Bug 1251854

Summary: ipa aci plugin is not parsing aci's correctly.
Product: Red Hat Enterprise Linux 7
Reporter: Jan Cholasta <jcholast>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.1
CC: akasurde, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.2.0-4.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 12:05:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Cholasta 2015-08-10 07:09:41 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5037

Ticket was cloned from Red Hat Bugzilla (product "Red Hat Enterprise Linux 6"): Bug 1222999 (https://bugzilla.redhat.com/show_bug.cgi?id=1222999)

{{{
Description of problem:

In some cases, some aci's with quite correct syntax are being parsed wrongly by the
ipa aci plugin.

Version-Release number of selected component (if applicable):

I am testing this in RHEL6: ipa-server-3.0.0-42.el6.x86_64


Steps to Reproduce:

1. Add these custom aci's:

aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow
(read,compare,search)(userdn = "ldap:///anyone");)
aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow
(read,compare,search,proxy)(userdn =
"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)

2. Try changing self service permission:

ipa selfservice-mod "Self can write own password" --permission=read
ipa: ERROR: an internal error has occurred
[root@ipa ~]#

tail -f /var/log/httpd/error_log
[Tue May 19 15:50:11 2015] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
[Tue May 19 15:50:11 2015] [error]     return self.execute(*args, **options)
[Tue May 19 15:50:11 2015] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 582, in execute
[Tue May 19 15:50:11 2015] [error]     candidate = ACI(a)
[Tue May 19 15:50:11 2015] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/aci.py", line 56, in __init__
[Tue May 19 15:50:11 2015] [error]     self._parse_acistr(acistr)
[Tue May 19 15:50:11 2015] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/aci.py", line 144, in _parse_acistr
[Tue May 19 15:50:11 2015] [error]     raise SyntaxError, "malformed ACI,
permissions match failed %s" % acistr
[Tue May 19 15:50:11 2015] [error] SyntaxError: malformed ACI, permissions
match failed (targetattr = "*") (version 3.0;acl "proxyagent";allow
(read,compare,search,proxy)(userdn =
"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)
[Tue May 19 15:50:11 2015] [error] ipa: INFO: admin:
selfservice_mod(u'Self can write own password', permissions=(u'read',),
all=False, raw=False, version=u'2.49'): SyntaxError


Additional info:


The workaround is to replace the aci's with ones not using parentheses around the
bind rule:

ldapmodify -D "cn=directory manager" -W
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow
(read,compare,search)(userdn = "ldap:///anyone");)
aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow
(read,compare,search,proxy)(userdn =
"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)


And re-add them with a slightly different syntax:

ldapmodify -D "cn=directory manager" -W
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow
(read,compare,search) userdn = "ldap:///anyone";)
aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow
(read,compare,search,proxy) userdn =
"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)


Then, the selfservice-mod command will work fine.

Thanks to Petr Viktorin for suggesting the workaround.
}}}

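The report above shows a parser that rejects an otherwise valid ACI when the bind rule is wrapped in parentheses, and a workaround that rewrites the ACI into the bare `userdn = "..."` form. The following is an added example, not FreeIPA's own `ipalib/aci.py`: a small Python parser that accepts a bind rule both with and without the enclosing parentheses (and tolerates the line break after `userdn =` seen in the report), plus a `normalize_aci` helper that re-emits an ACI in the same bare form the workaround uses. It assumes one or more simple target clauses, `version 3.0`, a single `allow`/`deny` rights list and a single keyword/operator/value bind rule (no `and`/`or` compound rules); the two ACI strings are copied from the report.

```python
import re
from dataclasses import dataclass

# Added example, not FreeIPA's ipalib/aci.py. Assumptions: simple target
# clauses, "version 3.0", one allow/deny rights list and one simple bind rule.


@dataclass
class ACI:
    targets: dict          # e.g. {"targetattr": ("=", "memberOf")}
    name: str              # the acl "name"
    access: str            # "allow" or "deny"
    rights: list           # e.g. ["read", "compare", "search"]
    bind_keyword: str      # e.g. "userdn"
    bind_op: str           # "=" or "!="
    bind_value: str        # e.g. "ldap:///anyone"


# Target clause: (keyword = "value") or (keyword != "value")
_TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)')

# Body: (version 3.0; acl "name"; allow|deny (rights) <bind rule> ;)
_BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;'   # version and ACI name
    r'\s*(allow|deny)\s*\(\s*([^)]*?)\s*\)'              # rights list
    r'\s*(.*?)\s*;\s*\)\s*$',                            # bind rule up to ";)"
    re.S,                                                # values may span lines
)

# Simple bind rule once any enclosing parentheses have been removed.
_BIND_RE = re.compile(r'^(\w+)\s*(!?=)\s*"([^"]*)"$', re.S)


def parse_aci(acistr):
    """Parse one ACI string; raise ValueError on anything it cannot handle."""
    acistr = acistr.strip()
    body = _BODY_RE.search(acistr)
    if body is None:
        raise ValueError("malformed ACI, no version/acl/rights body: %r" % acistr)
    name, access, rights, bind = body.groups()

    # Everything before the body is the list of target clauses.
    targets = {k: (op, v) for k, op, v in _TARGET_RE.findall(acistr[:body.start()])}
    if not targets:
        raise ValueError("malformed ACI, no target clause: %r" % acistr)

    # Accept both '(userdn = "...")' and 'userdn = "..."'. Only one enclosing
    # pair is stripped, so nested or compound rules still fail loudly.
    bind = bind.strip()
    if bind.startswith("(") and bind.endswith(")"):
        bind = bind[1:-1].strip()
    m = _BIND_RE.match(bind)
    if m is None:
        raise ValueError("malformed ACI, bind rule match failed: %r" % bind)
    keyword, op, value = m.groups()

    return ACI(
        targets=targets,
        name=name,
        access=access,
        rights=[r.strip() for r in rights.split(",") if r.strip()],
        bind_keyword=keyword,
        bind_op=op,
        bind_value=value,
    )


def normalize_aci(acistr):
    """Re-emit the ACI in the bare bind-rule form used by the workaround."""
    aci = parse_aci(acistr)
    targets = " ".join('(%s %s "%s")' % (k, op, v) for k, (op, v) in aci.targets.items())
    return '%s (version 3.0;acl "%s";%s (%s) %s %s "%s";)' % (
        targets, aci.name, aci.access, ",".join(aci.rights),
        aci.bind_keyword, aci.bind_op, aci.bind_value,
    )


# The two ACIs from the report, in the parenthesised form that tripped the
# strict parser (the line break after "userdn =" is kept as in the report).
MEMBEROF_ACI = (
    '(targetattr = "memberOf") (version 3.0;acl "memberOf3";allow '
    '(read,compare,search)(userdn = "ldap:///anyone");)'
)
PROXYAGENT_ACI = (
    '(targetattr = "*") (version 3.0;acl "proxyagent";allow '
    '(read,compare,search,proxy)(userdn =\n'
    '"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)'
)

if __name__ == "__main__":
    for raw in (MEMBEROF_ACI, PROXYAGENT_ACI):
        aci = parse_aci(raw)
        print(aci.name, aci.rights, aci.bind_keyword, aci.bind_value)
        print(normalize_aci(raw))
```

Running the block parses both ACIs and prints their bare-form rewrite; `normalize_aci` is idempotent, so feeding its output back through `parse_aci` yields the same `ACI` record as the original parenthesised string, which is the property a tolerant parser should have regardless of which syntax an administrator used.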
Comment 3 Abhijeet Kasurde 2015-10-06 08:22:13 UTC
Verified.

IPA Server version ::

ipa-server-4.2.0-12.el7.x86_64

Comment 4 errata-xmlrpc 2015-11-19 12:05:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html