Bug 705222

Summary: aci on cn=monitor warning about connection attribute
Product: [Retired] 389
Component: Security - Access Control (ACL)
Reporter: Rich Megginson <rmeggins>
Assignee: Rich Megginson <rmeggins>
Status: CLOSED WORKSFORME
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: unspecified
Version: 1.2.8
CC: benl, nhosoi
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-01-25 22:32:43 UTC
Bug Blocks: 690319

Description Rich Megginson 2011-05-17 02:15:01 UTC
The aci on cn=monitor references an attribute named "connection" - the aci code warns because this attribute is not in the schema.  The effect is that the aci code ignores the aci.

Comment 3 Martin Kosek 2012-01-04 13:23:03 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/42

Comment 4 Noriko Hosoi 2012-01-25 22:32:43 UTC
It had been fixed in this commit:
commit 0b7a84653e5819f52fc22f3783d9c2a1dc84e941
Date:   Fri Oct 15 10:56:45 2010 -0700
Bug 244229 - targetattr not verified against schema when setting an aci
https://bugzilla.redhat.com/show_bug.cgi?id=244229
    3. An attributeTypes "connection" is added to 01core389.ldif which
       is referred in an aci of cn=monitor.

Note: aci sets on cn=monitor:
aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(versio
 n 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone
 ";)

Anonymous search does not return connection and aci:
$ ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" connection
dn: cn=monitor

$ ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" aci
dn: cn=monitor

But the others:
$ ldapsearch -LLLx -h localhost -p 10389 -s base -b "cn=monitor" version
dn: cn=monitor
version: 389-Directory/1.2.10.rc1.git0ac8d3a B2012.025.2145
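
Added example (not part of the original bug report and not 389 project code): a small audit that unfolds LDIF, extracts the targetattr names from each aci, and reports any name with no attributeTypes definition, which is the condition the description says makes the aci code warn and ignore the aci. The schema entries and their placeholder OIDs are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample input: the aci value quoted in comment 4 plus made-up schema entries.
SAMPLE_LDIF = '''dn: cn=monitor
aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(versio
 n 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone
 ";)
'''
SAMPLE_SCHEMA = [
    "( EXAMPLE-OID-1 NAME 'aci' DESC 'constructed' )",
    "( EXAMPLE-OID-2 NAME ( 'version' 'ver' ) DESC 'constructed' )",
]


def unfold(ldif):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)


def schema_names(definitions):
    """Collect every NAME from attributeTypes values, lower-cased."""
    names = set()
    for d in definitions:
        m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", d)
        if m:
            names.update(re.findall(r"[^'\s]+", (m.group(1) or m.group(2)).lower()))
    return names


def aci_targetattrs(aci):
    """Return the attribute names in an aci's targetattr clause (= or !=)."""
    m = re.search(r'\(\s*targetattr\s*!?=\s*"([^"]*)"\s*\)', aci, re.I)
    return [a.strip() for a in m.group(1).split("||") if a.strip()] if m else []


def audit(ldif, definitions):
    """Return (dn, attr) pairs whose targetattr name is missing from the schema."""
    known, findings, dn = schema_names(definitions), [], None
    for line in unfold(ldif).splitlines():
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            dn = value.strip()
        elif key.lower() == "aci":
            findings += [(dn, a) for a in aci_targetattrs(value)
                         if a != "*" and a.lower() not in known]
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_LDIF, SAMPLE_SCHEMA))
```

With the constructed schema lacking a "connection" definition, the audit reports that name for cn=monitor; adding a definition for it clears the finding.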