Bug 651571

Summary: When attrcrypt is on, entrydn is stored in the backend db
Product: [Retired] 389
Component: Database - General
Reporter: Noriko Hosoi <nhosoi>
Assignee: Noriko Hosoi <nhosoi>
QA Contact: Viktor Ashirov <vashirov>
CC: amsharma, rmeggins
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Version: 1.2.7
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-12-07 17:13:23 UTC
Bug Blocks: 576869, 639035
Attachments:
  git patch file (master) -- flags: nhosoi: review?, rmeggins: review+

Description Noriko Hosoi 2010-11-09 20:01:58 UTC
Description of problem:
Steps to reproduce:
1. set up attribute encryption
2. add an entry which contains the to-be-encrypted attribute
3. check the entry with dbscan -f id2entry.db#:
    id #
        rdn: uid=tuser0
        objectClass: top
        [...]
        entrydn: uid=tuser0,ou=testpeople,o=attrcrypt.com <== should not be here
        telephoneNumber:: FUQqsUefe137W56ksNVwfQ==

Comment 1 Noriko Hosoi 2010-11-09 20:16:19 UTC
Created attachment 459236 [details]
git patch file (master)

Description: If an entry contains a to-be-encrypted attribute,
id2entry_add_ext handles a copy of the entry in which the attribute
is encrypted, and that copy is stored in the backend db.
On the other hand, the entrydn attribute is supposed to be removed from
the entry before the entry is stored in the db.  There was a bug
there: the removal was done on the original entry, but not on the
encrypted copy.  This patch correctly removes the entrydn attribute
from the encrypted entry to be stored in the db.

File:
 ldap/servers/slapd/back-ldbm/id2entry.c

Comment 2 Noriko Hosoi 2010-11-11 01:12:23 UTC
Reviewed by Rich (Thank you!!!)

Pushed to master.

$ git merge work
Updating 6b38f80..220bfa6
Fast-forward
 ldap/servers/slapd/back-ldbm/id2entry.c |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.02 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   6b38f80..220bfa6  master -> master

Comment 3 Noriko Hosoi 2011-07-26 21:41:17 UTC
Please use the first comment/Description of problem for steps to verify.

Comment 4 Amita Sharma 2011-07-29 07:10:15 UTC
Thanks for the steps Noriko, followed comment#0
1. set up attribute encryption

ldapmodify -a -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=telephoneNumber,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsAttributeEncryption
cn: telephoneNumber
nsEncryptionAlgorithm: AES
EOF

2. add an entry which contains the to-be-encrypted attribute


ldapmodify -a -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=amstest,dc=pnq,dc=redhat,dc=com
uid: amstest
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
sn: new100
cn: new100
telephoneNumber: 98100
mail: new100
givenName: new100
userPassword: ams
EOF

3. check the entry with dbscan -f id2entry.db#:

	rdn: uid=amstest
	uid: amstest
	objectClass: top
	objectClass: person
	objectClass: inetorgperson
	objectClass: organizationalPerson
	sn: new100
	cn: new100
	mail: new100
	givenName: new100
	userPassword:: e1NTSEF9YXNxQXdVZnB4bFRVZUdXZzFFMzNUdUdLRGhOQ3VVRkFoQnZ2Z3c9PQ=
	 =
	creatorsName: cn=directory manager
	modifiersName: cn=directory manager
	createTimestamp: 20110729065126Z
	modifyTimestamp: 20110729065126Z
	nsUniqueId: 273f7381-b9af11e0-b0b0b38a-6ef97ef3
	parentid: 1
	entryid: 111
	telephoneNumber:: fBajD6zB3979IvQOwp79Hg==

entrydn is not stored in backend db. Hence marking VERIFIED.
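
The check that Comment 1 describes (entrydn must be stripped from the copy that is actually written) and the verification in Comment 4 (eyeballing `dbscan -f id2entry.db#` output) can be done mechanically. The script below is an added example and is not code from this bug report or from the 389 project. It assumes the dump format shown above (an unindented `id N` line followed by tab-indented `attr: value` / `attr:: base64` lines, with LDIF-style folding marked by a leading space) and takes the list of attributes configured under `cn=encrypted attributes` from the operator. The sample dump embedded in it is constructed for the example; entry 112 reproduces the pre-fix shape reported in the Description.

```python
#!/usr/bin/env python3
"""Scan a `dbscan -f id2entry.db#` dump for the two things this bug is about:
an entrydn attribute that should have been stripped before the entry was
written, and a configured-to-be-encrypted attribute stored in cleartext
instead of as base64 ciphertext ("attr:: ...")."""
import base64
import binascii
import re
import sys

# Constructed sample in the shape of dbscan output (tab-indented attribute
# lines, LDIF-style folding with a leading space). Entry 111 is stored
# correctly; entry 112 shows the pre-fix behaviour reported in this bug.
SAMPLE_DUMP = "\n".join([
    "id 111",
    "\trdn: uid=amstest",
    "\tobjectClass: top",
    "\tuserPassword:: e1NTSEF9YXNxQXdVZnB4bFRVZUdXZzFFMzNUdUdLRGhOQ3VVRkFoQnZ2Z3c9PQ=",
    "\t =",
    "\ttelephoneNumber:: fBajD6zB3979IvQOwp79Hg==",
    "\tentryid: 111",
    "",
    "id 112",
    "\trdn: uid=tuser0",
    "\tobjectClass: top",
    "\tentrydn: uid=tuser0,ou=testpeople,o=attrcrypt.com",
    "\ttelephoneNumber: 98100",
    "\tentryid: 112",
    "",
])

# "name: value" or "name:: base64value"; the separator tells us which.
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def unfold(text):
    """Drop dbscan's one-tab indent and join continuation lines (a line whose
    first character after the tab is a space continues the previous value)."""
    out = []
    for raw in text.splitlines():
        line = raw[1:] if raw.startswith("\t") else raw
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_dump(text):
    """Return [(entry_id, [(attr, value, is_base64), ...]), ...]."""
    entries, entry_id, attrs = [], None, []
    for line in unfold(text):
        if line.startswith("id "):
            if entry_id is not None:
                entries.append((entry_id, attrs))
            entry_id, attrs = line[3:].strip(), []
        elif entry_id is not None and line.strip():
            m = ATTR_RE.match(line)
            if m:
                name, sep, value = m.groups()
                attrs.append((name, value, sep == "::"))
    if entry_id is not None:
        entries.append((entry_id, attrs))
    return entries


def find_leaks(text, encrypted_attrs=("telephoneNumber",)):
    """Return (entry_id, problem, detail) tuples. `encrypted_attrs` is the
    set of attributes configured under cn=encrypted attributes for the
    backend whose id2entry file was dumped."""
    wanted = {a.lower() for a in encrypted_attrs}
    findings = []
    for entry_id, attrs in parse_dump(text):
        for name, value, is_b64 in attrs:
            lname = name.lower()
            if lname == "entrydn":
                # Per Comment 1, entrydn must be removed before the entry
                # is written; seeing it on disk is the bug.
                findings.append((entry_id, "entrydn-stored", value))
            elif lname in wanted:
                if not is_b64:
                    findings.append((entry_id, "cleartext-encrypted-attr",
                                     f"{name}: {value}"))
                else:
                    try:
                        base64.b64decode(value, validate=True)
                    except (binascii.Error, ValueError):
                        findings.append((entry_id, "bad-base64",
                                         f"{name}: {value}"))
    return findings


if __name__ == "__main__":
    # Usage: dbscan -f /path/to/id2entry.db4 | python3 check_id2entry.py [attr ...]
    # With no stdin, runs against the constructed sample above.
    attrs = sys.argv[1:] or ["telephoneNumber"]
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    problems = find_leaks(dump, attrs)
    for entry_id, problem, detail in problems:
        print(f"entry {entry_id}: {problem}: {detail}")
    sys.exit(1 if problems else 0)
```

On a fixed server the script exits 0 for every backend; on the pre-fix build it reports `entrydn-stored` for each entry that carried an encrypted attribute. The base64 check only confirms the stored value is ciphertext-shaped, not that it decrypts; a cleartext value is the one unambiguous failure.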