Description of problem:
The 7-bit check plugin should deny all operations that would change a tracked attribute to a value that is not 7-bit clean. However, the MODRDN operation is not checked, which allows us to change the tracked attribute to a value that would normally be refused.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-29.el6.x86_64

How reproducible:
always

Steps to Reproduce:
ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: uid=tuser,ou=people,dc=example,dc=com
objectclass: person
objectclass: inetOrgPerson
objectclass: top
cn: tuser
sn: tuser
uid: tuser
EOF

ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=7-bit check,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF

sudo service dirsrv restart

ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w Secret123 <<EOF
dn: uid=tuser,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: uid=tuseršľčť
deleteoldrdn: true
EOF

ldapsearch -h $HOST -p $PORT -LLL -D "cn=directory manager" -w Secret123 -b "uid=tuseršľčť,ou=people,dc=example,dc=com"
dn:: dWlkPXR1c2VyxaHEvsSNxaUsb3U9UGVvcGxlLGRjPWV4YW1wbGUsZGM9Y29t
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
cn: tuser
sn: tuser
uid:: dHVzZXLFocS+xI3FpQ==

ldapsearch -h $HOST -p $PORT -LLL -D "cn=directory manager" -w Secret123 -b "cn=7-bit check,cn=plugins,cn=config "
dn: cn=7-bit check,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: 7-bit check
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NS7bitAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: uid
nsslapd-pluginarg1: mail
nsslapd-pluginarg2: userpassword
nsslapd-pluginarg3: ,
nsslapd-pluginarg4: dc=example,dc=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NS7bitAttr
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce 7-bit clean attribute values

Actual results:
The uid attribute contains a value which is not 7-bit clean. The uid attribute is tracked by the 7-bit check plugin.
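
An added example, not part of the original report and not 389 Directory Server code: an audit over ldapsearch -LLL output that lists entries whose tracked attributes already hold values that are not 7-bit clean, such as those a MODRDN could have introduced. The function names are hypothetical; the tracked attribute list and the sample LDIF are taken from the report above.

```python
import base64

# Tracked attributes, from nsslapd-pluginarg0..2 in the report's plugin entry.
TRACKED = {"uid", "mail", "userpassword"}

# Sample input: the ldapsearch -LLL output quoted in the report.
SAMPLE_LDIF = """\
dn:: dWlkPXR1c2VyxaHEvsSNxaUsb3U9UGVvcGxlLGRjPWV4YW1wbGUsZGM9Y29t
objectClass: person
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
cn: tuser
sn: tuser
uid:: dHVzZXLFocS+xI3FpQ==
"""

def unfold(ldif):
    """Join LDIF continuation lines (a folded line starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_line(line):
    """Return (attribute, value bytes) for 'attr: value' or 'attr:: base64'."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode("utf-8")

def find_violations(ldif, tracked=TRACKED):
    """Return (dn, attribute, value) for tracked values with a byte >= 0x80."""
    hits, dn = [], None
    for line in unfold(ldif):
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        attr, value = parse_line(line)
        if attr.lower() == "dn":
            dn = value.decode("utf-8", "replace")
        elif attr.lower() in tracked and any(b >= 0x80 for b in value):
            hits.append((dn, attr, value.decode("utf-8", "replace")))
    return hits

if __name__ == "__main__":
    print(find_violations(SAMPLE_LDIF))
```
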
Upstream ticket: https://fedorahosted.org/389/ticket/47641
Fixed upstream
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1385.html