=Pablo Picasso + uid=00123456789, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Pablo Picasso + uid=00123456789, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | base |
| Filter | (objectclass=*) |
| Expected Results | The test is successful if the entry is returned and all the attributes are displayed. |
| Purpose | Search for entries with a common name value of "Margaret Thatcher" and include an unrecognized attribute type in the search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 27-28) |
| Procedure | Instruct the LDAP user agent to search for and display all entries matching the search filter below. |
| Base | ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (&(cn=Margaret Thatcher)(foo=bar)) |
| Expected Results | The test is successful if no entries are displayed because the search filter evaluates to UNDEFINED. |
| Purpose | Search for entries with a common name value of "Margaret Thatcher" and include an unrecognized attribute type in the search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 27-28) |
| Procedure | Instruct the LDAP user agent to search for and display all entries matching the search filter below. |
| Base | ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (|(cn=Margaret Thatcher)(foo=bar)) |
| Expected Results | The test is successful if an entry for Margaret Thatcher is displayed because the search filter evaluates to TRUE. |
| Purpose | Search for entries and only include an unrecognized attribute type in the search filter. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 27-28) |
| Procedure | Instruct the LDAP user agent to search for and display all entries matching the search filter below. |
| Base | ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (!(foo=bar)) |
| Expected Results | The test is successful if no entries are displayed because the search filter evaluates to UNDEFINED. |
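
The three-valued evaluation that the three tests above exercise, as an added example that is not part of the BLITS document. `KNOWN_TYPES` and `ENTRIES` are constructed stand-ins for the server schema and the Americas subtree, and the parser handles only equality, presence and substring items (approximate and ordering matches are rejected).

```python
import re

TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"

# Constructed stand-in for the attribute types the server recognises.
KNOWN_TYPES = {"cn", "sn", "title", "objectclass", "telephonenumber"}

# Constructed entries, loosely modelled on the BLITS test data.
ENTRIES = [
    {"cn": ["Margaret Thatcher"], "sn": ["Thatcher"],
     "title": ["Director"], "objectclass": ["person"]},
    {"cn": ["Paul Cezanne"], "sn": ["Cezanne"], "objectclass": ["person"]},
]


def _skip(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse(s, i):
    i = _skip(s, i)
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i = _skip(s, i + 1)
    if s[i] in "&|!":
        op, kids = s[i], []
        i = _skip(s, i + 1)
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
            i = _skip(s, i)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"wrong number of operands for {op!r}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    attr = attr.strip().lower()
    if not sep or not re.fullmatch(r"[a-z][a-z0-9.;-]*", attr):
        raise ValueError(f"unsupported filter item: {s[i:end]!r}")
    return ("item", attr, value), end + 1


def parse(text):
    """Parse a parenthesised string filter into a nested tuple."""
    try:
        node, i = _parse(text, 0)
    except IndexError:
        raise ValueError("unbalanced filter") from None
    if _skip(text, i) != len(text):
        raise ValueError("trailing characters after filter")
    return node


def evaluate(node, entry, known=KNOWN_TYPES):
    """Evaluate a parsed filter against one entry using three-valued logic."""
    if node[0] == "item":
        _, attr, pattern = node
        if attr not in known:
            return UNDEFINED  # unrecognised attribute type
        values = entry.get(attr, [])
        if pattern == "*":  # presence
            return TRUE if values else FALSE
        rx = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
        return TRUE if any(re.fullmatch(rx, v.lower()) for v in values) else FALSE
    results = [evaluate(kid, entry, known) for kid in node[1]]
    if node[0] == "&":  # FALSE dominates, then UNDEFINED
        if FALSE in results:
            return FALSE
        return TRUE if all(r == TRUE for r in results) else UNDEFINED
    if node[0] == "|":  # TRUE dominates, then UNDEFINED
        if TRUE in results:
            return TRUE
        return FALSE if all(r == FALSE for r in results) else UNDEFINED
    return {TRUE: FALSE, FALSE: TRUE, UNDEFINED: UNDEFINED}[results[0]]


def search(filter_text, entries=ENTRIES, known=KNOWN_TYPES):
    """Return the cn of every entry for which the filter is TRUE (not UNDEFINED)."""
    tree = parse(filter_text)
    return [e["cn"][0] for e in entries if evaluate(tree, e, known) == TRUE]
```

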
| Purpose | Verify appropriate behavior when the list of attributes to be retrieved for an entry includes an unrecognized option as part of an attribute description. |
| Reference | [RFC 2251] (paragraph 4.1.5, pg. 13), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Submit a Search request with a search filter, base, scope, and attributes list as indicated below. |
| Base | ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Attributes | cn, telephonenumber;foo, mail |
| Filter | cn=*Margaret* |
| Expected results | Unrecognized option should be ignored. The entry for Margaret Thatcher should be returned. (note: telephone number attribute should not be included in attributes returned, because an unknown option requires that a server treat the attribute affected by that option as an unknown attribute) |
| Purpose | Verify correct behavior when all attributes, plus specific operational ones, are requested. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-29) |
| Procedure | Submit a Search request as specified below, making sure to use a '*' character and also specific operational attribute names as the list of attributes to return for each entry. |
| Base | ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | base-level |
| Attributes | *, creatorsname, creatorstimestamp, modifersname, modifytimestamp |
| Filter | objectclass=organizationalunit |
| Expected results | The following entry should be returned with all attributes present, including requested operational attributes: ou=Americas, ou=Search, o=IMC, c=US |
| Purpose | Verify that an aliased base object supplied on a Search request is not dereferenced. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Search for a subordinate of a base object which is an alias, requesting neverDerefAliases. |
| Base | cn=Canada, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Canada, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (sn=Thatcher) |
| Expected results | Search base alias will not be dereferenced, entry for Margaret Thatcher will not be returned. No entries will be returned. |
| Purpose | Verify that an aliased leaf object will not be dereferenced as a part of the Search response. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Search for a leaf entry which is an alias, requesting neverDerefAliases. |
| Base | cn=Jonny Adams, ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Jonny Adams, dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | base |
| Filter | (telephonenumber=*) |
| Expected results | Alias for Jonathan Adams will not be dereferenced. No entries will be returned. |
| Purpose | Verify that an aliased base object will not be dereferenced when alias dereferencing during searching is enabled. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Search for a subordinate of a base object which is an alias, requesting derefInSearching. |
| Base | cn=Canada, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Canada, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter | (sn=Thatcher) |
| Expected results | Search base alias will not be dereferenced. No entries will be returned. |
| Purpose | Verify that an aliased leaf object will be dereferenced as a part of the SEARCH results when alias dereferencing during searching is enabled. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Search for a leaf entry which is an alias, requesting derefInSearching. |
| Base | cn=Jonny Adams, ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Jonny Adams, dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | base |
| Filter | (telephonenumber=*) |
| Expected results | Alias for DN "cn=Jonathan Adams, ou=Europe, ou=Search, o=IMC, c=US" will be dereferenced and will be returned as a match, with telephone number +1 408 720 0000. |
| Purpose | Verify that an aliased base object will be dereferenced when alias dereferencing while finding base objects is enabled. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Search for a subordinate of a base object which is an alias, requesting derefFindingBaseObj. |
| Base | cn=Canada, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Canada, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (sn=Thatcher) |
| Expected results | Search base alias will be dereferenced, the entries for DN "cn=Margaret Thatcher, ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US" and "cn=Margaret Thatcher (No Title), ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US" will be returned. |
| Purpose | Verify that an aliased leaf object will not be dereferenced when alias dereferencing while finding base objects is enabled. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Search for a leaf entry which is an alias, requesting derefFindingBaseObj. |
| Base | cn=Jonny Adams, ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Jonny Adams, dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | base |
| Filter | (telephonenumber=*) |
| Expected results | Alias for Jonathan Adams will not be dereferenced. No entries will be returned. |
| Purpose | Verify that an aliased base object is dereferenced when full alias dereferencing is enabled. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Search for a subordinate of a base object which is an alias, requesting derefAlways. |
| Base | cn=Canada, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Canada, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (sn=Thatcher) |
| Expected results | Search base alias will be dereferenced, the entries for DN "cn=Margaret Thatcher, ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US" and "cn=Margaret Thatcher (No Title), ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US" will be returned. |
| Purpose | Verify that an aliased base object is dereferenced when full alias dereferencing is enabled. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Search for a leaf entry which is an alias, requesting derefAlways. |
| Base | cn=Jonny Adams, ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Jonny Adams, dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | base |
| Filter | (telephonenumber=*) |
| Expected results | Alias for DN "cn=Jonathan Adams, ou=Europe, ou=Search, o=IMC, c=US" will be dereferenced and will be returned as a match, with telephone number +1 408 720 0000. |
| Purpose | Verify that an aliased base object is dereferenced when full alias dereferencing is enabled, and that matches in non-dereferenced search paths are not returned. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Search for a leaf entry which is an alias, requesting derefAlways. |
| Base | cn=Jonny Adams, ou=Europe, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Jonny Adams, dc=Europe, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | base |
| Filter | (sn=Adams) |
| Expected results | Alias for DN "cn=Jonathan Adams, ou=Europe, ou=Search, o=IMC, c=US" will be dereferenced and will be returned as a match, with telephone number +1 408 720 0000. The "Jonny Adams" alias entry is not returned. |
| Purpose | Verify that size limit feature works appropriately. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Set sizelimit parameter to 1. Perform a search that will return more than 1 entry. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (cn=*) |
| Expected results | One entry should be returned, followed by return code 4 (sizeLimitExceeded). Reset the size limit to its original value. |
| Purpose | Verify that time limit feature works appropriately. |
| Reference | [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Set timelimit parameter to 1. Perform search that should take longer than 1 second. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (objectclass=*) |
| Expected results | Some entries should be returned, followed by return code 3 (timeLimitExceeded). Reset the timelimit parameter to its original value. |
| Purpose | Verify that the feature designed to allow for returning attribute names instead of name-value pairs works appropriately. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Set typesonly parameter to TRUE. Perform a search that will return matching results. |
| Base | ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (cn=*) |
| Expected results | Only attribute names should be returned. |
| Purpose | Verify appropriate behavior when a search filter of invalid syntax is included as a search request parameter. |
| Reference | [RFC 2251] (paragraph TBD, pp. TBD) |
| Procedure | Submit a Search request with a bad filter syntax. |
| Base | ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter | (&(!(|internationaliSDNNumber=*(description=* |
| Expected results | Return code TBD (codeTBD) should be returned. No matching entries should be returned. (note: there was a response code for this in LDAPv2, but I can't seem to find the equivalent requirement in LDAPv3) The error should be an API error since the filter string is parsed to be encoded. |
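The three-valued filter tests earlier in this section (`(|(cn=Margaret Thatcher)(foo=bar))`, `(!(foo=bar))`) and the invalid-filter test directly above both turn on how a filter string is parsed and evaluated. The Python model below is an added example, not part of the test suite or of any LDAP library; `KNOWN_ATTRS`, `ENTRY` and all function names are constructed for illustration, and only equality and presence items are handled.

```python
"""Three-valued LDAP filter evaluation as described in RFC 2251 section 4.5.1."""

# Constructed schema and entry for the example; not the BLITS LDIF data.
KNOWN_ATTRS = {"cn", "sn", "description", "internationalisdnnumber"}
ENTRY = {"cn": ["Margaret Thatcher"], "sn": ["Thatcher"]}

UNDEFINED = None  # third truth value, alongside True and False


class FilterSyntaxError(ValueError):
    """Raised client-side, before any request is encoded or sent."""


def parse(text):
    """Parse a parenthesised string filter into a nested tuple AST."""
    node, pos = _parse_filter(text, 0)
    if pos != len(text):
        raise FilterSyntaxError(f"trailing data at offset {pos}")
    return node


def _parse_filter(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse_filter(s, i)
            kids.append(kid)
        if not kids:
            raise FilterSyntaxError(f"empty '{op}' set at offset {i}")
        node = (op, kids)
    elif i < len(s) and s[i] == "!":
        kid, i = _parse_filter(s, i + 1)
        node = ("!", kid)
    else:
        # Simple item: attribute=value (substring and extensible matches omitted).
        end = i
        while end < len(s) and s[end] not in "()":
            end += 1
        attr, eq, value = s[i:end].partition("=")
        if not eq or not attr.strip():
            raise FilterSyntaxError(f"bad item at offset {i}")
        node, i = ("=", attr.strip().lower(), value), end
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return node, i + 1


def evaluate(node, entry, known=KNOWN_ATTRS):
    """Return True, False or UNDEFINED for one entry."""
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        if attr not in known:
            return UNDEFINED          # unrecognized attribute type
        values = entry.get(attr, [])
        if value == "*":
            return bool(values)       # presence test
        return any(v.lower() == value.lower() for v in values)
    if kind == "!":
        inner = evaluate(node[1], entry, known)
        return UNDEFINED if inner is UNDEFINED else not inner
    results = [evaluate(k, entry, known) for k in node[1]]
    if kind == "&":
        if any(r is False for r in results):
            return False
        return UNDEFINED if any(r is UNDEFINED for r in results) else True
    # kind == "|"
    if any(r is True for r in results):
        return True
    return UNDEFINED if any(r is UNDEFINED for r in results) else False


def matches(filter_text, entry):
    """An entry is returned only when the filter evaluates to TRUE."""
    return evaluate(parse(filter_text), entry) is True
```

The malformed filter from the test above fails in `parse` before anything is evaluated, which is the client-side ("API") error the expected-results note describes.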
| Purpose | Verify that the server will generate a noSuchObject error for a subtree search. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Perform a subtree search with a base that does not exist. |
| Base | ou=Staff, ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=Staff, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (sn=person) |
| Expected results | Return code 32 (noSuchObject) should be returned as an error. No entries will be returned. |
| Purpose | Verify that the server will generate a noSuchObject error for a single-level search. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Perform a single-level search with a base that does not exist. |
| Base | ou=People, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc=People, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter | (objectclass=person) |
| Expected results | Return code 32 (noSuchObject) should be returned. No entries will be returned. |
| Purpose | Verify that the server will generate a noSuchObject error for a base-level search. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Perform a base-scope search with a base that does not exist. |
| Base | cn=Madonna, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Madonna, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | base |
| Filter | (objectclass=*) |
| Expected results | Return code 32 (noSuchObject) should be returned. No entries will be returned. |
| Purpose | Verify that the server will generate an invalidDNSyntax error for a subtree search. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Specify a DN with bad syntax for a subtree search. |
| Base | cn=Tom Jones,ou, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Tom Jones,ou, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (sn=jones) |
| Expected results | Return code 34 (invalidDNSyntax) should be returned. No entries will be returned. |
| Purpose | Verify that the server will generate an invalidDNSyntax error for a single-level search. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Specify a DN with bad syntax for a single-level search. |
| Base | cn=Tom Jones,ou, ou=Search, o=IMC, c=US |
| Base (dc-naming) | cn=Tom Jones,ou, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter | (sn=jones) |
| Expected results | Return code 34 (invalidDNSyntax) should be returned. No entries will be returned. |
| Purpose | Verify that the server will generate an invalidDNSyntax error for a base-level search. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.5.1, pp. 25-28) |
| Procedure | Specify a DN with bad syntax for a base-level search. |
| Base | ou="Any Unit, ou=Americas, ou=Search, o=IMC, c=US |
| Base (dc-naming) | dc="Any Unit, dc=Americas, dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | base-level |
| Filter | (sn=jones) |
| Expected results | Return code 34 (invalidDNSyntax) should be returned. No entries will be returned. |
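The noSuchObject and invalidDNSyntax tests above separate two failures: a base DN that parses but names nothing, and a base DN that does not parse at all. The Python model below is an added example, not code from the suite or from any directory server; the simplified RFC 2253-style parser, the `DIT` set and the case-insensitive comparison are assumptions made for illustration.

```python
import re

# Result codes named in the tests above (0 is LDAP success).
SUCCESS, NO_SUCH_OBJECT, INVALID_DN_SYNTAX = 0, 32, 34

# Attribute type: a descriptor (letter, then letters/digits/hyphens) or a dotted OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


class DNSyntaxError(ValueError):
    pass


def split_unescaped(text, seps):
    """Split on separators that are neither backslash-escaped nor inside quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise DNSyntaxError("dangling backslash")
            buf.append(text[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch in seps and not quoted:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if quoted:
        raise DNSyntaxError("unterminated quoted value")
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return a normalized tuple of RDNs, each a sorted tuple of (type, value)."""
    if not dn.strip():
        return ()                        # the empty DN names the root
    rdns = []
    for rdn in split_unescaped(dn, ",;"):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            attr, value = attr.strip(), value.strip()
            if not eq or not _ATTR_TYPE.match(attr):
                raise DNSyntaxError(f"bad attribute-value pair {ava.strip()!r}")
            # Assumption: values compare case-insensitively; escapes are kept as typed.
            avas.append((attr.lower(), value.lower()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


# Constructed stand-in for part of the Search subtree (not the suite's LDIF).
DIT = {parse_dn(d) for d in (
    "c=US",
    "o=IMC, c=US",
    "ou=Search, o=IMC, c=US",
    "ou=Americas, ou=Search, o=IMC, c=US",
)}


def locate_base(base_dn):
    """Result code for the base object of a Search request in this model."""
    try:
        name = parse_dn(base_dn)
    except DNSyntaxError:
        return INVALID_DN_SYNTAX         # syntax is rejected before any lookup
    return SUCCESS if name in DIT else NO_SUCH_OBJECT
```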
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.3.3; definitions for these parameters are as follows:
You should replace the bracketed placeholder for these parameters in all DNs found in this paragraph prior to performing the tests.
| Purpose | Verify that an attribute type is created when a request is made to add an attribute value for an attribute type that does not currently exist for an entry. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Add the first value of an attribute type. |
| DN | cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | facsimileTelephoneNumber |
| Attribute value | +1 908 555 1212 |
| Expected results | Entry should now have +1 908 555 1212 as a fax number. |
| Purpose | Verify that an additional value can be added to an existing attribute. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Add a second attribute value of an attribute type. |
| DN | cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | title |
| Attribute value | CEO |
| Expected results | Entry should now have both "President" and "CEO" as titles. |
| Purpose | Verify that an attributeOrValueExists error message can be generated. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Attempt to add a surname attribute value already contained within an entry. |
| DN | cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | sn |
| Attribute value | Cezanne |
| Expected results | Return code 20 (attributeOrValueExists) should be returned. |
| Purpose | Verify that an invalid attribute syntax causes the server to generate an invalidAttributeSyntax error. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Do not supply a value for the attribute being added using a modify-add request. |
| DN | cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | |
| Attribute value | <unspecified> |
| Expected results | Return code 21 (invalidAttributeSyntax) should be returned. The attribute should not have been added to the entry. |
| Purpose | Verify that an invalid DN syntax causes the server to generate an invalidDNSyntax error for a modify-add request. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Specify a DN with bad syntax for a modify-add. |
| DN | cn, ou, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | cn |
| Attribute value | Missing Person |
| Expected results | Return code 34 (invalidDNSyntax) should be returned. The attribute should not have been added to the entry. |
| Purpose | Verify deletion of a single value for a multi-valued attribute. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Delete one of three attribute values for an attribute type. |
| DN | cn=Paul Newman, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | title |
| Attribute value | Head Honcho |
| Expected results | Entry should now have "President" and "CEO" as titles. |
| Purpose | Verify that a single-valued attribute can be deleted using the MODIFY operation. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Delete the only attribute for an attribute type. |
| DN | cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | title |
| Attribute value | Director |
| Expected results | Entry should now have no title attributes. |
| Purpose | Verify that a multi-valued attribute can be deleted using the MODIFY operation. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Delete a multi-valued attribute. |
| DN | cn=Emeril Lagosse, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | title |
| Attribute value | <unspecified> |
| Expected results | Entry should now have no title attributes. |
| Purpose | Verify that server will generate a noSuchAttribute error message when instructed via a modify-delete request to delete an attribute not contained within an entry. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Based on a specification of an attribute type only, attempt to delete an attribute from an entry that does not contain that attribute. |
| DN | cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | facsimileTelephoneNumber |
| Expected results | Return code 16 (noSuchAttribute) should be returned. |
| Purpose | Verify that server will generate a noSuchAttribute error message when instructed via a modify-delete request to delete an attribute not contained within an entry. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Based on a specification of an attribute type-value pair, attempt to delete an attribute type-value pair from an entry that does not contain that attribute. |
| DN | cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | internationaliSDNNumber |
| Attribute value | 1 313 555 1234 |
| Expected results | Return code 16 (noSuchAttribute) should be returned. |
| Purpose | Verify that server will generate a noSuchAttribute error message when instructed via a modify-delete request to delete an attribute type-value pair not contained within an entry. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Based on a specification of an attribute type-value pair with an incorrect value, attempt to delete an attribute value from an entry that does not contain that attribute. |
| DN | cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | telephoneNumber |
| Attribute value | 313 555-8300 |
| Notes | Actual existing value is 825-0008 |
| Expected results | Return code 16 (noSuchAttribute) should be returned. |
| Purpose | Verify that server will generate an objectClassViolation error message when instructed via a modify-delete request to delete a mandatory attribute. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Attempt to remove a required attribute from an entry. |
| DN | cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | objectclass |
| Expected results | Return code 65 (objectClassViolation) should be returned. |
| Purpose | Verify that a multi-valued attribute can be replaced by a single-valued attribute. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Replace an attribute type which has multiple values using a Modify request. |
| DN | cn=David Rosengarten, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | title |
| Attribute value | Chief Taster |
| Expected results | Entry should now have only "Chief Taster" as a title. |
| Purpose | Verify that a single-valued attribute can be replaced. |
| Procedure | Replace an attribute value for an attribute type using a Modify request. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| DN | cn=David Rosengarten, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | |
| Attribute value | David.Rosengarten@tvfood.com |
| Expected results | Entry should now have only "David.Rosengarten@tvfood.com" as an e-mail address. |
| Purpose | Verify that a server will remove attributes to be replaced if specified with no value. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Do not supply a value for the attribute type being replaced using a Modify request. |
| DN | cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | givenname |
| Attribute value | <unspecified> |
| Expected results | The givenname attribute should no longer be contained within the entry. |
| Purpose | Verify that a modify-replace request involving a non-existent object will generate a noSuchObject error message. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Specify an entry that does not exist for a modify-replace request. |
| DN | cn=Invisible Person, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | sn |
| Attribute value | Person |
| Expected results | Return code 32 (noSuchObject) should be returned. The operation should not succeed. |
| Purpose | Verify that a modify-replace request specified to change the naming attribute generates a notAllowedOnRDN error message. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Attempt to rename the naming attribute of an entry using a modify-replace request. |
| DN | cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=Modify, o=IMC, c=US |
| Attribute type | cn |
| Attribute value | Maggy Thatcher |
| Expected results | Return code 67 (notAllowedOnRDN) should be returned. The operation should not succeed. |
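The modify-add, modify-delete and modify-replace tests above each tie one result code to one condition. As an added example (not part of the BLITS suite or of any server's code), this Python model applies a single modification to an in-memory entry and returns the code those tests expect; the directory layout, the `REQUIRED` set and the abbreviated DNs are assumptions made for the example, and the empty-value add and bad-DN cases are left out.

```python
# Result codes named in the tests above (0 is LDAP success).
SUCCESS, NO_SUCH_ATTRIBUTE, ATTRIBUTE_OR_VALUE_EXISTS = 0, 16, 20
NO_SUCH_OBJECT, OBJECT_CLASS_VIOLATION, NOT_ALLOWED_ON_RDN = 32, 65, 67

# Assumption: attributes treated as mandatory for a person entry in this model.
REQUIRED = {"objectclass", "cn", "sn"}


def _has(values, v):
    """Case-insensitive membership test (assumed matching rule)."""
    return any(x.lower() == v.lower() for x in values)


def modify(directory, dn, op, attr, values=()):
    """Apply one modification; return the result code and change nothing on error."""
    entry = directory.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT
    attr = attr.lower()
    current = list(entry["attrs"].get(attr, []))
    if op == "add":
        if any(_has(current, v) for v in values):
            return ATTRIBUTE_OR_VALUE_EXISTS
        updated = current + list(values)
    elif op == "delete":
        # Covers both a missing attribute and a value the entry does not hold.
        if not current or any(not _has(current, v) for v in values):
            return NO_SUCH_ATTRIBUTE
        updated = [x for x in current if not _has(values, x)] if values else []
    elif op == "replace":
        updated = list(values)            # an empty list removes the attribute
    else:
        raise ValueError(f"unknown modify operation {op!r}")
    rdn_attr, rdn_value = entry["rdn"]
    if attr == rdn_attr and not _has(updated, rdn_value):
        return NOT_ALLOWED_ON_RDN         # the naming value must survive
    if attr in REQUIRED and not updated:
        return OBJECT_CLASS_VIOLATION
    if updated:
        entry["attrs"][attr] = updated
    else:
        entry["attrs"].pop(attr, None)
    return SUCCESS


def sample_directory():
    """Constructed entries modeled on the test descriptions; DNs cut down to the RDN."""
    return {
        "cn=Paul Cezanne": {"rdn": ("cn", "Paul Cezanne"), "attrs": {
            "objectclass": ["top", "person"], "cn": ["Paul Cezanne"],
            "sn": ["Cezanne"], "title": ["President"]}},
        "cn=Margaret Thatcher": {"rdn": ("cn", "Margaret Thatcher"), "attrs": {
            "objectclass": ["top", "person"], "cn": ["Margaret Thatcher"],
            "sn": ["Thatcher"], "givenname": ["Margaret"],
            "title": ["Director"], "telephonenumber": ["825-0008"]}},
    }
```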
To perform the tests in paragraph 3.3.4, you must authenticate as:
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.4.4; definitions for these parameters are as follows:
You should replace the bracketed placeholder for these parameters in all DNs found in this paragraph prior to performing the tests.
| Purpose | Verify capability to add a new entry to the directory using the ADD operation. |
| Reference | [RFC 2251] (paragraph 4.7, pg. 34) |
| Procedure | Add an entire new directory entry using the information below. |
| DN | cn=Austin Powers, ou=<client-ID>, ou=<vendor-ID>, ou=Add, o=IMC, c=US |
| Attribute type | objectclass |
| Attribute values | top person organizationalPerson inetOrgPerson |
| Attribute type | sn |
| Attribute value | Powers |
| Attribute type | cn |
| Attribute value | Austin \"Danger\" Powers |
| Attribute type | telephoneNumber |
| Attribute value | + 44 582 10101 |
| Attribute type | |
| Attribute value | secret_agent_man@imc.org |
| Attribute type | description |
| Attribute value | Yea Baby!! |
| Attribute type | uid |
| Attribute value | secret_agent_man |
| Attribute type | description |
| Attribute value | Behave! |
| Expected results | A new entry should now be present in the directory with the above attributes. |
| Purpose | Verify that servers will return a noSuchObject error message in response to an Add request that includes a specification of a non-existent superior object. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.7, pp. 34-35) |
| Procedure | Specify a non-existent organizationalUnit value in the path of the name of a new entry for an add operation. |
| DN | cn=Dweezle Zappa, ou=Zappaland, ou=<client-ID>, ou=<vendor-ID>, ou=Add, o=IMC, c=US |
| Attribute type | objectclass |
| Attribute values | top person |
| Attribute type | sn |
| Attribute value | Person |
| Attribute type | cn |
| Attribute value | Not A Person |
| Expected results | Return code 32 (noSuchObject) should be returned. The entry should not be created. |
| Purpose | Verify that the server will generate an invalidDNSyntax error for an Add request including an improperly-formed DN. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.7, pp. 34-35) |
| Procedure | Specify a DN with bad syntax for an add operation. |
| DN | cn=New Person, ou=<client-ID>, ou=<vendor-ID>, =IMC, c=US |
| Attribute type | objectclass |
| Attribute value | top person |
| Attribute type | sn |
| Attribute value | Person |
| Attribute type | cn |
| Attribute value | New Person |
| Expected results | Return code 34 (invalidDNSyntax) should be returned. The entry should not have been added to the directory. |
| Purpose | Verify that the server will generate an entryAlreadyExists error for an Add request including specification of an existing entry. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.7, pp. 34-35) |
| Procedure | Attempt to add a new entry with the same name as an existing entry. |
| DN | ou=<client-ID>, ou=<vendor-ID>, ou=Add, o=IMC, c=US |
| Attribute type | objectclass |
| Attribute values | top organizationalUnit |
| Attribute type | ou |
| Attribute value | <client-ID> |
| Expected results | Return code 68 (entryAlreadyExists) should be returned. The existing entry should remain in the directory, unmodified. |
| Purpose | Verify that the server will generate an objectClassViolation error for an Add request that is missing the specification of a mandatory attribute. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.7, pp. 34-35) |
| Procedure | Attempt to add an alias entry without specifying the required aliasedObjectName attribute. |
| DN | cn=Alias Entry, ou=<client-ID>, ou=<vendor-ID>, ou=Add, o=IMC, c=US |
| Attribute type | objectclass |
| Attribute values | top alias |
| Expected results | Return code 65 (objectClassViolation) should be returned. The entry should not be present in the directory. |
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.4.4; definitions for these parameters are as follows:
You should replace the bracketed placeholder for these parameters in all DNs found in this paragraph prior to performing the tests.
| Purpose | Verify that an entry can be deleted. |
| Reference | [RFC 2251] (paragraph 4.8, pg. 35) |
| Procedure | Delete the entry with the DN specified below. |
| DN | cn=Mary-Sue Milliken, ou=<client-ID>, ou=<vendor-ID>, ou=Delete, o=IMC, c=US |
| Expected results | The entry should no longer exist. |
| Purpose | Verify that the server will generate a noSuchObject error for a Delete request that includes a specification of a non-existent object. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.8, pg. 35) |
| Procedure | Specify an entry that does not exist for a delete operation. |
| DN | cn=Susan Feniger, ou=<client-ID>, ou=<vendor-ID>, ou=Delete, o=IMC, c=US |
| Expected results | Return code 32 (noSuchObject) should be returned. No changes should have been made to the directory. |
| Purpose | Verify that the server will generate an invalidDNSyntax error for a Delete request including an improperly-formed DN. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.8, pg. 35) |
| Procedure | Specify a DN with bad syntax for a delete operation. |
| DN | Sarah Thorton,<client-ID>,<vendor-ID>,Modify, IMC, US |
| Expected results | Return code 34 (invalidDNSyntax) should be returned. The entry should not have been deleted from the directory. |
| Purpose | Verify that the server will generate an invalidDNSyntax error for a Delete request specifying the removal of an object that has children. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.8, pg. 35) |
| Procedure | Attempt to remove an entry which has entries below it in the tree. |
| DN | ou=<vendor-ID>, ou=Delete, o=IMC, c=US |
| Expected results | Return code 66 (notAllowedOnNonLeaf) should be returned. The object should not have been removed from the directory. |
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.3.3; definitions for these parameters are as follows:
You should replace the bracketed placeholder for these parameters in all DNs found in this paragraph prior to performing the tests.
| Purpose | Verify that RDNs can be modified. |
| Reference | [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure | Change the RDN of the entry specified below. |
| DN | cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN | cn=Paul Newman |
| Expected results | The new distinguished name of this entry should be cn=Paul Newman, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Purpose | Verify that RDNs can be modified. |
| Reference | [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure | Change the RDN of the entry specified below. |
| DN | cn=Paul Hoffman, ou=Current Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN | cn=Paul Hoffman |
| New Superior | ou=New Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Expected results | The new distinguished name of this entry should be cn=Paul Hoffman, ou=New Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Purpose | Verify that RDNs can be modified. |
| Reference | [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure | Change the RDN of the entry specified below. |
| DN | cn=Paul Revere, ou=Current Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN | cn=Paul McCartney |
| New Superior | ou=New Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Expected results | The new distinguished name of this entry should be cn=Paul McCartney, ou=New Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Purpose | Verify that the parent object of a subtree can be renamed. |
| Reference | [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure | Rename the subtree based at the object specified below. |
| Base DN | ou=Current Subtree, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN | ou=New Subtree |
| Delete RDN Flag | FALSE |
| Expected results | The new distinguished names of objects in this subtree are now rooted at ou=New Subtree, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US. The old base object should not exist. The attribute-value pair: ou=Current Subtree will remain associated with the entry with the base DN defined above. |
| Purpose | Verify that subtrees can be moved to a new parent. |
| Reference | [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure | Move the subtree based at the object specified below. |
| Base DN | ou=Static, ou=Current Base, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN | ou=Static |
| New Superior | ou=New Base, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Delete RDN Flag | TRUE |
| Expected results | The new distinguished names of objects in this subtree are now rooted at ou=Static, ou=New Base, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US. The old base object should not exist. The attribute-value pair: ou=TBD will remain associated with the entry with the base DN defined above. |
| Purpose | Verify that subtrees can be moved to a new parent. |
| Reference | [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure | Move the subtree based at the object specified below. |
| Base DN | ou=Old Subtree, ou=Old Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN | ou=Not So Old Subtree |
| New Superior | ou=Not So Old Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| Delete RDN Flag | TRUE |
| Expected results | The new distinguished names of objects in this subtree are now rooted at ou=Not So Old Subtree, ou=Not So Old Parent, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US. The old base object should not exist. The attribute-value pair: ou=TBD will remain associated with the entry with the base DN defined above. |
| Purpose | Verify that the server will generate an entryAlreadyExists error for ModifyDN request including specification of parameters corresponding to an existing entry. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure | Attempt to rename an entry to a name that already exists. |
| DN | cn=Paul Cezanne, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN | cn=Margaret Thatcher |
| Expected results | Return code 68 (entryAlreadyExists) should be returned. Both the entry for which the change was intended and the existing entry should remain in the directory, unmodified. |
| Purpose | Verify that the server will generate a noSuchObject error for a Modify DN request that includes a specification of a non-existent object. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure | Specify a name change for an entry that does not exist on this server using a Modify DN request. |
| DN | cn=No Person, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN | cn=Does not matter |
| Expected results | Return code 32 (noSuchObject) should be returned. No changes should have been made to the directory. |
| Purpose | Verify that the server will generate an invalidDNSyntax error for a Delete request including an improperly-formed DN. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure | Specify a DN with bad syntax for a ModifyDN operation. |
| DN | , ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN | cn=Missing Person |
| Expected results | Return code 34 (invalidDNSyntax) should be returned. |
| Purpose | Verify that the server will generate an invalidDNSyntax error for a Delete request including an improperly-formed RDN. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.9, pp. 36-37) |
| Procedure | Specify a RDN with bad syntax for a ModifyDN operation. |
| DN | cn=Margaret Thatcher, ou=<client-ID>, ou=<vendor-ID>, ou=ModifyDN, o=IMC, c=US |
| New RDN | Maggy Thatcher |
| Expected results | Return code 34 (invalidDNSyntax) should be returned. The entry should not have been deleted from the directory. |
| Purpose | Verify return of FALSE return code for Compare request. |
| Reference | [RFC 2251] (paragraph 4.10, pp. 37-38) |
| Procedure | Send a Compare request to a server constructed using the information shown below. |
| DN | cn=Margaret Thatcher, ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US |
| Attribute type | title |
| Attribute value | Directory (correct value is Director; extra 'y' was included in purported title attribute value) |
| Expected results | Result code 5 (compareFalse) should be returned. |
| Purpose | Verify return of TRUE return code for Compare request. |
| Reference | [RFC 2251] (paragraph 4.10, pp. 37-38) |
| Procedure | Send a Compare request to a server constructed using the information shown below. |
| DN | cn=Margaret Thatcher, ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US |
| Attribute type | title |
| Attribute value | Director |
| Expected results | Result code 6 (compareTrue) should be returned. |
| Purpose | Verify that server generates a noSuchAttribute error message for Compare request that includes a purported AVA not present in an entry. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.10, pp. 37-38) |
| Procedure | On a Compare request, specify an AVA for an entry that does not contain that attribute. |
| DN | cn=Margaret Thatcher, ou=Help Desk, ou=IT, ou=Americas, ou=Search, o=IMC, c=US |
| Attribute type | internationaliSDNNumber |
| Attribute value | +1 810 555 3333 |
| Expected results | Return code 16 (noSuchAttribute) should be returned. |
| Purpose | Verify that the server will generate a noSuchObject error for a Compare request that includes a specification of a non-existent object. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.10, pp. 37-38) |
| Procedure | Specify an AVA that will not match an existing directory entry. |
| DN | cn=Nobody Here, ou=Americas, ou=Search, o=IMC, c=US |
| Attribute type | sn |
| Attribute value | Here |
| Expected results | Return code 32 (noSuchObject) should be returned. |
| Purpose | Verify that the server will generate an invalidDNSyntax error for a Compare request including an improperly-formed DN. |
| Reference | [RFC 2251] (paragraph 4.1.10, pp. 16-17), [RFC 2251] (paragraph 4.10, pp. 37-38) |
| Procedure | Specify a DN with bad syntax for a Compare request. |
| DN | cn=Margaret Thatcher, ou=Help Desk, ouIT, ou=Americas, ou=Search, o=IMC, c=US |
| Attribute type | telephoneNumber |
| Attribute value | 825-0008 |
| Expected results | Return code 34 (invalidDNSyntax) should be returned. |
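A client-side pre-check for the malformed-name cases in the ModifyDN and Compare tests above, as an added example that is not part of the test suite: a lenient parser in the spirit of [RFC 2253] that maps a bad DN or new RDN to result code 34. The function names and the Client1/Vendor1 values standing in for `<client-ID>`/`<vendor-ID>` are assumptions, and a server may be stricter than this check.

```python
import re

SUCCESS = 0
INVALID_DN_SYNTAX = 34  # result code the tests above expect

# RFC 2253 attributeType: a descriptor or a dotted-decimal OID ("oid." prefix tolerated).
_ATTR_TYPE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|(?:oid\.)?\d+(?:\.\d+)*)\Z", re.I)


def _split_unescaped(text, separators):
    """Split on separators that are neither backslash-escaped nor inside quotes."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 == len(text):
                raise ValueError("dangling backslash")
            buf.append(text[i:i + 2])  # keep the escaped pair together
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch in separators and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return one list of (type, value) pairs per RDN; raise ValueError if malformed.

    Values are returned still in their escaped string form.
    """
    if dn.strip() == "":
        return []  # the zero-length DN (root DSE) is valid
    rdns = []
    for rdn in _split_unescaped(dn, ",;"):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, sep, value = ava.partition("=")
            attr_type = attr_type.strip()
            if not sep:
                raise ValueError(f"component {ava.strip()!r} has no '='")
            if not _ATTR_TYPE.match(attr_type):
                raise ValueError(f"bad attribute type {attr_type!r}")
            value = value.lstrip()
            if not value.endswith("\\ "):  # an escaped trailing space is significant
                value = value.rstrip()
            avas.append((attr_type, value))
        rdns.append(avas)
    return rdns


def dn_result_code(dn):
    """Result code a strict server would be expected to give for this DN string."""
    try:
        parse_dn(dn)
    except ValueError:
        return INVALID_DN_SYNTAX
    return SUCCESS


def new_rdn_result_code(new_rdn):
    """A ModifyDN new RDN must parse as exactly one RDN."""
    try:
        ok = len(parse_dn(new_rdn)) == 1
    except ValueError:
        ok = False
    return SUCCESS if ok else INVALID_DN_SYNTAX


# DNs from the tests above; the placeholders are replaced by constructed values.
SUFFIX = "ou=Client1, ou=Vendor1, ou=ModifyDN, o=IMC, c=US"
CASES = {
    "empty leading RDN": ", " + SUFFIX,
    "component without '='": "cn=Margaret Thatcher, ou=Help Desk, ouIT, "
                             "ou=Americas, ou=Search, o=IMC, c=US",
    "well-formed": "cn=Margaret Thatcher, " + SUFFIX,
}

if __name__ == "__main__":
    for label, dn in CASES.items():
        print(f"{label}: {dn_result_code(dn)}")
    print("new RDN 'Maggy Thatcher':", new_rdn_result_code("Maggy Thatcher"))
```
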
TBD but based on [RFC 2253].
The descriptions of these tests assume that the certificates generated by CA1 are used. These certificates are found in directory certs1 and are as per the CATS description. A further set of certificates that could equally well be used, generated by CA2, is provided in directory certs2. Where other certificate generators participate in testing, and are assigned ids CA3, CA4, etc., the tests can also be performed with their certificates. For the certificate generator product allocated identity <CA-ID>, the DIT subtree rooted at ou=<CA-ID>, ou=CAs, o=IMC, c=US is used (e.g. for certificate generator product 3, the DIT subtree rooted at ou=CA3, ou=CAs, o=IMC, c=US is used).
Note that the certificates in directories certs1 and certs2 are in DER format. Equivalent certificates in PEM format are provided in directories certs1.pem and certs2.pem.
| Purpose | Search for entry containing a user certificate. |
| Reference | [RFC 2559] (paragraph 6.2, pp. 6-7) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Certificates, ou=CA1, ou=CAs, o=IMC, c=US |
| Base (dc-naming) | dc=Certificates, dc=CA1, dc=CAs, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (&(sn=Brush)(userCertificate=*)) |
| Expected results | The following entry should be returned: Basil Brush. The entry should include two certificates. |
| Purpose | Search for entry not containing a user certificate. |
| Reference | [RFC 2559] (paragraph 6.2, pp. 6-7) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Certificates, ou=CA1, ou=CAs, o=IMC, c=US |
| Base (dc-naming) | dc=Certificates, dc=CA1, dc=CAs, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (&(sn=Brush)(!(userCertificate=*))) |
| Expected results | The following entry should be returned: Bertram Brush. The entry should not include a certificate. |
| Purpose | Search for entry containing a CA certificate. |
| Reference | [RFC 2559] (paragraph 6.2, pp. 6-7) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=CAs, o=IMC, c=US |
| Base (dc-naming) | dc=CAs, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter | cACertificate=* |
| Expected results | Two entries - CA<n> and BadCA<n> - should be returned for each certificate generator participating in the tests. Each entry returned should include a cACertificate attribute. |
| Purpose | Search for entry not containing a CA certificate. |
| Reference | [RFC 2559] (paragraph 6.2, pp. 6-7) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Certificates, ou=CA1, ou=CAs, o=IMC, c=US |
| Base (dc-naming) | dc=Certificates, dc=CA1, dc=CAs, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (&(sn=Brush)(!(cACertificate=*))) |
| Expected results | Two entries should be returned: Basil Brush (This entry should include two user certificates); Bertram Brush (This entry should not include a certificate). |
| Purpose | Search for entry containing a Certificate Revocation List. |
| Reference | [RFC 2559] (paragraph 6.2, pp. 6-7) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=CAs, o=IMC, c=US |
| Base (dc-naming) | dc=CAs, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter | certificateRevocationList=* |
| Expected results | An entry - CA<n> - should be returned for each certificate generator participating in the tests. Each entry returned should include a certificateRevocationList attribute. |
| Purpose | Compare using userCertificate attribute. |
| Reference | [RFC 2251] (paragraph 4.10, pp. 37-38) (Note that neither [LDAP_PR] nor [RFC 2559] requires the compare operation to be supported for certificate attributes.) |
| Procedure | Send a Compare request to a server constructed using the information shown below. |
| DN | cn=Charles Fox, ou=Certificates, ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type | userCertificate |
| Attribute value | The certificate in file certs1/charles_fox |
| Expected results | Result code 6 (compareTrue) should be returned. |
To perform the tests in paragraph 3.3.11.3, you must authenticate as:
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.3.11.3; definitions for these parameters are as follows:
You should replace the bracketed place holder for these parameters in all DNs found in this paragraph prior to performing the tests.
| Purpose | Verify capability to add a new entry to the directory with userCertificate attribute. |
| Reference | [RFC 2251] (paragraph 4.7, pg. 34) |
| Procedure | Add an entire new directory entry using the information below. |
| DN | cn=Lawrence Lamb, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateAdd, ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type | objectclass |
| Attribute values | top person organizationalPerson inetOrgPerson |
| Attribute type | sn |
| Attribute value | Lamb |
| Attribute type | cn |
| Attribute value | Lawrence Lamb |
| Attribute type | telephoneNumber |
| Attribute value | + 44 1189 500 001 |
| Attribute type | |
| Attribute value | lawrence@maff.gov.uk |
| Attribute type | userCertificate |
| Attribute value | The certificate for Lawrence Lamb in file certs1/lawrence_lamb |
| Expected results | A new entry should now be present in the directory with the above attributes. |
| Purpose | Verify that a userCertificate attribute type is created when a request is made for adding a userCertificate attribute value when the userCertificate attribute type does not currently exist for an entry. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Add the first value of a userCertificate attribute type. |
| DN | cn=Richard Bird, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify, ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type | userCertificate |
| Attribute value | The certificate for Richard Bird in file certs1/richard_bird |
| Expected results | Entry should now include the certificate for Richard Bird. |
| Purpose | Verify that an additional value can be added to an existing attribute. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Add a second attribute value of an attribute type. |
| DN | cn=Michael Fish, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify, ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type | userCertificate |
| Attribute value | The Michael Fish Current Certificate in file certs1/michael_fish_current |
| Expected results | Entry should now have two certificates. |
| Purpose | Verify that a cACertificate attribute type is created when a request is made for adding a cACertificate attribute value when the cACertificate attribute type does not currently exist for an entry. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Add the first value of a cACertificate attribute type. |
| DN | ou=Swallow Bank, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify, ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type | cACertificate |
| Attribute value | The CA certificate for the Swallow Bank in file certs1/swallow_bank |
| Expected results | Entry should now include the CA certificate for the Swallow Bank. |
| Purpose | Verify that a certificateRevocationList attribute type is created when a request is made for adding a certificateRevocationList attribute value when the certificateRevocationList attribute type does not currently exist for an entry. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Add the first value of a certificateRevocationList attribute type. |
| DN | ou=Swallow Bank, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify, ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type | certificateRevocationList |
| Attribute value | The CA CRL in file certs1/swallow_crl |
| Expected results | Entry should now include the CRL for the Swallow Bank. |
| Purpose | Verify deletion of a single value for a multi-valued attribute. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Delete one of two attribute values for an attribute type. |
| DN | cn=Tony Hart, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify, ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type | userCertificate |
| Attribute value | The Tony Hart Expired Certificate in file certs1/tony_hart_expired |
| Expected results | Entry should now have just the certificate contained in file certs1/tony_hart_current. |
| Purpose | Verify that a single-valued userCertificate attribute can be deleted using the MODIFY operation. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| Procedure | Delete the only attribute for a userCertificate attribute type. |
| DN | cn=Quintain Hogg, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify, ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type | userCertificate |
| Attribute value | The certificate stored in certs1/quintain_hogg |
| Expected results | Entry should now have no userCertificate attributes. |
| Purpose | Verify that a userCertificate attribute can be replaced. |
| Procedure | Replace an attribute value for an attribute type using a Modify request. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) |
| DN | cn=John Prescott, ou=<client-ID>, ou=<vendor-ID>, ou=CertificateModify, ou=CA1, ou=CAs, o=IMC, c=US |
| Attribute type | userCertificate |
| Attribute value | The John Prescott Current Certificate in file certs1/john_prescott_current |
| Expected results | The value of the userCertificate attribute should be changed as above. |
| Purpose | Page completely through a multi-page set of results. |
| Reference | [PAGING] (paragraphs 2, 3, 4) |
| Procedure | Make a search request asking for paged results with a page size of 3. After initial response, request the next page. |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | employeenumber<=91100105 |
| Expected results | Initial request results in three entries plus an indication of 5 total entries in the search result. Second request results in a further two entries plus an indication that there are no more entries. |
| Purpose | Abort paging part-way through a multi-page set of results. |
| Reference | [PAGING] (paragraphs 2, 3) |
| Procedure | Make a search request asking for paged results with a page size of 3. After initial response, request the next page. After second page displayed, abort the search. Then make a new search with a different filter. |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter for First Request | givenname=Adam |
| Filter for Second Request | givenname=Adrian |
| Expected results | Initial request results in three entries plus an indication of 26 total entries in the search result. Second request results in a further three entries plus an indication that there are more entries. Third request indicates that there are no matching entries. |
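The control exchange behind the two paging tests above, as an added example that is not part of the test suite. It assumes [PAGING] is the simple paged results control as specified in RFC 2696 (control type 1.2.840.113556.1.4.319, value `SEQUENCE { size INTEGER, cookie OCTET STRING }`); the stub server, its offset cookie, the entry names and all function names are constructed for illustration.

```python
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # control type defined in RFC 2696


def _tlv(tag, content):
    """Encode one BER element with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def _read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER content")
    return tag, buf[pos:pos + length], pos + length


def encode_paged_value(size, cookie=b""):
    """Build the controlValue: SEQUENCE { size INTEGER, cookie OCTET STRING }."""
    if size < 0:
        raise ValueError("size must be non-negative")
    size_raw = size.to_bytes(size.bit_length() // 8 + 1, "big")
    return _tlv(0x30, _tlv(0x02, size_raw) + _tlv(0x04, cookie))


def decode_paged_value(value):
    """Return (size, cookie) from a request or response controlValue."""
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    t_size, size_raw, pos = _read_tlv(seq, 0)
    t_cookie, cookie, pos = _read_tlv(seq, pos)
    if (t_size, t_cookie) != (0x02, 0x04) or pos != len(seq):
        raise ValueError("unexpected control value layout")
    return int.from_bytes(size_raw, "big", signed=True), cookie


class StubServer:
    """Constructed in-memory stand-in for a directory server; its cookie is a plain offset."""

    def __init__(self, entries):
        self.entries = list(entries)
        self.abandoned = False

    def search(self, control_value):
        size, cookie = decode_paged_value(control_value)
        if size == 0 and cookie:  # size 0 plus the last cookie abandons the sequence
            self.abandoned = True
            return [], encode_paged_value(0)
        start = int(cookie.decode("ascii")) if cookie else 0
        page = self.entries[start:start + size]
        nxt = start + len(page)
        more = nxt < len(self.entries)
        # Response: size carries the total estimate; an empty cookie means "no more pages".
        return page, encode_paged_value(len(self.entries), str(nxt).encode() if more else b"")


def page_through(server, page_size, stop_after=None):
    """Return [(entries, total_estimate, more_pages), ...]; abandon after stop_after pages."""
    pages, cookie = [], b""
    while True:
        entries, response = server.search(encode_paged_value(page_size, cookie))
        total, cookie = decode_paged_value(response)  # the client never interprets the cookie
        pages.append((entries, total, bool(cookie)))
        if not cookie:
            return pages
        if stop_after is not None and len(pages) >= stop_after:
            server.search(encode_paged_value(0, cookie))
            return pages


# Constructed result sets sized like the two tests (5 and 26 matching entries).
FIVE = [f"entry-{i}" for i in range(1, 6)]
TWENTY_SIX = [f"adam-{i:02d}" for i in range(1, 27)]

if __name__ == "__main__":
    print(encode_paged_value(3).hex())
    for entries, total, more in page_through(StubServer(FIVE), 3):
        print(len(entries), "entries, total", total, "more" if more else "done")
```
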
| Purpose | Sort a set of results on a single numeric attribute. |
| Reference | [SORTING] (paragraphs 3, 4) |
| Procedure | Make a search request asking for sorted results. |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | employeenumber<=91100105 |
| Sort Key | employeenumber |
| Expected results | Five entries are displayed in order of employee number (and reverse alphabetical order of name). |
| Purpose | Sort a set of results on a single alphabetic attribute. |
| Reference | [SORTING] (paragraphs 3, 4) |
| Procedure | Make a search request asking for sorted results. |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | employeenumber<=91100105 |
| Sort Key | givenname |
| Expected results | Five entries are displayed in alphabetical order of name. |
| Purpose | Sort a set of results on multiple attributes. |
| Reference | [SORTING] (paragraphs 3, 4) |
| Procedure | Make a search request asking for sorted results using two sort keys. |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (&(employeenumber>=91100125)(employeenumber<=91100128)) |
| First Sort Key | sn |
| Second Sort Key | employeenumber |
| Expected results | Four entries are displayed in order Zoe York, Yuri York, Belinda Zions, Adam Zions. |
| Purpose | Sort in reverse order. |
| Reference | [SORTING] (paragraphs 3, 4) |
| Procedure | Make a search request asking for sorted results in reverse order. |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | employeenumber<=91100105 |
| Sort Key | employeenumber |
| Expected results | Five entries are displayed in alphabetical order of name (but reverse order of employee number). |
| Purpose | Test that a Paged, Sorted Set is in Correct Order. |
| Reference | [PAGING] (paragraphs 2, 3) [SORTING] (paragraphs 3, 4, 5) |
| Procedure | Make a search request asking for results to be sorted and paged with a page size of 3. Page through the results. |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter for First Request | givenname=Adam |
| Sort Key | employeenumber |
| Expected results | Results are displayed in order of employee number (which is inverse alphabetical order) consistently across all pages, not just within each page. |
| Purpose | Scroll Completely Through Large Set of results. |
| Reference | [SORTING] (paragraphs 3, 4), [VLV] (paragraph 5) |
| Procedure | Make a search request asking for sorted results in reverse order. When first page of results is displayed, drag the scroll bar slider down to the bottom of its range. |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | employeenumber>=0 |
| Sort Key | employeenumber |
| Expected results | The first page (starting with Adam Adams) is displayed initially. When the slider is dragged down, the last page (ending with Zoe Zions) is displayed. |
| Purpose | Scroll incrementally through set of results. |
| Reference | [SORTING] (paragraphs 3, 4), [VLV] (paragraph 5) |
| Procedure | Make a search request asking for sorted results in reverse order. When the first page of results is displayed, click on scroll bar just below slider. When a new page is displayed, click on scroll bar just above slider. |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | employeenumber>=0 |
| Sort Key | employeenumber |
| Expected results | The first page (starting with Adam Adams) is displayed initially. When the scroll bar is clicked below the slider, the next page is displayed. When the scroll bar is then clicked above the slider, the first page is displayed again. |
| Purpose | Scroll Part Way Through Large Set of results. |
| Reference | [SORTING] (paragraphs 3, 4), [VLV] (paragraph 5) |
| Procedure | Make a search request asking for sorted results in reverse order. When first page of results is displayed, drag the scroll bar about half way down its range. |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | employeenumber>=0 |
| Sort Key | employeenumber |
| Expected results | The first page (starting with Adam Adams) is displayed initially. When the slider is dragged down, a page about half way through (employees with surnames starting with M, N or similar) is displayed. |
| Purpose | Go to Arbitrary Place in Large Set of results. |
| Reference | [SORTING] (paragraphs 3, 4), [VLV] (paragraph 5) |
| Procedure | Make a search request asking for sorted results in reverse order. When first page of results is displayed, type "91100533". |
| Base | ou=Corporate, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Corporate, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | employeenumber>=0 |
| Sort Key | employeenumber |
| Expected results | The first page (starting with Adam Adams) is displayed initially. After typing the number, the page of results starting with "Jacky Jones" is displayed. |
| Purpose | Search for entries with attributes having particular language tags. |
| Reference | [RFC 2596] (paragraph 3.3) |
| Procedure | Make a search request. |
| Base | ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Languages, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | title;lang-en-us=President |
| Expected results | The entries for George Washington, Thomas Jefferson and Abraham Lincoln are returned. |
| Purpose | Search for entries with attributes that are subtypes of a tagged type. |
| Reference | [RFC 2596] (paragraph 3.3) |
| Procedure | Make a search request. |
| Base | ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Languages, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | name;lang-fr=* |
| Expected results | The entries for Marie Antoinette and Thomas Jefferson are returned. |
| Purpose | Search entries whose attributes have language tags without specifying language tags in the search request. |
| Reference | [RFC 2596] (paragraph 3.3) |
| Procedure | Make a search request. |
| Base | ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Languages, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | Title=Queen |
| Expected results | The entry for Marie Antoinette is returned. |
| Purpose | Verify return of TRUE return code for Compare request including a language tag. |
| Reference | [RFC 2596] (paragraph 3.4) |
| Procedure | Send a Compare request to a server constructed using the information shown below. |
| DN | cn=William Pitt, ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Attribute type | title |
| Attribute value | lang-en-gb;Prime Minister |
| Expected results | Result code 6 (compareTrue) should be returned. |
| Purpose | Verify that server generates a noSuchAttribute error message for Compare request that includes a language tag not present in an entry. |
| Reference | [RFC 2596] (paragraph 3.4) |
| Procedure | Send a Compare request to a server constructed using the information shown below. |
| DN | cn=William Pitt, ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Attribute type | title |
| Attribute value | lang-en;Prime Minister |
| Expected results | Result code 16 (noSuchAttribute) should be returned. |
| Purpose | Verify appropriate behavior when the list of attributes to be retrieved for an entry includes an attribute with language tags. |
| Reference | [RFC 2596] (paragraph 3.5) |
| Procedure | Submit a Search request with a search filter, base, scope, and attributes list as indicated below. |
| Base | ou=Languages, ou=ExtendedSearch, o=IMC, c=US |
| Base (dc-naming) | dc=Languages, dc=ExtendedSearch, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Attributes | cn;lang-en-gb, cn;lang-en-us |
| Filter | employeenumber<=91101102 |
| Expected results | The entries for George Washington and Marie Antoinette should be returned with attributes cn;lang-en-us: George Washington, cn;lang-en-GB: George Washington and cn;lang-en: Marie Antionette. |
To perform the tests in paragraph 3.3.12.5.7, you must authenticate as:
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
There are two parameters in all of the DNs found in paragraph 3.3.12.5.7; definitions for these parameters are as follows:
You should replace the bracketed place holder for these parameters in all DNs found in this paragraph prior to performing the tests.
| Purpose | Verify capability to add a new entry to the directory with attributes that have language tags. |
| Reference | [RFC 2596] (paragraph 3.6) |
| Procedure | Add an entire new directory entry using the information below. |
| DN | cn=Florence Nightingale, ou=<client-ID>, ou=<vendor-ID>, ou=ExtendedAdd, o=IMC, c=US |
| Attribute type | objectclass |
| Attribute values | top person organizationalPerson inetOrgPerson |
| Attribute type | sn |
| Attribute value | Nightingale |
| Attribute type | cn |
| Attribute value | Florence Nightingale |
| Attribute type | telephoneNumber |
| Attribute value | + 44 171 999 1854 |
| Attribute type | |
| Attribute value | florence@nhs.gov.uk |
| Attribute type | description;lang-en |
| Attribute value | The lady with the lamp |
| Attribute type | description;lang-fr |
| Attribute value | La femme au lumiere |
| Expected results | A new entry should now be present in the directory with the above attributes. |
| Purpose | Verify that a single-valued attribute with language tags can be replaced. |
| Procedure | Replace an attribute value for an attribute type using a Modify request. |
| Reference | [RFC 2251] (paragraph 4.6, pp. 32-33) [RFC 2596] (paragraph 3.7) |
| DN | cn=Tony Blair, ou=<client-ID>, ou=<vendor-ID>, ou=ExtendedModify, o=IMC, c=US |
| Attribute type | title;lang-en-gb |
| Attribute value | First Minister |
| Expected results | The value of the title;lang-en-gb attribute (but not the title;lang-en-us attribute) should be changed as above. |
| Purpose | Verify that the subSchemaSubEntry is present in the root DSE. |
| Reference | [RFC 2251] (paragraph 3.4) |
| Procedure | Make a search request. |
| Base | zero length DN "" |
| Scope | base |
| Filter | (objectclass=*) |
| Requested Attributes | subschemasubentry |
| Expected results | The attribute subschemasubentry is returned for the root DSE Entry. |
| Purpose | Verify that the subSchemaSubEntry is present in any entry of the Directory. |
| Reference | [RFC 2251] (paragraph 3.2.1) |
| Procedure | Make a search request. |
| Base | ou=Search, o=IMC, c=us |
| Base (dc-naming) | dc=Search, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | (cn=margaret*) |
| Requested Attributes | subschemasubentry |
| Expected results | 2 entries are returned with only the attribute subschemasubentry. |
| Purpose | Verify that the schema is accessible via LDAP. |
| Reference | [RFC 2251] (paragraph 3.2.2) |
| Procedure | Make a search request on root DSE to get the attribute subSchemaSubEntry. Then make a base search request with the value of subSchemaSubEntry. |
| Base | zero length DN "" |
| Scope | base |
| Filter | (objectclass=*) |
| Requested Attributes | subschemasubentry |
| Expected results | The root DSE is returned with only the attribute subschemasubentry. |
| Second Search | |
| Base | The value of the subschemasubentry attribute |
| Scope | base |
| Filter | (objectclass=subschema) |
| Requested Attributes | objectclasses, attributetypes |
| Expected results | The schema entry is returned with the 2 requested attributes. Each attribute contains several values. |
dn: cn=Directory Manager, o=IMC, c=US
with password: controller
Note that these tests cannot be performed by several clients at the same time because the schema is in one unique entry.
| Purpose | Verify that an objectclass can be added in the schema. |
| Reference | [RFC 2251] (paragraph TBD) |
| Procedure | Add an attribute value to the attribute "objectclasses" (using the modify-add operation). |
| DN | The schema DN is read in the root DSE (attribute subschemasubentry) |
| Attribute type | objectclasses |
| Attribute Value | ( 1.1.1.1.1.1111 NAME 'IMCTestObject' DESC 'Useless ObjectClass for testing' SUP 'top' MUST ( cn $ telephoneNumber ) MAY ( description $ seeAlso ) ) |
| Requested Attributes | subschemasubentry |
| Expected results | The schema entry should have one more "objectclasses" attribute value containing the above value. |
| Purpose | Verify that an objectclass can be deleted from the schema. |
| Reference | [RFC 2251] (paragraph TBD) |
| Procedure | Delete an attribute value from the attribute "objectclasses" (using the modify-delete operation). This test must be run just after test 3.3.13.2.1. |
| DN | The schema DN is read in the root DSE (attribute subschemasubentry) |
| Attribute type | objectclasses |
| Attribute Value | ( 1.1.1.1.1.1111 NAME 'IMCTestObject' DESC 'Useless ObjectClass for testing' SUP 'top' MUST ( cn $ telephoneNumber ) MAY ( description $ seeAlso ) ) |
| Expected results | The schema entry should not have the "objectclasses" attribute value for IMCTestObject. |
| Purpose | Verify that an attribute definition can be added in the schema. |
| Reference | [RFC 2251] (paragraph TBD) |
| Procedure | Add an attribute value to the attribute "attributetypes" (using the modify-add operation). |
| DN | The schema DN is read in the root DSE (attribute subschemasubentry) |
| Attribute type | attributetypes |
| Attribute Value | ( 1.1.1.1.1.1111 NAME 'IMCTestAttr' DESC 'Useless attribute type for testing' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
| Requested Attributes | subschemasubentry |
| Expected results | The schema entry should have one more "attributetypes" attribute value containing the above value. |
| Purpose | Verify that an attribute definition can be deleted from the schema. |
| Reference | [RFC 2251] (paragraph TBD) |
| Procedure | Delete an attribute value from the attribute "attributetypes" (using the modify-delete operation). This test must be run just after test 3.3.13.2.3. |
| DN | The schema DN is read in the root DSE (attribute subschemasubentry) |
| Attribute type | attributetypes |
| Attribute Value | ( 1.1.1.1.1.1111 NAME 'IMCTestAttr' DESC 'Useless attribute type for testing' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) |
| Expected results | The schema entry should not have the "attributetypes" attribute value for IMCTestAttr. |
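A pre-flight check for the schema-modification tests above, as an added example that is not part of the test suite: it parses the two definition values exactly as they appear in the tests, lists the MUST attributes an entry of the new object class would need, and flags numeric OIDs that appear in more than one definition, as both test values on this page do. The function names and the sample entry attribute list are assumptions.

```python
import re

_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
_NUMERIC_OID = re.compile(r"\d+(?:\.\d+)+\Z")
# Keywords that take a value; any other keyword (e.g. STRUCTURAL, SINGLE-VALUE) is a flag.
_VALUED = {"NAME", "DESC", "SUP", "MUST", "MAY", "SYNTAX",
           "EQUALITY", "ORDERING", "SUBSTR", "USAGE"}

# Values copied from the tests above.
OBJECTCLASS_VALUE = ("( 1.1.1.1.1.1111 NAME 'IMCTestObject' DESC 'Useless ObjectClass "
                     "for testing' SUP 'top' MUST ( cn $ telephoneNumber ) "
                     "MAY ( description $ seeAlso ) )")
ATTRIBUTETYPE_VALUE = ("( 1.1.1.1.1.1111 NAME 'IMCTestAttr' DESC 'Useless attribute "
                       "type for testing' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )")


def parse_schema_value(text):
    """Parse an objectclasses/attributetypes value into {"OID": str, KEYWORD: [values]}."""
    tokens = _TOKEN.findall(text)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("definition must be enclosed in parentheses")
    body = tokens[1:-1]
    if not _NUMERIC_OID.match(body[0]):
        raise ValueError(f"first element {body[0]!r} is not a numeric OID")
    parsed = {"OID": body[0]}
    i = 1
    while i < len(body):
        keyword = body[i].upper()
        i += 1
        if keyword not in _VALUED:
            parsed[keyword] = True
            continue
        if i >= len(body):
            raise ValueError(f"{keyword} has no value")
        if body[i] == "(":  # parenthesised list, items separated by "$"
            try:
                close = body.index(")", i)
            except ValueError:
                raise ValueError(f"unterminated list after {keyword}") from None
            values = [t.strip("'") for t in body[i + 1:close] if t != "$"]
            i = close + 1
        else:
            values = [body[i].strip("'")]
            i += 1
        parsed[keyword] = values
    return parsed


def missing_must(objectclass, entry_attribute_types):
    """MUST attributes absent from an entry; options such as ;lang-en are ignored."""
    present = {a.split(";", 1)[0].lower() for a in entry_attribute_types}
    return [a for a in objectclass.get("MUST", []) if a.lower() not in present]


def shared_oids(definitions):
    """Map each OID used by more than one definition to the names that use it."""
    by_oid = {}
    for definition in definitions:
        by_oid.setdefault(definition["OID"], []).append(definition["NAME"][0])
    return {oid: names for oid, names in by_oid.items() if len(names) > 1}


if __name__ == "__main__":
    oc = parse_schema_value(OBJECTCLASS_VALUE)
    at = parse_schema_value(ATTRIBUTETYPE_VALUE)
    print("MUST:", oc["MUST"], "MAY:", oc["MAY"])
    print("shared OIDs:", shared_oids([oc, at]))
    # Constructed entry: has cn and a language-tagged description, no telephoneNumber.
    print("missing:", missing_must(oc, ["cn", "description;lang-en"]))
```
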
Note that RFC 2251 does not actually require the server to return a referral in this case, and that the referral returned (if one is returned at all) will be configuration-dependent.
| Purpose | Test return of superior reference referral. |
| Reference | [RFC 2251] (paragraphs 4.1.11, 4.5.3.1) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | o=IMC, c=US |
| Base (dc-naming) | dc=IMC, dc=org |
| Scope | subtree |
| Filter | ou=Server<n> |
| Expected results | A referral to another server should be returned. |
Note that RFC 2251 does not actually require the server to return a referral in this case, and that the referral returned (if one is returned at all) will be configuration-dependent.
| Purpose | Test return of subordinate reference referral. |
| Reference | [RFC 2251] (paragraphs 4.1.11, 4.5.3.1) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below. |
| Base | ou=Referrals, o=IMC, c=US |
| Base (dc-naming) | dc=Referrals, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | ou=Server<n> |
| Expected results | A referral to another server should be returned. |
| Purpose | Test return of referral for search operation where the base contains a ref attribute. |
| Reference | [NAMEDREF] (paragraph 5.1.1.2, case 2) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below, when bound to a server other than server<n>. |
| Base | ou=Server<n>, ou=Servers, o=IMC, c=US |
| Base (dc-naming) | dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org |
| Scope | base/single-level/subtree |
| Filter | ou=Server<n> |
| Expected results | The following referral should be returned: ldap://server<n>.dc.opengroup.org/ou=Server<n>, ou=Servers, o=IMC, c=US (X.500 naming) or ldap://server<n>.dc.opengroup.org/dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org (dc naming) |
| Purpose | Test return of referral for modify operation where the target contains a ref attribute. |
| Reference | [NAMEDREF] (paragraph 5.1.1.2, case 2) |
| Procedure | Attempt to add an attribute value, when bound to a server other than server<n>. |
| DN (X.500 naming) | ou=Server<n>, ou=Servers, o=IMC, c=US |
| DN (dc naming) | dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org |
| Attribute type | telephoneNumber |
| Attribute value | +33 1 234 5678 |
| Expected results | The following referral should be returned: ldap://server<n>.dc.opengroup.org/ (X.500 naming) or ldap://server<n>.dc.opengroup.org/ (dc naming) |
| Purpose | Test return of referral for search operation where the base is subordinate to an entry that contains a ref attribute. |
| Reference | [NAMEDREF] (paragraph 5.1.1.2, case 3) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below, when bound to a server other than server<n>. |
| Base | cn=John Humphries, ou=Server<n>, ou=Servers, o=IMC, c=US |
| Base (dc-naming) | cn=John Humphries, dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org |
| Scope | base |
| Filter | telephoneNumber=* |
| Expected results | The following referral should be returned: ldap://server<n>.dc.opengroup.org/ou=Server<n>, ou=Servers, o=IMC, c=US (X.500 naming) or ldap://server<n>.dc.opengroup.org/dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org (dc naming) |
| Purpose | Test return of referral for modify operation where the target contains a ref attribute. |
| Reference | [NAMEDREF] (paragraph 5.1.1.2, case 3) |
| Procedure | Attempt to add an attribute value, when bound to a server other than server<n>. |
| DN (X.500 naming) | cn=John Humphries, ou=Server<n>, ou=Servers, o=IMC, c=US |
| DN (dc naming) | cn=John Humphries, dc=Server<n>, dc=Servers, dc=Relative, dc=IMC, dc=org |
| Attribute type | facsimileTelephoneNumber |
| Attribute value | +44 181 432 2000 |
| Expected results | The following referral should be returned: ldap://server<n>.dc.opengroup.org/ (X.500 naming) or ldap://server<n>.dc.opengroup.org/ (dc naming) |
| Purpose | Test return of referral for single-level search operation where an entry that contains a ref attribute is found. |
| Reference | [NAMEDREF] (paragraph 5.1.1.3) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below, when bound to a server other than server<n>. |
| Base | ou=Servers, o=IMC, c=US |
| Base (dc-naming) | dc=Servers, dc=Relative, dc=IMC, dc=org |
| Scope | single-level |
| Filter (X.500 naming) | ou=Server<n> |
| Filter (dc naming) | dc=Server<n> |
| Expected results | The following referral should be returned: ldap://server<n>.dc.opengroup.org/ou=Server<n>,ou=Servers,o=IMC,c=US??base (X.500 naming) or ldap://server<n>.dc.opengroup.org/dc=Server<n>, dc=Servers,dc=Relative,dc=IMC,dc=org??base (dc naming) |
| Purpose | Test return of referral for subtree search operation where an entry that contains a ref attribute is found. |
| Reference | [NAMEDREF] (paragraph 5.1.1.4) |
| Procedure | Submit a Search request with a search filter, base, and scope as indicated below, when bound to a server other than server<n>. |
| Base | ou=Servers, o=IMC, c=US |
| Base (dc-naming) | dc=Servers, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | cn=John Humphries |
| Expected results | The following continuation references should be returned: ldap://server<n>.dc.opengroup.org/ou=Server<n>,ou=Servers,o=IMC,c=US (X.500 naming) or ldap://server<n>.dc.opengroup.org/dc=Server<n>, dc=Servers,dc=Relative,dc=IMC,dc=org (dc naming). There should be 19 continuation references returned: <n> = 1, ..., 20, except the value of <n> for the server to which the client is bound. |
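The referral and continuation-reference checks above come down to comparing LDAP URLs whose DNs may differ only in case and optional spaces. The following is an added example, not part of the original test suite: it performs that comparison and audits the 19-reference subtree result. The function names, the simplified DN normalization and the strict comparison of the scope field are assumptions made here.

```python
import re
from urllib.parse import unquote

# Host and DN templates copied from the expected-results cells above.
HOST = "server{n}.dc.opengroup.org"
BASE_DN = {
    "x500": "ou=Server{n}, ou=Servers, o=IMC, c=US",
    "dc": "dc=Server{n}, dc=Servers, dc=Relative, dc=IMC, dc=org",
}
LDAP_URL = re.compile(r"ldap://([^/?]*)(?:/([^?]*))?(?:\?(.*))?$", re.IGNORECASE)


def expected_referral(n, naming="x500", scope=None):
    """Build the URL a test expects for server <n>; scope is e.g. "base"."""
    url = "ldap://" + HOST.format(n=n) + "/" + BASE_DN[naming].format(n=n)
    return url + ("??" + scope if scope else "")


def normalize_dn(dn):
    """Reduce a DN to (type, value) pairs, ignoring case and optional spaces."""
    # Simplified: backslash-escaped commas only; no quoted values or '+' RDNs.
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(pairs)


def parse_ldap_url(url):
    """Split ldap://host[:port]/dn?attrs?scope into comparable parts."""
    m = LDAP_URL.match(url.strip())
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, port = m.group(1).partition(":")   # IPv6 literals not handled
    fields = (m.group(3) or "").split("?")       # [attrs, scope, filter, ...]
    scope = fields[1].lower() if len(fields) > 1 and fields[1] else None
    dn = normalize_dn(unquote(m.group(2) or ""))
    return host.lower(), int(port) if port else 389, dn, scope


def referral_matches(returned, expected):
    """True when a returned referral names the expected host, port, DN, scope."""
    want = parse_ldap_url(expected)
    try:
        return parse_ldap_url(returned) == want
    except ValueError:                            # malformed or non-LDAP URL
        return False


def audit_continuation_refs(refs, bound_n, naming="x500"):
    """Return (server numbers with no reference, references matching no server)."""
    # Subtree test: one reference per server 1..20 except the bound server.
    wanted = {n: expected_referral(n, naming)
              for n in range(1, 21) if n != bound_n}
    seen, unexpected = set(), []
    for ref in refs:
        hits = {n for n, url in wanted.items() if referral_matches(ref, url)}
        seen |= hits
        if not hits:
            unexpected.append(ref)
    return sorted(set(wanted) - seen), unexpected


if __name__ == "__main__":
    # Constructed sample: bound to server 5, server 7 missing, one foreign host.
    refs = [expected_referral(n) for n in range(1, 21) if n not in (5, 7)]
    refs.append("ldap://other.example/ou=Server7,ou=Servers,o=IMC,c=US")
    print(audit_continuation_refs(refs, bound_n=5))
```

A reference in the second returned list names a host or DN outside the test topology, which is worth flagging before any client is allowed to chase it.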
The tests in this section are designed to be performed with multiple certificate generation products. Their descriptions refer to "CA1" and "CA2", but if other sets of certificates as described in CATS are available, then these could be substituted. See the description in 3.3.11.
Each participating server is allocated a unique number <n>. Server <n> should use the Server<n> certificate generated by CA1 (in file certs1/serv<n>) to secure TLS connections. Clients that can validate server certificates should be set up to accept certificates that can be validated by the CA1 root certificate (which is in file certs1/ca_root).
The servers should be set up as follows:
| Purpose | Test TLS-protected simple anonymous bind. |
| Reference | [RFC 2829] (paragraph 5.2), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS. Issue an LDAP anonymous BIND request. |
| Expected results | The test is successful if the LDAP connection can be established without errors. Search requests should now be accepted and processed by the server. |
| Purpose | Test authenticated TLS-protected simple bind with correct credentials. |
| Reference | [RFC 2829] (paragraph 6.2), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS. Test authenticated Bind as 'Henri Matisse' with a correct password ('Henri001'). |
| DN | cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password | Henri001 |
| Expected results | The test is successful if the Bind is successful. Search requests should now be accepted and processed by the server. |
| Purpose | Test TLS Certificate bind with valid certificate. |
| Reference | [RFC 2829] (paragraph 7.1), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS with Certificate authentication. Load certificate generated by product with id CA1 for Pablo Picasso (file certs1/pablo_picasso). Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US subtree of the DIT. Test authenticated Bind as user with DN below. |
| DN | cn=Pablo Picasso, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results | The test is successful if the Bind is successful. Search requests should now be accepted and processed by the server. |
| Purpose | Test TLS Certificate bind with expired certificate. |
| Reference | [RFC 2829] (paragraph 7.1), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS with Certificate authentication. Load certificate generated by product with id CA1 for John Constable (file certs1/john_constable). Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US subtree of the DIT. Test authenticated Bind as user with DN below. |
| DN | cn=John Constable, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results | Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Test TLS Certificate bind with an end-user certificate that must be validated by a root certificate generated by a product other than that used to generate the end-user certificate. |
| Reference | [RFC 2829] (paragraph 7.1), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS with Certificate authentication. Load certificate generated by product with id CA2 for William CA2 Turner in the CA1 branch of the DIT (file certs2/william_ca1_turner). Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US subtree of the DIT. Test authenticated Bind as user with DN below. |
| DN | cn=William CA2 Turner, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results | The test is successful if the Bind is successful. Search requests should now be accepted and processed by the server. |
(NB - this test will not work with currently supplied CRLs.)
| Purpose | Test TLS Certificate bind when there is a revoked certificate in the certification path. |
| Reference | [RFC 2829] (paragraph 7.1), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS with Certificate authentication. Load certificate generated by product with id CA2 for Georges CA2 Braque in the CA1 branch of the DIT (in file certs2/georges_ca1_braque). Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US subtree of the DIT. Test authenticated Bind as user with DN below. |
| DN | cn=Georges CA2 Braque, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results | Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Test authenticated TLS-protected simple bind with incorrect credentials. |
| Reference | [RFC 2829] (paragraph 6.2), [RFC 2830] (paragraph 2.1), [RFC 2251] (paragraphs 4.1.10, 4.2) |
| Procedure | Configure client to use TLS. Test authenticated Bind as 'Henri Matisse' with incorrect password ('Henri111'). |
| DN | cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password | Henri111 |
| Expected results | Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Test bind without using TLS when TLS is required. |
| Reference | [RFC 2251] (paragraphs 4.1.10, 4.2.3) |
| Procedure | Configure client to not use TLS. Test simple authenticated Bind as 'Henri Matisse' with a correct password ('Henri001'). |
| DN | cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password | Henri001 |
| Expected results | Result code 8 (strongAuthRequired) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Test abrupt closure of TLS connection. |
| Reference | [RFC 2829] (paragraph 6.2), [RFC 2830] (paragraphs 2.1 and 4.2), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS and establish connection. Make any search request and await results. Take some action that will close the underlying TCP connection. Then make it possible for the TCP connection to be re-established. Make the same search request again. |
| Expected results | The test is successful if the second search request is rejected with an indication that the service is not available or if the client is required to re-establish credentials. |
| Purpose | Test TLS-protected simple anonymous bind. |
| Reference | [RFC 2829] (paragraph 5.2), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS. Connect to server using port 636, and issue an LDAP anonymous BIND request. |
| Expected results | The test is successful if the LDAP connection can be established without errors. Search requests should now be accepted and processed by the server. |
| Purpose | Test authenticated TLS-protected simple bind with correct credentials. |
| Reference | [RFC 2829] (paragraph 6.2), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS. Connect to server using port 636, and test authenticated Bind as 'Henri Matisse' with a correct password ('Henri001'). |
| DN | cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password | Henri001 |
| Expected results | The test is successful if the Bind is successful. Search requests should now be accepted and processed by the server. |
| Purpose | Test TLS Certificate bind with valid certificate. |
| Reference | [RFC 2829] (paragraph 9.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS with Certificate authentication. Load certificate generated by product with id CA1 for Pablo Picasso (file certs1/pablo_picasso). Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US subtree of the DIT. Connect to server using port 636, and test authenticated Bind as user with DN below. |
| DN | cn=Pablo Picasso, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results | The test is successful if the Bind is successful. Search requests should now be accepted and processed by the server. |
| Purpose | Test TLS Certificate bind with expired certificate. |
| Reference | [RFC 2829] (paragraph 7.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS with Certificate authentication. Load certificate generated by product with id CA1 for John Constable (file certs1/john_constable). Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US subtree of the DIT. Connect to server using port 636, and test authenticated Bind as user with DN below. |
| DN | cn=John Constable, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results | Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Test TLS Certificate bind with an end-user certificate that must be validated by a root certificate generated by a product other than that used to generate the end-user certificate. |
| Reference | [RFC 2829] (paragraph 7.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS with Certificate authentication. Load certificate generated by product with id CA2 for William CA2 Turner in the CA1 branch of the DIT (file certs2/william_ca1_turner). Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US subtree of the DIT. Connect to server using port 636, and test authenticated Bind as user with DN below. |
| DN | cn=William CA2 Turner, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results | The test is successful if the Bind is successful. Search requests should now be accepted and processed by the server. |
(NB - this test will not work with currently supplied CRLs.)
| Purpose | Test TLS Certificate bind when there is a revoked certificate in the certification path. |
| Reference | [RFC 2829] (paragraph 7.1), [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS with Certificate authentication. Load certificate generated by product with id CA2 for Georges CA2 Braque in the CA1 branch of the DIT (in file certs2/georges_ca1_braque). Configure server to use the CA1 Root Certificate (file certs1/ca_root) to authenticate clients binding as users with entries in the ou=CA1, ou=CAs, o=IMC, c=US subtree of the DIT. Connect to server using port 636, and test authenticated Bind as user with DN below. |
| DN | cn=Georges CA2 Braque, ou=TLS, ou=CA1, ou=CAs, o=IMC, c=US |
| Expected results | Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Test authenticated TLS-protected simple bind with incorrect credentials. |
| Reference | [RFC 2829] (paragraph 6.2), [RFC 2251] (paragraphs 4.1.10, 4.2) |
| Procedure | Configure client to use TLS. Connect to server using port 636, and test authenticated Bind as 'Henri Matisse' with incorrect password ('Henri111'). |
| DN | cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password | Henri111 |
| Expected results | Result code 49 (invalidCredentials) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Test bind without using TLS when TLS is required. |
| Reference | [RFC 2251] (paragraphs 4.1.10, 4.2.3) |
| Procedure | Configure client to not use TLS. Connect to server using normal LDAP port, and test simple authenticated Bind as 'Henri Matisse' with a correct password ('Henri001'). |
| DN | cn=Henri Matisse, ou=Security, o=IMC, c=US |
| Password | Henri001 |
| Expected results | Result code 8 (strongAuthRequired) should be returned. The Bind should fail. The server may not accept and process requests; if they are accepted, they should be treated as anonymous requests. |
| Purpose | Test abrupt closure of TLS connection. |
| Reference | [RFC 2251] (paragraph 4.2) |
| Procedure | Configure client to use TLS and establish connection. Make any search request and await results. Take some action that will close the underlying TCP connection. Then make it possible for the TCP connection to be re-established. Make the same search request again. |
| Expected results | The test is successful if the second search request is rejected with an indication that the service is not available or if the client is required to re-establish credentials. |
The tests in this section are designed to be performed in conjunction with DNS servers that implement SRV records. Each server participating in the tests is assigned a server identity server1, server2, ... through server20. There is a specific LDIF file for each server, which should be loaded by that server prior to testing. Since the SRV record format assumes dc-naming (see [SRV] paragraph 2), these LDIF files are provided in dc format and dc-relative format only.
The tests presuppose that a DNS is available that contains the following SRV records (<n> = 1, ..., 20).
_ldap_tcp.server<n>.Servers.Relative.imc.org. IN SRV 0 0 389 server<n>.dc.opengroup.org.
| Purpose | Bind Anonymously to an LDAP server which is located by looking up SRV records in the DNS. |
| Reference | [RFC 2251] (paragraph 4.2, pp. 20-23), [SRV] (paragraphs 3, 4). |
| Procedure | Request to bind anonymously to the server for the DN given below. On successful bind, submit a Search request with a filter, base, and scope as indicated below. |
| DN (dc naming) | dc=Server<n>, dc=Servers, dc=Relative, dc=imc, dc=org |
| Base (dc-naming) | dc=Servers, dc=Relative, dc=IMC, dc=org |
| Scope | subtree |
| Filter | cn=John Humphreys |
| Requested Attributes | telephonenumber |
| Expected Results | The test is successful if the LDAP connection to server <n> is established without errors, and if the search request returns a telephone number that ends with <n>. E.g., the telephone number returned by server 3 will be +44 181 432103. |
To be added.
The EuroSInet Consortium gave the IMC permission to use their test suite during the DirConnect 1 event; their test suite document was instrumental in prompting DirConnect 1 participants to verify that their implementations could support search, retrieval, and update functions as well as international character sets. The test entries that accompanied the EuroSInet test suite inspired the creation of some of the entries in this document.
The participants of DirConnect 1 deserve much thanks for pointing out deficiencies in the test suite documentation and LDIF file prepared for that event. Their comments and suggestions for improvement were incorporated into this document. (I'll list the names of the participants if I can find them; I think they're on the IMC web site).
Chris Apple, Room 2F-165
AT&T Laboratories
600 Mountain Ave.
Murray Hill, NJ 07974-0636
USA
E-Mail: capple@att.com
Voice: +1 908 582 2409
FAX: +1 908 582 3296
Chris Harding
The Open Group
Apex Plaza
Forbury Road
Reading, Berks. RG1 1AX
UK
E-Mail: c.harding@opengroup.org
Voice: +44 118 9508311 X 2262
FAX: +44 118 9500110
Ludovic Poitou
Sun Microsystems
32 chemin du vieux chene
3240 MEYLAN
FRANCE
E-Mail: ludovic.poitou@france.sun.com
Voice: +33 476 414 212
FAX: +33 476 414 241