Bug 1259466
| Summary: | Enhance ACIs to have more control over MODRDN operations | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Kurik <jkurik> |
| Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.0 | CC: | ekeck, jkurik, mnavrati, nhosoi, nkinder, rmeggins, spichugi, tbordaz |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.3.3.1-21.el7_1 | Doc Type: | Bug Fix |
| Doc Text: |
This update fixes a macro definition problem that occurred when activating enhanced ACL for the MODRDN operation.
|
Story Points: | --- |
| Clone Of: | 1257294 | Environment: | |
| Last Closed: | 2015-11-03 08:21:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1257294 | ||
| Bug Blocks: | |||
|
Description
Jan Kurik
2015-09-02 16:26:20 UTC
Build tested: 389-ds-base-1.3.3.1-21.el7_1.x86_64 Verification Steps: 1) Create two containers: ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 dn: ou=test_ou_1,dc=example,dc=com changetype: add objectclass: top objectclass: organizationalunit ou: test_ou_1 adding new entry "ou=test_ou_1,dc=example,dc=com" dn: ou=test_ou_2,dc=example,dc=com changetype: add objectclass: top objectclass: organizationalunit ou: test_ou_2 adding new entry "ou=test_ou_2,dc=example,dc=com" 2) Create a user within "ou=test_ou_1,dc=example,dc=com": ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 dn: cn=test_user,ou=test_ou_1,dc=example,dc=com changetype: add objectclass: top objectclass: person cn: test_user sn: test_user userpassword: Secret123 adding new entry "cn=test_user,ou=test_ou_1,dc=example,dc=com" 3) Add an aci with a rule "cn=test_user is allowed all" within these containers: ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 dn: ou=test_ou_1,dc=example,dc=com changetype: modify add: aci aci: (targetattr="*")(version 3.0; acl "All rights on the ou=test_ou_1,dc=example,dc=com"; allow (all) userdn="ldap:///cn=test_user,ou=test_ou_1,dc=example,dc=com";) modifying entry "ou=test_ou_1,dc=example,dc=com" dn: ou=test_ou_2,dc=example,dc=com changetype: modify add: aci aci: (targetattr="*")(version 3.0; acl "All rights on the ou=test_ou_2,dc=example,dc=com"; allow (all) userdn="ldap:///cn=test_user,ou=test_ou_1,dc=example,dc=com";) modifying entry "ou=test_ou_2,dc=example,dc=com" 4) Run MODRDN operation on the "cn=test_user" and set "newsuperior" to the "ou=test_ou_2,dc=example,dc=com": ldapmodify -h localhost -p 389 -D "cn=test_user,ou=test_ou_1,dc=example,dc=com" -w Secret123 dn: cn=test_user,ou=test_ou_1,dc=example,dc=com changetype: modrdn newrdn: cn=test_user deleteoldrdn: 1 newsuperior: ou=test_ou_2,dc=example,dc=com modifying rdn of entry "cn=test_user,ou=test_ou_1,dc=example,dc=com" 5) Check everything is alright: ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b ou=test_ou_1,dc=example,dc=com "(objectclass=*)" # test_ou_1, example.com dn: ou=test_ou_1,dc=example,dc=com objectClass: top objectClass: organizationalunit ou: test_ou_1 ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b ou=test_ou_2,dc=example,dc=com "(objectclass=*)" # test_ou_2, example.com dn: ou=test_ou_2,dc=example,dc=com objectClass: top objectClass: organizationalunit ou: test_ou_2 # test_user, test_ou_2, example.com dn: cn=test_user,ou=test_ou_2,dc=example,dc=com objectClass: top objectClass: person sn: test_user userPassword:: e1NTSEF9MUdES0NhZ2JFVlRPV1NWQjZ2OVZKdGFubWQzMXNUcTR2bUFPaGc9PQ= = cn: test_user Marking as VERIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1960.html |