Bug 664563

Summary: GER: ger for non-present entry is not correct
Product: [Retired] 389
Reporter: Noriko Hosoi <nhosoi>
Component: Security - Access Control (GER)
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: high
Version: 1.2.7
CC: amsharma, jgalipea, rcritten
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:57:51 UTC
Bug Blocks: 639035
Attachments:
Description Flags
git patch file (master) nkinder: review+

Description Noriko Hosoi 2010-12-20 19:15:24 UTC
Description of problem:
Entry cn=entitlements,cn=etc,dc=example,dc=com exists.

Requirement: get the info if a user "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com" is able to create a new entry "ipaEntitlementId=<value>,cn=entitlements,cn=etc,dc=example,dc=com" under "cn=entitlements,cn=etc,dc=example,dc=com".

Mozldap command line
    $ ldapsearch ... -D 'uid=tuser1,cn=users,cn=accounts,dc=example,dc=com' -w <password> -b 'cn=entitlements,cn=etc,dc=example,dc=com' -J '1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=tuser1,cn=users,cn=accounts,dc=example,dc=com' "(objectclass=*)" @ipaentitlement
is supposed to return the access right for the user "uid=tuser1".

But the current code blindly sets "cn=" in the leaf RDN:
dn: cn=template_ipaentitlement_objectclass,cn=entitlements,cn=etc,dc=example,dc=com
entryLevelRights: v
attributeLevelRights:: Om5vbmU=

It makes the GER evaluation fail against the expected ACI, e.g.:
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
 ts,dc=example,dc=com")(version 3.0;acl "Add user to default group";allow (wr
 ite) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accou
 nts,dc=example,dc=com";)

Comment 1 Noriko Hosoi 2010-12-23 00:24:34 UTC
Created attachment 470351 [details]
git patch file (master)

Description: To get the effective rights of non-present entry,
GER code takes @<objectclass> as a part of an attribute list
in the search.  The code was generating the temporary, non-
present entry with the leaf RDN "cn=<value>".  Instead of "cn",
an attribute type belonging to the objectclass would be used.
This patch changes to allow either @<objectclass> or
@<objectclass>:<dntype>.  If @<objectclass> is given, the first
MUST attribute type (or the first MAY attribute type if MUST
does not exist) is used for the attribute type in the leaf RDN.
If @<objectclass>:<dntype> is given, <dntype> is used.

Plus, acl_check_for_target_macro in aclparse.c now checks an
invalid macro syntax [($dn)] and returns a syntax error.
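
As an added illustration (not the 389-ds code), the following Python models the RDN-type selection described in this comment and the ACI target mismatch that the hard-wired "cn=" caused; the schema table and the ACI target in it are constructed assumptions, not copied from the IPA schema or from the bug.

```python
import fnmatch

# Added example, not 389-ds code: models how the patched GER code derives the
# leaf RDN of the temporary non-present entry from "@<objectclass>" or
# "@<objectclass>:<dntype>", and why the old hard-wired "cn=" broke ACI matching.

# Constructed schema stand-in (objectclass -> (MUST, MAY)). The ipaEntitlement
# attribute lists are an assumption, not copied from the IPA schema files.
SCHEMA = {
    "ipaentitlement": (["ipaEntitlementId"], ["userPKCS12", "userCertificate"]),
    "inetorgperson": (["cn", "sn"], ["uid", "mail"]),
}

def template_rdn_type(spec, schema=SCHEMA):
    """Return (objectclass, RDN attribute type) for a GER attribute-list spec."""
    if not spec.startswith("@"):
        raise ValueError("not an objectclass spec: %r" % spec)
    oc, sep, dntype = spec[1:].partition(":")
    if oc.lower() not in schema:
        raise ValueError("unknown objectclass: %s" % oc)
    if sep:
        return oc, dntype  # @<objectclass>:<dntype>: use <dntype> as given
    must, may = schema[oc.lower()]
    if must:
        return oc, must[0]  # first MUST attribute type
    if may:
        return oc, may[0]  # no MUST: first MAY attribute type
    raise ValueError("objectclass %s defines no attribute types" % oc)

def template_dn(spec, base_dn, fixed=True):
    """DN of the non-present template entry that GER evaluates the ACIs against."""
    oc, rdn_type = template_rdn_type(spec)
    if not fixed:
        rdn_type = "cn"  # the bug: "cn=" used regardless of the objectclass
    return "%s=template_%s_objectclass,%s" % (rdn_type, oc.lower(), base_dn)

def target_matches(aci_target, dn):
    """Simplified ACI target check: 'ldap:///<dn pattern>' with '*' wildcards,
    compared case-insensitively (DN matching ignores case)."""
    pattern = aci_target[len("ldap:///"):]
    return fnmatch.fnmatchcase(dn.lower(), pattern.lower())

if __name__ == "__main__":
    base = "cn=entitlements,cn=etc,dc=example,dc=com"
    target = "ldap:///ipaEntitlementId=*," + base  # constructed ACI target
    for fixed in (False, True):
        dn = template_dn("@ipaentitlement", base, fixed=fixed)
        print("fixed=%-5s %s  matches=%s" % (fixed, dn, target_matches(target, dn)))
    print(template_dn("@ipaentitlement:userCertificate", base))
```

With the buggy "cn=" RDN the constructed target never matches the template DN, so the user's real add rights are never reported; with the patched selection it does.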

Comment 3 Noriko Hosoi 2011-01-04 00:32:40 UTC
Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge 664563
Updating 196f1ef..90f26ec
Fast-forward
 ldap/servers/plugins/acl/acleffectiverights.c |   57 +++++++++++++++++++++----
 ldap/servers/plugins/acl/aclparse.c           |   16 +++++++-
 2 files changed, 63 insertions(+), 10 deletions(-)

$ git push
Counting objects: 15, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.97 KiB, done.
Total 8 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   196f1ef..90f26ec  master -> master

Comment 5 Amita Sharma 2011-06-06 10:07:37 UTC
[root@testvm ~]# cd /home/amsharma/
[root@testvm amsharma]# ls -l
total 80
drwxr-xr-x. 2 root     root      4096 Jun  1 13:47 data
drwxr-xr-x. 3 root     root      4096 May 30 14:16 DS9.0
-rw-r--r--. 1 root     root     59185 Jun  6 15:17 ipa_testdata.tar.gz
-rw-r--r--. 1 root     root       450 May 17 18:25 namepipeconfig.ldif
drwxrwx---. 3 amsharma amsharma  4096 May 30 12:44 Samba
drwxr-xr-x. 3 root     root      4096 Jun  3 15:02 scripts
[root@testvm amsharma]# tar -xvf ipa_testdata.tar.gz
ipa.ldif
ipa_schema/
ipa_schema/10rfc2307.ldif
ipa_schema/60autofs.ldif
ipa_schema/28pilot.ldif
ipa_schema/25java-object.ldif
ipa_schema/60basev2.ldif
ipa_schema/50ns-admin.ldif
ipa_schema/01core389.ldif
ipa_schema/60pureftpd.ldif
ipa_schema/00core.ldif
ipa_schema/50ns-mail.ldif
ipa_schema/02common.ldif
ipa_schema/60sudo.ldif
ipa_schema/05rfc4524.ldif
ipa_schema/10mep-plugin.ldif
ipa_schema/05rfc2927.ldif
ipa_schema/05rfc4523.ldif
ipa_schema/50ns-directory.ldif
ipa_schema/60acctpolicy.ldif
ipa_schema/50ns-value.ldif
ipa_schema/50ns-web.ldif
ipa_schema/60eduperson.ldif
ipa_schema/60rfc3712.ldif
ipa_schema/99user.ldif
ipa_schema/60ipaconfig.ldif
ipa_schema/50ns-certificate.ldif
ipa_schema/30ns-common.ldif
ipa_schema/60ipasudo.ldif
ipa_schema/60mozilla.ldif
ipa_schema/20subscriber.ldif
ipa_schema/60nss-ldap.ldif
ipa_schema/06inetorgperson.ldif
ipa_schema/60trust.ldif
ipa_schema/60sabayon.ldif
ipa_schema/60samba.ldif
ipa_schema/60rfc2739.ldif
ipa_schema/60kerberos.ldif
ipa_schema/60pam-plugin.ldif
ipa_schema/60radius.ldif
[root@testvm amsharma]# ls -l
total 184
drwxr-xr-x. 2 root     root       4096 Jun  1 13:47 data
drwxr-xr-x. 3 root     root       4096 May 30 14:16 DS9.0
-rw-rw-r--. 1      501      501 101653 Dec 23 05:57 ipa.ldif
drwxrwxr-x. 2      501      501   4096 Dec 21 04:35 ipa_schema
-rw-r--r--. 1 root     root      59185 Jun  6 15:17 ipa_testdata.tar.gz
-rw-r--r--. 1 root     root        450 May 17 18:25 namepipeconfig.ldif
drwxrwx---. 3 amsharma amsharma   4096 May 30 12:44 Samba
drwxr-xr-x. 3 root     root       4096 Jun  3 15:02 scripts
[root@testvm amsharma]# /usr/lib64/dirsrv/slapd-testvm
slapd-testvm/  slapd-testvm1/ 
[root@testvm amsharma]# /usr/lib64/dirsrv/slapd-testvm1/stop-slapd 
[root@testvm amsharma]# cd /etc/dirsrv/slapd-testvm1/schema/
[root@testvm schema]# cp /home/amsharma/ipa_schema/*.ldif .
cp: overwrite `./00core.ldif'? yes
cp: overwrite `./01core389.ldif'? yes
cp: overwrite `./02common.ldif'? 
cp: overwrite `./05rfc2927.ldif'? 
cp: overwrite `./05rfc4523.ldif'? 
cp: overwrite `./05rfc4524.ldif'? 
cp: overwrite `./06inetorgperson.ldif'? 
cp: overwrite `./10mep-plugin.ldif'? 
cp: overwrite `./10rfc2307.ldif'? 
cp: overwrite `./20subscriber.ldif'? 
cp: overwrite `./25java-object.ldif'? 
cp: overwrite `./28pilot.ldif'? 
cp: overwrite `./30ns-common.ldif'? 
cp: overwrite `./50ns-admin.ldif'? 
cp: overwrite `./50ns-certificate.ldif'? 
cp: overwrite `./50ns-directory.ldif'? 
cp: overwrite `./50ns-mail.ldif'? 
cp: overwrite `./50ns-value.ldif'? 
cp: overwrite `./50ns-web.ldif'? 
cp: overwrite `./60acctpolicy.ldif'? 
cp: overwrite `./60autofs.ldif'? 
cp: overwrite `./60eduperson.ldif'? 
cp: overwrite `./60mozilla.ldif'? 
cp: overwrite `./60nss-ldap.ldif'? 
cp: overwrite `./60pam-plugin.ldif'? 
cp: overwrite `./60pureftpd.ldif'? 
cp: overwrite `./60rfc2739.ldif'? 
cp: overwrite `./60rfc3712.ldif'? 
cp: overwrite `./60sabayon.ldif'? 
cp: overwrite `./60sudo.ldif'? 
cp: overwrite `./60trust.ldif'? 
cp: overwrite `./99user.ldif'? 


While importing ipa.ldif:
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 140
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 141
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 142
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 143
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 144
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 145
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 146
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 147
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 148
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 149
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 150
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 151
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 152
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 153
[06/Jun/2011:15:28:38 +051800] - import userRoot: Workers finished; cleaning up...
[06/Jun/2011:15:28:39 +051800] - import userRoot: Workers cleaned up.
[06/Jun/2011:15:28:39 +051800] - import userRoot: Cleaning up producer thread...
[06/Jun/2011:15:28:39 +051800] - import userRoot: Indexing complete.  Post-processing...
[06/Jun/2011:15:28:39 +051800] - Nothing to do to build ancestorid index
[06/Jun/2011:15:28:39 +051800] - import userRoot: Flushing caches...
[06/Jun/2011:15:28:39 +051800] - import userRoot: Closing files...
[06/Jun/2011:15:28:39 +051800] - All database threads now stopped
[06/Jun/2011:15:28:39 +051800] - import userRoot: Import complete.  Processed 153 entries (155 were skipped) in 107 seconds. (1.43 entries/sec)

Comment 6 Noriko Hosoi 2011-06-06 16:35:04 UTC
There could be some configuration mismatch.  Can I log in to your system?  Or attach your dse.ldif and errors log to this bug.
Thanks,
--noriko

Comment 9 Amita Sharma 2011-06-08 07:44:15 UTC
Hey thanks Noriko,
I have verified it successfully now:

[root@testvm slapd-testvm]# /usr/lib64/mozldap/ldapsearch -x -h localhost -p 1389 -D "uid=tuser1,cn=users,cn=accounts,dc=greyoak,dc=com"  -w tuser1 -b "cn=entitlements,cn=etc,dc=greyoak,dc=com" -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=tuser1,cn=users,cn=accounts,dc=greyoak,dc=com" "(objectclass=*)" @ipaentitlement:userCertificate
version: 1
dn: cn=entitlements,cn=etc,dc=greyoak,dc=com
entryLevelRights: v
attributeLevelRights: objectClass:rsc, cn:rsc

dn: userCertificate=template_ipaentitlement_objectclass,cn=entitlements,cn=etc
 ,dc=greyoak,dc=com
entryLevelRights: v
attributeLevelRights: userCertificate:rsc, userPKCS12:none, ipaEntitlementId:r
 sc, objectClass:rsc