Bug 1445176

Summary: case sensitivity in ACI
Product: Red Hat Enterprise Linux 7
Reporter: Jaroslav Reznik <jreznik>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: urgent
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent
Version: 7.3
CC: amsharma, mreynolds, msauton, nhosoi, nkinder, pbokoc, rmeggins
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 389-ds-base-1.3.5.10-21.el7_3
Doc Type: Bug Fix
Doc Text:
Previously, target attributes used in access control lists were processed in a case-sensitive manner. This caused ACLs to behave unexpectedly when an entry's attributes used a different case than the attribute named in the ACL. This bug has been fixed by ensuring that target attribute evaluation uses case-insensitive comparisons, and ACLs now work as expected regardless of the case of the attribute names.
Story Points: ---
Clone Of: 1417344
Environment:
Last Closed: 2017-05-25 15:52:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1417344
Bug Blocks:

Description Jaroslav Reznik 2017-04-25 08:02:20 UTC
This bug has been copied from bug #1417344 and has been proposed
to be backported to 7.3 z-stream (EUS).

Comment 5 Amita Sharma 2017-04-28 13:56:57 UTC
Platform = Linux-3.10.0-514.el7.x86_64-x86_64-with-redhat-7.3-Maipo

rpm -qa | grep 389
389-ds-base-1.3.5.10-21.el7_3.x86_64
389-ds-base-debuginfo-1.3.5.10-21.el7_3.x86_64
389-ds-base-snmp-1.3.5.10-21.el7_3.x86_64
389-ds-base-libs-1.3.5.10-21.el7_3.x86_64

Automated test -
---------------------------- Captured stdout setup -----------------------------
OK group dirsrv exists
OK user dirsrv exists
----------------------------- Captured stderr call -----------------------------
INFO:tests.tickets.ticket49095_test:Test Passed

Manual Testing -
============
[0 root@qeos-212 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: dc=example,dc=com
> changetype: modify
> replace: aci
> aci: (targetattr != "postal* || tele*") (version 3.0; acl "test case"; allow (read,compare,search)(userdn = "ldap:///anyone");)
> EOF
modifying entry "dc=example,dc=com"

[0 root@qeos-212 yum.repos.d]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "dc=example,dc=com" aci -o ldif-wrap=no
dn: dc=example,dc=com
aci: (targetattr != "postal* || tele*") (version 3.0; acl "test case"; allow (read,compare,search)(userdn = "ldap:///anyone");)

[0 root@qeos-212 yum.repos.d]# ldapsearch -x -h localhost -p 389 -b "o=REDHAT,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <o=REDHAT,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# REDHAT, example.com
dn: o=REDHAT,dc=example,dc=com
objectClass: organization
objectClass: top
o: REDHAT
userPassword:: e1NTSEF9cjZhc0RRNW5LaVNwOUtlWkRQOVJ2SEY3N0dkTDdyT0NXTlpLelE9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[0 root@qeos-212 yum.repos.d]# ldapsearch -x -h localhost -p 389 -b "o=REDHAT,dc=example,dc=com" postaladdress
# extended LDIF
#
# LDAPv3
# base <o=REDHAT,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: postaladdress 
#

# REDHAT, example.com
dn: o=REDHAT,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[0 root@qeos-212 yum.repos.d]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "o=REDHAT,dc=example,dc=com" postaladdress
dn: o=REDHAT,dc=example,dc=com
postaladdress: 12345

[0 root@qeos-212 yum.repos.d]# rpm -qa | grep 389
389-ds-base-1.3.5.10-21.el7_3.x86_64
389-ds-base-debuginfo-1.3.5.10-21.el7_3.x86_64
389-ds-base-snmp-1.3.5.10-21.el7_3.x86_64
389-ds-base-libs-1.3.5.10-21.el7_3.x86_64
[0 root@qeos-212 yum.repos.d]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -w Secret123 -b "o=REDHAT,dc=example,dc=com"
dn: o=REDHAT,dc=example,dc=com
objectClass: organization
objectClass: top
telexNumber: 12345$023$ABCDE
teletexTerminalIdentifier: 12345
telephoneNumber: 12345
postalCode: 12345
postalAddress: 12345
o: REDHAT
userPassword:: e1NTSEF9cjZhc0RRNW5LaVNwOUtlWkRQOVJ2SEY3N0dkTDdyT0NXTlpLelE9PQ=
 =

LOGS
====
[28/Apr/2017:09:49:18.904151008 -0400] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[28/Apr/2017:09:49:18.904714653 -0400] NSACLPlugin - Processed attr:o for entry:o=redhat,dc=example,dc=com
[28/Apr/2017:09:49:18.905249927 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(23) " "test case""
[28/Apr/2017:09:49:18.905847416 -0400] NSACLPlugin - Found READ ALLOW in cache
[28/Apr/2017:09:49:18.906422300 -0400] NSACLPlugin - conn=26 op=1 (main): Allow read on entry(o=redhat,dc=example,dc=com).attr(o) to anonymous: cached allow by aci(23)
[28/Apr/2017:09:49:18.907007652 -0400] NSACLPlugin - Using ACL Container:0 for evaluation
[28/Apr/2017:09:49:18.907591878 -0400] NSACLPlugin - ***BEGIN ACL INFO[ Name: "test case"]***
[28/Apr/2017:09:49:18.908179307 -0400] NSACLPlugin - ACL Index:23   ACL_ELEVEL:0
[28/Apr/2017:09:49:18.908887135 -0400] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[28/Apr/2017:09:49:18.909464192 -0400] NSACLPlugin - ACI RULE type:(userdn )
[28/Apr/2017:09:49:18.909994727 -0400] NSACLPlugin - Slapi_Entry DN:dc=example,dc=com
[28/Apr/2017:09:49:18.910575281 -0400] NSACLPlugin - ***END ACL INFO*****************************
[28/Apr/2017:09:49:18.911166875 -0400] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[28/Apr/2017:09:49:18.911847266 -0400] NSACLPlugin - Processed attr:userPassword for entry:o=redhat,dc=example,dc=com
[28/Apr/2017:09:49:18.912407820 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(23) " "test case""
[28/Apr/2017:09:49:18.912995622 -0400] NSACLPlugin - Found READ ALLOW in cache
[28/Apr/2017:09:49:18.913580341 -0400] NSACLPlugin - conn=26 op=1 (main): Allow read on entry(o=redhat,dc=example,dc=com).attr(userPassword) to anonymous: cached allow by aci(23)
[28/Apr/2017:09:49:38.805304691 -0400] NSACLPlugin - Failed to find root for base: o=REDHAT,dc=example,dc=com 
[28/Apr/2017:09:49:38.806611119 -0400] NSACLPlugin - Failed to find root for base: dc=com 
[28/Apr/2017:09:49:38.807504987 -0400] NSACLPlugin - #### conn=27 op=1 binddn=""
[28/Apr/2017:09:49:38.808291499 -0400] NSACLPlugin -     ************ RESOURCE INFO STARTS *********
[28/Apr/2017:09:49:38.808988688 -0400] NSACLPlugin -     Client DN: 
[28/Apr/2017:09:49:38.809672291 -0400] NSACLPlugin -     resource type:256(search target_DN )
[28/Apr/2017:09:49:38.810276008 -0400] NSACLPlugin -     Slapi_Entry DN: o=redhat,dc=example,dc=com
[28/Apr/2017:09:49:38.810918402 -0400] NSACLPlugin -     ATTR: objectClass
[28/Apr/2017:09:49:38.811480357 -0400] NSACLPlugin -     rights:search
[28/Apr/2017:09:49:38.812038876 -0400] NSACLPlugin -     ************ RESOURCE INFO ENDS   *********
[28/Apr/2017:09:49:38.812624126 -0400] NSACLPlugin - Using ACL Container:0 for evaluation
[28/Apr/2017:09:49:38.813406607 -0400] NSACLPlugin - ***BEGIN ACL INFO[ Name: "test case"]***
[28/Apr/2017:09:49:38.813978975 -0400] NSACLPlugin - ACL Index:23   ACL_ELEVEL:0
[28/Apr/2017:09:49:38.814577532 -0400] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[28/Apr/2017:09:49:38.815153536 -0400] NSACLPlugin - ACI RULE type:(userdn )
[28/Apr/2017:09:49:38.815773656 -0400] NSACLPlugin - Slapi_Entry DN:dc=example,dc=com
[28/Apr/2017:09:49:38.816365462 -0400] NSACLPlugin - ***END ACL INFO*****************************
[28/Apr/2017:09:49:38.816945291 -0400] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[28/Apr/2017:09:49:38.817530854 -0400] NSACLPlugin - Processed attr:objectClass for entry:o=redhat,dc=example,dc=com
[28/Apr/2017:09:49:38.818049445 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(23) " "test case""
[28/Apr/2017:09:49:38.818667306 -0400] NSACLPlugin - conn=27 op=1 (main): Allow search on entry(o=redhat,dc=example,dc=com).attr(objectClass) to anonymous: allowed by aci(23): aciname= "test case", acidn="dc=example,dc=com"
[28/Apr/2017:09:49:38.819420294 -0400] NSACLPlugin - Using ACL Container:0 for evaluation
[28/Apr/2017:09:49:38.819966149 -0400] NSACLPlugin - ***BEGIN ACL INFO[ Name: "test case"]***
[28/Apr/2017:09:49:38.820490260 -0400] NSACLPlugin - ACL Index:23   ACL_ELEVEL:0
[28/Apr/2017:09:49:38.821020761 -0400] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[28/Apr/2017:09:49:38.821558692 -0400] NSACLPlugin - ACI RULE type:(userdn )
[28/Apr/2017:09:49:38.822189499 -0400] NSACLPlugin - Slapi_Entry DN:dc=example,dc=com
[28/Apr/2017:09:49:38.822771820 -0400] NSACLPlugin - ***END ACL INFO*****************************
[28/Apr/2017:09:49:38.823329583 -0400] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[28/Apr/2017:09:49:38.823844172 -0400] NSACLPlugin - Processed attr:objectClass for entry:o=redhat,dc=example,dc=com
[28/Apr/2017:09:49:38.824362391 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(23) " "test case""
[28/Apr/2017:09:49:38.825034903 -0400] NSACLPlugin - conn=27 op=1 (main): Allow read on entry(o=redhat,dc=example,dc=com).attr(objectClass) to anonymous: allowed by aci(23): aciname= "test case", acidn="dc=example,dc=com"
[28/Apr/2017:09:49:38.825632912 -0400] NSACLPlugin - Using ACL Container:0 for evaluation
[28/Apr/2017:09:49:38.826225361 -0400] NSACLPlugin - Num of ALLOW Handles:0, DENY handles:0
[28/Apr/2017:09:49:38.826808120 -0400] NSACLPlugin - conn=27 op=1 (main): Deny read on entry(o=redhat,dc=example,dc=com).attr(postalAddress) to anonymous: no aci matched the resource
[28/Apr/2017:09:50:09.061791619 -0400] NSACLPlugin - conn=28 op=1 (main): Allow search on entry(o=redhat,dc=example,dc=com): root user
[28/Apr/2017:09:50:09.063032867 -0400] NSACLPlugin - Root access (read) allowed on entry(o=redhat,dc=example,dc=com)
[28/Apr/2017:09:50:09.063881744 -0400] NSACLPlugin - Root access (read) allowed on entry(o=redhat,dc=example,dc=com)
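To make the failure mode described in the Doc Text concrete, here is an added Python model of how an ACI targetattr clause selects attributes, applied to the ACI and attribute names from the manual test above. It is an illustration written for this page, not code from 389-ds-base: parsing is limited to the targetattr clause, the `case_insensitive` flag switches between byte-for-byte (pre-fix) and case-folded (fixed) comparison, and the mixed-case attribute `PostalAddress` is a constructed input that shows the difference.

```python
import fnmatch
import re

# ACI taken from the manual test in this bug, used here as sample input.
TEST_ACI = ('(targetattr != "postal* || tele*") (version 3.0; acl "test case"; '
            'allow (read,compare,search)(userdn = "ldap:///anyone");)')


def parse_targetattr(aci):
    """Return (negated, patterns) from the targetattr clause of an ACI.

    Only the targetattr keyword is parsed; patterns are separated by '||'
    as in the ACI syntax. Simplified model, not the server's ACI parser.
    """
    m = re.search(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', aci)
    if not m:
        raise ValueError("no targetattr clause in ACI")
    negated = m.group(1) == "!="
    patterns = [p.strip() for p in m.group(2).split("||") if p.strip()]
    return negated, patterns


def attr_is_targeted(attr, aci, case_insensitive=True):
    """True when the ACI's targetattr clause covers attribute `attr`.

    case_insensitive=False compares names byte-for-byte, the pre-fix
    behaviour the Doc Text describes; True models the fixed behaviour.
    """
    negated, patterns = parse_targetattr(aci)
    name = attr.lower() if case_insensitive else attr
    matched = any(
        fnmatch.fnmatchcase(name, p.lower() if case_insensitive else p)
        for p in patterns
    )
    # With '!=' an attribute is targeted exactly when no pattern matches it,
    # so a pattern that fails to match only because of case leaks the attribute
    # into the allow rule.
    return matched != negated


def anonymous_can_read(attr, aci=TEST_ACI, case_insensitive=True):
    """The ACI's allow rule grants read only on attributes it targets."""
    return attr_is_targeted(attr, aci, case_insensitive)


if __name__ == "__main__":
    for attr in ("o", "postalAddress", "telephoneNumber", "PostalAddress"):
        print(attr, "pre-fix:", anonymous_can_read(attr, case_insensitive=False),
              "fixed:", anonymous_can_read(attr))
```

With case-folded matching every spelling of postalAddress is excluded from the anonymous allow rule, which is the behaviour the denied `postaladdress` search and the "Deny read ... attr(postalAddress)" log line above confirm.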

Comment 6 Amita Sharma 2017-04-28 14:07:12 UTC
[0 root@qeos-212 tickets]# py.test -v ticket49095_test.py 
=========================================================== test session starts ============================================================
platform linux2 -- Python 2.7.5, pytest-3.0.7, py-1.4.33, pluggy-0.4.0 -- /usr/bin/python
cachedir: .cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-514.el7.x86_64-x86_64-with-redhat-7.3-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.0.7', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.4.0', 'metadata': '1.3.0'}}
DS build: 1.3.5.10
389-ds-base: 1.3.5.10-21.el7_3
nss: 3.28.4-1.0.el7_3
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.40-13.el7
svrcore: 4.1.2-1.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/tickets, inifile:
plugins: metadata-1.3.0, html-1.14.2, cov-2.4.0, beakerlib-0.7.1
collected 1 items 

ticket49095_test.py::test_ticket49095 PASSED

======================================================== 1 passed in 25.10 seconds =========================================================
[0 root@qeos-212 t

Comment 8 errata-xmlrpc 2017-05-25 15:52:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1313