Bug 457156

Summary: GER: allow GER for non-existing entries (phase 2)
Product: [Retired] 389 Reporter: Noriko Hosoi <nhosoi>
Component: Security - Access Control (GER)Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED CURRENTRELEASE QA Contact: Chandrasekar Kannan <ckannan>
Severity: low Docs Contact:
Priority: low    
Version: 1.1.1CC: benl, jgalipea, jlieskov, nkinder, rmeggins
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: comment#8.review+nhosoi
Fixed In Version: 8.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-04-29 23:05:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 249650, 452721    
Attachments:
Description Flags
cvs diff ldap/servers/plugins/acl/acleffectiverights.c
none
test ldif file
none
cvs diff ldap/servers/plugins/acl/acleffectiverights.c
none
cvs commit message
none
cvs diff ldap/servers/plugins/acl/acleffectiverights.c
none
cvs commit message
none
diffs - memory leaks
none
cvs commit log - mem leaks none

Description Noriko Hosoi 2008-07-29 21:56:38 UTC
Description of problem:
"437525: GER: allow GER for non-existing entries" introduced a new type of list
(e.g., "*@inetorgperson" "*@posixaccount") to the ldapsearch when the Get
Effective Rights Control OID is given.  If such list is given, a template entry
is internally created and the effective rights are evaluated.  Currently, the
entry is not associated with any suffix.  Therefore, no meaning ACIs are applied
to the template entry.

Since the search specifies the search base, we could use the dn as the template
entry is located.

Comment 1 Noriko Hosoi 2008-07-29 23:05:22 UTC
Created attachment 312947 [details]
cvs diff ldap/servers/plugins/acl/acleffectiverights.c

Description: get the target dn from the pblock and add it to the template entry
dn if available.  Plus a memory leak was found and fixed at the same time.

Comment 2 Noriko Hosoi 2008-07-30 15:29:03 UTC
Created attachment 313006 [details]
test ldif file

This test sets ACI:
aci: (target=ldap:///ou=Accounting,dc=example,dc=com)(targetattr="*")(version
3.
0; acl "tp25"; allow (read,search,compare) (userdn = "ldap:///anyone") ;)

That is, no ACI in dc=example,dc=com, nor entries under ou other than
ou=Accounting; entries under ou=Accounting,dc=example,dc=com have the
permission rsc.

Test cases:
1) search from dc=example,dc=com:
$ ldapsearch -D "cn=Directory Manager" -w <pw> -b "dc=example,dc=com" -s base
-J "1.3.6.1.4.1.42.2.27.9.5.2:false:dn: cn=Jacques SMITH, dc=example,dc=com"
"(uidnumber=*)" "*@posixaccount"
dn: cn=template_posixaccount_objectclass,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: dummy
gidNumber: dummy
uidNumber: dummy
uid: dummy
cn: dummy
entryLevelRights: none
attributeLevelRights: cn:none, uid:none, uidNumber:none, gidNumber:none, homeD
 irectory:none, objectClass:none, userPassword:none, loginShell:none, gecos:n
 one, description:none, aci:none

2) search from ou=accounting,dc=example,dc=com:
$ ldapsearch -D "cn=Directory Manager" -w <pw> -b
"ou=accounting,dc=example,dc=com" -s base -J
"1.3.6.1.4.1.42.2.27.9.5.2:false:dn: cn=Jacques SMITH, dc=example,dc=com"
"(uidnumber=*)" "*@posixaccount"
dn: cn=template_posixaccount_objectclass,ou=accounting,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: dummy
gidNumber: dummy
uidNumber: dummy
uid: dummy
cn: dummy
entryLevelRights: v
attributeLevelRights: cn:rsc, uid:rsc, uidNumber:rsc, gidNumber:rsc, homeDirec
 tory:rsc, objectClass:rsc, userPassword:rsc, loginShell:rsc, gecos:rsc, desc
 ription:rsc, aci:rsc

3) search from ou=payroll,dc=example,dc=com:
$ ldapsearch -D "cn=Directory Manager" -w <pw> -b
"ou=payroll,dc=example,dc=com" -s base -J "1.3.6.1.4.1.42.2.27.9.5.2:false:dn:
cn=Jacques SMITH, dc=example,dc=com" "(uidnumber=*)" "*@posixaccount"
dn: cn=template_posixaccount_objectclass,ou=payroll,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: dummy
gidNumber: dummy
uidNumber: dummy
uid: dummy
cn: dummy
entryLevelRights: none
attributeLevelRights: cn:none, uid:none, uidNumber:none, gidNumber:none, homeD
 irectory:none, objectClass:none, userPassword:none, loginShell:none, gecos:n
 one, description:none, aci:none

4) search from "" (no acis are set):
ldapsearch D "cn=Directory Manager" -w <pw> -b "" -s base -J
"1.3.6.1.4.1.42.2.27.9.5.2:false:dn: cn=Jacques SMITH, dc=example,dc=com"
"(uidnumber=*)" "*@posixaccount"version: 1
dn: cn=template_posixaccount_objectclass,
objectClass: posixaccount
objectClass: top
homeDirectory: dummy
gidNumber: dummy
uidNumber: dummy
uid: dummy
cn: dummy
entryLevelRights: none
attributeLevelRights: cn:none, uid:none, uidNumber:none, gidNumber:none, homeD
 irectory:none, objectClass:none, userPassword:none, loginShell:none, gecos:n
 one, description:none, aci:none

Comment 3 Noriko Hosoi 2008-07-31 17:21:25 UTC
Created attachment 313120 [details]
cvs diff ldap/servers/plugins/acl/acleffectiverights.c

Following the suggestion from Nathan, the "dummy" attributes are replaced with
"(template_attribute)".

Sample result:
$ ldapsearch -D "uid=TVradmin0, ou=Accounting, dc=example,dc=com" -w TVradmin0
-b "ou=accounting,dc=example,dc=com" -s base -J
"1.3.6.1.4.1.42.2.27.9.5.2:false:dn: uid=TVradmin0, ou=Accounting,
dc=example,dc=com" "(uidnumber=*)" "*@posixaccount"
version: 1
dn: cn=template_posixaccount_objectclass,ou=accounting,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: (template_attribute)
gidNumber: (template_attribute)
uidNumber: (template_attribute)
uid: (template_attribute)
cn: (template_attribute)
entryLevelRights: v
attributeLevelRights: cn:rsc, uid:rsc, uidNumber:rsc, gidNumber:rsc, homeDirec
 tory:rsc, objectClass:rsc, userPassword:rsc, loginShell:rsc, gecos:rsc, desc
 ription:rsc, aci:rsc

Comment 4 Noriko Hosoi 2008-07-31 17:26:49 UTC
Created attachment 313121 [details]
cvs commit message

Thanks to Nathan for his reviews and suggestions!

Checked in into CVS HEAD.

Comment 5 Noriko Hosoi 2008-07-31 21:04:23 UTC
Noticed one flaw.  When an empty string "" (rootdse) is the search base dn, ","
is added to the template objectclass rdn, which should not be.

$ ldapsearch -D "cn=Directory Manager" -w Secret123 -b "" -s base -J
"1.3.6.1.4.1.42.2.27.9.5.2:false:dn: uid=tuser0, ou=Accounting,
dc=example,dc=com" "(uidnumber=*)" "*@posixaccount"
version: 1
dn: cn=template_posixaccount_objectclass, <==
objectClass: posixaccount
objectClass: top
homeDirectory: (template_attribute)
gidNumber: (template_attribute)
uidNumber: (template_attribute)
uid: (template_attribute)
cn: (template_attribute)
entryLevelRights: none
attributeLevelRights: cn:none, uid:none, uidNumber:none, gidNumber:none, homeD
 irectory:none, objectClass:none, userPassword:none, loginShell:none, gecos:n
 one, description:none, aci:none


Comment 6 Noriko Hosoi 2008-07-31 21:25:53 UTC
Created attachment 313136 [details]
cvs diff ldap/servers/plugins/acl/acleffectiverights.c

Not just checking if dn is NULL or not, but also checking the length of dn is
greater than 0.  If both conditions are satisfied, locate the template entry at
the dn.

Comment 7 Noriko Hosoi 2008-07-31 21:28:03 UTC
Created attachment 313137 [details]
cvs commit message

Checked in into CVS HEAD.

Comment 8 Rich Megginson 2008-08-08 23:35:20 UTC
Created attachment 313854 [details]
diffs - memory leaks

Comment 9 Noriko Hosoi 2008-08-08 23:44:04 UTC
Thanks, Rich, for finding out the leaks.

Comment 10 Rich Megginson 2008-08-11 16:29:45 UTC
AFAICT, the leaks can be triggered by an anonymous search.  The leaks can be mitigated by disabling anonymous search, but some applications may not be able to do that.

Comment 11 Rich Megginson 2008-08-11 17:02:52 UTC
Created attachment 313980 [details]
cvs commit log - mem leaks

Reviewed by: nhosoi (Thanks!)
Fix Description: There are a couple of memory leaks in the code.  acleffectiverights.c line 617 calls slapi_attr_get_valueset to get the list of objectclass values in objclassvals - this function allocates memory (returns a dup of the list) but this is not freed.  The fix is to call slapi_valueset_free() to free it.  The allattrs and opattrs arrays are not freed in all conditions.  The fix is to make sure they are freed in all conditions.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no

Comment 12 Jenny Severance 2009-04-06 16:12:10 UTC
verified RHEL 5 DS 8.1

test 1:

[root@jennyv2 457156]# /usr/lib/mozldap/ldapsearch -D "cn=Directory Manager" -w Secret123 -b "dc=example,dc=com" -s base -J "1.3.6.1.4.1.42.2.27.9.5.2:false:dn: cn=Jacques SMITH, dc=example,dc=com" "(uidnumber=*)" "*@posixaccount"
version: 1
dn: cn=template_posixaccount_objectclass,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: (template_attribute)
gidNumber: (template_attribute)
uidNumber: (template_attribute)
uid: (template_attribute)
cn: (template_attribute)
entryLevelRights: none
attributeLevelRights: cn:none, uid:none, uidNumber:none, gidNumber:none, homeD
 irectory:none, objectClass:none, userPassword:none, loginShell:none, gecos:n
 one, description:none, aci:none

test 2:

[root@jennyv2 457156]# /usr/lib/mozldap/ldapsearch -D "cn=Directory Manager" -w Secret123 -b "ou=accounting,dc=example,dc=com" -s base -J "1.3.6.1.4.1.42.2.27.9.5.2:false:dn: cn=Jacques SMITH, dc=example,dc=com" "(uidnumber=*)" "*@posixaccount"
version: 1
dn: cn=template_posixaccount_objectclass,ou=accounting,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: (template_attribute)
gidNumber: (template_attribute)
uidNumber: (template_attribute)
uid: (template_attribute)
cn: (template_attribute)
entryLevelRights: v
attributeLevelRights: cn:rsc, uid:rsc, uidNumber:rsc, gidNumber:rsc, homeDirec
 tory:rsc, objectClass:rsc, userPassword:rsc, loginShell:rsc, gecos:rsc, desc
 ription:rsc, aci:rsc

test:3

[root@jennyv2 457156]# /usr/lib/mozldap/ldapsearch -D "cn=Directory Manager" -w Secret123 -b "ou=payroll,dc=example,dc=com" -s base -J "1.3.6.1.4.1.42.2.27.9.5.2:false:dn: cn=Jacques SMITH, dc=example,dc=com" "(uidnumber=*)" "*@posixaccount"
version: 1
dn: cn=template_posixaccount_objectclass,ou=payroll,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: (template_attribute)
gidNumber: (template_attribute)
uidNumber: (template_attribute)
uid: (template_attribute)
cn: (template_attribute)
entryLevelRights: none
attributeLevelRights: cn:none, uid:none, uidNumber:none, gidNumber:none, homeD
 irectory:none, objectClass:none, userPassword:none, loginShell:none, gecos:n
 one, description:none, aci:none

test 4:

[root@jennyv2 457156]# /usr/lib/mozldap/ldapsearch -D "cn=Directory Manager" -w Secret123 -b "" -s base -J "1.3.6.1.4.1.42.2.27.9.5.2:false:dn: cn=Jacques SMITH, dc=example,dc=com" "(uidnumber=*)" "*@posixaccount"version: 1
dn: cn=template_posixaccount_objectclass
objectClass: posixaccount
objectClass: top
homeDirectory: (template_attribute)
gidNumber: (template_attribute)
uidNumber: (template_attribute)
uid: (template_attribute)
cn: (template_attribute)
entryLevelRights: none
attributeLevelRights: cn:none, uid:none, uidNumber:none, gidNumber:none, homeD
 irectory:none, objectClass:none, userPassword:none, loginShell:none, gecos:n
 one, description:none, aci:none

Comment 13 Chandrasekar Kannan 2009-04-29 23:05:18 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html