Bug 1417344
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | case sensitivity in ACI | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Noriko Hosoi <nhosoi> |
| Component: | 389-ds-base | Assignee: | mreynolds |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.3 | CC: | amsharma, mreynolds, msauton, nkinder, rmeggins |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 389-ds-base-1.3.6.1-4.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1444962 1445176 | Environment: | |
| Last Closed: | 2017-08-01 21:14:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1444962, 1445176 | | |
Description
Noriko Hosoi
2017-01-28 02:24:02 UTC
Fixed upstream

*** Bug 1444962 has been marked as a duplicate of this bug. ***

```
[0 root@qeos-135 ~]# rpm -qa | grep 389
389-ds-base-1.3.6.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.6.1-9.el7.x86_64
389-ds-base-snmp-1.3.6.1-9.el7.x86_64
389-ds-base-libs-1.3.6.1-9.el7.x86_64
```

Platform - Linux-3.10.0-657.el7.x86_64-x86_64-with-redhat-7.4-Maipo

==========================================================
Test Case 1 -

Test case executed - tickets/ticket49095_test.py::test_ticket49095 PASSED

```
1 passed in 4.64 seconds
:: [ PASS ] :: Running py.test (Expected 0, got 0)
```

==========================================================
Test Case 2 -

```
[0 root@qeos-135 schema]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "dc=example,dc=com" aci -o ldif-wrap=no
dn: dc=example,dc=com
aci: (targetattr != "postal*") (version 3.0; acl "test case3"; allow (read,compare,search)(userdn = "ldap:///anyone");)

[0 root@qeos-135 schema]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "o=REDHAT,dc=example,dc=com" postalcode
dn: o=REDHAT,dc=example,dc=com
postalcode: 12345

[0 root@qeos-135 schema]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "o=REDHAT,dc=example,dc=com" postalAddress
dn: o=REDHAT,dc=example,dc=com
postalAddress: 12345

[0 root@qeos-135 schema]# ldapsearch -x -h localhost -p 389 -b "o=REDHAT,dc=example,dc=com" postalcode
# extended LDIF
#
# LDAPv3
# base <o=REDHAT,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: postalcode
#

# REDHAT, example.com
dn: o=REDHAT,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

Error logs-

```
[28/Apr/2017:08:00:27.316335046 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(48) " "test case3""
[28/Apr/2017:08:00:27.316888661 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=84 op=1 (main): Allow read on entry(o=redhat,dc=example,dc=com).attr(objectClass) to anonymous: allowed by aci(48): aciname= "test case3", acidn="dc=example,dc=com"
[28/Apr/2017:08:00:27.317406785 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[28/Apr/2017:08:00:27.317895178 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:0, DENY handles:0
[28/Apr/2017:08:00:27.318412736 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=84 op=1 (main): Deny read on entry(o=redhat,dc=example,dc=com).attr(postalCode) to anonymous: no aci matched the resource
```

==========================================================
Test Case 3-

```
[0 root@qeos-135 schema]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "dc=example,dc=com" aci -o ldif-wrap=no
dn: dc=example,dc=com
aci: (targetattr != "postal* || tele*") (version 3.0; acl "test case"; allow (read,compare,search)(userdn = "ldap:///anyone");)

[0 root@qeos-135 schema]# ldapsearch -x -h localhost -p 389 -b "o=REDHAT,dc=example,dc=com" postalcode
# extended LDIF
#
# LDAPv3
# base <o=REDHAT,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: postalcode
#

# REDHAT, example.com
dn: o=REDHAT,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[0 root@qeos-135 schema]# ldapsearch -x -h localhost -p 389 -b "o=REDHAT,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <o=REDHAT,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# REDHAT, example.com
dn: o=REDHAT,dc=example,dc=com
objectClass: organization
objectClass: top
o: REDHAT
userPassword:: e1NTSEE1MTJ9UVJ6NlJHanpyUzRkSjFyTUFrK1Z0U1FtT0ptUEhYdVAxNkVncW9
 6QTU2V1h2RFV3SHkxVGpEQUt6bmRWa2JidjN4bUFBWEhBZ04wS0hvUEZHMFR2MXUvL0M3bzhaWUF1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[0 root@qeos-135 schema]# ldapsearch -x -h localhost -p 389 -b "o=REDHAT,dc=example,dc=com" telephoneNumber
# extended LDIF
#
# LDAPv3
# base <o=REDHAT,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: telephoneNumber
#

# REDHAT, example.com
dn: o=REDHAT,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[0 root@qeos-135 schema]#
[0 root@qeos-135 schema]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "o=REDHAT,dc=example,dc=com"
dn: o=REDHAT,dc=example,dc=com
objectClass: organization
objectClass: top
telexNumber: 12345$023$ABCDE
teletexTerminalIdentifier: 12345
telephoneNumber: 12345
postalCode: 12345
postalAddress: 12345
o: REDHAT
userPassword:: e1NTSEE1MTJ9UVJ6NlJHanpyUzRkSjFyTUFrK1Z0U1FtT0ptUEhYdVAxNkVncW9
 6QTU2V1h2RFV3SHkxVGpEQUt6bmRWa2JidjN4bUFBWEhBZ04wS0hvUEZHMFR2MXUvL0M3bzhaWUF1
```

LOGS
====

```
[28/Apr/2017:08:18:04.482162626 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=99 op=1 (main): Allow search on entry(o=redhat,dc=example,dc=com).attr(objectClass) to anonymous: allowed by aci(52): aciname= "test case", acidn="dc=example,dc=com"
[28/Apr/2017:08:18:04.482871240 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[28/Apr/2017:08:18:04.483594437 -0400] - DEBUG - NSACLPlugin - ***BEGIN ACL INFO[ Name: "test case"]***
[28/Apr/2017:08:18:04.484348615 -0400] - DEBUG - NSACLPlugin - ACL Index:52 ACL_ELEVEL:0
[28/Apr/2017:08:18:04.485038987 -0400] - DEBUG - NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[28/Apr/2017:08:18:04.485743408 -0400] - DEBUG - NSACLPlugin - ACI RULE type:(userdn )
[28/Apr/2017:08:18:04.486365104 -0400] - DEBUG - NSACLPlugin - Slapi_Entry DN:dc=example,dc=com
[28/Apr/2017:08:18:04.486985305 -0400] - DEBUG - NSACLPlugin - ***END ACL INFO*****************************
[28/Apr/2017:08:18:04.487713121 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:1, DENY handles:0
[28/Apr/2017:08:18:04.488307524 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:objectClass for entry:o=redhat,dc=example,dc=com
[28/Apr/2017:08:18:04.488915416 -0400] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(52) " "test case""
[28/Apr/2017:08:18:04.489518103 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=99 op=1 (main): Allow read on entry(o=redhat,dc=example,dc=com).attr(objectClass) to anonymous: allowed by aci(52): aciname= "test case", acidn="dc=example,dc=com"
[28/Apr/2017:08:18:04.490320844 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Using ACL Container:0 for evaluation
[28/Apr/2017:08:18:04.490957374 -0400] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:0, DENY handles:0
[28/Apr/2017:08:18:04.491692571 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=99 op=1 (main): Deny read on entry(o=redhat,dc=example,dc=com).attr(telephoneNumber) to anonymous: no aci matched the resource
[28/Apr/2017:08:19:17.106095355 -0400] - DEBUG - NSACLPlugin - acl_access_allowed - conn=100 op=1 (main): Allow search on entry(o=redhat,dc=example,dc=com): root user
[28/Apr/2017:08:19:17.107649825 -0400] - DEBUG - NSACLPlugin - acl_read_access_allowed_on_entry - Root access (read) allowed on entry(o=redhat,dc=example,dc=com)
[28/Apr/2017:08:19:17.108511078 -0400] - DEBUG - NSACLPlugin - Root access (read) allowed on entry(o=redhat,dc=example,dc=com)
```

Marking Verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086
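The verification above exercises wildcard `targetattr` patterns against mixed-case attribute names. As an added example (not code from 389-ds-base, the test suite, or this report), the Python below models how such a clause selects attributes: it parses the clause, matches each pattern with case folded, since LDAP attribute type names are case-insensitive, and also offers a case-sensitive mode so the effect of a comparison that does not fold case can be seen. The ACI string and the entry attributes are copied from Test Case 3; the `Postal*` pattern is a constructed variant.

```python
"""Model of ACI targetattr matching (added example, not 389-ds code)."""
import fnmatch
import re

# Matches the targetattr clause, e.g. (targetattr != "postal* || tele*")
_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)')


def parse_targetattr(aci: str):
    """Return (operator, patterns) from the ACI's targetattr clause."""
    m = _TARGETATTR.search(aci)
    if m is None:
        raise ValueError("ACI has no targetattr clause")
    return m.group(1), [p.strip() for p in m.group(2).split("||")]


def attr_targeted(aci: str, attr: str, case_sensitive: bool = False) -> bool:
    """True if `attr` is covered by the ACI's targetattr clause.

    Attribute type names are case-insensitive in LDAP (RFC 4512), so the
    default folds both the pattern and the name before the '*' wildcard
    match. case_sensitive=True shows what a non-folding comparison does:
    a '!=' exclusion silently stops excluding names whose case differs.
    """
    op, patterns = parse_targetattr(aci)
    if case_sensitive:
        hit = any(fnmatch.fnmatchcase(attr, p) for p in patterns)
    else:
        hit = any(fnmatch.fnmatchcase(attr.lower(), p.lower()) for p in patterns)
    return hit if op == "=" else not hit


def exposed_attrs(aci: str, entry_attrs, case_sensitive: bool = False):
    """Attributes of an entry that an allow-read ACI with this clause covers."""
    return sorted(a for a in entry_attrs if attr_targeted(aci, a, case_sensitive))


# Constructed inputs copied from Test Case 3: the ACI on dc=example,dc=com and
# the attributes of o=REDHAT,dc=example,dc=com as the directory manager sees them.
ACI_TEST_CASE_3 = ('(targetattr != "postal* || tele*") (version 3.0; acl "test case"; '
                   'allow (read,compare,search)(userdn = "ldap:///anyone");)')
ENTRY_ATTRS = ["objectClass", "telexNumber", "teletexTerminalIdentifier",
               "telephoneNumber", "postalCode", "postalAddress", "o", "userPassword"]
# Constructed variant: same intent, pattern written with a capital letter.
ACI_MIXED_CASE = '(targetattr != "Postal*") (version 3.0; acl "x"; allow (read)(userdn = "ldap:///anyone");)'

if __name__ == "__main__":
    print("case-folded  :", exposed_attrs(ACI_TEST_CASE_3, ENTRY_ATTRS))
    print("no folding   :", exposed_attrs(ACI_MIXED_CASE, ENTRY_ATTRS, case_sensitive=True))
```

With the page's ACI, the case-folded match leaves only `o`, `objectClass` and `userPassword` readable, which is what the anonymous search in Test Case 3 returned.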