Bug 1171357

Summary:	Bind DN tracking unable to write to internalModifiersName without special permissions
Product:	Red Hat Enterprise Linux 6	Reporter:	Noriko Hosoi <nhosoi>
Component:	389-ds-base	Assignee:	Noriko Hosoi <nhosoi>
Status:	CLOSED ERRATA	QA Contact:	Viktor Ashirov <vashirov>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	6.0	CC:	amsharma, jgalipea, nkinder, rmeggins
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	389-ds-base-1.2.11.15-51.el6	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2015-07-22 06:36:30 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Noriko Hosoi 2014-12-06 00:04:48 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47950


I've activated bind dn tracking (nsslapd-plugin-binddn-tracking: on). There is an account that has the write to add the entries and to change some attributes (e.g. description). The corresponding ACI:
{{{
dn: ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu
aci: (targetattr = "objectClass || uniqueMember || owner || cn || description || businessCategory" ) (version 3.0;acl "Droits de rejouter/supprimer/modifier les groupes et leurs att
ributs";allow (add, delete, read,compare,search,write)(userdn="ldap:///uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu");)
}}}

Any attempt to modify an authorized attribute from the list above (for ex., description) results in

{{{
ldap_modify: Insufficient access (50)
        additional info: Insufficient 'write' privilege to the 'internalModifiersName' attribute of entry 'cn=mec431-2014,ou=2014,ou=cours,ou=enseignement,ou=groupes,dc=id,dc=polytechnique,dc=edu'.

}}}
{{{
[11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256 connection from 129.104.31.54 to 129.104.69.49
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97 nentries=0 etime=0.008000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97 nentries=0 etime=0.002000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=sync-cours,ou=comptes generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH base="dc=id,dc=polytechnique,dc=edu" scope=2 filter="(cn=MEC431-2014)" attrs=ALL
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0.003000
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50 tag=103 nentries=0 etime=0.002000
}}}

The workaround is to add to all the ACIs that allow modifications the right to modify internalModifiersName attribute (if i add it, everything is fine and the attribute internalModifiersName becomes "cn=ldbm database,cn=plugins,cn=config").

Expected behavior : internalModifiersName should be written like modifiersname without  any explicit permission.

Comment 2 Noriko Hosoi 2015-02-20 01:28:20 UTC

Verification steps:
https://bugzilla.redhat.com/show_bug.cgi?id=1171356#c5

Comment 3 Amita Sharma 2015-03-18 11:24:28 UTC

part 1
=======
[root@qe-blade-01 yum.repos.d]# ps -aef | grep slapd
root     18470     1  0 06:58 ?        00:00:00 ./ns-slapd -D /etc/dirsrv/slapd-qe-blade-01 -i /var/run/dirsrv/slapd-qe-blade-01.pid -w /var/run/dirsrv/slapd-qe-blade-01.startpid
root     20961     1  0 07:02 ?        00:00:00 ./ns-slapd -D /etc/dirsrv/slapd-M1 -i /var/run/dirsrv/slapd-M1.pid -w /var/run/dirsrv/slapd-M1.startpid
root     21310     1  0 07:03 ?        00:00:00 ./ns-slapd -D /etc/dirsrv/slapd-M2 -i /var/run/dirsrv/slapd-M2.pid -w /var/run/dirsrv/slapd-M2.startpid
root     21659     1  0 07:04 ?        00:00:00 ./ns-slapd -D /etc/dirsrv/slapd-M3 -i /var/run/dirsrv/slapd-M3.pid -w /var/run/dirsrv/slapd-M3.startpid
root     22010     1  0 07:05 ?        00:00:00 ./ns-slapd -D /etc/dirsrv/slapd-M4 -i /var/run/dirsrv/slapd-M4.pid -w /var/run/dirsrv/slapd-M4.startpid
root     23395 12342  0 07:17 pts/0    00:00:00 grep slapd
[root@qe-blade-01 yum.repos.d]# netstat -nlp | grep slapd
tcp        0      0 :::30100                    :::*                        LISTEN      20961/./ns-slapd    
tcp        0      0 :::30101                    :::*                        LISTEN      20961/./ns-slapd    
tcp        0      0 :::18997                    :::*                        LISTEN      18470/./ns-slapd    
tcp        0      0 :::30102                    :::*                        LISTEN      21310/./ns-slapd    
tcp        0      0 :::30103                    :::*                        LISTEN      21310/./ns-slapd    
tcp        0      0 :::30104                    :::*                        LISTEN      21659/./ns-slapd    
tcp        0      0 :::30105                    :::*                        LISTEN      21659/./ns-slapd    
tcp        0      0 :::30106                    :::*                        LISTEN      22010/./ns-slapd    
tcp        0      0 :::30107                    :::*                        LISTEN      22010/./ns-slapd    
[root@qe-blade-01 yum.repos.d]# ldapmodify -D "cn=directory manager" -w Secret123 -p 30100 -h localhost << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-plugin-binddn-tracking
> nsslapd-plugin-binddn-tracking: on
> EO
> ^C
[root@qe-blade-01 yum.repos.d]# ldapmodify -D "cn=directory manager" -w Secret123 -p 30100 -h localhost << EOF
dn: cn=config
changetype: modify
replace: nsslapd-plugin-binddn-tracking
nsslapd-plugin-binddn-tracking: on
EOF
modifying entry "cn=config"

[root@qe-blade-01 yum.repos.d]# ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: uid=ami,dc=example,dc=com
> cn: ams
> sn: ams
> givenname: ams
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> uid: ami
> mail: ams
> userpassword: Secret123
> EOF
adding new entry "uid=ami,dc=example,dc=com"

[root@qe-blade-01 yum.repos.d]# ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: uid=B,dc=example,dc=com
> cn: B
> sn: B
> givenname: B
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> uid: B
> mail: B
> userpassword: Secret123
> EOF
adding new entry "uid=B,dc=example,dc=com"

[root@qe-blade-01 yum.repos.d]# ldapmodify -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: dc=example,dc=com
> changetype: modify
> replace: aci
> aci: (targetattr="*")(version 3.0; acl "Managerami"; allow (all) (userdn="ldap:///uid=ami,dc=example,dc=com");)
> EOF
modifying entry "dc=example,dc=com"

[root@qe-blade-01 yum.repos.d]# ldapmodify -h localhost -p 30100 -D "uid=ami,dc=example,dc=com" -w Secret123 << EOF
> dn: uid=B,dc=example,dc=com
> changetype: modify
> replace: sn
> sn: new
> EOF
modifying entry "uid=B,dc=example,dc=com"

[root@qe-blade-01 yum.repos.d]# ldapsearch -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 -b "uid=B,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=B,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# B, example.com
dn: uid=B,dc=example,dc=com
sn: new
cn: B
givenName: B
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: B
mail: B
userPassword:: e1NTSEF9QlFMb0hWNEh0OXNTcENieW0wNFErcjg4T0g2YWhSaFVuUnMxcXc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


part2
=====
[root@qe-blade-01 yum.repos.d]# ldapmodify -h localhost -p 30100 -D "cn=directory manager" -w Secret123 << EOF
> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsDS5ReplicaType
> nsDS5ReplicaType: 2
> EOF
modifying entry "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"

[root@qe-blade-01 yum.repos.d]# ldapmodify -h localhost -p 30100 -D "cn=directory manager" -w Secret123 << EOF
> dn: cn=M1_to_M2,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsDS5ReplicaPort
> nsDS5ReplicaPort: 9999
> EOF
modifying entry "cn=M1_to_M2,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"

[root@qe-blade-01 yum.repos.d]# rpm -qa | grep 389
389-ds-base-debuginfo-1.2.11.15-52.el6.x86_64
389-ds-base-1.2.11.15-52.el6.x86_64
389-ds-base-libs-1.2.11.15-52.el6.x86_64
389-adminutil-1.1.21-1.el6dsrv.x86_64
[root@qe-blade-01 yum.repos.d]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.7 Beta (Santiago)
[root@qe-blade-01 yum.repos.d]# 

Marking bug as verified.

Comment 4 errata-xmlrpc 2015-07-22 06:36:30 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1326.html