Bug 802675

Summary: Invalid syntax with get-effective-rights
Product: [Fedora] Fedora
Component: python-ldap
Version: 17
Status: CLOSED WORKSFORME
Severity: unspecified
Priority: unspecified
Keywords: Regression
Reporter: Martin Kosek <mkosek>
Assignee: Jeroen van Meeuwen <vanmeeuwen+fedora>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: vanmeeuwen+fedora
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-03-20 16:14:35 UTC

Description Martin Kosek 2012-03-13 09:17:40 UTC
Description of problem:
New python-ldap (python-ldap-2.4.6-2.fc17.x86_64) can no longer retrieve effective rights for an LDAP object. I get the following traceback when I try to retrieve effective rights:

Traceback (most recent call last):
  File "/home/mkosek/bin/testaci.py", line 19, in <module>
    conn.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['cn'])
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 552, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 546, in search_ext_s
    return self.result(msgid,all=1,timeout=timeout)[1]
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_SYNTAX: {'info': 'get-effective-rights: missing subject', 'desc': 'Invalid syntax'}

Error in dirsrv error log:
[13/Mar/2012:04:39:06 -0400] NSACLPlugin - get-effective-rights: missing subject
[13/Mar/2012:04:39:06 -0400] - Failed to get effective rights for entry (uid=admin,cn=users,           cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com), rc=21

Version-Release number of selected component (if applicable):
python-ldap-2.4.6-2.fc17.x86_64

How reproducible:

I have prepared a Python script to reproduce this issue:

./testaci.py:
#!/usr/bin/python
import ldap

HOST = "ldap://vm-068.idm.lab.bos.redhat.com"
USER_DN = "uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
USER_PWD = "ADMINPASSWORD"

conn = ldap.initialize(HOST)
conn.simple_bind_s(USER_DN, USER_PWD)

print "test search"
conn.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['cn'])

print "test search with effective rights control"
sctrl = [ldap.controls.LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, "dn: %s" % USER_DN)]
conn.set_option(ldap.OPT_SERVER_CONTROLS, sctrl)
conn.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['cn'])
conn.set_option(ldap.OPT_SERVER_CONTROLS, [])
conn.unbind_s()
print "TEST OK"


Steps to Reproduce:
1. Run the script against LDAP server
2. Check the result
  
Actual results:
Operation fails with an exception.

Expected results:
Operation succeeds as it did before the python-ldap upgrade (python-ldap-2.4.6-2.fc17.x86_64)


Comment 1 Jeroen van Meeuwen 2012-03-20 16:14:35 UTC
With additional debug information enabled:

test search with effective rights control
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7f0cd7584440> ldap://localhost - SimpleLDAPObject.set_option
((18, [('1.3.6.1.4.1.42.2.27.9.5.2', True, None)]), {})

Indeed python-ldap is sending None as the dn subject to search for.

Why not use GetEffectiveRightsControl from ldap.controls.simple?

I'm closing this ticket for now, as it seems to satisfy the requirement from my tests.
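
For server-side triage, the following added example (not part of the original report or of any project named in it) scans a dirsrv error log for the two-line pattern quoted in the description and lists each failed get-effective-rights request. It assumes the NSACLPlugin reason line directly precedes the "Failed to get effective rights" line with the same timestamp, as in the report; the function names and every sample line after the first pair are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first pair mirrors the two lines quoted in the report
# (including whitespace wrapped into the DN); the rest is invented for the demo.
SAMPLE_LOG = """\
[13/Mar/2012:04:39:06 -0400] NSACLPlugin - get-effective-rights: missing subject
[13/Mar/2012:04:39:06 -0400] - Failed to get effective rights for entry (uid=admin,cn=users,      cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com), rc=21
[13/Mar/2012:04:40:11 -0400] - unrelated constructed message
[13/Mar/2012:04:41:30 -0400] NSACLPlugin - get-effective-rights: missing subject
[13/Mar/2012:04:41:30 -0400] - Failed to get effective rights for entry (uid=jdoe,cn=users,cn=accounts,dc=example,dc=com), rc=21
"""

TS = r"\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"
REASON = re.compile(TS + r" NSACLPlugin - get-effective-rights: (?P<reason>.+)$")
FAILED = re.compile(
    TS + r" - Failed to get effective rights for entry \((?P<dn>.+)\), rc=(?P<rc>\d+)$")


def find_ger_failures(log_text):
    """Return one dict per failed get-effective-rights request in the log."""
    failures, pending = [], None  # pending: (timestamp, reason) of the last plugin line
    for line in log_text.splitlines():
        m = REASON.match(line)
        if m:
            pending = (m["ts"], m["reason"])
            continue
        m = FAILED.match(line)
        if m:
            # Attach the plugin's reason only if it was logged at the same timestamp.
            same = pending is not None and pending[0] == m["ts"]
            failures.append({
                "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "dn": re.sub(r",\s+", ",", m["dn"]),  # drop whitespace from wrapping
                "rc": int(m["rc"]),  # 21 = LDAP invalidAttributeSyntax
                "reason": pending[1] if same else None,
            })
        pending = None  # any other line breaks the pair
    return failures


def summarize(failures):
    """Count failures per (reason, result code) to spot a misbehaving client."""
    return Counter((f["reason"], f["rc"]) for f in failures)


if __name__ == "__main__":
    for f in find_ger_failures(SAMPLE_LOG):
        print(f["time"].isoformat(), f["rc"], f["reason"], f["dn"])
```

A steady count of ("missing subject", 21) points at a client that sends the control with an empty value, which is the condition Comment 1 identified.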