Bug 1044152
| Summary: | ChainOnUpdate: "cn=directory manager" can modify userRoot on consumer without changes being chained or replicated. Directory integrity compromised. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nathan Kinder <nkinder> |
| Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | CC: | lkrispen, nhosoi, nkinder, vashirov |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.3.3.1-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-03-05 09:31:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Nathan Kinder
2013-12-17 21:29:50 UTC
the 2 testscenarios and expected behaviour are described in the corresponding ticket in comment #15 (In reply to Ludwig from comment #3) > the 2 testscenarios and expected behaviour are described in the > corresponding ticket in comment #15 The correct link - https://fedorahosted.org/389/ticket/314#comment:15 $ rpm -qa | grep 389 389-ds-base-1.3.3.1-9.el7.x86_64 389-ds-base-debuginfo-1.3.3.1-9.el7.x86_64 389-ds-base-libs-1.3.3.1-9.el7.x86_64 [0] Setup: Master-Consumer replication - M1 (1189) and C1 (1389) [1] Configure chain on update: 1. Add aci to M1: $ ldapmodify -v -h localhost:1189 -D "cn=Directory Manager" -w "Secret123" << EOF dn: dc=example,dc=com changetype: modify add: aci aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database l inks";allow (proxy) (userdn = "ldap:///cn=SyncManager,cn=config");) - EOF 2. Add new database link DBLink1 to C1 for suffix dc=example,dc=com : $ ldapmodify -v -h localhost:1389 -D "cn=Directory Manager" -w "Secret123" << EOF dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config objectClass: top objectClass: extensibleObject objectClass: nsBackendInstance cn: DBLink1 nsslapd-suffix: dc=example,dc=com nsslapd-parent-suffix: dc=example,dc=com nsmultiplexorbinddn: cn=SyncManager,cn=config nsfarmserverurl: ldap://localhost:1189/ nsmultiplexorcredentials: Secret123 EOF 3. Add second backend and distribution plugin to suffix on C1: $ ldapmodify -v -h localhost:1389 -D "cn=Directory Manager" -w "Secret123" << EOF dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config changetype: modify add: nsslapd-backend nsslapd-backend: DBLink1 - add: nsslapd-distribution-funct nsslapd-distribution-funct: repl_chain_on_update - add: nsslapd-distribution-plugin nsslapd-distribution-plugin: libreplication-plugin - replace: nsslapd-state nsslapd-state: backend - EOF 4. Restart servers $ sudo systemctl restart dirsrv.target [2] Configure nsslapd-distribution-root-update: $ ldapmodify -v -h localhost:1389 -D "cn=Directory Manager" -w "Secret123" << EOF dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config changetype: modify replace: nsslapd-distribution-root-update nsslapd-distribution-root-update: referral - EOF and restart C1 [2.1] nsslapd-distribution-root-update: referral $ ldapmodify -v -h localhost:1389 -D "cn=Directory Manager" -w "Secret123" << EOF dn: ou=People,dc=example,dc=com changetype: modify replace: description description: root update EOF ldap_initialize( ldap://localhost:1389 ) replace description: root update modifying entry "ou=People,dc=example,dc=com" ldap_modify: Referral (10) matched DN: dc=example,dc=com referrals: ldap://rhel7ds.brq.redhat.com:1189 Entry doesn't get updated neither on M1 nor on C1 since chaining doesn't work as root -> PASS [2.2] nsslapd-distribution-root-update: reject $ ldapmodify -v -h localhost:1389 -D "cn=Directory Manager" -w "Secret123" << EOF dn: ou=People,dc=example,dc=com changetype: modify replace: description description: root update EOF ldap_initialize( ldap://localhost:1389 ) replace description: root update modifying entry "ou=People,dc=example,dc=com" ldap_modify: Server is unwilling to perform (53) Entry doesn't get updated neither on M1 nor on C1 since server rejects such modifications. This is a default option, when nsslapd-distribution-root-update is not explicitly set in cn=config -> PASS [2.3] nsslapd-distribution-root-update: local $ ldapmodify -v -h localhost:1389 -D "cn=Directory Manager" -w "Secret123" << EOF dn: ou=People,dc=example,dc=com changetype: modify replace: description description: root update EOF ldap_initialize( ldap://localhost:1389 ) replace description: root update modifying entry "ou=People,dc=example,dc=com" modify complete On M1: $ ldapsearch -v -h localhost:1189 -x -LLL -o ldif-wrap=no -b dc=example,dc=com '(ou=People)' description ldap_initialize( ldap://localhost:1189 ) filter: (ou=People) requesting: description dn: ou=People,dc=example,dc=com On C1: $ ldapsearch -v -h localhost:1389 -x -LLL -o ldif-wrap=no -b dc=example,dc=com '(ou=People)' description ldap_initialize( ldap://localhost:1389 ) filter: (ou=People) requesting: description dn: ou=People,dc=example,dc=com description: root update Entry was updated on C1 -> PASS One minor issue is that nsslapd-distribution-root-update is multivalued attribute and it can be set to contradicting values. Other than that everything works as expected, thus marking as VERIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0416.html |