Bug 1034265 - 7-bit check plugin not checking MODRDN operation
Summary: 7-bit check plugin not checking MODRDN operation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
Depends On:
Blocks: 1048980 1061410
 
Reported: 2013-11-25 14:09 UTC by Ján Rusnačko
Modified: 2014-10-14 07:52 UTC (History)

Fixed In Version: 389-ds-base-1.2.11.15-34.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1048980 (view as bug list)
Environment:
Last Closed: 2014-10-14 07:52:30 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1385 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2014-10-14 01:27:42 UTC

Description Ján Rusnačko 2013-11-25 14:09:31 UTC
Description of problem:
The 7-bit check plugin should deny all operations that would change a tracked attribute to a value that is not 7-bit clean. However, the MODRDN operation is not checked, which allows us to change the tracked attribute to a value that would normally be refused.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-29.el6.x86_64

How reproducible:
always

Steps to Reproduce:
ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: uid=tuser,ou=people,dc=example,dc=com
objectclass: person
objectclass: inetOrgPerson
objectclass: top
cn: tuser
sn: tuser
uid: tuser
EOF

ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=7-bit check,cn=plugins,cn=config 
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF

sudo service dirsrv restart

ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 <<EOF
dn: uid=tuser,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: uid=tuseršľčť
deleteoldrdn: true
EOF


ldapsearch -h $HOST -p $PORT -LLL -D "cn=directory manager" -w Secret123 -b "uid=tuseršľčť,ou=people,dc=example,dc=com"
dn:: dWlkPXR1c2VyxaHEvsSNxaUsb3U9UGVvcGxlLGRjPWV4YW1wbGUsZGM9Y29t
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
cn: tuser
sn: tuser
uid:: dHVzZXLFocS+xI3FpQ==

ldapsearch -h $HOST -p $PORT -LLL -D "cn=directory manager" -w Secret123 -b "cn=7-bit check,cn=plugins,cn=config "
dn: cn=7-bit check,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: 7-bit check
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NS7bitAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: uid
nsslapd-pluginarg1: mail
nsslapd-pluginarg2: userpassword
nsslapd-pluginarg3: ,
nsslapd-pluginarg4: dc=example,dc=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NS7bitAttr
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce  7-bit clean attribute values


Actual results:
The uid attribute contains a value which is not 7-bit clean. The uid attribute is tracked by the 7-bit check plugin.
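
Added example (not part of the original report and not 389-ds-base code): an audit script that scans LDIF output for tracked attributes whose values are not 7-bit clean, to find entries that were renamed while MODRDN was unchecked, plus the equivalent check on a MODRDN newrdn. The function names are hypothetical; it assumes unfolded LDIF (no continuation lines), entries inside the plugin's configured subtree, and no escaped "+" in the RDN.

```python
import base64

# Tracked attributes, as listed in nsslapd-pluginarg0..2 of the plugin entry in the report.
TRACKED = {"uid", "mail", "userpassword"}

def is_7bit_clean(value: bytes) -> bool:
    """True when no byte of the value has the high bit set."""
    return all(b < 0x80 for b in value)

def parse_ldif_line(line):
    """Split one LDIF line into (attr, raw bytes); 'attr:: x' carries base64."""
    attr, sep, rest = line.partition(":")
    if not sep or line.startswith("#"):
        return None
    if rest.startswith(":"):
        return attr.strip().lower(), base64.b64decode(rest[1:].strip())
    return attr.strip().lower(), rest.strip().encode("utf-8")

def audit_ldif(text, tracked=TRACKED):
    """Return (dn, attr, value) for each tracked value that is not 7-bit clean."""
    findings, dn = [], None
    for line in text.splitlines():
        parsed = parse_ldif_line(line) if line.strip() else None
        if parsed is None:
            continue
        attr, value = parsed
        if attr == "dn":
            dn = value.decode("utf-8", "replace")
        elif attr in tracked and not is_7bit_clean(value):
            findings.append((dn, attr, value.decode("utf-8", "replace")))
    return findings

def newrdn_violations(newrdn, tracked=TRACKED):
    """Tracked attribute types in a MODRDN newrdn whose value is not 7-bit clean."""
    bad = []
    for ava in newrdn.split("+"):  # multi-valued RDN; escaped '+' is not handled
        attr, _, value = ava.partition("=")
        if attr.strip().lower() in tracked and not is_7bit_clean(value.encode("utf-8")):
            bad.append(attr.strip().lower())
    return bad

# Excerpt of the ldapsearch output quoted in the report.
SAMPLE = """\
dn:: dWlkPXR1c2VyxaHEvsSNxaUsb3U9UGVvcGxlLGRjPWV4YW1wbGUsZGM9Y29t
cn: tuser
sn: tuser
uid:: dHVzZXLFocS+xI3FpQ==
"""
```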

Comment 2 Nathan Kinder 2013-12-18 17:23:48 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/47641

Comment 3 mreynolds 2014-01-23 20:00:40 UTC
Fixed upstream

Comment 7 errata-xmlrpc 2014-10-14 07:52:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1385.html

