Bug 1034265 - 7-bit check plugin not checking MODRDN operation
Summary: 7-bit check plugin not checking MODRDN operation
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
Depends On:
Blocks: 1048980 1061410
TreeView+ depends on / blocked
Reported: 2013-11-25 14:09 UTC by Ján Rusnačko
Modified: 2020-09-13 20:53 UTC (History)
4 users (show)

Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1048980 (view as bug list)
Last Closed: 2014-10-14 07:52:30 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 978 0 None None None 2020-09-13 20:53:25 UTC
Red Hat Product Errata RHBA-2014:1385 0 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2014-10-14 01:27:42 UTC

Description Ján Rusnačko 2013-11-25 14:09:31 UTC
Description of problem:
7-bit check plugin should deny all operations, that would change tracked attribute to value that is not 7-bit clean. However, MODRDN operation is not checked, which allows us to change the tracked attribute to value, that would normally be refused.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: uid=tuser,ou=people,dc=example,dc=com
objectclass: person
objectclass: inetOrgPerson
objectclass: top
cn: tuser
sn: tuser
uid: tuser

ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=7-bit check,cn=plugins,cn=config 
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

sudo service dirsrv restart

ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 <<EOF
dn: uid=tuser,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: uid=tuseršľčť
deleteoldrdn: true

ldapsearch -h $HOST -p $PORT -LLL -D "cn=directory manager" -w Secret123 -b "uid=tuseršľčť,ou=people,dc=example,dc=com"
dn:: dWlkPXR1c2VyxaHEvsSNxaUsb3U9UGVvcGxlLGRjPWV4YW1wbGUsZGM9Y29t
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
cn: tuser
sn: tuser
uid:: dHVzZXLFocS+xI3FpQ==

ldapsearch -h $HOST -p $PORT -LLL -D "cn=directory manager" -w Secret123 -b "cn=7-bit check,cn=plugins,cn=config "
dn: cn=7-bit check,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: 7-bit check
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NS7bitAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: uid
nsslapd-pluginarg1: mail
nsslapd-pluginarg2: userpassword
nsslapd-pluginarg3: ,
nsslapd-pluginarg4: dc=example,dc=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NS7bitAttr
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce  7-bit clean attribute values

Actual results:
Uid attribute contains value which is not 7-bit clean. Uid attribute is tracked by 7-bit check plugin.

Comment 2 Nathan Kinder 2013-12-18 17:23:48 UTC
Upstream ticket:

Comment 3 mreynolds 2014-01-23 20:00:40 UTC
Fixed upstream

Comment 7 errata-xmlrpc 2014-10-14 07:52:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.