Bug 1387022

Summary: specific search with sizelimit=1 sometimes returns no entry incorrectly
Product: Red Hat Enterprise Linux 6 Reporter: Hiroko Miura <hmiura>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: high Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent    
Version: 6.9CC: mreynolds, msauton, nhosoi, nkinder, rmeggins, spichugi
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: 389-ds-base-1.2.11.15-84.el6 Doc Type: Bug Fix
Doc Text:
Group ACIs are now correctly evaluated Previously, if the number of members in a group in an access control instruction (ACI) exceeded the size limit of the result of the query, Directory Server incorrectly denied access. To fix the problem, the server size limit is no longer applied to the ACI group evaluation, and queries now operate correctly.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-21 10:23:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
sample ldif to reproduce the issue none

Description Hiroko Miura 2016-10-20 01:14:17 UTC 
Created attachment 1212288 [details]
sample ldif to reproduce the issue

Description of problem:

Customer reported that some specific search operation sometimes return no entry which should return the entry.

According to aci debug log, evaluation of aci with groupdn fails as ACL_DONT_KNOW.

[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Evaluating DENY aci(7) " "disable Access""
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - ALLOCATING GROUP FOR:uid=ro_user,ou=profile,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Evaluating user uid=ro_user,ou=profile,dc=example,dc=com in group cn=disableAccess,ou=Groups,dc=example,dc=com?
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - -- Not in cn=disableAccess,ou=Groups,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - -- Not in uid=guest1,ou=profile,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - -- Not in uid=guest2,ou=profile,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - GroupEval:Looked at too many entries:(2, 3)
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Evaluated ACL_DONT_KNOW
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Processed:7 DENY handles Result:2
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - conn=2 op=1 (main): Deny search on entry(uid=user1,ou=people,dc=example,dc=com).attr(sn) to uid=ro_user,ou=profile,dc=example,dc=com: error occurred by aci(7): aciname= "disable Access", acidn="ou=people,dc=example,dc=com"

This happens if client perform search by specifying sizelimit=1.


Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux Server release 6.8 (Santiago)
389-ds-base-1.2.11.15-75.el6_8.x86_64


How reproducible:

attached reprodusable sample LDIF (example.ldif)

Steps to Reproduce:
1. create suffix with dc=example,dc=com and import sample ldif

2. perform the following ldapsearch 

 ldapsearch -D uid=ro_user,ou=profile,dc=example,dc=com -w password -b "ou=people,dc=example,dc=com" -z 1 "sn=user1"

   => Please note that option '-z 1' (i.e. sizelimit=1) is specified


3.perform the same search without '-z 1'

 ldapsearch -p 30389 -h ldapj -D uid=ro_user,ou=profile,dc=example,dc=com -w password -b "ou=people,dc=example,dc=com" "sn=user1"



Actual results:
no entry is returned in step2

Expected results:
entry is returned

Additional info:
Once problematic search performed without sizelimit like step3 and got succeeded, subsequent search would return the entry correctly even if client side sizelimit is specified as result of group evaluation is cached. 

This issue is fixed in the upstream ticket #47703.

https://fedorahosted.org/389/ticket/47703
Comment 1 Hiroko Miura 2016-10-20 01:52:12 UTC 
The problematic aci in attached example.ldif is:

aci: (targetattr = "*") (version 3.0;acl "disable Access";deny (all)(groupdn =
  "ldap:///cn=disableAccess,ou=Groups,dc=example,dc=com");)
Comment 3 mreynolds 2016-10-20 08:14:54 UTC 
Fixed upstream
Comment 6 Simon Pichugin 2016-11-25 13:10:26 UTC 
============================= test session starts =============================
platform linux2 -- Python 2.7.8, pytest-3.0.4, py-1.4.31, pluggy-0.4.0 -- /opt/rh/python27/root/usr/bin/python
cachedir: .cache
DS build: 1.2.11.15 B2016.312.1950
389-ds-base: 1.2.11.15-85.el6
nss: 3.27.1-7.el6
nspr: 4.13.1-1.el6
openldap: 2.4.40-14.el6
svrcore: 4.0.4-5.1.el6

rootdir: /mnt/tests/rhds/tests/upstream/ds, inifile:
plugins: html-1.11.1, cov-2.4.0, beakerlib-0.6
collected 2 items

ticket47703_test.py::test_ticket47703 PASSED
ticket47703_test.py::test_ticket47703_final PASSED

========================== 2 passed in 44.59 seconds ==========================

Marking as verified.
Comment 10 errata-xmlrpc 2017-03-21 10:23:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0667.html