Bug 788753

Summary: aci on cn=monitor warning about connection attribute
Product: Red Hat Enterprise Linux 6 Reporter: Rich Megginson <rmeggins>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: amsharma, jgalipea, mreynolds, nhosoi
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.2.10.0-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: do an anonymous search on cn=monitor, and request the "connection" attribute, which should be denied by the default aci Consequence: "connection" is returned Fix: Still process the aci even though the attribute is not in the schema Result: do not display "connection" if an aci denies access to it
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 07:14:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rich Megginson 2012-02-08 23:07:37 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/42

https://bugzilla.redhat.com/show_bug.cgi?id=705222

{{{
The aci on cn=monitor references an attribute named "connection" - the aci code
warns because this attribute is not in the schema.  The effect is that the aci
code ignores the aci.
}}}

Comment 1 Jenny Severance 2012-02-14 19:42:29 UTC
see upstream ticket for steps to verify

Comment 3 mreynolds 2012-05-11 20:23:32 UTC
This should be the expected results:

[1]  ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" connection
dn: cn=monitor

[2]  ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" aci
dn: cn=monitor

[3]  ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" version
dn: cn=monitor
version: 389-Directory/1.2.10.rc1.git0ac8d3a B2012.025.2145

Comment 4 Amita Sharma 2012-05-14 07:26:30 UTC
[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" connection
dn: cn=monitor

[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" aci
dn: cn=monitor

[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" version
dn: cn=monitor
version: 389-Directory/1.2.10.2 B2012.124.1435

[root@dhcp201-194 /]# 
1. -->> Why this one blank line appended in all the results??

Comment 5 Rich Megginson 2012-05-14 13:26:52 UTC
LDIF usually ends with a single blank line - in LDIF an empty line denotes the end of an entry or change record.

Comment 6 Noriko Hosoi 2012-05-16 01:13:55 UTC
Added a test case for trac42 (bug 788753)
--  --
M    acl/search.sh

Cleared the NEEDINFO flag.

Comment 7 Amita Sharma 2012-05-16 05:32:57 UTC
Marking the bug as VERIFIED.
[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b
"cn=monitor" connection
dn: cn=monitor

[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b
"cn=monitor" aci
dn: cn=monitor

[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b
"cn=monitor" version
dn: cn=monitor
version: 389-Directory/1.2.10.2 B2012.124.1435

Comment 8 mreynolds 2012-05-25 15:37:57 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: do an anonymous search on cn=monitor, and request the "connection" attribute, which should be denied by the default aci
Consequence: "connection" is returned
Fix: Still process the aci even though the attribute is not in the schema
Result: do not display "connection" if an aci denies access to it

Comment 9 errata-xmlrpc 2012-06-20 07:14:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0813.html