Bug 560827
| Summary: | Admin Server: DistinguishName validation fails | | |
|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Noriko Hosoi <nhosoi> |
| Component: | Admin | Assignee: | Noriko Hosoi <nhosoi> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 1.3.0 | CC: | jgalipea, rmeggins |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-12-07 17:03:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 434914, 543590 | | |
| Attachments: | | | |
Description
Noriko Hosoi
2010-02-01 23:15:24 UTC
Created attachment 388163 [details]
git patch file
Files:
admserv/schema/ldif/00nsroot_backend.ldif.tmpl
admserv/schema/ldif/01nsroot.ldif.tmpl
admserv/schema/ldif/10dsdata.ldif.tmpl
admserv/schema/ldif/10rm_dsdata.ldif.tmpl
admserv/schema/ldif/20asdata.ldif.tmpl
Fix Description: Escaping double quotes '"' that appeared in the DN string.
Tests: setup-ds-admin.pl successfully installs the Configuration Directory
Server. "o=netscaperoot" and its subtree is able to expand in the Console.
Note: The escaped backslash \\ appears on the Console pane. For instance, on the Directory panel, choose netscaperoot | <domain> | UserPreferences. Then UserPreferences are displayed with \\" under UserPreferences.
\\"uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot\\" (1 aci)
\\"cn=slapd-kiki, cn=389 Directory Server, cn=Server Group, cn=kiki.usersys.redhat.com, ou=usersys.redhat.com, o=NetscapeRoot\\" (1 aci)
\\"cn=Directory Manager\\" (1 aci)
\\"cn=admin-serv-kiki, cn=389 Administration Server, cn=Server Group, cn=kiki.usersys.redhat.com, ou=usersys.redhat.com, o=NetscapeRoot\\" (1 aci)
\\"cn=slapd-kiki0, cn=389 Directory Server, cn=Server Group, cn=kiki.usersys.redhat.com, ou=usersys.redhat.com, o=NetscapeRoot\\" (1 aci)
I think we should be using LDAPv3 escape sequences - double quotes are LDAPv2 and are deprecated. In addition, any time we use a DN as part of another DN, we must make sure that the DN is normalized, otherwise, matching becomes quite difficult, as we usually do this with attributes that are not DN syntax.

Instead of
cn="o=NetscapeRoot",cn=mapping tree,cn=config
we should use
cn=o\3Dnetscaperoot,cn=mapping tree,cn=config

Instead of
ou="uid=%as_uid%, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",ou=UserPreferences, ou=%domain%, o=NetscapeRoot
we should use
ou=uid\3D%as_uid%\2Cou\3Dadministrators\2Cou\3Dtopologymanagement\2Co\3Dnetscaperoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot

And we must make sure that %as_uid% here is properly escaped and normalized before we use it in the value - we will probably have to add another token like %as_uid_dn_escaped% for use in DN values.

Note that the space after the comma is not really RFC compliant - http://www.ietf.org/rfc/rfc4514.txt - but all LDAPv3 implementations will normalize the space away. We should avoid using spaces in our DNs.

There are other related bugs - https://bugzilla.redhat.com/show_bug.cgi?id=509201 - and many other places in our code where we use a DN value in the RDN of another DN - the mapping tree/suffix/database code, replication, roles, CoS, password policy, bind resource limits - and there is code in the core server, in the admin server, in the console, and in the various perl scripts that need to be aware of DN escaping and normalization.

Created attachment 388648 [details]
git patch file (ldapserver)
Description: adding a perl subroutine dnEscape to escape special
characters and eliminate spaces around ',', which is to make
the given dn compliant with RFC4514.
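The escaping described in the comment above and in the dnEscape subroutine this attachment adds, as an added C example that is not the project's code (the names escape_for_dn_value and canon_dn_escapes are hypothetical, and the input DN is constructed from the bug's templates): the first function makes a DN usable as a single RDN value by hex-escaping the RFC 4514 specials and dropping the spaces after commas; the second folds the \= and \3D spellings the server accepts into one form so the two compare equal.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* RFC 4514 section 2.4: specials that must always be escaped inside a value,
 * and the full set a backslash may precede (adds leading/trailing space, '#'). */
static int dn_special(char c)   { return c && strchr(",=+\"\\<>;", c) != NULL; }
static int dn_escapable(char c) { return c && strchr(" #,=+\"\\<>;", c) != NULL; }

/* Escape a DN for use as one RDN value of another DN. Specials become \HH
 * (the LDAPv3 hex form), spaces after ',' are dropped, and a leading '#' or
 * space and a trailing space are escaped too. Returns NULL if out is too small. */
char *escape_for_dn_value(const char *in, char *out, size_t outsz) {
    size_t o = 0, n = strlen(in);
    int after_comma = 0;
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        if (c == ' ' && after_comma) continue;          /* "a, b" -> "a\2Cb" */
        after_comma = (c == ',');
        int edge = (o == 0 && (c == ' ' || c == '#')) || (c == ' ' && i + 1 == n);
        if (!dn_special(c) && !edge) { if (o + 1 >= outsz) return NULL; out[o++] = c; continue; }
        if (o + 3 >= outsz) return NULL;
        snprintf(out + o, 4, "\\%02X", (unsigned char)c);
        o += 3;
    }
    out[o] = '\0';
    return out;
}

/* Fold the two escape spellings the server accepts, \c and \hh, into one
 * canonical \HH form so "\=" and "\3D" compare equal. NULL if out is too small. */
char *canon_dn_escapes(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        int hex = *p == '\\' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2]);
        int lit = *p == '\\' && dn_escapable(p[1]);
        if (!hex && !lit) { if (o + 1 >= outsz) return NULL; out[o++] = *p; continue; }
        if (o + 3 >= outsz) return NULL;
        if (lit) snprintf(out + o, 4, "\\%02X", (unsigned char)p[1]);
        else     snprintf(out + o, 4, "\\%c%c", toupper((unsigned char)p[1]), toupper((unsigned char)p[2]));
        o += 3;
        p += lit ? 1 : 2;
    }
    out[o] = '\0';
    return out;
}

int main(void) {  /* constructed input: the nested DN from the bug's templates */
    char v[256];
    puts(escape_for_dn_value("uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot", v, sizeof v));
}
```

Case is left untouched, so the output matches the escaped form Noriko quotes later in the thread rather than the lower-cased normalized form.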
Created attachment 388650 [details]
git patch file (adminserver)
Description:
admserv/newinst/src/dirserver.map.in
/register_param.map.in
--- added escapedrootdn key, which is an escaped rootdn compliant
with RFC4514
admserv/schema/ldif/*.tmpl
--- removed unescaped '"' from dn strings, which violates RFC4514.
escaped special characters ('=' and ',') which used to be a
value surrounded in the double quotes '"'.
removed spaces around ','
Created attachment 388665 [details]
git patch file (ldapserver)
Description: adding a perl subroutine dnEscape to escape special
characters and eliminate spaces around ',', which is to make
the given dn compliant with RFC4514.
Fixed a typo pointed by Nathan (Thank you!!!)
<nkinder> It says "surrownding". Should be "surrounding".
(In reply to comment #5)
> Created an attachment (id=388665) [details]
> git patch file (ldapserver)

Reviewed by Nathan (Thank you!!!)
Pushed to master.
$ git merge work
Updating 0544378..5c859f5
Fast forward
 ldap/admin/src/scripts/DSUtil.pm.in | 31 +++++++++++++++++++++++++++++++
 1 files changed, 31 insertions(+), 0 deletions(-)
$ git push
Counting objects: 13, done.
Delta compression using 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 1.15 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   0544378..5c859f5  master -> master

(In reply to comment #4)
> Created an attachment (id=388650) [details]
> git patch file (adminserver)

Reviewed by Nathan (Thank you!!!)
Pushed to master.
$ git merge work
Updating 46f127a..d7b1055
Fast forward
 admserv/newinst/src/dirserver.map.in | 1 +
 admserv/newinst/src/register_param.map.in | 1 +
 admserv/schema/ldif/00nsroot_backend.ldif.tmpl | 5 +-
 admserv/schema/ldif/01nsroot.ldif.tmpl | 26 ++++----
 admserv/schema/ldif/02globalpreferences.ldif.tmpl | 46 ++++++------
 admserv/schema/ldif/10dsdata.ldif.tmpl | 64 +++++++++---------
 admserv/schema/ldif/10rm_dsdata.ldif.tmpl | 10 ++--
 admserv/schema/ldif/11dstasks.ldif.tmpl | 68 +++++++++---------
 admserv/schema/ldif/12dsconfig.mod.tmpl | 6 +-
 admserv/schema/ldif/13dsschema.mod.tmpl | 6 +-
 admserv/schema/ldif/16dssuffixadmin.mod.tmpl | 6 +-
 admserv/schema/ldif/20asdata.ldif.tmpl | 54 +++++++-------
 admserv/schema/ldif/21astasks.ldif.tmpl | 78 ++++++++++----------
 admserv/schema/ldif/22ascommands.ldif.tmpl | 8 +-
 admserv/schema/ldif/asmigrate.ldif.tmpl | 10 ++--
 15 files changed, 195 insertions(+), 194 deletions(-)
$ git push
Counting objects: 41, done.
Delta compression using 4 threads.
Compressing objects: 100% (20/20), done.
Writing objects: 100% (22/22), 5.04 KiB, done.
Total 22 (delta 18), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   46f127a..d7b1055  master -> master

Still invalid DNs are sent to the server.
[..] conn=9 op=10 ADD dn="ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=usersys.redhat.com,o=NetscapeRoot"
[10/Feb/2010:12:47:32 -0800] conn=9 op=10 RESULT err=34 tag=105 nentries=0 etime=0
[..] conn=9 op=23 ADD dn="ou=Console,ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=usersys.redhat.com,o=NetscapeRoot"
[10/Feb/2010:12:47:33 -0800] conn=9 op=23 RESULT err=34 tag=105 nentries=0 etime=0
[..] conn=9 op=25 ADD dn="ou=1.1,ou=Console,ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=usersys.redhat.com,o=NetscapeRoot"
[10/Feb/2010:12:47:33 -0800] conn=9 op=25 RESULT err=34 tag=105 nentries=0 etime=0
They are from the admin server and console.

Created attachment 390422 [details]
git patch file (adminserver)
Files:
admserv/cgi-src40/htmladmin.c
include/libadmin/libadmin.h
lib/libadmin/util.c
Description: get_all_users_views was generating an invalid DN
which included nested DN surrounded by unescaped double quotes.
Instead of escaping the double quotes, introduced an escape_for_dn
function which escapes special characters in the nested DN.
Created attachment 390423 [details]
cvs diff file (idm-console-framework)
Files:
src/com/netscape/management/client/console/Console.java
src/com/netscape/management/client/util/LDAPUtil.java
Description: userPreferenceDN included a nested DN surrounded by unescaped
double quotes. Instead of escaping the double quotes, introduced a method escapeDnString in LDAPUtil which escapes special characters in the nested DN.
Reviewed by Rich (Thank you!!)

Adminserver: Pushed to master.
$ git merge work
Updating 0734638..f637daf
Fast-forward
 admserv/cgi-src40/htmladmin.c | 15 +++++-
 include/libadmin/libadmin.h | 13 +++++
 lib/libadmin/util.c | 121 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 147 insertions(+), 2 deletions(-)
$ git push
Counting objects: 21, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.44 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   0734638..f637daf  master -> master
===============================================================================
idm-console-framework: Checked in into HEAD
Resolves: 560827 - Admin Server: DistinguishName validation fails
Description: userPreferenceDN included a nested DN surrounded by unescaped double quotes. Instead of escaping the double quotes, introduced a method escapeDnString in LDAPUtil which escapes special characters in the nested DN.
CVS: ----------------------------------------------------------------------
CVS: Enter Log. Lines beginning with `CVS:' are removed automatically
CVS:
CVS: Committing in .
CVS:
CVS: Modified Files:
CVS: src/com/netscape/management/client/console/Console.java
CVS: src/com/netscape/management/client/util/LDAPUtil.java
CVS: ----------------------------------------------------------------------
Checking in src/com/netscape/management/client/console/Console.java;
/cvs/dirsec/console/src/com/netscape/management/client/console/Console.java,v <-- Console.java
new revision: 1.16; previous revision: 1.15
done
Checking in src/com/netscape/management/client/util/LDAPUtil.java;
/cvs/dirsec/console/src/com/netscape/management/client/util/LDAPUtil.java,v <-- LDAPUtil.java
new revision: 1.3; previous revision: 1.2
done

Pushed to Directory_Server_8_2_Branch, as well.
$ git push origin admin82-local:Directory_Server_8_2_Branch
Counting objects: 21, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.45 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   3fe633f..43f94de  admin82-local -> Directory_Server_8_2_Branch

389-admin-1.1.11-0.2.a2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.fc13

389-admin-1.1.11-0.2.a2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.el5

389-admin-1.1.11-0.2.a2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.fc12

389-admin-1.1.11-0.2.a2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.fc11

Created attachment 421287 [details]
screen shot
Console looks fine - see attached screenshot
but ...
# egrep UserPreferences 01nsroot.ldif.tmpl
dn: ou=UserPreferences,ou=%domain%,o=NetscapeRoot
ou: UserPreferences
dn: ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
Is this okay?
(In reply to comment #17)
> Created an attachment (id=421287) [details]
> screen shot
>
> Console looks fine - see attached screenshot
>
> but ...
>
> # egrep UserPreferences 01nsroot.ldif.tmpl
> dn: ou=UserPreferences,ou=%domain%,o=NetscapeRoot
> ou: UserPreferences
> dn:
> ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
>
> Is this okay?

I think so. The server should treat \= as \3D. Noriko/Nathan, can you confirm?

(In reply to comment #18)
> (In reply to comment #17)
> > Created an attachment (id=421287) [details]
> > screen shot
> >
> > Console looks fine - see attached screenshot
> >
> > but ...
> >
> > # egrep UserPreferences 01nsroot.ldif.tmpl
> > dn: ou=UserPreferences,ou=%domain%,o=NetscapeRoot
> > ou: UserPreferences
> > dn:
> > ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
> >
> > Is this okay?
>
> I think so. The server should treat \= as \3D. Noriko/Nathan, can you
> confirm?

Yes, that's correct. Now, the server can handle the old style DN
ou="uid=%as_uid%,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot",ou=UserPreferences,ou=%domain%,o=NetscapeRoot
as well as new styles:
ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
and
ou=uid\3D%as_uid%\2Cou\3DAdministrators\2Cou\3DTopologyManagement\2Co\3DNetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot

Thanks for the confirmation - verified - RHEL 4 version: redhat-ds-base-8.2.0-2010060304.el4dsrv