Bug 863415
| Summary: | Possible to add invalid attribute values to PAM PTA plugin configuration | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ján Rusnačko <jrusnack> |
| Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED DUPLICATE | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | jgalipea, nkinder, tbordaz |
| Target Milestone: | rc | | |
| Target Release: | 7.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Last Closed: | 2013-01-31 17:57:29 UTC | Type: | Bug |
Description
Ján Rusnačko
2012-10-05 12:33:05 UTC
QA Acked.

(In reply to comment #2)
> QA Acked.

Oops, sorry, by mistake added for this bug.

Upstream ticket:
https://fedorahosted.org/389/ticket/487

Hi Jan,

The test case expects a modify failure with the return code 21 (syntax error).
This is right the modify should fail but with a return code 53 (unwilling to perform). In fact, from a syntax point of view all the modify are valid but the semantic should be rejected by the server. So "unwilling to perform" seems the appropriate code.

Also this bug was discovered on 1.2.10 but fixed in 1.2.11 and later.

The bug being fixed on master, do we keep this bug open until the test case is fixed ?

best regards

(In reply to comment #8)
> Hi Jan,
>
> The test case expects a modify failure with the return code 21 (syntax
> error).
> This is right the modify should fail but with a return code 53 (unwilling
> to perform). In fact, from a syntax point of view all the modify are valid
> but the semantic should be rejected by the server. So "unwilling to perform"
> seems the appropriate code.
>
> Also this bug was discovered on 1.2.10 but fixed in 1.2.11 and later.

It was fixed in 1.2.11? I don't see that in https://fedorahosted.org/389/ticket/487

>
> The bug being fixed on master, do we keep this bug open until the test
> case is fixed ?
>
> best regards

(In reply to comment #9)
> It was fixed in 1.2.11? I don't see that in
> https://fedorahosted.org/389/ticket/487
>

Proper configuration validation was added as a part of the multiple PAM Pass-through config enhancement in this upstream ticket:

https://fedorahosted.org/389/ticket/181

(In reply to comment #8)
> Hi Jan,
>
> The test case expects a modify failure with the return code 21 (syntax
> error).
> This is right the modify should fail but with a return code 53 (unwilling
> to perform). In fact, from a syntax point of view all the modify are valid
> but the semantic should be rejected by the server. So "unwilling to perform"
> seems the appropriate code.
>
> Also this bug was discovered on 1.2.10 but fixed in 1.2.11 and later.
>
> The bug being fixed on master, do we keep this bug open until the test
> case is fixed ?
>
> best regards

Hi Thierry,

thank you for the fix and explanation. I have fixed testcase for this in trunk.

I tried to verify this on RHEL64 with 389-ds-base-1.2.11.13-1.el6.x86_64 from latest-RHEL6.4-DSRV-9.0 repo, but fix is not there. Can you please check again to which version was this fix added ?

Thanks,
Jan

Hi Jan,

I verified the original bug on RHEL 64 and 1.2.11.15-11. The bug is fixed in 1.2.11.15-11.

[thierry@rhel-63-1 /]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 Beta (Santiago)
[thierry@rhel-63-1 /]$ rpm -qa |grep 389
389-ds-console-1.2.6-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.11.15-11.el6.x86_64
389-ds-base-libs-1.2.11.15-11.el6.x86_64
389-dsgw-1.1.9-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-adminutil-1.1.15-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-admin-1.1.29-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
[thierry@rhel-63-1 /]$ ldapmodify -h localhost -p 10478 -D "cn=directory manager" -w secret12
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamMissingSuffix
pamMissingSuffix: invalid

modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
	additional info: Error: valid values for pamMissingSuffix are PAMPT_MISSING_SUFFIX_ERROR, PAMPT_MISSING_SUFFIX_ALLOW, PAMPT_MISSING_SUFFIX_IGNORE

You mentioned you tested (unsuccessfully) on 1.2.11.13.el6. I am surprised because so far I was thinking that the bug fix which fixed this issue (https://bugzilla.redhat.com/show_bug.cgi?id=746642) was introduced in 1.2.11.12

I do not know how to install 1.2.11.13.el6 on top of RHEL6.4 as 'yum install 389-ds' installed 1.2.11.15-11

best regards

Hi Thierry,
this is what it looks like on my machine (actually, on both that I checked):
[jrusnack@dstet ~]$ rpm -qa 389*
389-ds-base-1.2.11.15-11.el6.x86_64
389-ds-base-libs-1.2.11.15-11.el6.x86_64
[jrusnack@dstet ~]$ service dirsrv status
dirsrv dstet (pid 2780) is running...
[jrusnack@dstet ~]$
[jrusnack@dstet ~]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> changetype: modify
> replace: pamMissingSuffix
> pamMissingSuffix: invalid
> EOF
modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"
[jrusnack@dstet ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 Beta (Santiago)
Reinstall didn't help. I will investigate further.
1.2.11.13.el6 is from latest-RHEL6.4-DSRV-9.0 repo, which IIRC is supposed to be closer to main RHEL 6.4 devel branch than official one.
Ok, got it. Since the plugin was disabled, error messages were correctly logged to error log.

[31/Jan/2013:05:45:18 -0500] - 389-Directory/1.2.11.15 B2013.021.196 starting up
[31/Jan/2013:05:45:18 -0500] pam_passthru-plugin - Error: valid values for pamMissingSuffix are PAMPT_MISSING_SUFFIX_ERROR, PAMPT_MISSING_SUFFIX_ALLOW, PAMPT_MISSING_SUFFIX_IGNORE
[31/Jan/2013:05:45:19 -0500] pam_passthru-plugin - pam_passthru_load_config: skipping invalid config entry "cn=pam pass through auth,cn=plugins,cn=config"

[jrusnack@dstet ~]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamMissingSuffix
pamMissingSuffix: invalid
EOF
modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
	additional info: Error: valid values for pamMissingSuffix are PAMPT_MISSING_SUFFIX_ERROR, PAMPT_MISSING_SUFFIX_ALLOW, PAMPT_MISSING_SUFFIX_IGNORE

[jrusnack@dstet ~]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamIDMapMethod
pamIDMapMethod: invalid
EOF
modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
	additional info: The map method in the string [invalid] is invalid: must be one of DN or RDN or ENTRY
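
The error-log lines quoted in the last comment can be checked for mechanically. The following is an added example, not part of the original bug report or of 389-ds-base: a Python scan of an errors log that reports each PAM PTA config entry the plugin skipped at load time, together with the validation messages logged just before it. The function and variable names are hypothetical, and the sample log text is copied from the comment above.

```python
import re

# Sample errors-log lines, copied from the last comment on this page.
SAMPLE_LOG = """\
[31/Jan/2013:05:45:18 -0500] - 389-Directory/1.2.11.15 B2013.021.196 starting up
[31/Jan/2013:05:45:18 -0500] pam_passthru-plugin - Error: valid values for pamMissingSuffix are PAMPT_MISSING_SUFFIX_ERROR, PAMPT_MISSING_SUFFIX_ALLOW, PAMPT_MISSING_SUFFIX_IGNORE
[31/Jan/2013:05:45:19 -0500] pam_passthru-plugin - pam_passthru_load_config: skipping invalid config entry "cn=pam pass through auth,cn=plugins,cn=config"
"""

# Only lines written by the pam_passthru plugin are of interest.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+pam_passthru-plugin\s+-\s+(?P<msg>.*)$')
SKIP_RE = re.compile(r'pam_passthru_load_config: skipping invalid config entry "(?P<dn>[^"]+)"')
VALID_RE = re.compile(r'valid values for (?P<attr>\w+) are (?P<vals>.+)$')


def find_skipped_pam_pta_config(log_text):
    """Return one finding per skipped config entry.

    Plugin messages seen since the previous skip line are attached as the
    reasons (assumption: the plugin logs the validation error before the
    "skipping" line, as in the sample).
    """
    findings, pending = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        skip = SKIP_RE.search(msg)
        if not skip:
            pending.append(msg[len("Error: "):] if msg.startswith("Error: ") else msg)
            continue
        allowed = {}
        for reason in pending:
            v = VALID_RE.search(reason)
            if v:
                allowed[v.group("attr")] = [s.strip() for s in v.group("vals").split(",")]
        findings.append({"time": m.group("ts"), "dn": skip.group("dn"),
                         "reasons": pending, "allowed": allowed})
        pending = []
    return findings


if __name__ == "__main__":
    for f in find_skipped_pam_pta_config(SAMPLE_LOG):
        print(f["time"], f["dn"], f["allowed"])
```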