Bug 1151287
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | dynamically added macro aci is not evaluated on the fly | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Noriko Hosoi <nhosoi> |
| Component | 389-ds-base | Assignee | Noriko Hosoi <nhosoi> |
| Status | CLOSED ERRATA | QA Contact | Viktor Ashirov <vashirov> |
| Severity | unspecified | Docs Contact | |
| Priority | high | | |
| Version | 7.0 | CC | nkinder, rmeggins, vashirov |
| Target Milestone | rc | Keywords | Regression |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | 389-ds-base-1.3.3.1-6.el7 | Doc Type | Bug Fix |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2015-03-05 09:36:16 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |

Doc Text:

Cause: When a macro aci is dynamically added and its macro target dn is not normalized, a subsequent operation that depends on that aci can fail with Insufficient access: the comparison of the entry's target dn against the macro target dn fails because the code expects the macro target dn to already be normalized.

Fix: The dn is normalized before it is set as the macro target dn.

Result: Even if an aci containing a not-yet-normalized macro target dn is dynamically added, it is correctly used to evaluate access rights.
Description
Noriko Hosoi
2014-10-10 03:46:59 UTC
$ rpm -qa | grep 389
389-ds-base-1.3.3.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-9.el7.x86_64
389-ds-base-libs-1.3.3.1-9.el7.x86_64

1. I did a fresh install of DS, added test entries.

2. Checked that UserA cannot modify UserB sn attribute:

$ ldapmodify -h localhost:389 -D "cn=UserA,ou=People,dc=subdomain1,dc=hostedcompany1,dc=example,dc=com" -w Secret123
dn: cn=UserB,ou=People,dc=subdomain1,dc=hostedcompany1,dc=example,dc=com
changetype: modify
replace: sn
sn: UserB_modified_by_UserA

modifying entry "cn=UserB,ou=People,dc=subdomain1,dc=hostedcompany1,dc=example,dc=com"
ldap_modify: Insufficient access (50)
        additional info: Insufficient 'write' privilege to the 'sn' attribute of entry 'cn=userb,ou=people,dc=subdomain1,dc=hostedcompany1,dc=example,dc=com'.

3. Added aci to ou=people,dc=subdomain1,dc=hostedcompany1,dc=example,dc=com:

aci: (target="ldap:///ou=People, ($dn), dc=example,dc=com") (targetattr!="userPassword")(targetfilter=(objectClass=inetOrgPerson)) (version 3.0; acl "Admin access to all users in this and lower domains"; allow (write,read,search) groupdn="ldap:///cn=Domain Administrators, ou=Groups, [$dn], dc=example,dc=com";)

4. Checked that UserA can modify UserB sn attribute:

$ ldapmodify -h localhost:389 -D "cn=UserA,ou=People,dc=subdomain1,dc=hostedcompany1,dc=example,dc=com" -w Secret123
dn: cn=UserB,ou=People,dc=subdomain1,dc=hostedcompany1,dc=example,dc=com
changetype: modify
replace: sn
sn: UserB_modified_by_UserA

modifying entry "cn=UserB,ou=People,dc=subdomain1,dc=hostedcompany1,dc=example,dc=com"

$ ldapsearch -o ldif-wrap=no -LLL -x -H ldap://localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com "(cn=UserB)" sn
dn: cn=UserB,ou=People,dc=subdomain1,dc=hostedcompany1,dc=example,dc=com
sn: UserB_modified_by_UserA

Dynamically added macro aci was evaluated without server restart. Hence marking this bug as VERIFIED.
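The Doc Text attributes the failure to a macro target dn that was never normalized, and the verification above exercises exactly that ACI. The following Python model is added here and is not code from the bug report or from 389-ds-base: it runs the ($dn) target match and the [$dn] subject expansion on the ACI and entry from the reproduction, once with the target compared as written (the pre-fix behaviour) and once normalized first (the fix). DN normalization is simplified to lowercasing and stripping whitespace around RDNs, and the [$dn] walk-up follows the Directory Server documentation's description rather than the server's implementation.

```python
import re

# Values copied from the bug report's reproduction: the macro ACI placed on
# ou=People and the entry UserA tried to modify.
MACRO_TARGET = "ou=People, ($dn), dc=example,dc=com"
MACRO_GROUPDN = "cn=Domain Administrators, ou=Groups, [$dn], dc=example,dc=com"
ENTRY_DN = "cn=UserB,ou=People,dc=subdomain1,dc=hostedcompany1,dc=example,dc=com"

def normalize_dn(dn):
    """Simplified DN normalization (model only, not server code): split on
    unescaped commas, strip whitespace around each RDN, lowercase."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdn.strip().lower() for rdn in rdns)

def match_macro_target(target, entry_dn, normalize_target):
    """Return the RDN run bound to ($dn) when entry_dn lies under the macro
    target, else None. The entry DN is always normalized, as the server does;
    normalize_target=False compares the target as written, i.e. the pre-fix
    handling of a dynamically added ACI."""
    if normalize_target:
        target = normalize_dn(target)
    prefix, suffix = target.split("($dn)")
    entry_dn = normalize_dn(entry_dn)
    if not entry_dn.endswith(suffix):
        return None
    stem = entry_dn[: len(entry_dn) - len(suffix)]
    idx = stem.find(prefix)
    # prefix must start on an RDN boundary and leave at least one RDN for $dn
    if idx < 0 or (idx > 0 and stem[idx - 1] != ",") or idx + len(prefix) >= len(stem):
        return None
    return stem[idx + len(prefix):]

def expand_subject(groupdn, dn_value):
    """Expand [$dn] as the documentation describes: one candidate group DN per
    suffix of the matched value, walking up the tree one RDN at a time."""
    rdns = dn_value.split(",")
    groupdn = normalize_dn(groupdn)
    return [groupdn.replace("[$dn]", ",".join(rdns[i:])) for i in range(len(rdns))]

def evaluate(target, groupdn, entry_dn, normalize_target):
    """Group DNs whose membership would grant the bind DN access, or [] when
    the ACI does not apply (the 'Insufficient access' seen in the report)."""
    bound = match_macro_target(target, entry_dn, normalize_target)
    return [] if bound is None else expand_subject(groupdn, bound)

if __name__ == "__main__":
    print("pre-fix:", evaluate(MACRO_TARGET, MACRO_GROUPDN, ENTRY_DN, False))
    print("fixed:  ", evaluate(MACRO_TARGET, MACRO_GROUPDN, ENTRY_DN, True))
```

With the target compared as written, the space after the comma means the entry never ends with the target's suffix, so no group is ever consulted; after normalization the same entry binds $dn to dc=subdomain1,dc=hostedcompany1 and yields the two candidate Domain Administrators groups.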
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html