Bug 1453155

Summary: unable to retrieve specific cosAttribute when subtree password policy is configured.
Product: Red Hat Enterprise Linux 7
Reporter: Hiroko Miura <hmiura>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.1
CC: gparente, hmiura, mreynolds, nkinder, rmeggins, tkubota, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.3.7.5-5.el7
Doc Type: Bug Fix
Doc Text:
Directory Server now correctly sets whether virtual attributes are operational

The "pwdpolicysubentry" subtree password policy attribute in Directory Server is flagged as operational. However, in the previous version of Directory Server, this flag was incorrectly applied to the virtual attributes that were processed after it. As a consequence, the search results were not visible to the client. With this update, the server now resets the attribute before processing the next virtual attribute and Class of Service (CoS). As a result, the expected virtual attributes and CoS are now returned to the client.
Last Closed: 2018-04-10 14:16:50 UTC
Type: Bug
Bug Blocks: 1298243, 1420851, 1498958
Attachments: custom schema and sample LDIF

Description Hiroko Miura 2017-05-22 09:38:04 UTC
Created attachment 1280972 [details]
custom schema and sample LDIF

Description of problem:

An indirect CoS is defined with custom attributes as follows.
---
dn: cn=cosDefinition,dc=test,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: cossuperdefinition
objectClass: cosIndirectDefinition
cosAttribute: ou merge-schemes
cosAttribute: x-department merge-schemes
cosAttribute: x-en-ou merge-schemes
cn: cosDefinition
cosIndirectSpecifier: seeAlso
---

This worked without problems.
But the specific cosAttribute (custom attribute) 'x-department' is not returned in a search with no attributes specified after a subtree password policy is configured.

Version-Release number of selected component (if applicable):

389-ds-base-1.3.4.0-29.el7_2.x86_64

How reproducible:

This can be reproduced with attached custom schema and sample LDIF.


Steps to Reproduce:

1. Configure the custom schema

  # ldapmodify -D "cn=directory manager" -W -f modSchema.ldif

2. Create the suffix dc=test,dc=com and import test.ldif

   => Please note that 2 CoS are defined at dc=test,dc=com.
         nsPwPolicy_CoS - CoS for sub-tree password policy
         cosDefinition - problematic CoS above

3. Search for user1, which looks like the following in test.ldif
---
dn: uid=user1,ou=sub1,dc=test,dc=com
uid: user1
seeAlso: uid=GManager,ou=Org,dc=test,dc=com
givenName: user1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: xperson
sn: user1
cn: user1
---
   
$ ldapsearch -D "cn=directory manager" -w dirmanager -b dc=test,dc=com uid=user1
dn: uid=user1,ou=sub1,dc=test,dc=com
uid: user1
seeAlso: uid=GManager,ou=Org,dc=test,dc=com
givenName: user1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: xperson
sn: user1
cn: user1
ou: OU_CoS
x-en-ou: OU-en_CoS

$
   => 'x-department' is not returned even though the other cosAttributes 'ou' and 'x-en-ou' are returned.

 But if the problematic cosAttribute 'x-department' is specified explicitly, it can be retrieved.

$ ldapsearch -D "cn=directory manager" -w dirmanager -b dc=test,dc=com uid=user1 x-department
dn: uid=user1,ou=sub1,dc=test,dc=com
x-department: x-department_CoS

$

Actual results:

The cosAttribute (custom attribute) 'x-department' is not returned.

Expected results:

The cosAttribute (custom attribute) 'x-department' is returned even in a search without specifying it.

Additional info:

Comment 2 Hiroko Miura 2017-05-23 01:55:34 UTC
Created attachment 1281302 [details]
custom schema and sample LDIF

Comment 5 mreynolds 2017-10-03 18:01:24 UTC
Upstream ticket:
https://pagure.io/389-ds-base/issue/49389

Comment 6 mreynolds 2017-10-03 21:05:57 UTC
I was able to reproduce the problem.  

The issue is that when a subtree password policy attribute was encountered during the virtual attribute processing it set a flag that said the attribute was operational (which is correct for the password policy attr: pwdpolicysubentry). 

However, this flag was accidentally carried over to the following virtual attributes that were being processed.  In this case "x-department" was accidentally still seen as operational which is why it was no longer being returned to the client.

Fix is in progress...
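
Added example, not part of the comment above and not 389-ds-base source: a minimal C model of the stale-flag defect that Comment 6 describes, with the per-attribute reset beside it. The struct, the function name and the evaluation order of the sample attributes are assumptions chosen to match the search output in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not 389-ds-base source. */
struct vattr {
    const char *name;
    bool marks_operational; /* provider flags the attribute operational */
};

/* Constructed sample; the evaluation order is an assumption chosen to
 * match the search output in the report. */
static const struct vattr SAMPLE[] = {
    {"ou", false}, {"x-en-ou", false},
    {"pwdpolicysubentry", true}, {"x-department", false},
};
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Returns how many attributes a search with no attribute list would
 * return (operational ones are filtered out) and reports whether
 * `probe` is among them. reset_per_attr=false keeps the flag from the
 * previous attribute (the defect); true clears it first (the fix). */
size_t visible_count(const struct vattr *va, size_t n, bool reset_per_attr,
                     const char *probe, bool *probe_visible)
{
    bool operational = false; /* state shared by all loop iterations */
    size_t shown = 0;
    *probe_visible = false;
    for (size_t i = 0; i < n; i++) {
        if (reset_per_attr) operational = false;
        if (va[i].marks_operational) operational = true;
        if (operational) continue; /* hidden unless requested by name */
        shown++;
        if (strcmp(va[i].name, probe) == 0) *probe_visible = true;
    }
    return shown;
}

int main(void)
{
    for (int fix = 0; fix <= 1; fix++) {
        bool seen;
        size_t n = visible_count(SAMPLE, SAMPLE_LEN, fix, "x-department", &seen);
        printf("reset=%d: %zu returned, x-department visible=%d\n", fix, n, seen);
    }
    return 0;
}
```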

Comment 10 mreynolds 2017-10-04 13:20:04 UTC
Fixed upstream.

I will ask my manager to add a 7.4-z flag (as I can not do that).

But, this fix would not go into an official RHEL build for many months (batch update 3), but support can generate a hotfix for the customer now that the fix is upstream.

Comment 16 ashiveka 2017-11-27 05:08:19 UTC
    ============================================================================ test session starts ============================================================================
    platform linux2 -- Python 2.7.5, pytest-3.2.5, py-1.5.2, pluggy-0.4.0 -- /usr/bin/python
    cachedir: .cache
    metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-768.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'py': '1.5.2', 'pytest': '3.2.5', 'pluggy': '0.4.0'}, 'Plugins': {'html': '1.16.0', 'metadata': '1.5.0'}}
    389-ds-base: 1.3.7.5-9.el7
    nss: 3.34.0-0.1.beta1.el7
    nspr: 4.17.0-1.el7
    openldap: 2.4.44-9.el7
    svrcore: 4.1.3-2.el7
     
    rootdir: /export/tests, inifile:
    plugins: metadata-1.5.0, html-1.16.0
    collected 1 item                                                                                                                                                            
     
    suites/cos/indirect_cos_test.py::test_indirect_cos PASSED
     
    ------------------------------------------------------- generated xml file: /mnt/tests/rhds/tests/upstream/report.xml -------------------------------------------------------
    ------------------------------------------------------ generated html file: /mnt/tests/rhds/tests/upstream/report.html ------------------------------------------------------
    ========================================================================= 1 passed in 12.54 seconds =========================================================================

Comment 21 errata-xmlrpc 2018-04-10 14:16:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811