Bug 1112824 - Broken dereference control with the FreeIPA 4.0 ACIs
Summary: Broken dereference control with the FreeIPA 4.0 ACIs
Keywords:
Status: CLOSED DUPLICATE of bug 1140888
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Noriko Hosoi
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
Depends On: 1112698 1112702
Blocks: 1113520
Reported: 2014-06-24 18:25 UTC by Noriko Hosoi
Modified: 2020-09-13 21:07 UTC (History)

Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1112702
Environment:
Last Closed: 2014-10-16 23:44:59 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 1152 0 None None None 2020-09-13 21:07:10 UTC
Red Hat Product Errata RHSA-2015:0416 0 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Noriko Hosoi 2014-06-24 18:25:51 UTC
+++ This bug was initially created as a clone of Bug #1112702 +++

+++ This bug was initially created as a clone of Bug #1112698 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4389

I've been triaging a login error issue mkosek had today and I believe the problem is actually on the server side. I'm not sure if it's in IPA (due to the new ACIs maybe) or 389DS.

With the latest F20 IPA + 389DS combination I've been unable to use the OpenLDAP dereference control:
{{{
ldapsearch -Y GSSAPI -h vm-236.idm.lab.eng.brq.redhat.com -b fqdn=vm-086.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com -E 'deref=managedBy:objectClass'
}}}

Normally, what the result should be is a tuple of dereferenced DN and the requested attribute (objectClass in this case). I'm only seeing the DN, though.

What I expect to see in the result is:
{{{
# vm-067.idm.lab.bos.redhat.com, computers, accounts, idm.lab.bos.redhat.com
dn: fqdn=vm-067.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,
 dc=bos,dc=redhat,dc=com
control: 1.3.6.1.4.1.4203.666.5.16 false MIQAAAEeMIQAAAEYBAltYW5hZ2VkQnkEYWZxZ
 G49dm0tMDY3LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20sY249Y29tcHV0ZXJzLGNuPWFjY291bnRzLG
 RjPWlkbSxkYz1sYWIsZGM9Ym9zLGRjPXJlZGhhdCxkYz1jb22ghAAAAKQwhAAAAJ4EC29iamVjdEN
 sYXNzMYQAAACLBAN0b3AECWlwYW9iamVjdAQGbnNob3N0BAdpcGFob3N0BAppcGFzZXJ2aWNlBAdw
 a2l1c2VyBA9rcmJwcmluY2lwYWxhdXgEDGtyYnByaW5jaXBhbAQSa3JidGlja2V0cG9saWN5YXV4B
 AppcGFzc2hob3N0BBRpcGFTc2hHcm91cE9mUHViS2V5cw==
# managedBy: <objectClass=top>;<objectClass=ipaobject>;<objectClass=nshost>;<
 objectClass=ipahost>;<objectClass=ipaservice>;<objectClass=pkiuser>;<objectC
 lass=krbprincipalaux>;<objectClass=krbprincipal>;<objectClass=krbticketpolic
 yaux>;<objectClass=ipasshhost>;<objectClass=ipaSshGroupOfPubKeys>;fqdn=vm-06
 7.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=re
 dhat,dc=com
}}}

That works with ipa-server-3.3.3-28.el7.x86_64 and 389-ds-base-1.3.1.6-25.el7.x86_64.

What I'm seeing with freeipa-server-3.3.90GITfaf8f1e-0.fc20.x86_64 and 389-ds-base-1.3.2.16-1.fc20.x86_64 is
{{{
# vm-086.idm.lab.bos.redhat.com, computers, accounts, idm.lab.eng.brq.redhat.
 com
dn: fqdn=vm-086.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,
 dc=eng,dc=brq,dc=redhat,dc=com
control: 1.3.6.1.4.1.4203.666.5.16 false MIQAAAB7MIQAAAB1BAltYW5hZ2VkQnkEaGZxZ
 G49dm0tMDg2LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20sY249Y29tcHV0ZXJzLGNuPWFjY291bnRzLG
 RjPWlkbSxkYz1sYWIsZGM9ZW5nLGRjPWJycSxkYz1yZWRoYXQsZGM9Y29t
# managedBy: fqdn=vm-086.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=i
 dm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
}}}
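
The two `control:` values quoted above can be compared by decoding them. This is an added example, not part of the original report or of 389-ds-base: a minimal BER reader for the dereference response value, assuming the layout from the LDAP dereference control draft (SEQUENCE OF { derefAttr, derefVal, attrVals [0] OPTIONAL }); the function names are hypothetical.

```python
import base64

EXPECTED = (  # control value from the report's working output (389-ds-base-1.3.1.6)
    "MIQAAAEeMIQAAAEYBAltYW5hZ2VkQnkEYWZxZG49dm0tMDY3LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20s"
    "Y249Y29tcHV0ZXJzLGNuPWFjY291bnRzLGRjPWlkbSxkYz1sYWIsZGM9Ym9zLGRjPXJlZGhhdCxkYz1j"
    "b22ghAAAAKQwhAAAAJ4EC29iamVjdENsYXNzMYQAAACLBAN0b3AECWlwYW9iamVjdAQGbnNob3N0BAdp"
    "cGFob3N0BAppcGFzZXJ2aWNlBAdwa2l1c2VyBA9rcmJwcmluY2lwYWxhdXgEDGtyYnByaW5jaXBhbAQS"
    "a3JidGlja2V0cG9saWN5YXV4BAppcGFzc2hob3N0BBRpcGFTc2hHcm91cE9mUHViS2V5cw=="
)
OBSERVED = (  # control value from the report's failing output (389-ds-base-1.3.2.16)
    "MIQAAAB7MIQAAAB1BAltYW5hZ2VkQnkEaGZxZG49dm0tMDg2LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20s"
    "Y249Y29tcHV0ZXJzLGNuPWFjY291bnRzLGRjPWlkbSxkYz1sYWIsZGM9ZW5nLGRjPWJycSxkYz1yZWRo"
    "YXQsZGM9Y29t"
)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length BER element at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] == 0x80:
        raise ValueError("truncated or indefinite-length BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def children(buf):                          # yield (tag, value) for each element in buf
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def decode_deref_response(b64):
    """Decode a 1.3.6.1.4.1.4203.666.5.16 response value into a list of dicts."""
    _, body, _ = read_tlv(base64.b64decode(b64), 0)     # outer SEQUENCE OF DerefRes
    results = []
    for _, res in children(body):
        (_, attr), (_, dn), *rest = children(res)       # derefAttr, derefVal, [attrVals]
        plist = rest[0][1] if rest and rest[0][0] == 0xA0 else b""   # [0] is OPTIONAL
        attrs = {}
        for _, pa in children(plist):                   # PartialAttribute: type, SET OF vals
            (_, name), (_, vals) = children(pa)
            attrs[name.decode()] = [v.decode() for _, v in children(vals)]
        results.append({"derefAttr": attr.decode(), "derefVal": dn.decode(), "attrs": attrs})
    return results

for label, value in (("expected", EXPECTED), ("observed", OBSERVED)):
    print(label, decode_deref_response(value))
```

An empty `attrs` for a dereferenced entry, as in the second value, is the symptom this report describes: the DN comes back but the requested attribute does not.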

--- Additional comment from Martin Kosek on 2014-06-24 09:59:57 EDT ---

This bug is a high priority for IPA as without it, users would have an outage when migrating from RHEL-6 to RHEL-7.1 and still having clients connected to RHEL-6.6 IPA master.

--- Additional comment from Noriko Hosoi on 2014-06-24 12:27:52 EDT ---

Upstream ticket:
https://fedorahosted.org/389/ticket/47825

--- Additional comment from Noriko Hosoi on 2014-06-24 12:32:06 EDT ---

Hi Martin,

The problem is in RHEL-6.x (389-ds-base-1.2.11.X) or RHEL-7.0 (389-ds-base-1.3.1.X)?

It'd affect the target flag of this bug...
Flags: 	
mkosek: 	rhel-6.6.0 		

Thanks,
--noriko

--- Additional comment from Noriko Hosoi on 2014-06-24 14:22:56 EDT ---

(In reply to Noriko Hosoi from comment #3)
> Hi Martin,
> 
> The problem is in RHEL-6.x (389-ds-base-1.2.11.X) or RHEL-7.0
> (389-ds-base-1.3.1.X)?
> 
> It'd affect the target flag of this bug...
> Flags: 	
> mkosek: 	rhel-6.6.0 		
> 
> Thanks,
> --noriko

Never mind. Nathan gave me a clear explanation. We need to have this fix on all the supported versions (1.2.11 and up). And Ludwig is already working on this issue.

Comment 2 Sankar Ramalingam 2014-10-16 12:07:25 UTC
This looks like a duplicate of Bug #1140888. Can we go ahead and close this bugzilla?

Comment 3 Noriko Hosoi 2014-10-16 23:44:59 UTC
Sure.  Thanks, Sankar.

*** This bug has been marked as a duplicate of bug 1140888 ***

