Bug 635987

Summary: Incorrect sub scope search result with ACL containing ldap:///self
Product: [Retired] 389
Reporter: Andrey Ivanov <andrey.ivanov>
Component: Database - Indexes/Searches
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: low
Version: 1.2.6
CC: rmeggins
Hardware: x86_64   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:36:27 UTC
Bug Blocks: 576869, 639035    
Attachments:
  LDIF test case for the bug; flags: none
  git patch file (master); flags: rmeggins: review+
  revised git patch file (master); flags: nhosoi: review?, nhosoi: review?, rmeggins: review+

Description Andrey Ivanov 2010-09-21 09:06:38 UTC
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

When a search on an attribute contained in ACL with ldap://self is performed with sub scope, the entry is not returned. The same search with base scope correctly returns the entry.

Reproducible: Always

Steps to Reproduce:
1. Import the bug-acl.ldif (attachment)
2. With OpenLDAP utilities:
[root@ldap-model /]# ldapsearch -x  -D "uid=TVradmin0,ou=Accounting,dc=example,dc=com" -w 'toto' -h ldap-model.polytechnique.fr -s sub -b 'uid=TVradmin0,ou=Accounting,dc=example,dc=com' carLicense=*
# extended LDIF
#
# LDAPv3
# base <uid=TVradmin0,ou=Accounting,dc=example,dc=com> with scope subtree
# filter: carLicense=*
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root@ldap-model /]# ldapsearch -x  -D "uid=TVradmin0,ou=Accounting,dc=example,dc=com" -w 'toto' -h ldap-model.polytechnique.fr -s base -b 'uid=TVradmin0,ou=Accounting,dc=example,dc=com' carLicense=* 
# extended LDIF
#
# LDAPv3
# base <uid=TVradmin0,ou=Accounting,dc=example,dc=com> with scope baseObject
# filter: carLicense=*
# requesting: ALL
#

# TVradmin0, Accounting, example.com
dn: uid=TVradmin0,ou=Accounting,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Teena Vradmin
sn: Vradmin
uid: TVradmin0
givenName: Teena
telephoneNumber: +1 303 703-2147
carLicense: ZSN6DM3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

3.
Actual Results:  
The base search correctly returns the entry and the sub search with the same filter and base does not return the entry.

Expected Results:  
The sub scope search should return the entry.

The ACL is clearly calculated differently for base and sub scope searches. The bug may be caused by the new entryrdn model, though I have not tested it on previous versions.

Comment 1 Andrey Ivanov 2010-09-21 09:08:10 UTC
Created attachment 448655
LDIF test case for the bug

Comment 2 Noriko Hosoi 2010-09-21 22:33:38 UTC
Created attachment 448824
git patch file (master)

Thank you so much, Andrey.  This bug is pretty bad for the search when the basedn is a leaf in DIT as you discovered.  Not just for the ACL, but there should have been a performance impact in such cases.  As you guessed, it was introduced with the entryrdn.  So, 389 v1.2.6 contains this bug (not 1.2.5 and older).

Description: When a basedn has no descendants, the code to take an
intersection of idl (which was returned from the filter search --
filter_candidates) and the basedn was skipped in subtree_candidates
(ldbm_search.c).  Regardless of descendants, the intersection should
be taken for the idl and a tree starting with the basedn.
Note: This bug was introduced with entryrdn.

Comment 3 Noriko Hosoi 2010-09-22 16:24:12 UTC
Reviewed by Rich (Thanks!!!)

Pushed to master.

$ git merge 635987
Updating 62cc84c..8ac525e
Fast-forward
 ldap/servers/slapd/back-ldbm/ldbm_search.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 896 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   62cc84c..8ac525e  master -> master

Comment 5 Noriko Hosoi 2010-09-24 18:46:48 UTC
Created attachment 449487
revised git patch file (master)

Thanks to Rich for analysing the bug introduced by the previous commit.  The attached patch should fix it.

Description:
This commit made for the bug 635987 introduced a bug to replication.
commit 8ac525e5ac997378f4f2a386e9b96568c8d66db5
Author: Noriko Hosoi <nhosoi>
Date:   Tue Sep 21 15:12:07 2010 -0700

subtree_candidates (ldbm_search.c)
If you do have a tombstone filter, descendants will be NULL,
and idl_intersection of candidates and descendents will wipe
out all of the candidates, leaving just the one entry, e->ep_id.

Changed to call idl_intersection only when the filter is not
for tombstone or entryrdn_get_noancestorid (false, by default).
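
A simplified model of the candidate selection described in Comments 2 and 5, added here as an illustration and not taken from ldbm_search.c. ID lists are bitmasks, and the struct, enum and function names, the sample IDs, and the reading of the revised condition as "not a tombstone filter, or noancestorid set" are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model, not 389-ds code: an ID list is a bitmask, bit n = entry ID n. */
typedef uint64_t idl;
#define ID(n) ((idl)1 << (n))

enum version { V126_BUG, FIRST_PATCH, REVISED_PATCH };

struct search {
    idl filter_hits;   /* IDs matching the filter (filter_candidates) */
    idl descendants;   /* IDs below the base; 0 models a NULL list */
    int base_id;       /* e->ep_id of the search base */
    int tombstone;     /* the filter asks for tombstones */
    int noancestorid;  /* entryrdn_get_noancestorid, false by default */
};

/* Returns the candidate IDs a subtree search would go on to evaluate. */
idl subtree_candidates_model(enum version v, const struct search *s)
{
    /* Assumption: descendants are not looked up for a tombstone filter
     * unless noancestorid is set, so the list stays empty (NULL). */
    idl desc = (s->tombstone && !s->noancestorid) ? 0 : s->descendants;
    idl scoped = s->filter_hits & (desc | ID(s->base_id));

    if (v == V126_BUG)      /* intersection skipped when there are no descendants */
        return desc ? scoped : s->filter_hits;
    if (v == FIRST_PATCH)   /* always intersect with base + descendants */
        return scoped;
    /* REVISED_PATCH: intersect unless it is a tombstone search without noancestorid */
    return (!s->tombstone || s->noancestorid) ? scoped : s->filter_hits;
}

int main(void)
{
    /* Constructed data: IDs 5, 6, 7 have carLicense; the base (ID 5) is a leaf. */
    struct search leaf = { ID(5) | ID(6) | ID(7), 0, 5, 0, 0 };
    /* Constructed data: tombstones 8 and 9; the base is the suffix entry, ID 1. */
    struct search tomb = { ID(8) | ID(9), ID(5) | ID(6) | ID(7), 1, 1, 0 };
    const char *name[] = { "1.2.6", "first patch", "revised patch" };
    for (int v = V126_BUG; v <= REVISED_PATCH; v++)
        printf("%-13s leaf=%#llx tombstone=%#llx\n", name[v],
               (unsigned long long)subtree_candidates_model((enum version)v, &leaf),
               (unsigned long long)subtree_candidates_model((enum version)v, &tomb));
    return 0;
}
```

In the model, the 1.2.6 path leaves entries outside a leaf base in the candidate list, the first patch scopes the leaf search but empties the tombstone candidates, and the revised condition handles both.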

Comment 7 Noriko Hosoi 2010-09-24 19:07:33 UTC
Reviewed by Rich (Thank you!!!)

Pushed to master.

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.04 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   dcfd94b..a7de5f2  master -> master

Comment 8 Noriko Hosoi 2011-07-26 22:29:58 UTC
Since nightly GER acceptance test passes 100%, mark verified.
Ger run(o=ace industry,c=us) Tests PASS      : 100% (360/360)