Bug 1382386
| Summary: | Directory Server accepts a wrong userdn macro ACI | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Simon Pichugin <spichugi> |
| Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | unspecified | | |
| Version: | 6.8 | CC: | nhosoi, nkinder, rmeggins |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | 389-ds-base-1.2.11.15-84.el6 | Doc Type: | Bug Fix |
| Doc Text: | Directory Server now validates macros in ACIs. Previously, Red Hat Directory Server did not validate macros in an access control instruction (ACI). As a result, users were able to set incorrect macros in an ACI. This update improves the underlying validation code, and Directory Server now rejects invalid macros and logs an error. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-03-21 10:23:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Simon Pichugin
2016-10-06 14:22:17 UTC
Build tested:
389-ds-base-1.2.11.15-85.el6.x86_64
Verification steps:
1. Install an instance with 'dc=example,dc=com' suffix
2. Add the setup like this:
$ ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123
dn: o=MACRO.com, dc=example,dc=com
changetype: add
objectClass: top
objectClass: organization
o: MACRO.com
description: ou=Groups
adding new entry "o=MACRO.com, dc=example,dc=com"
dn: ou=Groups, o=MACRO.com, dc=example,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Groups
adding new entry "ou=Groups, o=MACRO.com, dc=example,dc=com"
dn: cn=Macro, ou=Groups, o=MACRO.com, dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: Macro
sn: Macro
userPassword: Macro
adding new entry "cn=Macro, ou=Groups, o=MACRO.com, dc=example,dc=com"
3. Try to add an ACI with a wrong userdn macro in it.
Check the following macros; they should all return "Invalid syntax":
- ($attr..description)
- ($attribute.description)
- ($att.$attr.description)
- ($attr#description)
$ ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123
dn: o=MACRO.com, dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///o=MACRO.com, dc=example,dc=com")(version 3.0; acl "Wrong_ACI_25"; allow (all) userdn="ldap:///cn=Macro, ($attr..description), o=MACRO.com, dc=example,dc=com";)
modifying entry "o=MACRO.com, dc=example,dc=com"
ldap_modify: Invalid syntax (21)
additional info: ACL Syntax Error(-5):(target=\22ldap:///o=MACRO.com, dc=example,dc=com\22)(version 3.0; acl \22Wrong_ACI_25\22; allow (all) userdn=\22ldap:///cn=Macro, ($attr..description), o=MACRO.com, dc=example,dc=com\22;)
Wrong-syntax macros fail. Marking as VERIFIED.
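The four malformed macros from the verification step, checked offline with a stand-alone validator. This is example code added for this page, not code from 389-ds-base or from the fix; it assumes the documented macro forms `($dn)`, `[$dn]` and `($attr.attrName)` and uses a simplified attribute-name grammar, so it is a pre-flight check for ACI values, not a replacement for the server's own parser.

```python
import re

# Macro forms documented for 389-ds / Red Hat Directory Server ACIs.
# Assumption: grammar taken from the product documentation, not from the
# server's parser; attribute names are simplified to letters, digits, hyphens.
DN_MACROS = {"($dn)", "[$dn]"}
ATTR_MACRO = re.compile(r"^\(\$attr\.([A-Za-z][A-Za-z0-9-]*)\)$")
# Any parenthesised or bracketed token that starts with '$' is a macro candidate.
MACRO_CANDIDATE = re.compile(r"[(\[]\$[^)\]]*[)\]]")
# The userdn="..." values inside a full ACI string.
USERDN_VALUE = re.compile(r'userdn\s*=\s*"([^"]*)"')

def macro_errors(userdn):
    """Return the malformed macro tokens in one userdn value (empty list = clean)."""
    return [tok for tok in MACRO_CANDIDATE.findall(userdn)
            if tok not in DN_MACROS and not ATTR_MACRO.match(tok)]

def check_aci(aci):
    """Validate every userdn inside an ACI; returns (is_valid, [bad macros])."""
    bad = []
    for value in USERDN_VALUE.findall(aci):
        bad.extend(macro_errors(value))
    return (not bad, bad)

# Constructed sample: the ACI from the verification step above, with the four
# wrong macros listed in the report and two well-formed ones for contrast.
ACI_TEMPLATE = ('(target="ldap:///o=MACRO.com, dc=example,dc=com")'
                '(version 3.0; acl "Wrong_ACI_25"; allow (all) '
                'userdn="ldap:///cn=Macro, {macro}, o=MACRO.com, dc=example,dc=com";)')
WRONG_MACROS = ["($attr..description)", "($attribute.description)",
                "($att.$attr.description)", "($attr#description)"]
GOOD_MACROS = ["($attr.description)", "[$dn]"]

def rejects_all_wrong_macros():
    """True when every wrong macro is flagged and every good macro passes."""
    wrong_ok = all(check_aci(ACI_TEMPLATE.format(macro=m)) == (False, [m])
                   for m in WRONG_MACROS)
    good_ok = all(check_aci(ACI_TEMPLATE.format(macro=m)) == (True, [])
                  for m in GOOD_MACROS)
    return wrong_ok and good_ok

if __name__ == "__main__":
    for m in WRONG_MACROS + GOOD_MACROS:
        ok, bad = check_aci(ACI_TEMPLATE.format(macro=m))
        print(f"{m:28} -> {'accepted' if ok else 'rejected: ' + ', '.join(bad)}")
    print("all checks passed:", rejects_all_wrong_macros())
```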
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0667.html