Bug 664563

| Field | Value |
|---|---|
| Summary | GER: ger for non-present entry is not correct |
| Product | [Retired] 389 |
| Reporter | Noriko Hosoi <nhosoi> |
| Component | Security - Access Control (GER) |
| Assignee | Noriko Hosoi <nhosoi> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Viktor Ashirov <vashirov> |
| Severity | medium |
| Priority | high |
| Version | 1.2.7 |
| CC | amsharma, jgalipea, rcritten |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2015-12-07 16:57:51 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 639035 |
Description
Noriko Hosoi
2010-12-20 19:15:24 UTC
Created attachment 470351: git patch file (master)
Description: To get the effective rights of a non-present entry, GER code takes `@<objectclass>` as a part of an attribute list in the search. The code was generating the temporary, non-present entry with the leaf RDN `cn=<value>`. Instead of `cn`, an attribute type belonging to the objectclass should be used.

This patch changes the code to allow either `@<objectclass>` or `@<objectclass>:<dntype>`. If `@<objectclass>` is given, the first MUST attribute type (or the first MAY attribute type if MUST does not exist) is used for the attribute type in the leaf RDN. If `@<objectclass>:<dntype>` is given, `<dntype>` is used.

Plus, acl_check_for_target_macro in aclparse.c now checks an invalid macro syntax `[($dn)]` and returns a syntax error.
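The RDN selection rule above, modelled as an added example (not 389 DS code): it resolves an `@<objectclass>[:<dntype>]` GER item to the `template_<objectclass>_objectclass` leaf RDN that the verification output later in this bug shows, and flags the `[($dn)]` target form. The schema map and its attribute ordering are constructed for the example.

```python
# Added example, not code from 389 DS: model how Get Effective Rights (GER)
# names the temporary non-present entry for an "@<objectclass>" or
# "@<objectclass>:<dntype>" attribute-list item after the fix described in
# this bug, and flag the "[($dn)]" target-macro form that aclparse.c rejects.

# Constructed schema map: objectclass -> (MUST attribute types, MAY attribute
# types). The ordering is chosen for the example; a server reads the real
# order from its schema files.
SCHEMA = {
    "ipaentitlement": ([], ["userCertificate", "userPKCS12", "ipaEntitlementId"]),
    "inetorgperson": (["cn", "sn"], ["uid", "mail", "userPassword"]),
    "extensibleobject": ([], []),
}


def ger_template_rdn(attr_spec, schema=SCHEMA):
    """Return the leaf RDN "<dntype>=template_<objectclass>_objectclass".

    dntype comes from the spec when given ("@oc:dntype"); otherwise the
    first MUST attribute type of the objectclass is used, falling back to
    the first MAY attribute type. Before the fix the RDN was always "cn=".
    """
    if not attr_spec.startswith("@"):
        raise ValueError("not a GER objectclass spec: %r" % attr_spec)
    oc, _, dntype = attr_spec[1:].partition(":")
    if oc.lower() not in schema:
        raise LookupError("unknown objectclass %r" % oc)
    if not dntype:
        must, may = schema[oc.lower()]
        candidates = must or may
        if not candidates:
            raise LookupError("objectclass %r has no attribute type for the RDN" % oc)
        dntype = candidates[0]
    return "%s=template_%s_objectclass" % (dntype, oc)


def ger_template_dn(attr_spec, base_dn, schema=SCHEMA):
    """Full DN of the non-present entry, placed directly under the search base."""
    return "%s,%s" % (ger_template_rdn(attr_spec, schema), base_dn)


def has_invalid_target_macro(target):
    """True for the '[($dn)]' form that the bug description says
    acl_check_for_target_macro now reports as a syntax error."""
    return "[($dn)]" in target
```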
Reviewed by Nathan (Thank you!!!) Pushed to master.

```text
$ git merge 664563
Updating 196f1ef..90f26ec
Fast-forward
 ldap/servers/plugins/acl/acleffectiverights.c | 57 +++++++++++++++++++++----
 ldap/servers/plugins/acl/aclparse.c           | 16 +++++++-
 2 files changed, 63 insertions(+), 10 deletions(-)
$ git push
Counting objects: 15, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.97 KiB, done.
Total 8 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   196f1ef..90f26ec  master -> master
```

```text
[root@testvm ~]# cd /home/amsharma/
[root@testvm amsharma]# ls -l
total 80
drwxr-xr-x. 2 root     root      4096 Jun  1 13:47 data
drwxr-xr-x. 3 root     root      4096 May 30 14:16 DS9.0
-rw-r--r--. 1 root     root     59185 Jun  6 15:17 ipa_testdata.tar.gz
-rw-r--r--. 1 root     root       450 May 17 18:25 namepipeconfig.ldif
drwxrwx---. 3 amsharma amsharma  4096 May 30 12:44 Samba
drwxr-xr-x. 3 root     root      4096 Jun  3 15:02 scripts
[root@testvm amsharma]# tar -xvf ipa_testdata.tar.gz
ipa.ldif
ipa_schema/
ipa_schema/10rfc2307.ldif
ipa_schema/60autofs.ldif
ipa_schema/28pilot.ldif
ipa_schema/25java-object.ldif
ipa_schema/60basev2.ldif
ipa_schema/50ns-admin.ldif
ipa_schema/01core389.ldif
ipa_schema/60pureftpd.ldif
ipa_schema/00core.ldif
ipa_schema/50ns-mail.ldif
ipa_schema/02common.ldif
ipa_schema/60sudo.ldif
ipa_schema/05rfc4524.ldif
ipa_schema/10mep-plugin.ldif
ipa_schema/05rfc2927.ldif
ipa_schema/05rfc4523.ldif
ipa_schema/50ns-directory.ldif
ipa_schema/60acctpolicy.ldif
ipa_schema/50ns-value.ldif
ipa_schema/50ns-web.ldif
ipa_schema/60eduperson.ldif
ipa_schema/60rfc3712.ldif
ipa_schema/99user.ldif
ipa_schema/60ipaconfig.ldif
ipa_schema/50ns-certificate.ldif
ipa_schema/30ns-common.ldif
ipa_schema/60ipasudo.ldif
ipa_schema/60mozilla.ldif
ipa_schema/20subscriber.ldif
ipa_schema/60nss-ldap.ldif
ipa_schema/06inetorgperson.ldif
ipa_schema/60trust.ldif
ipa_schema/60sabayon.ldif
ipa_schema/60samba.ldif
ipa_schema/60rfc2739.ldif
ipa_schema/60kerberos.ldif
ipa_schema/60pam-plugin.ldif
ipa_schema/60radius.ldif
[root@testvm amsharma]# ls -l
total 184
drwxr-xr-x. 2 root     root       4096 Jun  1 13:47 data
drwxr-xr-x. 3 root     root       4096 May 30 14:16 DS9.0
-rw-rw-r--. 1 501      501      101653 Dec 23 05:57 ipa.ldif
drwxrwxr-x. 2 501      501        4096 Dec 21 04:35 ipa_schema
-rw-r--r--. 1 root     root      59185 Jun  6 15:17 ipa_testdata.tar.gz
-rw-r--r--. 1 root     root        450 May 17 18:25 namepipeconfig.ldif
drwxrwx---. 3 amsharma amsharma   4096 May 30 12:44 Samba
drwxr-xr-x. 3 root     root       4096 Jun  3 15:02 scripts
[root@testvm amsharma]# /usr/lib64/dirsrv/slapd-testvm
slapd-testvm/  slapd-testvm1/
[root@testvm amsharma]# /usr/lib64/dirsrv/slapd-testvm1/stop-slapd
[root@testvm amsharma]# cd /etc/dirsrv/slapd-testvm1/schema/
[root@testvm schema]# cp /home/amsharma/ipa_schema/*.ldif .
cp: overwrite `./00core.ldif'? yes
cp: overwrite `./01core389.ldif'? yes
cp: overwrite `./02common.ldif'?
cp: overwrite `./05rfc2927.ldif'?
cp: overwrite `./05rfc4523.ldif'?
cp: overwrite `./05rfc4524.ldif'?
cp: overwrite `./06inetorgperson.ldif'?
cp: overwrite `./10mep-plugin.ldif'?
cp: overwrite `./10rfc2307.ldif'?
cp: overwrite `./20subscriber.ldif'?
cp: overwrite `./25java-object.ldif'?
cp: overwrite `./28pilot.ldif'?
cp: overwrite `./30ns-common.ldif'?
cp: overwrite `./50ns-admin.ldif'?
cp: overwrite `./50ns-certificate.ldif'?
cp: overwrite `./50ns-directory.ldif'?
cp: overwrite `./50ns-mail.ldif'?
cp: overwrite `./50ns-value.ldif'?
cp: overwrite `./50ns-web.ldif'?
cp: overwrite `./60acctpolicy.ldif'?
cp: overwrite `./60autofs.ldif'?
cp: overwrite `./60eduperson.ldif'?
cp: overwrite `./60mozilla.ldif'?
cp: overwrite `./60nss-ldap.ldif'?
cp: overwrite `./60pam-plugin.ldif'?
cp: overwrite `./60pureftpd.ldif'?
cp: overwrite `./60rfc2739.ldif'?
cp: overwrite `./60rfc3712.ldif'?
cp: overwrite `./60sabayon.ldif'?
cp: overwrite `./60sudo.ldif'?
cp: overwrite `./60trust.ldif'?
cp: overwrite `./99user.ldif'?
```

while importing ipa.ldif

```text
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 140
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 141
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 142
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 143
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 144
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 145
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 146
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 147
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 148
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 149
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 150
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 151
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 152
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 153
[06/Jun/2011:15:28:38 +051800] - import userRoot: Workers finished; cleaning up...
[06/Jun/2011:15:28:39 +051800] - import userRoot: Workers cleaned up.
[06/Jun/2011:15:28:39 +051800] - import userRoot: Cleaning up producer thread...
[06/Jun/2011:15:28:39 +051800] - import userRoot: Indexing complete.  Post-processing...
[06/Jun/2011:15:28:39 +051800] - Nothing to do to build ancestorid index
[06/Jun/2011:15:28:39 +051800] - import userRoot: Flushing caches...
[06/Jun/2011:15:28:39 +051800] - import userRoot: Closing files...
[06/Jun/2011:15:28:39 +051800] - All database threads now stopped
[06/Jun/2011:15:28:39 +051800] - import userRoot: Import complete.  Processed 153 entries (155 were skipped) in 107 seconds. (1.43 entries/sec)
```

There could be some configuration mismatch. Can I log in to your system? Or attach your dse.ldif and errors log to this bug.

Thanks,
--noriko

Hey, thanks Noriko, I have verified it successfully now:

```text
[root@testvm slapd-testvm]# /usr/lib64/mozldap/ldapsearch -x -h localhost -p 1389 -D "uid=tuser1,cn=users,cn=accounts,dc=greyoak,dc=com" -w tuser1 -b "cn=entitlements,cn=etc,dc=greyoak,dc=com" -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=tuser1,cn=users,cn=accounts,dc=greyoak,dc=com" "(objectclass=*)" @ipaentitlement:userCertificate
version: 1
dn: cn=entitlements,cn=etc,dc=greyoak,dc=com
entryLevelRights: v
attributeLevelRights: objectClass:rsc, cn:rsc

dn: userCertificate=template_ipaentitlement_objectclass,cn=entitlements,cn=etc,dc=greyoak,dc=com
entryLevelRights: v
attributeLevelRights: userCertificate:rsc, userPKCS12:none, ipaEntitlementId:rsc, objectClass:rsc
```