Bug 1052751

Summary: Page control does not work if effective rights control is specified
Product: Red Hat Enterprise Linux 7 Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-baseAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified Docs Contact:
Priority: low    
Version: 7.0CC: amsharma
Target Milestone: rc   
Target Release: 7.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.3.1-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 09:33:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Noriko Hosoi 2014-01-14 01:11:09 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47664

Paging controls are ignored if the effective rights control is specified.  This can be recreated with the command: ldapsearch -x  -H ldap://My389Server.somedomain.net:389    -D "cn=Directory Manager" -w "MyPassword"  -E "pr=5/prompt" -E "1.3.6.1.4.1.42.2.27.9.5.2=:dn:cn=Directory Manager"  -b "dc=example,dc=com"   "(Cn=*)"
Comment 2 Amita Sharma 2015-01-09 07:11:59 UTC 
[root@dhcp201-126 ~]# ldapsearch -x  -H ldap://dhcp201-126.englab.pnq.redhat.com:389    -D "cn=Directory Manager" -w "Secret123"  -E "pr=1/prompt" -E "1.3.6.1.4.1.42.2.27.9.5.2=:dn:cn=Directory Manager"  -b "dc=example,dc=com"   "(Cn=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (Cn=*)
# requesting: ALL
# with pagedResults control: size=1
#

# Directory Administrators, example.com
dn: cn=Directory Administrators,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager
entryLevelRights: vadnn
attributeLevelRights: objectClass:rscwo, cn:rscwo, uniqueMember:rscwo

# search result
search: 2
result: 0 Success
control: 1.3.6.1.4.1.42.2.27.9.5.2 false MAMKAQA=
control: 1.2.840.113556.1.4.319 false MAYCAQUEATA=
pagedresults: estimate=5 cookie=MA==
Press [size] Enter for the next {1|size} entries.

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (Cn=*)
# requesting: ALL
# with pagedResults control: size=1
#

# Accounting Managers, Groups, example.com
dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager
entryLevelRights: vadnn
attributeLevelRights: objectClass:rscwo, cn:rscwo, ou:rscwo, description:rscwo
 , uniqueMember:rscwo

# search result
search: 3
result: 0 Success
control: 1.3.6.1.4.1.42.2.27.9.5.2 false MAMKAQA=
control: 1.2.840.113556.1.4.319 false MAYCAQQEATA=
pagedresults: estimate=4 cookie=MA==
Press [size] Enter for the next {1|size} entries.

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (Cn=*)
# requesting: ALL
# with pagedResults control: size=1
#

# HR Managers, Groups, example.com
dn: cn=HR Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager
entryLevelRights: vadnn
attributeLevelRights: objectClass:rscwo, cn:rscwo, ou:rscwo, description:rscwo
 , uniqueMember:rscwo

# search result
search: 4
result: 0 Success
control: 1.3.6.1.4.1.42.2.27.9.5.2 false MAMKAQA=
control: 1.2.840.113556.1.4.319 false MAYCAQMEATA=
pagedresults: estimate=3 cookie=MA==
Press [size] Enter for the next {1|size} entries.

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (Cn=*)
# requesting: ALL
# with pagedResults control: size=1
#

# QA Managers, Groups, example.com
dn: cn=QA Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager
entryLevelRights: vadnn
attributeLevelRights: objectClass:rscwo, cn:rscwo, ou:rscwo, description:rscwo
 , uniqueMember:rscwo

# search result
search: 5
result: 0 Success
control: 1.3.6.1.4.1.42.2.27.9.5.2 false MAMKAQA=
control: 1.2.840.113556.1.4.319 false MAYCAQIEATA=
pagedresults: estimate=2 cookie=MA==
Press [size] Enter for the next {1|size} entries.

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (Cn=*)
# requesting: ALL
# with pagedResults control: size=1
#

# PD Managers, Groups, example.com
dn: cn=PD Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager
entryLevelRights: vadnn
attributeLevelRights: objectClass:rscwo, cn:rscwo, ou:rscwo, description:rscwo
 , uniqueMember:rscwo

# search result
search: 6
result: 0 Success
control: 1.3.6.1.4.1.42.2.27.9.5.2 false MAMKAQA=
control: 1.2.840.113556.1.4.319 false MAUCAQAEAA==
pagedresults: cookie=

# numResponses: 10
# numEntries: 5

Hence VERIFIED.
Comment 4 errata-xmlrpc 2015-03-05 09:33:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html