Bug 726466

Summary: HBAC rule evaluation does not support extended UTF-8 languages
Product: Red Hat Enterprise Linux 6
Reporter: Stephen Gallagher <sgallagh>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified
Priority: unspecified
Version: 6.1
CC: benl, grajaiya, jgalipea, jhrozek, prc
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.5.1-46.el6
Doc Type: Bug Fix
Doc Text:
Cause: The host based access control part of SSSD treated all its attributes as plain strings
Consequence: case-insensitive comparisons of attributes such as host group names would fail in case they contained UTF-8 characters
Fix: The SSSD host based access control provider utilizes libunistring for performing string comparisons where applicable
Result: SSSD is able to handle UTF-8 strings in host based access control rules
Last Closed: 2011-12-06 16:39:10 UTC
Bug Depends On: 726463
Bug Blocks: 760166

Description Stephen Gallagher 2011-07-28 17:45:24 UTC
Description of problem:
Hosts, hostgroups and other attributes of IPA HBAC rules may have names in non-English UTF-8 languages. We need to support comparisons against these rules.

Version-Release number of selected component (if applicable):
sssd-1.5.1-43.el6

How reproducible:
Every time

Steps to Reproduce:
Use extended UTF-8 characters in a hostname or hostgroup in IPA's LDAP.
  
Actual results:
Case-insensitive comparisons fail against UTF-8 characters.

Expected results:
UTF-8 should be handled correctly.

Additional info:

Comment 2 Gowrishankar Rajaiyan 2011-10-03 19:56:31 UTC
[root@bumblebee ~]# ipa hostgroup-find
-------------------
1 hostgroup matched
-------------------
  Host-group: ãœ
  Description: Ì
  Member hosts: mudflap.lab.eng.pnq.redhat.com
----------------------------
Number of entries returned 1
----------------------------


[root@bumblebee ~]# ipa hbacrule-show rule1
  Rule name: rule1
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source host groups: ãœ
  Services: sshd


[root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
shanks.eng.pnq.redhat.com's password: 
Last login: Mon Oct  3 14:06:09 2011 from mudflap.lab.eng.pnq.redhat.com


[root@bumblebee ~]# ipa hbacrule-disable rule1
--------------------------
Disabled HBAC rule "rule1"
--------------------------

[root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
shanks.eng.pnq.redhat.com's password: 
Connection closed by 10.65.201.64



[root@bumblebee ~]# ipa hbacrule-show ruleãœ
  Rule name: ruleãœ
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source host groups: ãœ
  Services: sshd

[root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
shanks.eng.pnq.redhat.com's password: 
Last login: Mon Oct  3 22:12:20 2011 from mudflap.lab.eng.pnq.redhat.com

[root@bumblebee ~]# ipa hbacrule-disable ruleãœ
---------------------------
Disabled HBAC rule "ruleãœ"
---------------------------

[root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
shanks.eng.pnq.redhat.com's password: 
Connection closed by 10.65.201.64


Verified.
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 53.el6                        Build Date: Fri 30 Sep 2011 10:08:08 AM EDT
Install Date: Mon 03 Oct 2011 08:28:17 AM EDT      Build Host: x86-005.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-53.el6.src.rpm
Size        : 3671137                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 3 Jakub Hrozek 2011-10-27 15:17:14 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: The host based access control part of SSSD treated all its attributes as plain strings
Consequence: case-insensitive comparisons of attributes such as host group names would fail in case they contained UTF-8 characters
Fix: The SSSD host based access control provider utilizes libunistring for performing string comparisons where applicable
Result: SSSD is able to handle UTF-8 strings in host based access control rules
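
The failure mode named in the technical note, modelled as an added example (not SSSD's code; Python's `unicodedata` stands in for libunistring): an ASCII-only caseless compare cannot match a host group name whose non-ASCII letters differ in case, so the rule silently stops applying. The host group name and the function names are constructed for illustration.

```python
import unicodedata

def ascii_case_eq(a, b):
    """ASCII-only caseless compare on the UTF-8 bytes: only A-Z are folded,
    so the bytes of non-ASCII letters must already be identical."""
    def fold(s):
        return bytes(c + 32 if 0x41 <= c <= 0x5A else c for c in s.encode("utf-8"))
    return fold(a) == fold(b)

def unicode_case_eq(a, b):
    """Unicode canonical caseless match: NFD(casefold(NFD(x))) on both sides,
    so case differences and composed/decomposed forms compare equal."""
    def fold(s):
        nfd = unicodedata.normalize("NFD", s)
        return unicodedata.normalize("NFD", nfd.casefold())
    return fold(a) == fold(b)

def rule_applies(rule, request, eq):
    """A rule applies only if user, service and at least one host group match
    under the supplied equality function (simplified model of HBAC matching)."""
    return (
        any(eq(request["user"], u) for u in rule["users"])
        and any(eq(request["service"], s) for s in rule["services"])
        and any(eq(g, rg) for g in request["host_groups"]
                for rg in rule["host_groups"])
    )

# Constructed sample data: user and service as in the bug's test session,
# host group name invented for the example.
RULE = {"users": ["shanks"], "services": ["sshd"],
        "host_groups": ["Büro-Server"]}
REQUEST = {"user": "SHANKS", "service": "sshd",
           "host_groups": ["BÜRO-SERVER"]}
# Same group name, but with "u" + combining diaeresis instead of "ü".
REQUEST_DECOMPOSED = dict(REQUEST, host_groups=["bu\u0308ro-server"])

if __name__ == "__main__":
    for label, eq in (("ascii-only", ascii_case_eq),
                      ("unicode-aware", unicode_case_eq)):
        print(label, rule_applies(RULE, REQUEST, eq),
              rule_applies(RULE, REQUEST_DECOMPOSED, eq))
```

The ASCII-only path still matches the user and service, which is why a rule set tested only with ASCII names gives no sign of the problem.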

Comment 4 errata-xmlrpc 2011-12-06 16:39:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html