Bug 893986

Summary: Multivalued rootdn-days-allowed in RootDN Access Control plugin always results in access control violation
Product: Red Hat Enterprise Linux 7
Reporter: Ján Rusnačko <jrusnack>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Sankar Ramalingam <sramling>
Severity: unspecified
Docs Contact:
Priority: high
Version: 7.0
CC: amsharma, arubin, jgalipea, mreynolds, nhosoi, nkinder, vashirov
Target Milestone: rc
Target Release: 7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 389-ds-base-1.3.1.2-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: Adding multiple rootdn-days-allowed attributes to the root DN access control plugin.
Consequence: Access is always denied, regardless of the day.
Fix: Update schema definitions to properly set the expected syntax.
Result: The root DN access plugin enforces proper configuration.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 09:52:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ján Rusnačko 2013-01-10 13:01:02 UTC
Description of problem:
The RootDN Access Control plugin allows configuring additional restrictions for the root account. The attribute rootdn-days-allowed specifies on which days the RootDN is allowed to bind. However, if rootdn-days-allowed has multiple values, root can never bind: the attempt will always fail with an access control violation.

Steps to Reproduce:

[jrusnack@rhel-63-ds ~]$ ldapsearch -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
version: 1

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Root DN Access Control
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Root DN Access Control plugin
rootdn-open-time: 0800
rootdn-close-time: 1800
rootdn-days-allowed: Sat, Wed
rootdn-days-allowed: Mon, Thu

[jrusnack@rhel-63-ds ~]$ /usr/lib64/dirsrv/slapd-dstet/restart-slapd 
[jrusnack@rhel-63-ds ~]$ ldapsearch -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
ldap_bind: Server is unwilling to perform (53)
	additional info: RootDN access control violation
[jrusnack@rhel-63-ds ~]$ date
Thu Jan 10 12:09:47 EST 2013

[jrusnack@rhel-63-ds ~]$ rpm -qa 389*
389-ds-base-libs-1.2.11.15-9.el6.x86_64
389-ds-base-1.2.11.15-9.el6.x86_64

Comment 2 mreynolds 2013-01-10 15:00:17 UTC
Created ticket:

https://fedorahosted.org/389/ticket/551

Comment 3 mreynolds 2013-01-10 21:01:00 UTC
Committed upstream to 1.3.1

commit hash: 4569c95e91282a57b4b4a0a27f783cbea7bb0f59

Comment 5 Rich Megginson 2013-10-01 23:26:05 UTC
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata).  When the errata is created, the bugs should be automatically moved back to ON_QA.

Comment 7 Amita Sharma 2013-11-07 09:26:26 UTC
dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Root DN Access Control
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Root DN Access Control plugin
rootdn-open-time: 0800
rootdn-close-time: 1800
rootdn-days-allowed: Sat, Wed
rootdn-days-allowed: Mon, Thu

/usr/lib64/dirsrv/slapd-dhcp201-149/start-slapd
Nov 07 14:23:32 dhcp201-149.englab.pnq.redhat.com ns-slapd[31921]: [07/Nov/2013:14:23:32 +051800] - Entry "cn=RootDN Access Control,cn=plugins,cn=config" single-valued attribute "rootdn-days-allowed" has multiple values
Nov 07 14:23:32 dhcp201-149.englab.pnq.redhat.com ns-slapd[31921]: [07/Nov/2013:14:23:32 +051800] dse - Could not load config file [dse.ldif]
Nov 07 14:23:32 dhcp201-149.englab.pnq.redhat.com ns-slapd[31921]: [07/Nov/2013:14:23:32 +051800] dse - Please edit the file to correct the reported problems and then restart the server.

================================================================================
dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: RootDN Access Control
nsslapd-pluginVersion: 1.3.1.6
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: RootDN Access Control plugin
rootdn-open-time: 0800
rootdn-close-time: 1800
rootdn-days-allowed: Sat, Wed, Mon, Thu

[root@dhcp201-149 yum.repos.d]# /usr/lib64/dirsrv/slapd-dhcp201-149/start-slapd 

Instance started successfully. Hence Verified.

Comment 8 Amita Sharma 2014-01-31 06:30:18 UTC
rootdn-days-allowed: Sat, Wed, Mon, Thu

[root@dhcp201-149 ~]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
ldap_bind: Server is unwilling to perform (53)
	additional info: RootDN access control violation
[root@dhcp201-149 ~]# date
Fri Jan 31 11:37:34 IST 2014

=========================================================================

[root@dhcp201-149 ~]# vim /etc/dirsrv/slapd-dhcp201-149/dse.ldif
[root@dhcp201-149 ~]# /usr/lib64/dirsrv/slapd-dhcp201-149/start-slapd 
[root@dhcp201-149 ~]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
version: 1

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: rootDNPluginConfig
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: RootDN Access Control
nsslapd-pluginVersion: 1.3.1.6
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: RootDN Access Control plugin
rootdn-open-time: 0800
rootdn-close-time: 1800
rootdn-days-allowed: Sat, Wed, Mon, Fri

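An added check script, written for this page and not part of the bug report or of 389-ds-base, that models what the description and Comments 7 and 8 show: rootdn-days-allowed is a single-valued attribute holding one comma-separated list of days, an entry carrying it twice is a misconfiguration (the post-fix server refuses to start on it, the pre-fix server denied every bind), and a root bind is accepted only on a listed day inside the rootdn-open-time/rootdn-close-time window. The LDIF text is constructed from the entries quoted in this bug; the tiny LDIF reader, the HHMM parsing, the inclusive-open/exclusive-close boundary and the case-insensitive day matching are this script's own assumptions, not the plugin's documented behaviour.

```python
"""Validate a RootDN Access Control entry and evaluate a root bind against it.

Added example for bug 893986; approximates the plugin's checks, it is not its code.
"""
from datetime import datetime

# Constructed LDIF: the entry from the bug description, with the days split
# across two attribute values (the misconfiguration that triggered the bug).
BROKEN_ENTRY = """\
dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginEnabled: on
rootdn-open-time: 0800
rootdn-close-time: 1800
rootdn-days-allowed: Sat, Wed
rootdn-days-allowed: Mon, Thu
"""

# Constructed LDIF: the same entry with one comma-separated value, as in Comment 7.
FIXED_ENTRY = BROKEN_ENTRY.replace(
    "rootdn-days-allowed: Sat, Wed\nrootdn-days-allowed: Mon, Thu\n",
    "rootdn-days-allowed: Sat, Wed, Mon, Thu\n",
)

DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # datetime.weekday() order
SINGLE_VALUED = ("rootdn-open-time", "rootdn-close-time", "rootdn-days-allowed")


def parse_entry(ldif: str) -> dict:
    """Minimal one-entry LDIF reader: 'attr: value' lines, values kept in order.
    Attribute names are lower-cased because LDAP attribute types are case-insensitive."""
    attrs = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_hhmm(value: str) -> int:
    """Turn an HHMM string such as '0800' into minutes since midnight."""
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"time must be HHMM, got {value!r}")
    hours, minutes = int(value[:2]), int(value[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"time out of range: {value!r}")
    return hours * 60 + minutes


def config_problems(attrs: dict) -> list:
    """Return human-readable problems; an empty list means the entry is usable.
    The multi-value check is the one the post-fix server performs at startup."""
    problems = []
    for name in SINGLE_VALUED:
        values = attrs.get(name, [])
        if len(values) > 1:
            problems.append(f"{name} has {len(values)} values but is single-valued; "
                            f"use one comma-separated value")
    for name in ("rootdn-open-time", "rootdn-close-time"):
        for value in attrs.get(name, []):
            try:
                parse_hhmm(value)
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
    for value in attrs.get("rootdn-days-allowed", []):
        for day in value.split(","):
            if day.strip().capitalize() not in DAY_NAMES:
                problems.append(f"rootdn-days-allowed: unknown day {day.strip()!r}")
    return problems


def bind_allowed(attrs: dict, when) -> tuple:
    """Decide whether a root DN bind at `when` (datetime or ISO 8601 string)
    passes the day and time window. Fails closed on a bad entry, matching the
    'always denied' behaviour reported for the multi-valued case. Open-inclusive,
    close-exclusive boundaries and case-insensitive days are assumptions."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    problems = config_problems(attrs)
    if problems:
        return False, "; ".join(problems)
    days = attrs.get("rootdn-days-allowed")
    if days:
        allowed = {d.strip().capitalize() for d in days[0].split(",")}
        if DAY_NAMES[when.weekday()] not in allowed:
            return False, f"{DAY_NAMES[when.weekday()]} not in rootdn-days-allowed"
    open_at, close_at = attrs.get("rootdn-open-time"), attrs.get("rootdn-close-time")
    if open_at and close_at:
        now = when.hour * 60 + when.minute
        if not parse_hhmm(open_at[0]) <= now < parse_hhmm(close_at[0]):
            return False, f"{when:%H%M} outside {open_at[0]}-{close_at[0]}"
    return True, "allowed"


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_ENTRY), ("fixed", FIXED_ENTRY)):
        entry = parse_entry(text)
        print(label, config_problems(entry) or "ok",
              bind_allowed(entry, "2013-01-10T12:09:47"))
```

Run it with python3 and it reports the broken entry's duplicate attribute (the same condition the Comment 7 startup log flags) and, for the fixed entry, accepts the Thursday 12:09 bind from the description while rejecting the Friday bind from Comment 8. The script fails closed: any configuration problem yields a denial rather than a permissive default.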
Comment 10 Ludek Smid 2014-06-13 09:52:40 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.