the class InMemoryRequestHandler method processBindRequest.
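/**
 * Attempts to process the provided bind request.  The attempt will fail if
 * any of the following conditions is true:
 * <UL>
 *   <LI>Bind operations are not in the set of allowed operation types.</LI>
 *   <LI>There is a problem with any of the request controls.</LI>
 *   <LI>The bind request is for a SASL bind for which no SASL mechanism
 *       handler is defined.</LI>
 *   <LI>The bind request contains a malformed bind DN.</LI>
 *   <LI>The bind DN is not the null DN and is neither in the set of
 *       additional bind credentials nor the DN of any entry in the data
 *       set.</LI>
 *   <LI>The bind password is empty and the bind DN is not the null DN.</LI>
 *   <LI>The target user does not have any password value that matches the
 *       provided bind password.</LI>
 *   <LI>Authentication is required for bind operations and the request would
 *       leave the connection unauthenticated.</LI>
 * </UL>
 * <BR><BR>
 * Any existing authentication state for the connection is discarded before
 * the request is evaluated, so a bind that fails for any reason leaves the
 * connection unauthenticated.  For simple binds, the authorization identity
 * response control is included in a successful response only if the request
 * included the authorization identity request control.  For SASL binds, the
 * request controls are handed to the mechanism handler as-is and the
 * handler's response controls are returned unchanged.  All processing is
 * performed while holding the lock on the entry map.
 *
 * @param  messageID  The message ID of the LDAP message containing the bind
 *                    request.
 * @param  request    The bind request that was included in the LDAP message
 *                    that was received.
 * @param  controls   The set of controls included in the LDAP message.  It
 *                    may be empty if there were no controls, but will not be
 *                    {@code null}.
 *
 * @return  The {@link LDAPMessage} containing the response to send to the
 *          client.  The protocol op in the {@code LDAPMessage} must be a
 *          {@code BindResponseProtocolOp}.
 */
@Override()
@NotNull()
public LDAPMessage processBindRequest(final int messageID,
                                      @NotNull final BindRequestProtocolOp request,
                                      @NotNull final List<Control> controls)
{
  synchronized (entryMap)
  {
    // Sleep before processing, if appropriate.
    sleepBeforeProcessing();

    // If this operation type is not allowed, then reject it.
    if (! config.getAllowedOperationTypes().contains(OperationType.BIND))
    {
      return createBindErrorResponse(messageID,
           ResultCode.UNWILLING_TO_PERFORM_INT_VALUE,
           ERR_MEM_HANDLER_BIND_NOT_ALLOWED.get());
    }

    // Discard any previous authentication up front so that a bind which fails
    // for any reason below leaves the connection unauthenticated.
    authenticatedDN = DN.NULL_DN;

    // Because the authenticated DN was just reset, whether the connection is
    // currently unauthenticated no longer needs to be tested; the only thing
    // that matters is whether the configuration requires authentication for
    // bind operations.
    final boolean authRequired =
         config.getAuthenticationRequiredOperationTypes().contains(
              OperationType.BIND);

    // If authentication is required and this is a simple bind, then the
    // request must include a non-empty password.
    if (authRequired &&
        (request.getCredentialsType() ==
             BindRequestProtocolOp.CRED_TYPE_SIMPLE))
    {
      final ASN1OctetString simplePassword = request.getSimplePassword();
      if ((simplePassword == null) || (simplePassword.getValueLength() == 0))
      {
        return createBindErrorResponse(messageID,
             ResultCode.INVALID_CREDENTIALS_INT_VALUE,
             ERR_MEM_HANDLER_BIND_REQUIRES_AUTH.get());
      }
    }

    // Get the parsed bind DN.
    final DN bindDN;
    try
    {
      bindDN = new DN(request.getBindDN(), schemaRef.get());
    }
    catch (final LDAPException le)
    {
      Debug.debugException(le);
      return createBindErrorResponse(messageID,
           ResultCode.INVALID_DN_SYNTAX_INT_VALUE,
           ERR_MEM_HANDLER_BIND_MALFORMED_DN.get(request.getBindDN(),
                le.getMessage()));
    }

    // If the bind request is for a SASL bind, then delegate it to the handler
    // registered for the requested mechanism.
    if (request.getCredentialsType() == BindRequestProtocolOp.CRED_TYPE_SASL)
    {
      final String mechanism = request.getSASLMechanism();
      final InMemorySASLBindHandler handler = saslBindHandlers.get(mechanism);
      if (handler == null)
      {
        return createBindErrorResponse(messageID,
             ResultCode.AUTH_METHOD_NOT_SUPPORTED_INT_VALUE,
             ERR_MEM_HANDLER_SASL_MECH_NOT_SUPPORTED.get(mechanism));
      }

      try
      {
        final BindResult bindResult = handler.processSASLBind(this, messageID,
             bindDN, request.getSASLCredentials(), controls);

        // The handler is responsible for updating the authenticated DN.  If
        // the bind succeeded but the connection is still unauthenticated and
        // authentication is required, then reject it.  The null-DN test uses
        // isNullDN() rather than reference equality with DN.NULL_DN so that a
        // handler which assigns a freshly-constructed empty DN is treated the
        // same way as one that assigns the shared constant.
        if (authRequired &&
            (bindResult.getResultCode() == ResultCode.SUCCESS) &&
            ((authenticatedDN == null) || authenticatedDN.isNullDN()))
        {
          return createBindErrorResponse(messageID,
               ResultCode.INVALID_CREDENTIALS_INT_VALUE,
               ERR_MEM_HANDLER_BIND_REQUIRES_AUTH.get());
        }

        return new LDAPMessage(messageID,
             new BindResponseProtocolOp(bindResult.getResultCode().intValue(),
                  bindResult.getMatchedDN(),
                  bindResult.getDiagnosticMessage(),
                  Arrays.asList(bindResult.getReferralURLs()),
                  bindResult.getServerSASLCredentials()),
             Arrays.asList(bindResult.getResponseControls()));
      }
      catch (final Exception e)
      {
        Debug.debugException(e);
        return createBindErrorResponse(messageID, ResultCode.OTHER_INT_VALUE,
             ERR_MEM_HANDLER_SASL_BIND_FAILURE.get(
                  StaticUtils.getExceptionMessage(e)));
      }
    }

    // If we've gotten here, then the bind must use simple authentication.
    // Process the provided request controls.
    final Map<String,Control> controlMap;
    try
    {
      controlMap = RequestControlPreProcessor.processControls(
           LDAPMessage.PROTOCOL_OP_TYPE_BIND_REQUEST, controls);
    }
    catch (final LDAPException le)
    {
      Debug.debugException(le);
      return createBindErrorResponse(messageID,
           le.getResultCode().intValue(), le.getMessage());
    }

    // The authorization identity response control is only returned if the
    // client asked for it.
    final boolean returnAuthzID = controlMap.containsKey(
         AuthorizationIdentityRequestControl.
              AUTHORIZATION_IDENTITY_REQUEST_OID);

    // A missing password is treated exactly like an empty one, so that the
    // checks below never dereference a null octet string.
    final ASN1OctetString bindPassword = request.getSimplePassword();
    final int passwordLength =
         (bindPassword == null) ? 0 : bindPassword.getValueLength();

    // If the bind DN is the null DN, then the bind will be considered
    // successful as long as the password is also empty.
    if (bindDN.isNullDN())
    {
      if (passwordLength == 0)
      {
        return createBindSuccessResponse(messageID, returnAuthzID, "");
      }

      return createBindErrorResponse(messageID,
           ResultCode.INVALID_CREDENTIALS_INT_VALUE,
           ERR_MEM_HANDLER_BIND_WRONG_PASSWORD.get(request.getBindDN()));
    }

    // A non-null bind DN with an empty password is an unauthenticated bind,
    // which this server does not permit.
    if (passwordLength == 0)
    {
      return createBindErrorResponse(messageID,
           ResultCode.UNWILLING_TO_PERFORM_INT_VALUE,
           ERR_MEM_HANDLER_BIND_SIMPLE_DN_WITHOUT_PASSWORD.get());
    }

    // See if the bind DN is in the set of additional bind credentials.  If
    // so, then use the password there.
    final byte[] additionalCreds = additionalBindCredentials.get(bindDN);
    if (additionalCreds != null)
    {
      // Compare the credentials in constant time (for equal-length inputs) so
      // that the comparison does not leak the position of the first
      // mismatched byte through its duration.
      if (java.security.MessageDigest.isEqual(additionalCreds,
               bindPassword.getValue()))
      {
        authenticatedDN = bindDN;
        return createBindSuccessResponse(messageID, returnAuthzID,
             "dn:" + bindDN.toString());
      }

      return createBindErrorResponse(messageID,
           ResultCode.INVALID_CREDENTIALS_INT_VALUE,
           ERR_MEM_HANDLER_BIND_WRONG_PASSWORD.get(request.getBindDN()));
    }

    // If the target user doesn't exist, then reject the request.
    final ReadOnlyEntry userEntry = entryMap.get(bindDN);
    if (userEntry == null)
    {
      return createBindErrorResponse(messageID,
           ResultCode.INVALID_CREDENTIALS_INT_VALUE,
           ERR_MEM_HANDLER_BIND_NO_SUCH_USER.get(request.getBindDN()));
    }

    // Get a list of the user's passwords, restricted to those that match the
    // provided clear-text password.  If the list is empty, then the
    // authentication failed.
    final List<InMemoryDirectoryServerPassword> matchingPasswords =
         getPasswordsInEntry(userEntry, bindPassword);
    if (matchingPasswords.isEmpty())
    {
      return createBindErrorResponse(messageID,
           ResultCode.INVALID_CREDENTIALS_INT_VALUE,
           ERR_MEM_HANDLER_BIND_WRONG_PASSWORD.get(request.getBindDN()));
    }

    // If we've gotten here, then authentication was successful.
    authenticatedDN = bindDN;
    return createBindSuccessResponse(messageID, returnAuthzID,
         "dn:" + bindDN.toString());
  }
}



/**
 * Creates a bind response message for a bind that has failed.  The response
 * has no matched DN, no referral URLs, no server SASL credentials, and no
 * response controls.
 *
 * @param  messageID          The message ID of the LDAP message containing
 *                            the bind request.
 * @param  resultCode         The integer value of the result code to return.
 * @param  diagnosticMessage  The diagnostic message to include in the
 *                            response.
 *
 * @return  The {@link LDAPMessage} containing the failure response.
 */
@NotNull()
private static LDAPMessage createBindErrorResponse(final int messageID,
                                final int resultCode,
                                @NotNull final String diagnosticMessage)
{
  return new LDAPMessage(messageID,
       new BindResponseProtocolOp(resultCode, null, diagnosticMessage, null,
            null));
}



/**
 * Creates a bind response message for a simple bind that has succeeded,
 * optionally including an authorization identity response control.
 *
 * @param  messageID      The message ID of the LDAP message containing the
 *                        bind request.
 * @param  returnAuthzID  Indicates whether the response should include an
 *                        authorization identity response control.
 * @param  authzID        The authorization ID to place in that control.  It
 *                        is ignored if {@code returnAuthzID} is
 *                        {@code false}.
 *
 * @return  The {@link LDAPMessage} containing the success response.
 */
@NotNull()
private static LDAPMessage createBindSuccessResponse(final int messageID,
                                final boolean returnAuthzID,
                                @NotNull final String authzID)
{
  final ArrayList<Control> responseControls = new ArrayList<>(1);
  if (returnAuthzID)
  {
    responseControls.add(new AuthorizationIdentityResponseControl(authzID));
  }

  return new LDAPMessage(messageID,
       new BindResponseProtocolOp(ResultCode.SUCCESS_INT_VALUE, null, null,
            null, null),
       responseControls);
}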
the class InMemoryDirectoryServerTestCase method testSASLBindWithAuthorizationIdentity.
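/**
 * Provides test coverage for the ability to process a SASL bind operation,
 * including the authorization identity request control.  The connection is
 * closed (with a set of unbind request controls) even if an assertion fails
 * part-way through.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testSASLBindWithAuthorizationIdentity()
       throws Exception
{
  final InMemoryDirectoryServer ds = getTestDS(true, true);
  final LDAPConnection conn = ds.getConnection();
  try
  {
    final RootDSE rootDSE = conn.getRootDSE();
    assertNotNull(rootDSE);
    assertTrue(rootDSE.supportsSASLMechanism("PLAIN"));
    assertTrue(rootDSE.supportsControl(
         AuthorizationIdentityRequestControl.
              AUTHORIZATION_IDENTITY_REQUEST_OID));

    // Test a successful anonymous bind.
    PLAINBindRequest bindRequest = new PLAINBindRequest("dn:", "",
         new AuthorizationIdentityRequestControl());
    BindResult bindResult = conn.bind(bindRequest);
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertEquals(getAuthorizationID(bindResult), "dn:");

    // Perform the same test without the authorization identity request
    // control.
    bindRequest = new PLAINBindRequest("dn:", "");
    bindResult = conn.bind(bindRequest);
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertFalse(bindResult.hasResponseControl(
         AuthorizationIdentityResponseControl.
              AUTHORIZATION_IDENTITY_RESPONSE_OID));

    // Test an anonymous bind with a password.
    assertBindFails(conn, new PLAINBindRequest("dn:", "password"),
         ResultCode.INVALID_CREDENTIALS,
         "Expected an exception when trying to bind anonymously with a " +
              "password");

    // Test an anonymous bind with an authzID.
    assertBindFails(conn,
         new PLAINBindRequest("dn:", "dn:cn=Directory Manager", ""),
         ResultCode.INVALID_CREDENTIALS,
         "Expected an exception when trying to bind anonymously with an " +
              "authorization ID");

    // Test with a DN-style authID and no authzID.
    bindRequest = new PLAINBindRequest(
         "dn:uid=test.user,ou=People,dc=example,dc=com", "password",
         new AuthorizationIdentityRequestControl());
    bindResult = conn.bind(bindRequest);
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult,
         "uid=test.user,ou=People,dc=example,dc=com");

    // Test with a DN-style authID that is an additional bind user.
    bindRequest = new PLAINBindRequest("dn:cn=Directory Manager", "password",
         new AuthorizationIdentityRequestControl());
    bindResult = conn.bind(bindRequest);
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult, "cn=Directory Manager");

    // Test with a u-style authID and an authzID that is an additional bind
    // user.
    bindRequest = new PLAINBindRequest("u:test.user",
         "dn:cn=Directory Manager", "password",
         new AuthorizationIdentityRequestControl());
    bindResult = conn.bind(bindRequest);
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult, "cn=Directory Manager");

    // Test a bind as a nonexistent dn-style authentication ID.
    assertBindFails(conn, new PLAINBindRequest("dn:cn=missing", "password"),
         ResultCode.INVALID_CREDENTIALS,
         "Expected an exception when trying to bind with a nonexistent " +
              "dn-style authentication ID");

    // Test a bind as a nonexistent u-style authentication ID.
    assertBindFails(conn, new PLAINBindRequest("u:missing", "password"),
         ResultCode.INVALID_CREDENTIALS,
         "Expected an exception when trying to bind with a nonexistent " +
              "u-style authentication ID");

    // Test a bind as a nonexistent dn-style authorization ID.
    assertBindFails(conn,
         new PLAINBindRequest("dn:cn=Directory Manager", "dn:cn=missing",
              "password"),
         ResultCode.INVALID_CREDENTIALS,
         "Expected an exception when trying to bind with a nonexistent " +
              "authorization ID");

    // Test a bind with an incorrect password.
    assertBindFails(conn, new PLAINBindRequest("u:test.user", "wrong"),
         ResultCode.INVALID_CREDENTIALS,
         "Expected an exception when trying to bind with an incorrect " +
              "password");

    // Test a bind with an unsupported critical control.
    assertBindFails(conn,
         new PLAINBindRequest("u:test.user", "wrong",
              new Control("1.2.3.4", true)),
         ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
         "Expected an exception when trying to bind with an unsupported " +
              "critical control");
  }
  finally
  {
    final Control[] unbindControls =
    {
      new Control("1.2.3.4", false),
      new Control("1.2.3.5", false, new ASN1OctetString("foo"))
    };
    conn.close(unbindControls);
  }
}



/**
 * Retrieves the authorization ID from the authorization identity response
 * control in the provided bind result, asserting that the control and its
 * authorization ID are both present.
 *
 * @param  bindResult  The bind result to examine.
 *
 * @return  The authorization ID from the response control.
 *
 * @throws  Exception  If the control cannot be decoded.
 */
private String getAuthorizationID(final BindResult bindResult)
        throws Exception
{
  final AuthorizationIdentityResponseControl authzIDResponse =
       AuthorizationIdentityResponseControl.get(bindResult);
  assertNotNull(authzIDResponse);

  final String authzID = authzIDResponse.getAuthorizationID();
  assertNotNull(authzID);
  return authzID;
}



/**
 * Asserts that the provided bind result contains an authorization identity
 * response control whose authorization ID is DN-style and names the expected
 * DN.
 *
 * @param  bindResult  The bind result to examine.
 * @param  expectedDN  The string representation of the DN that the
 *                     authorization ID is expected to name.
 *
 * @throws  Exception  If the control cannot be decoded or either DN cannot be
 *                     parsed.
 */
private void assertAuthorizationDN(final BindResult bindResult,
                                   final String expectedDN)
        throws Exception
{
  final String authzID = getAuthorizationID(bindResult);
  assertTrue(authzID.startsWith("dn:"));
  assertEquals(new DN(authzID.substring(3)), new DN(expectedDN));
}



/**
 * Asserts that the provided bind request is rejected with the expected result
 * code.
 *
 * @param  conn                The connection on which to send the request.
 * @param  bindRequest         The bind request to send.
 * @param  expectedResultCode  The result code the rejection is expected to
 *                             carry.
 * @param  failureMessage      The message to fail with if the bind does not
 *                             throw.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
private void assertBindFails(final LDAPConnection conn,
                             final PLAINBindRequest bindRequest,
                             final ResultCode expectedResultCode,
                             final String failureMessage)
        throws Exception
{
  try
  {
    conn.bind(bindRequest);
    fail(failureMessage);
  }
  catch (final LDAPException le)
  {
    assertEquals(le.getResultCode(), expectedResultCode);
  }
}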
the class RetainIdentityRequestControlTestCase method testSendAuthenticatedPLAINRequest.
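/**
 * Sends a request to the server containing the retain identity request
 * control.  It will obtain a connection using the admin credentials, create a
 * test user, then send a SASL PLAIN bind as that user including the retain
 * identity request control.  It will verify that the identity of the client
 * connection has not changed.  The test entries are removed and the
 * connection is closed even if the test fails.
 * <BR><BR>
 * Access to a Directory Server instance is required for complete processing.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testSendAuthenticatedPLAINRequest()
       throws Exception
{
  if (! isDirectoryInstanceAvailable())
  {
    return;
  }

  final String testUserDN = "uid=test," + getTestBaseDN();

  final LDAPConnection conn = getAdminConnection();
  try
  {
    conn.add(getTestBaseDN(), getBaseEntryAttributes());
    try
    {
      conn.add("dn: " + testUserDN,
           "objectClass: top",
           "objectClass: person",
           "objectClass: organizationalPerson",
           "objectClass: inetOrgPerson",
           "givenName: Test",
           "sn: User",
           "cn: Test User",
           "uid: test",
           "userPassword: password");
      try
      {
        assertPLAINBindRetainsIdentity(conn, testUserDN);
      }
      finally
      {
        // Each entry is removed in the scope where it was added, so cleanup
        // never tries to delete something that was never created.
        conn.delete(testUserDN);
      }
    }
    finally
    {
      conn.delete(getTestBaseDN());
    }
  }
  finally
  {
    conn.close();
  }
}



/**
 * Performs a SASL PLAIN bind with the retain identity request control on the
 * provided connection and verifies that the connection's authorization
 * identity, as reported by the "Who Am I?" extended operation, is unchanged
 * afterward.
 *
 * @param  conn        The connection on which to perform the bind.  It must
 *                     already be authenticated as something other than the
 *                     test user.
 * @param  testUserDN  The DN of the user to bind as.  Its password is
 *                     expected to be "password".
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
private void assertPLAINBindRetainsIdentity(final LDAPConnection conn,
                                            final String testUserDN)
        throws Exception
{
  // First, use the "Who Am I?" request to get the current authorization
  // identity.
  WhoAmIExtendedResult whoAmIResult = (WhoAmIExtendedResult)
       conn.processExtendedOperation(new WhoAmIExtendedRequest());
  final String originalAuthzID = whoAmIResult.getAuthorizationID();
  assertNotNull(originalAuthzID);

  // Perform an authenticated PLAIN bind that includes both the retain
  // identity request control and the authorization identity request control.
  final Control[] controls =
  {
    new RetainIdentityRequestControl(),
    new AuthorizationIdentityRequestControl()
  };
  final PLAINBindRequest bindRequest =
       new PLAINBindRequest("dn:" + testUserDN, "password", controls);
  final BindResult bindResult = conn.bind(bindRequest);
  assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);

  // The bind response must report the identity that was just authenticated,
  // which is different from the identity the connection retains.
  final AuthorizationIdentityResponseControl authzIDResponse =
       AuthorizationIdentityResponseControl.get(bindResult);
  assertNotNull(authzIDResponse);
  final String bindAuthzID = authzIDResponse.getAuthorizationID();
  assertNotNull(bindAuthzID);
  assertFalse(bindAuthzID.equals(originalAuthzID));

  // Use the "Who Am I?" request again to verify that the client identity
  // hasn't really changed.
  whoAmIResult = (WhoAmIExtendedResult)
       conn.processExtendedOperation(new WhoAmIExtendedRequest());
  assertNotNull(whoAmIResult.getAuthorizationID());
  assertEquals(whoAmIResult.getAuthorizationID(), originalAuthzID);
}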
the class DSEETestCase method testAuthorizationIdentityControls.
/**
 * Tests the ability to use the authorization identity request and response
 * controls with a simple bind, verifying that the response control carries a
 * DN-style authorization ID naming the bind DN.
 * <BR><BR>
 * Access to a Sun DSEE instance is required for complete processing.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testAuthorizationIdentityControls()
       throws Exception
{
  if (! available)
  {
    return;
  }

  final String responseOID =
       AuthorizationIdentityResponseControl.AUTHORIZATION_IDENTITY_RESPONSE_OID;

  final LDAPConnection conn = getUnauthenticatedDSEEConnection();
  try
  {
    // Bind with the request control and make sure the matching response
    // control came back.
    final BindResult bindResult = conn.bind(new SimpleBindRequest(
         getTestBindDN(), getTestBindPassword(),
         new AuthorizationIdentityRequestControl()));
    assertTrue(bindResult.hasResponseControl(responseOID));

    final Control responseControl = bindResult.getResponseControl(responseOID);
    assertTrue(responseControl instanceof AuthorizationIdentityResponseControl);

    // The authorization ID should be DN-style and should name the bind DN.
    final String authzID =
         ((AuthorizationIdentityResponseControl) responseControl).
              getAuthorizationID();
    assertNotNull(authzID);
    assertTrue(authzID.startsWith("dn:"));
    assertEquals(new DN(authzID.substring(3)), new DN(getTestBindDN()));
  }
  finally
  {
    conn.close();
  }
}
the class InMemoryDirectoryControlsTestCase method testAuthorizationIdentityControl.
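/**
 * Provides test coverage for the authorization identity request control with
 * both simple and SASL PLAIN binds, covering anonymous binds, binds as a
 * normal user, binds as an additional bind user, binds with an explicit
 * authorization ID, and failed binds.  The connection is closed even if an
 * assertion fails part-way through.
 *
 * @throws  Exception  If an unexpected problem occurs.
 */
@Test()
public void testAuthorizationIdentityControl()
       throws Exception
{
  final String testUserDN = "uid=test.user,ou=People,dc=example,dc=com";
  final String anotherUserDN = "uid=another.user,ou=People,dc=example,dc=com";
  final String responseOID =
       AuthorizationIdentityResponseControl.AUTHORIZATION_IDENTITY_RESPONSE_OID;

  final InMemoryDirectoryServer ds = getTestDS(true, true);
  final LDAPConnection conn = ds.getConnection();
  try
  {
    final AuthorizationIdentityRequestControl authzIDRequest =
         new AuthorizationIdentityRequestControl();

    conn.add(generateUserEntry("another.user", "ou=People,dc=example,dc=com",
         "Another", "User", "password"));

    // Test a simple bind without the authorization identity request control.
    BindResult bindResult =
         conn.bind(new SimpleBindRequest(testUserDN, "password"));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertFalse(bindResult.hasResponseControl(responseOID));

    // Test an anonymous simple bind.  An anonymous simple bind is reported
    // with an empty authorization ID.
    bindResult = conn.bind(new SimpleBindRequest("", "", authzIDRequest));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    AuthorizationIdentityResponseControl authzIDResponse =
         AuthorizationIdentityResponseControl.get(bindResult);
    assertNotNull(authzIDResponse);
    assertEquals(authzIDResponse.getAuthorizationID(), "");

    // Test a valid simple bind as a normal user.
    bindResult = conn.bind(
         new SimpleBindRequest(testUserDN, "password", authzIDRequest));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult, testUserDN);

    // Test a valid simple bind as an additional bind user.
    bindResult = conn.bind(new SimpleBindRequest("cn=Directory Manager",
         "password", authzIDRequest));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult, "cn=Directory Manager");

    // Test a failed simple bind as a normal user.
    try
    {
      conn.bind(new SimpleBindRequest(testUserDN, "wrongPassword",
           authzIDRequest));
      fail("Expected an exception from a failed simple bind as a normal user.");
    }
    catch (final LDAPException le)
    {
      assertEquals(le.getResultCode(), ResultCode.INVALID_CREDENTIALS);
      assertFalse(le.hasResponseControl(responseOID));
    }

    // Test a failed simple bind as an additional bind user.
    try
    {
      conn.bind(new SimpleBindRequest("cn=Directory Manager", "wrongPassword",
           authzIDRequest));
      fail("Expected an exception from a failed simple bind as an additional " +
           "bind user.");
    }
    catch (final LDAPException le)
    {
      assertEquals(le.getResultCode(), ResultCode.INVALID_CREDENTIALS);
      assertFalse(le.hasResponseControl(responseOID));
    }

    // Test a SASL PLAIN bind without the authorization identity request
    // control.
    bindResult = conn.bind(new PLAINBindRequest("dn:" + testUserDN, "password"));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertFalse(bindResult.hasResponseControl(responseOID));

    // Test a valid SASL PLAIN bind as an anonymous user.  Unlike the anonymous
    // simple bind above, this one is reported as "dn:".
    bindResult = conn.bind(new PLAINBindRequest("dn:", "", authzIDRequest));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    authzIDResponse = AuthorizationIdentityResponseControl.get(bindResult);
    assertNotNull(authzIDResponse);
    assertEquals(authzIDResponse.getAuthorizationID(), "dn:");

    // Test a valid SASL PLAIN bind as a normal user with a dn-style auth ID and
    // no authz ID.
    bindResult = conn.bind(new PLAINBindRequest("dn:" + testUserDN, "password",
         authzIDRequest));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult, testUserDN);

    // Test a valid SASL PLAIN bind as an additional bind user with a dn-style
    // auth ID and no authz ID.
    bindResult = conn.bind(new PLAINBindRequest("dn:cn=Directory Manager",
         "password", authzIDRequest));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult, "cn=Directory Manager");

    // Test a valid SASL PLAIN bind as a normal user with a u-style auth ID and
    // no authz ID.
    bindResult = conn.bind(new PLAINBindRequest("u:test.user", "password",
         authzIDRequest));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult, testUserDN);

    // Test a valid SASL PLAIN bind as a normal user with a dn-style authz ID.
    bindResult = conn.bind(new PLAINBindRequest("dn:" + testUserDN,
         "dn:" + anotherUserDN, "password", authzIDRequest));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult, anotherUserDN);

    // Test a valid SASL PLAIN bind as an additional bind user with a dn-style
    // authz ID.
    bindResult = conn.bind(new PLAINBindRequest("dn:cn=Directory Manager",
         "dn:cn=Manager", "password", authzIDRequest));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult, "cn=Manager");

    // Test a valid SASL PLAIN bind as a normal user with a u-style authz ID.
    bindResult = conn.bind(new PLAINBindRequest("u:test.user", "u:another.user",
         "password", authzIDRequest));
    assertEquals(bindResult.getResultCode(), ResultCode.SUCCESS);
    assertAuthorizationDN(bindResult, anotherUserDN);

    // Test a failed SASL PLAIN bind as a normal user.
    try
    {
      conn.bind(new PLAINBindRequest("dn:" + testUserDN, "wrongPassword",
           authzIDRequest));
      fail("Expected an exception from a failed PLAIN bind as a normal user.");
    }
    catch (final LDAPException le)
    {
      assertEquals(le.getResultCode(), ResultCode.INVALID_CREDENTIALS);
      assertFalse(le.hasResponseControl(responseOID));
    }

    // Test a failed SASL PLAIN bind as an additional bind user.
    try
    {
      conn.bind(new PLAINBindRequest("dn:cn=Directory Manager", "wrongPassword",
           authzIDRequest));
      fail("Expected an exception from a failed PLAIN bind as an additional " +
           "bind user.");
    }
    catch (final LDAPException le)
    {
      assertEquals(le.getResultCode(), ResultCode.INVALID_CREDENTIALS);
      assertFalse(le.hasResponseControl(responseOID));
    }
  }
  finally
  {
    conn.close();
  }
}



/**
 * Asserts that the provided bind result contains an authorization identity
 * response control whose authorization ID is DN-style and names the expected
 * DN.
 *
 * @param  bindResult  The bind result to examine.
 * @param  expectedDN  The string representation of the DN that the
 *                     authorization ID is expected to name.
 *
 * @throws  Exception  If the control cannot be decoded or either DN cannot be
 *                     parsed.
 */
private void assertAuthorizationDN(final BindResult bindResult,
                                   final String expectedDN)
        throws Exception
{
  final AuthorizationIdentityResponseControl authzIDResponse =
       AuthorizationIdentityResponseControl.get(bindResult);
  assertNotNull(authzIDResponse);

  final String authzID = authzIDResponse.getAuthorizationID();
  assertNotNull(authzID);
  assertTrue(authzID.startsWith("dn:"));
  assertEquals(new DN(authzID.substring(3)), new DN(expectedDN));
}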