Bug 1316328
| Summary: | search returns no entry when OR filter component contains non readable attribute | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Noriko Hosoi <nhosoi> |
| Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | kbanerje, lkrispen, nkinder, rmeggins |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | 389-ds-base-1.3.5.5-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-03 20:40:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Thanks Ludwig, for clearing my doubt. I verified this bug; steps performed:

```
[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "dc=example, dc=com" "(cn=foo)" dn cn
# foo, example.com
dn: cn=foo,dc=example,dc=com
cn: foo

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=0*)(cn=bar))" dn
No Result

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=1*)(cn=bar))" dn
# foo, example.com
dn: cn=foo,dc=example,dc=com

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=10*)(cn=bar))" dn
No Result

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=11*)(cn=bar))" dn
No Result

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=12*)(cn=bar))" dn
# foo, example.com
dn: cn=foo,dc=example,dc=com
```

Then the following ACIs were applied:

```
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (targetattr = "cn")(version 3.0;acl "cn allow";allow (read)(userdn = "ldap:///cn=user,dc=example,dc=com");)
-
aci: (targetattr = "telephoneNumber")(version 3.0;acl "deny Read and seach";deny (read)(userdn = "ldap:///cn=user,dc=example,dc=com");)
```

```
[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "dc=example, dc=com" "(cn=foo)" dn cn
No Result

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=0*)(cn=bar))" dn
No Result

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=1*)(cn=bar))" dn
No Result

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=10*)(cn=bar))" dn
No Result

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=12*)(cn=bar))" dn
No Result

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=*)(cn=foo))" dn
No Result

[root@test ~]# ldapsearch -D "cn=user,dc=example,dc=com" -w test1234 -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=*)(cn=foo))" dn telephonenumber cn
No Result
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html
Problem description

Access control requires that a user has read access to all attributes in OR filter components. Otherwise no entry is returned, even if the filter matches some entries. This is to prevent guessing of attribute values using an OR filter. The problem is that this requirement prevents using non-readable attributes in a filter. If we make sure that components with non-readable attributes do not match the selected entry, then guessing would be prevented and non-readable attributes would be allowed in the filter.

For example, 'user' has read access on 'cn' but no read access over the 'telephonenumber' attribute:

```
dn: cn=foo,dc=example,dc=com
objectClass: top
objectClass: person
sn: foo
cn: foo
telephoneNumber: 123
```

Without this access control, guessing could be done this way:

```
ldapsearch -D "cn=user,dc=example,dc=com" -w xxx -b "dc=example, dc=com" "(cn=foo)" dn cn
dn: cn=foo,dc=example,dc=com
cn: foo

ldapsearch -D "cn=user,dc=example,dc=com" -w xxx -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=0*)(cn=bar))" dn
<no entry>

ldapsearch -D "cn=user,dc=example,dc=com" -w xxx -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=1*)(cn=bar))" dn
dn: cn=foo,dc=example,dc=com

ldapsearch -D "cn=user,dc=example,dc=com" -w xxx -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=10*)(cn=bar))" dn
<no entry>

ldapsearch -D "cn=user,dc=example,dc=com" -w xxx -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=11*)(cn=bar))" dn
<no entry>

ldapsearch -D "cn=user,dc=example,dc=com" -w xxx -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=12*)(cn=bar))" dn
dn: cn=foo,dc=example,dc=com
...
```

With the current access control, the last 5 searches return `<no entry>` (preventing guessing). But also:

```
ldapsearch -D "cn=user,dc=example,dc=com" -w xxx -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=*)(cn=foo))" dn
<no entry>
```

Now if access control allows a non-readable attribute ('telephonenumber') but systematically rejects matching with it, the last 5 searches also return `<no entry>`, but the following search would be successful:

```
ldapsearch -D "cn=user,dc=example,dc=com" -w xxx -b "cn=foo,dc=example, dc=com" "(|(telephonenumber=*)(cn=foo))" dn telephonenumber cn
dn: cn=foo,dc=example,dc=com
cn: foo
```
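To make the two rules in the description concrete, here is an added example (not code from 389-ds-base or from the reporter) that models filter evaluation for a bound user who may read `cn` but not `telephoneNumber`. It assumes the sample entry and readable-attribute set from the description, uses RFC 4511's three-valued filter logic (a component on an unreadable attribute evaluates to Undefined) as its model of the proposed behaviour, and a `legacy` flag as its model of the old rule under which any unreadable attribute in the filter hides the entry.

```python
# Added example, not code from 389-ds-base: a model of how an LDAP filter is
# evaluated for a bound user who may read only some of an entry's attributes.
# Constructed from the bug description: 'user' may read cn but not telephoneNumber.
ENTRY = {"cn": ["foo"], "sn": ["foo"], "telephonenumber": ["123"]}
READABLE = {"cn", "sn"}

def parse(s, i=0):
    """Parse a minimal filter: (&...), (|...) and attr=value items -> (node, next_index)."""
    assert s[i] == "(", "filter must start with '('"
    if s[i + 1] in "&|":
        op, i, subs = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse(s, i)
            subs.append(node)
        assert s[i] == ")", "unterminated filter list"
        return (op, subs), i + 1
    j = s.index(")", i)
    attr, val = s[i + 1:j].split("=", 1)
    return ("=", attr.strip().lower(), val), j + 1

def item_matches(attr, val, entry):
    """Presence (*), initial-substring (prefix*) or equality match on one attribute."""
    values = entry.get(attr, [])
    if val == "*":
        return bool(values)
    return any(v.startswith(val[:-1]) for v in values) if val.endswith("*") else val in values

def evaluate(node, entry, readable):
    """Three-valued evaluation (True / False / None = Undefined, as in RFC 4511). A component
    on an attribute the user cannot read is Undefined, so it can never make an OR true."""
    if node[0] == "=":
        _, attr, val = node
        return item_matches(attr, val, entry) if attr in readable else None
    op, subs = node
    results = [evaluate(n, entry, readable) for n in subs]
    if op == "|":
        return True if True in results else (None if None in results else False)
    return False if False in results else (None if None in results else True)

def filter_attrs(node):  # every attribute name used anywhere in a parsed filter
    return {node[1]} if node[0] == "=" else set().union(*(filter_attrs(n) for n in node[1]))

def search(filter_str, entry=ENTRY, readable=READABLE, legacy=False):
    """True if the entry is returned; legacy=True models the pre-fix rule from the report."""
    node = parse(filter_str)[0]
    if legacy and filter_attrs(node) - readable:  # any unreadable attribute hides the entry
        return False
    return evaluate(node, entry, readable) is True
```

Under the modelled fix, every guessed `telephonenumber` prefix ORed with a non-matching `cn` yields the same answer (no entry), while `(|(telephonenumber=*)(cn=foo))` returns the entry because the readable component alone is true.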