Bug 951754 - Self entry access ACI not working properly

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Component | 389-ds-base |
| Version | 7.1 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Thang Nguyen <thang> |
| Assignee | Rich Megginson <rmeggins> |
| QA Contact | Viktor Ashirov <vashirov> |
| CC | nhosoi, nkinder, rmeggins, tbordaz |
| Target Milestone | rc |
| Target Release | 7.1 |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | 389-ds-base-1.3.3.1-1.el7 |
| Doc Type | Bug Fix |
| Type | Bug |
| Clones | 1008021 (view as bug list) |
| Bug Blocks | 1008021 |
| Last Closed | 2015-03-05 09:30:28 UTC |
Description
Thang Nguyen
2013-04-13 01:46:27 UTC

In your example, you are searching for "uid=user1" under "ou=people,dc=localdomain", but no such entry exists. The entry beneath "ou=people,dc=localdomain" has "uid=thang", so your search filter will never match that entry. The ACI debugging shows that you are properly denied "search" access to "uid=user1,ou=unix_users,dc=localdomain" since you are bound as a different user.

Hi Nathan,

Sorry... I had a typo. The uid on both records has the same value, "uid=user1". You can reproduce by creating two records in separate OUs with the same value for "uid". Then create the ACI:

aci: (targetattr="*")(version 3.0; acl "Allow self entry access"; allow (read,search,compare) userdn = "ldap:///self";)

Then you can do a self search for the "uid=<value>" from both DNs you just added. When you bind as the first DN you added, you will get back the record. If you bind as the second DN you added, you will not get back anything.

Thanks for looking into this.

Regards,
--thang

Upstream ticket: https://fedorahosted.org/389/ticket/47331

Hi Nathan,

Is it possible that you put this fix in the 389-ds-base package on Red Hat Enterprise Linux 6?

(In reply to Thang Nguyen from comment #4)
> Hi Nathan,
>
> Is it possible that you put this fix in the 389-ds-base package on Red Hat
> Enterprise Linux 6?

This is not currently targeted for inclusion in RHEL6. We can certainly consider it for a future RHEL 6 update.

Thanks Nathan. Please highly consider adding this fix to the new release of the 389-ds-base package in RHEL 6. This feature is very important in our environment. Can you please let me know the ETA to have this available in RHEL 6? I just want to let our users who are affected by this bug know. Thank you.

Regards,
--thang

(In reply to Thang Nguyen from comment #6)
> Thanks Nathan. Please highly consider adding this fix to the new release of
> 389-ds-base package in RHEL 6. This feature is very important in our
> environment. Can you please let me know the ETA to have this available in
> RHEL 6? I just want to let our users who affected by this bug know. Thank
> you.
>
> Regards,
>
> --thang

I don't have an exact ETA, but it would still be quite a ways out. If you want this to be prioritized, you should open up a Red Hat support ticket against Red Hat Directory Server (if you have a support contract). For continued discussion about fixing this in RHEL6, please update the RHEL6 specific cloned bug I made for this issue (bug 1008021).

Thanks Nathan.

Self entry ACI is working fine. Every user is able to see their own information. I followed these steps to verify the bugzilla.

Added a suffix with the self entry search ACI:

aci: (targetattr="*")(version 3.0; acl "Allow self entry access"; allow (read,search,compare) userdn = "ldap:///self";)

Added 4 users:

dn: uid=newaciusr1,ou=People,dc=testaci,dc=com
dn: uid=testaciusr1,ou=Groups,dc=testaci,dc=com
dn: uid=testaciusr1,ou=People,dc=testaci,dc=com
dn: uid=testaciusr1,ou=Public,dc=testaci,dc=com

[root@vm-idm-042 MMR_WINSYNC]# ldapsearch -x -p 1989 -h localhost -D "uid=testaciusr1,ou=public,dc=testaci,dc=com" -w Secret123 -b "dc=testaci,dc=com"
dn: uid=testaciusr1,ou=Public,dc=testaci,dc=com
telephoneNumber: 989898191
mail: testaciusr1
uid: testaciusr1
givenName: testaciusr1
objectClass: top

[root@vm-idm-042 MMR_WINSYNC]# ldapsearch -x -p 1989 -h localhost -D "uid=newaciusr1,ou=people,dc=testaci,dc=com" -w Secret123 -b "ou=people,dc=testaci,dc=com"
dn: uid=newaciusr1,ou=People,dc=testaci,dc=com
telephoneNumber: 989898191
mail: newaciusr1
uid: newaciusr1
givenName: newaciusr1

[root@vm-idm-042 MMR_WINSYNC]# ldapsearch -x -p 1989 -h localhost -D "uid=testaciusr1,ou=groups,dc=testaci,dc=com" -w Secret123 -b "dc=testaci,dc=com"
dn: uid=testaciusr1,ou=Groups,dc=testaci,dc=com
telephoneNumber: 989898191
mail: testaciusr1
uid: testaciusr1
givenName: testaciusr1
objectClass: top
objectClass: person

Marking the bug as verified based on the search results.

Thierry and Noriko both worked on this bug.

Thanks for your answer. It's perfect.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html
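The reproduction in the reporter's comment and the QA verification above both come down to one property: with only a `userdn = "ldap:///self"` ACI in place, a bound user must see exactly its own entry, even when several entries share the same `uid` RDN under different OUs. The following is an added example, not 389-ds-base code and not taken from this bug, that models that check over an in-memory directory and runs the same bind-and-search procedure the QA comment shows. The directory contents, the `search`/`verify_self_entry_access` helpers and the simplified DN normalization (no escaped commas, no multi-valued RDNs) are assumptions of this example; the page does not describe the server-side root cause, and this code makes no claim about it.

```python
"""Added example: evaluating a self-entry ACI over an in-memory directory.

Models the verification from the bug: four entries, three of them sharing
the RDN uid=testaciusr1 under different OUs, one ACI
  (targetattr="*")(version 3.0; acl "Allow self entry access";
   allow (read,search,compare) userdn = "ldap:///self";)
and each user binding and searching. This is illustrative code, not the
389-ds-base implementation.
"""
from typing import Dict, List

# Constructed sample data mirroring the DNs used in the verification comment.
# Attribute names are stored lower-cased; values are kept as given.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=newaciusr1,ou=People,dc=testaci,dc=com":
        {"uid": ["newaciusr1"], "mail": ["newaciusr1"], "objectclass": ["top", "person"]},
    "uid=testaciusr1,ou=Groups,dc=testaci,dc=com":
        {"uid": ["testaciusr1"], "mail": ["testaciusr1"], "objectclass": ["top", "person"]},
    "uid=testaciusr1,ou=People,dc=testaci,dc=com":
        {"uid": ["testaciusr1"], "mail": ["testaciusr1"], "objectclass": ["top", "person"]},
    "uid=testaciusr1,ou=Public,dc=testaci,dc=com":
        {"uid": ["testaciusr1"], "mail": ["testaciusr1"], "objectclass": ["top", "person"]},
}


def normalize_dn(dn: str) -> str:
    """Case-fold attribute types and values and trim whitespace per RDN.

    Simplification (assumption of this example): no escaped commas and no
    multi-valued RDNs, so splitting on ',' is safe.
    """
    parts = []
    for comp in dn.split(","):
        typ, _, val = comp.partition("=")
        parts.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)


def in_scope(entry_dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry is the base itself or lies beneath it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def self_aci_allows(bind_dn: str, entry_dn: str) -> bool:
    """userdn = "ldap:///self" grants access only to the bound user's own entry.

    The comparison is on the full normalized DN. That is what keeps
    uid=testaciusr1,ou=People and uid=testaciusr1,ou=Public apart; any check
    keyed on the RDN or the uid value alone could not distinguish them.
    """
    return normalize_dn(bind_dn) == normalize_dn(entry_dn)


def matches_filter(attrs: Dict[str, List[str]], filt: str) -> bool:
    """Minimal equality/presence filter: '(attr=value)' or '(attr=*)'."""
    attr, _, val = filt.strip()[1:-1].partition("=")
    values = [v.lower() for v in attrs.get(attr.strip().lower(), [])]
    return bool(values) if val == "*" else val.lower() in values


def search(bind_dn: str, base_dn: str, filt: str = "(objectClass=*)") -> List[str]:
    """DNs the bound user can see: in scope, ACI-permitted, matching the filter.

    Entries the ACI denies are silently omitted, as an LDAP server does: the
    client gets fewer results, not an error. This is why the reporter saw an
    empty result rather than a failure when binding as the second DN.
    """
    return [
        dn for dn, attrs in DIRECTORY.items()
        if in_scope(dn, base_dn)
        and self_aci_allows(bind_dn, dn)
        and matches_filter(attrs, filt)
    ]


def verify_self_entry_access(base_dn: str = "dc=testaci,dc=com") -> Dict[str, List[str]]:
    """Bind as every entry in turn and record what a subtree search returns."""
    return {bind_dn: search(bind_dn, base_dn) for bind_dn in DIRECTORY}


def all_users_see_only_self(results: Dict[str, List[str]]) -> bool:
    """Pass condition: each bind yields exactly one DN, and it is the bind DN."""
    return all(
        len(seen) == 1 and normalize_dn(seen[0]) == normalize_dn(bind_dn)
        for bind_dn, seen in results.items()
    )


if __name__ == "__main__":
    for bind_dn, seen in verify_self_entry_access().items():
        print(f"{bind_dn} -> {seen}")
    print("OK" if all_users_see_only_self(verify_self_entry_access()) else "FAIL")
```

The `verify_self_entry_access` loop is the automated form of the three `ldapsearch` calls in the verification comment: it fails as soon as any bind returns an empty list (the symptom reported) or more than one DN (a self check that ignores the OU and leaks a same-uid neighbour).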