Bug 1445176
| Summary: | case sensitivity in ACI | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jaroslav Reznik <jreznik> |
| Component: | 389-ds-base | Assignee: | mreynolds |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | urgent | | |
| Version: | 7.3 | CC: | amsharma, mreynolds, msauton, nhosoi, nkinder, pbokoc, rmeggins |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 389-ds-base-1.3.5.10-21.el7_3 | Doc Type: | Bug Fix |
| Doc Text: | Previously, target attributes used in access control lists were processed in a case-sensitive manner. This caused ACLs to behave unexpectedly when an entry's attributes used a different case than the attribute in the ACL. This bug has been fixed by ensuring that evaluating target attributes uses case-insensitive comparisons, and ACLs now work as expected regardless of the case of the attribute names. | | |
| Story Points: | --- | | |
| Clone Of: | 1417344 | Environment: | |
| Last Closed: | 2017-05-25 15:52:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1417344 | | |
| Bug Blocks: | | | |
Description
Jaroslav Reznik
2017-04-25 08:02:20 UTC
Platform = Linux-3.10.0-514.el7.x86_64-x86_64-with-redhat-7.3-Maipo
rpm -qa | grep 389
389-ds-base-1.3.5.10-21.el7_3.x86_64
389-ds-base-debuginfo-1.3.5.10-21.el7_3.x86_64
389-ds-base-snmp-1.3.5.10-21.el7_3.x86_64
389-ds-base-libs-1.3.5.10-21.el7_3.x86_64
Automated test -
---------------------------- Captured stdout setup -----------------------------
OK group dirsrv exists
OK user dirsrv exists
----------------------------- Captured stderr call -----------------------------
INFO:tests.tickets.ticket49095_test:Test Passed
Manual Testing -
============
[0 root@qeos-212 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: dc=example,dc=com
> changetype: modify
> replace: aci
> aci: (targetattr != "postal* || tele*") (version 3.0; acl "test case"; allow (read,compare,search)(userdn = "ldap:///anyone");)
> EOF
modifying entry "dc=example,dc=com"
[0 root@qeos-212 yum.repos.d]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "dc=example,dc=com" aci -o ldif-wrap=no
dn: dc=example,dc=com
aci: (targetattr != "postal* || tele*") (version 3.0; acl "test case"; allow (read,compare,search)(userdn = "ldap:///anyone");)
[0 root@qeos-212 yum.repos.d]# ldapsearch -x -h localhost -p 389 -b "o=REDHAT,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <o=REDHAT,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# REDHAT, example.com
dn: o=REDHAT,dc=example,dc=com
objectClass: organization
objectClass: top
o: REDHAT
userPassword:: e1NTSEF9cjZhc0RRNW5LaVNwOUtlWkRQOVJ2SEY3N0dkTDdyT0NXTlpLelE9PQ=
=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[0 root@qeos-212 yum.repos.d]# ldapsearch -x -h localhost -p 389 -b "o=REDHAT,dc=example,dc=com" postaladdress
# extended LDIF
#
# LDAPv3
# base <o=REDHAT,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: postaladdress
#
# REDHAT, example.com
dn: o=REDHAT,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[0 root@qeos-212 yum.repos.d]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "o=REDHAT,dc=example,dc=com" postaladdress
dn: o=REDHAT,dc=example,dc=com
postaladdress: 12345
[0 root@qeos-212 yum.repos.d]# rpm -qa | grep 389
389-ds-base-1.3.5.10-21.el7_3.x86_64
389-ds-base-debuginfo-1.3.5.10-21.el7_3.x86_64
389-ds-base-snmp-1.3.5.10-21.el7_3.x86_64
389-ds-base-libs-1.3.5.10-21.el7_3.x86_64
[0 root@qeos-212 yum.repos.d]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "o=REDHAT,dc=example,dc=com"
dn: o=REDHAT,dc=example,dc=com
objectClass: organization
objectClass: top
telexNumber: 12345$023$ABCDE
teletexTerminalIdentifier: 12345
telephoneNumber: 12345
postalCode: 12345
postalAddress: 12345
o: REDHAT
userPassword:: e1NTSEF9cjZhc0RRNW5LaVNwOUtlWkRQOVJ2SEY3N0dkTDdyT0NXTlpLelE9PQ=
=
LOGS
====
[28/Apr/2017:09:49:18.904151008 -0400] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[28/Apr/2017:09:49:18.904714653 -0400] NSACLPlugin - Processed attr:o for entry:o=redhat,dc=example,dc=com
[28/Apr/2017:09:49:18.905249927 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(23) " "test case""
[28/Apr/2017:09:49:18.905847416 -0400] NSACLPlugin - Found READ ALLOW in cache
[28/Apr/2017:09:49:18.906422300 -0400] NSACLPlugin - conn=26 op=1 (main): Allow read on entry(o=redhat,dc=example,dc=com).attr(o) to anonymous: cached allow by aci(23)
[28/Apr/2017:09:49:18.907007652 -0400] NSACLPlugin - Using ACL Container:0 for evaluation
[28/Apr/2017:09:49:18.907591878 -0400] NSACLPlugin - ***BEGIN ACL INFO[ Name: "test case"]***
[28/Apr/2017:09:49:18.908179307 -0400] NSACLPlugin - ACL Index:23 ACL_ELEVEL:0
[28/Apr/2017:09:49:18.908887135 -0400] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[28/Apr/2017:09:49:18.909464192 -0400] NSACLPlugin - ACI RULE type:(userdn )
[28/Apr/2017:09:49:18.909994727 -0400] NSACLPlugin - Slapi_Entry DN:dc=example,dc=com
[28/Apr/2017:09:49:18.910575281 -0400] NSACLPlugin - ***END ACL INFO*****************************
[28/Apr/2017:09:49:18.911166875 -0400] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[28/Apr/2017:09:49:18.911847266 -0400] NSACLPlugin - Processed attr:userPassword for entry:o=redhat,dc=example,dc=com
[28/Apr/2017:09:49:18.912407820 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(23) " "test case""
[28/Apr/2017:09:49:18.912995622 -0400] NSACLPlugin - Found READ ALLOW in cache
[28/Apr/2017:09:49:18.913580341 -0400] NSACLPlugin - conn=26 op=1 (main): Allow read on entry(o=redhat,dc=example,dc=com).attr(userPassword) to anonymous: cached allow by aci(23)
[28/Apr/2017:09:49:38.805304691 -0400] NSACLPlugin - Failed to find root for base: o=REDHAT,dc=example,dc=com
[28/Apr/2017:09:49:38.806611119 -0400] NSACLPlugin - Failed to find root for base: dc=com
[28/Apr/2017:09:49:38.807504987 -0400] NSACLPlugin - #### conn=27 op=1 binddn=""
[28/Apr/2017:09:49:38.808291499 -0400] NSACLPlugin - ************ RESOURCE INFO STARTS *********
[28/Apr/2017:09:49:38.808988688 -0400] NSACLPlugin - Client DN:
[28/Apr/2017:09:49:38.809672291 -0400] NSACLPlugin - resource type:256(search target_DN )
[28/Apr/2017:09:49:38.810276008 -0400] NSACLPlugin - Slapi_Entry DN: o=redhat,dc=example,dc=com
[28/Apr/2017:09:49:38.810918402 -0400] NSACLPlugin - ATTR: objectClass
[28/Apr/2017:09:49:38.811480357 -0400] NSACLPlugin - rights:search
[28/Apr/2017:09:49:38.812038876 -0400] NSACLPlugin - ************ RESOURCE INFO ENDS *********
[28/Apr/2017:09:49:38.812624126 -0400] NSACLPlugin - Using ACL Container:0 for evaluation
[28/Apr/2017:09:49:38.813406607 -0400] NSACLPlugin - ***BEGIN ACL INFO[ Name: "test case"]***
[28/Apr/2017:09:49:38.813978975 -0400] NSACLPlugin - ACL Index:23 ACL_ELEVEL:0
[28/Apr/2017:09:49:38.814577532 -0400] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[28/Apr/2017:09:49:38.815153536 -0400] NSACLPlugin - ACI RULE type:(userdn )
[28/Apr/2017:09:49:38.815773656 -0400] NSACLPlugin - Slapi_Entry DN:dc=example,dc=com
[28/Apr/2017:09:49:38.816365462 -0400] NSACLPlugin - ***END ACL INFO*****************************
[28/Apr/2017:09:49:38.816945291 -0400] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[28/Apr/2017:09:49:38.817530854 -0400] NSACLPlugin - Processed attr:objectClass for entry:o=redhat,dc=example,dc=com
[28/Apr/2017:09:49:38.818049445 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(23) " "test case""
[28/Apr/2017:09:49:38.818667306 -0400] NSACLPlugin - conn=27 op=1 (main): Allow search on entry(o=redhat,dc=example,dc=com).attr(objectClass) to anonymous: allowed by aci(23): aciname= "test case", acidn="dc=example,dc=com"
[28/Apr/2017:09:49:38.819420294 -0400] NSACLPlugin - Using ACL Container:0 for evaluation
[28/Apr/2017:09:49:38.819966149 -0400] NSACLPlugin - ***BEGIN ACL INFO[ Name: "test case"]***
[28/Apr/2017:09:49:38.820490260 -0400] NSACLPlugin - ACL Index:23 ACL_ELEVEL:0
[28/Apr/2017:09:49:38.821020761 -0400] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[28/Apr/2017:09:49:38.821558692 -0400] NSACLPlugin - ACI RULE type:(userdn )
[28/Apr/2017:09:49:38.822189499 -0400] NSACLPlugin - Slapi_Entry DN:dc=example,dc=com
[28/Apr/2017:09:49:38.822771820 -0400] NSACLPlugin - ***END ACL INFO*****************************
[28/Apr/2017:09:49:38.823329583 -0400] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[28/Apr/2017:09:49:38.823844172 -0400] NSACLPlugin - Processed attr:objectClass for entry:o=redhat,dc=example,dc=com
[28/Apr/2017:09:49:38.824362391 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(23) " "test case""
[28/Apr/2017:09:49:38.825034903 -0400] NSACLPlugin - conn=27 op=1 (main): Allow read on entry(o=redhat,dc=example,dc=com).attr(objectClass) to anonymous: allowed by aci(23): aciname= "test case", acidn="dc=example,dc=com"
[28/Apr/2017:09:49:38.825632912 -0400] NSACLPlugin - Using ACL Container:0 for evaluation
[28/Apr/2017:09:49:38.826225361 -0400] NSACLPlugin - Num of ALLOW Handles:0, DENY handles:0
[28/Apr/2017:09:49:38.826808120 -0400] NSACLPlugin - conn=27 op=1 (main): Deny read on entry(o=redhat,dc=example,dc=com).attr(postalAddress) to anonymous: no aci matched the resource
[28/Apr/2017:09:50:09.061791619 -0400] NSACLPlugin - conn=28 op=1 (main): Allow search on entry(o=redhat,dc=example,dc=com): root user
[28/Apr/2017:09:50:09.063032867 -0400] NSACLPlugin - Root access (read) allowed on entry(o=redhat,dc=example,dc=com)
[28/Apr/2017:09:50:09.063881744 -0400] NSACLPlugin - Root access (read) allowed on entry(o=redhat,dc=example,dc=com)
[0 root@qeos-212 tickets]# py.test -v ticket49095_test.py
=========================================================== test session starts ============================================================
platform linux2 -- Python 2.7.5, pytest-3.0.7, py-1.4.33, pluggy-0.4.0 -- /usr/bin/python
cachedir: .cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-514.el7.x86_64-x86_64-with-redhat-7.3-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.0.7', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.4.0', 'metadata': '1.3.0'}}
DS build: 1.3.5.10
389-ds-base: 1.3.5.10-21.el7_3
nss: 3.28.4-1.0.el7_3
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.40-13.el7
svrcore: 4.1.2-1.el7
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/tickets, inifile:
plugins: metadata-1.3.0, html-1.14.2, cov-2.4.0, beakerlib-0.7.1
collected 1 items

ticket49095_test.py::test_ticket49095 PASSED

======================================================== 1 passed in 25.10 seconds =========================================================
[0 root@qeos-212 t

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1313
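The Doc Text above describes the defect only in words. The following is an added example, not code from the bug report or from 389-ds-base itself: a simplified Python model of how a `(targetattr != "...")` clause selects entry attributes, evaluated once with case-sensitive wildcard matching (the behaviour before the fix) and once case-insensitively (the fixed behaviour). The ACI string is the one used in the manual test above; the attribute names in `SAMPLE_ATTRS` are constructed, and the mixed-case spellings `TelephoneNumber` and `PostalCode` are hypothetical, chosen to show why the old behaviour matters: under an exclusion-style ACI, an attribute whose stored case differs from the pattern falls outside the exclusion and becomes readable by anonymous binds.

```python
"""Model of targetattr evaluation before and after the case-insensitivity fix (added example)."""
import fnmatch
import re

# Constructed: the ACI from the bug's manual test, applied to dc=example,dc=com.
TEST_ACI = ('(targetattr != "postal* || tele*") (version 3.0; acl "test case"; '
            'allow (read,compare,search)(userdn = "ldap:///anyone");)')

# Constructed attribute names. The mixed-case spellings are hypothetical; the
# bug's own entry used lower camel-case names such as postalAddress.
SAMPLE_ATTRS = ["objectClass", "TelephoneNumber", "PostalCode",
                "postalAddress", "o", "userPassword"]


def parse_targetattr(aci):
    """Return (operator, [patterns]) from the (targetattr ...) clause, or (None, [])."""
    m = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', aci)
    if not m:
        return None, []
    return m.group(1), [p.strip() for p in m.group(2).split("||")]


def attr_matches(attr, patterns, ignore_case):
    """Shell-style wildcard match of one attribute name against the ACI patterns."""
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.match(fnmatch.translate(p), attr, flags) for p in patterns)


def targetattr_applies(attr, aci, ignore_case):
    """True when the ACI's targetattr clause selects this attribute."""
    op, patterns = parse_targetattr(aci)
    if op is None:
        return True  # no targetattr clause: the ACI covers every attribute
    hit = attr_matches(attr, patterns, ignore_case)
    return hit if op == "=" else not hit


def readable_attrs(attrs, aci, ignore_case):
    """Attributes an anonymous reader obtains under this allow ACI."""
    return sorted(a for a in attrs if targetattr_applies(a, aci, ignore_case))


def leaked_by_case(attrs, aci):
    """Attributes exposed only because matching was case-sensitive (the bug)."""
    fixed = set(readable_attrs(attrs, aci, ignore_case=True))
    return [a for a in readable_attrs(attrs, aci, ignore_case=False) if a not in fixed]


if __name__ == "__main__":
    print("case-sensitive  :", readable_attrs(SAMPLE_ATTRS, TEST_ACI, ignore_case=False))
    print("case-insensitive:", readable_attrs(SAMPLE_ATTRS, TEST_ACI, ignore_case=True))
    print("leaked by case  :", leaked_by_case(SAMPLE_ATTRS, TEST_ACI))
```

`leaked_by_case` is the audit check a directory administrator running a pre-fix build would want: feed it the attribute names actually present in entries under the ACI's target and it reports which ones an exclusion-style `targetattr !=` rule fails to protect purely because of spelling. Note that `userPassword` is readable under this ACI in both modes, which is exactly what the "Allow read on entry(...).attr(userPassword) to anonymous" log lines above show; that is a consequence of the test ACI's broad exclusion form, not of the case bug.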