Bug 1008021
| Field | Value |
|---|---|
| Summary | Self entry access ACI not working properly |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Nathan Kinder <nkinder> |
| Component | 389-ds-base |
| Assignee | Rich Megginson <rmeggins> |
| Status | CLOSED ERRATA |
| QA Contact | Sankar Ramalingam <sramling> |
| Severity | high |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.5 |
| CC | jgalipea, nhosoi, nkinder, tbordaz, thang, vashirov |
| Target Milestone | rc |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | 389-ds-base-1.2.11.15-34.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | 951754 |
| Environment | |
| Last Closed | 2014-10-14 07:50:16 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 951754 |
| Bug Blocks | 1061410 |

Doc Text:

- Cause: With a self entry access ACI, when one operation evaluates access on several entries (a search returning several entries), the result of a granted access for one entry is cached and can erroneously be reused for all the other entries.
- Consequence: A bound client can retrieve entries/attributes it should not be allowed to see, or can fail to retrieve entries/attributes it should be allowed to see.
- Fix: Some access rights are granted per entry; make sure that a cached granted access is purged before the next entry is evaluated.
- Result: A self access ACI is evaluated for each entry.
Description
Nathan Kinder
2013-09-13 19:49:17 UTC
Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Reopening, as this is a bug that engineering wants to get in for RHEL 6.6. Was the qe_ack- flag set by accident for this?

```
$ ldapadd -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1389 << EOF
> dn: cn=test1,dc=example,dc=com
> objectClass: inetorgperson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> uid: test
> sn: test1
> cn: test1
> userPassword: Secret12
>
> dn: cn=test2,dc=example,dc=com
> objectClass: inetorgperson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> uid: test
> sn: test2
> cn: test2
> userPassword: Secret12
> EOF
adding new entry "cn=test1,dc=example,dc=com"
adding new entry "cn=test2,dc=example,dc=com"

$ ldapmodify -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1389 << EOF
> dn: dc=example,dc=com
> changetype: modify
> delete: aci
> EOF
modifying entry "dc=example,dc=com"

$ ldapmodify -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1389 << EOF
> dn: dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr="*")(version 3.0; acl "Allow self entry access"; allow (read,search,compare) userdn = "ldap:///self";)
> EOF
modifying entry "dc=example,dc=com"

$ ldapsearch -LLL -D 'cn=test1,dc=example,dc=com' -w Secret12 -b 'dc=example,dc=com' 'uid=test' -H ldap://localhost:1389
dn: cn=test1,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: test
sn: test1
cn: test1
userPassword:: e1NTSEF9QWpjMnh3NHRPZmd5MVBpRDZjUWtyaFgvdjFGY2ZrbU41d1N3V1E9PQ==

$ ldapsearch -LLL -D 'cn=test2,dc=example,dc=com' -w Secret12 -b 'dc=example,dc=com' 'uid=test' -H ldap://localhost:1389
dn: cn=test2,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: test
sn: test2
cn: test2
userPassword:: e1NTSEF9YXNscG9DMEtvZGozcmRKSnp2emNrYVFhVHFIdEhKMDM1VWgvckE9PQ==

$ rpm -qa | grep 389
389-ds-base-debuginfo-1.2.11.15-36.el6.x86_64
389-ds-base-libs-1.2.11.15-36.el6.x86_64
389-ds-base-1.2.11.15-36.el6.x86_64
```

Without the fix, the test case described above should have returned:

```
ldapsearch -LLL -D 'cn=test1,dc=example,dc=com'...
dn: cn=test1,dc=example,dc=com
...
dn: cn=test2,dc=example,dc=com
...
```

And bound with cn=test2:

```
ldapsearch -LLL -D 'cn=test2,dc=example,dc=com'...
<nothing>
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1385.html
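The following is an added illustration, not code from the bug report or from 389-ds-base: a small Python model of how the `userdn = "ldap:///self"` ACI from the reproducer is evaluated across the two entries a `(uid=test)` search returns. The `AclEvaluator` class, the `ENTRIES` list and the `run_reproducer` function are constructed for this example. With `purge_per_entry=False` it reproduces the cause stated in the Doc Text (the decision cached for the first entry is reused for the next one), and with `purge_per_entry=True` it shows the fixed behaviour, where the cache is purged before each entry so the self ACI is decided per entry. The two outcomes match the pre-fix and post-fix `ldapsearch` results quoted above.

```python
"""Simulated per-entry evaluation of a 'userdn = ldap:///self' ACI.

Constructed example modelling the caching defect described in this bug's
Doc Text; it is not the 389-ds-base ACL plugin code.
"""

# Constructed directory contents: the two reproducer entries, both of which
# match the search filter (uid=test), so one search returns both candidates.
ENTRIES = [
    {"dn": "cn=test1,dc=example,dc=com", "uid": "test", "sn": "test1", "cn": "test1"},
    {"dn": "cn=test2,dc=example,dc=com", "uid": "test", "sn": "test2", "cn": "test2"},
]


def matches_filter(entry: dict, attr: str, value: str) -> bool:
    """Minimal equality filter, enough to express '(uid=test)'."""
    return entry.get(attr, "").lower() == value.lower()


def self_aci_allows(bound_dn: str, entry_dn: str) -> bool:
    """The single ACI installed by the reproducer:
    (targetattr="*") allow (read,search,compare) userdn = "ldap:///self"
    It grants access only when the entry being evaluated is the bound entry,
    so the decision is inherently per entry."""
    return bound_dn.lower() == entry_dn.lower()


class AclEvaluator:
    """Evaluates the self ACI for every candidate entry of one search.

    purge_per_entry=False: the decision computed for the first entry stays
    in a cache keyed on the bound DN alone and is reused for later entries
    (the behaviour the Doc Text describes as the cause).
    purge_per_entry=True: the cache is cleared before each entry, so a
    'self' decision never leaks from one entry to the next (the fix).
    """

    def __init__(self, purge_per_entry: bool):
        self.purge_per_entry = purge_per_entry
        self._cache: dict = {}  # keyed on bound DN only: the flaw being modelled

    def _allowed(self, bound_dn: str, entry_dn: str) -> bool:
        key = bound_dn.lower()
        if key not in self._cache:
            self._cache[key] = self_aci_allows(bound_dn, entry_dn)
        return self._cache[key]

    def search(self, bound_dn: str, attr: str, value: str, entries=ENTRIES):
        """Return the DNs of the entries the bound client is allowed to see."""
        returned = []
        self._cache.clear()  # a fresh operation starts with an empty cache
        for entry in entries:
            if self.purge_per_entry:
                self._cache.clear()  # per-entry grant: forget the previous decision
            if not matches_filter(entry, attr, value):
                continue
            if self._allowed(bound_dn, entry["dn"]):
                returned.append(entry["dn"])
        return returned


def run_reproducer():
    """Run both ldapsearch binds from the bug against both evaluators."""
    results = {}
    for label, purge in (("without_fix", False), ("with_fix", True)):
        evaluator = AclEvaluator(purge_per_entry=purge)
        for bound in ("cn=test1,dc=example,dc=com", "cn=test2,dc=example,dc=com"):
            results[(label, bound)] = evaluator.search(bound, "uid", "test")
    return results


if __name__ == "__main__":
    for (label, bound), dns in run_reproducer().items():
        print(f"{label:12s} bound as {bound}: {dns or '<nothing>'}")
```

Run stand-alone, the unfixed evaluator returns both entries to cn=test1 and nothing to cn=test2, because whichever decision was reached for cn=test1 (the first candidate) is replayed for cn=test2; the fixed evaluator returns exactly the bound entry in both cases, which is the outcome a self entry ACI is supposed to produce.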