Bug 1171356 - Bind DN tracking unable to write to internalModifiersName without special permissions
Summary: Bind DN tracking unable to write to internalModifiersName without special per...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-06 00:03 UTC by Noriko Hosoi
Modified: 2020-09-13 21:16 UTC (History)
5 users (show)

Fixed In Version: 389-ds-base-1.3.3.1-10.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 09:40:02 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 1281 0 None None None 2020-09-13 21:16:00 UTC
Red Hat Product Errata RHSA-2015:0416 0 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Noriko Hosoi 2014-12-06 00:03:47 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47950


I've activated bind dn tracking (nsslapd-plugin-binddn-tracking: on). There is an account that has the write to add the entries and to change some attributes (e.g. description). The corresponding ACI:
{{{
dn: ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu
aci: (targetattr = "objectClass || uniqueMember || owner || cn || description || businessCategory" ) (version 3.0;acl "Droits de rejouter/supprimer/modifier les groupes et leurs att
ributs";allow (add, delete, read,compare,search,write)(userdn="ldap:///uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu");)
}}}

Any attempt to modify an authorized attribute from the list above (for ex., description) results in

{{{
ldap_modify: Insufficient access (50)
        additional info: Insufficient 'write' privilege to the 'internalModifiersName' attribute of entry 'cn=mec431-2014,ou=2014,ou=cours,ou=enseignement,ou=groupes,dc=id,dc=polytechnique,dc=edu'.

}}}
{{{
[11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256 connection from 129.104.31.54 to 129.104.69.49
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97 nentries=0 etime=0.008000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97 nentries=0 etime=0.002000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=sync-cours,ou=comptes generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH base="dc=id,dc=polytechnique,dc=edu" scope=2 filter="(cn=MEC431-2014)" attrs=ALL
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0.003000
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50 tag=103 nentries=0 etime=0.002000
}}}

The workaround is to add to all the ACIs that allow modifications the right to modify internalModifiersName attribute (if i add it, everything is fine and the attribute internalModifiersName becomes "cn=ldbm database,cn=plugins,cn=config").

Expected behavior : internalModifiersName should be written like modifiersname without  any explicit permission.

Comment 1 mreynolds 2014-12-08 19:10:00 UTC
Fixed upstream

Comment 3 Amita Sharma 2014-12-26 12:24:25 UTC
Please suggest  verification steps, executed below which did not work::
 ldapmodify -D "cn=directory manager" -w Secret123 -p 389 -h localhost << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-plugin-binddn-tracking
> nsslapd-plugin-binddn-tracking: on
> EOF
modifying entry "cn=config"

ldapmodify -D "cn=directory manager" -w Secret123 -p 389 -h localhost << EOF
> dn: uid=ami,dc=example,dc=com
> changetype: modify
> replace: aci
> aci: (targetattr = "objectClass || uniqueMember || owner || cn || description || businessCategory" ) (version 3.0;acl "bug"; allow (add, delete, read, compare, search, write)(userdn="ldap:///uid=ami1,dc=example,dc=com");)
> EOF
modifying entry "uid=ami,dc=example,dc=com"

ldapadd -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123  << EOF
dn: uid=ami1,dc=example,dc=com
cn: ams
sn: ams
givenname:ams                                                                   objectclass: top                                                         
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: ami1
mail: ams@example.com
userpassword: Secret123
EOF

adding new entry "uid=ami1,dc=example,dc=com"


ldapmodify -D "uid=ami,dc=example,dc=com" -w Secret123 -p 389 -h localhost << EOF
dn: uid=ami1,dc=example,dc=com
changetype: modify
replace: internalModifiersName
internalModifiersName: Amita
EOF

Comment 4 Noriko Hosoi 2015-01-01 02:51:19 UTC
Hi Ami,

The steps to verify is found in this patch:
https://fedorahosted.org/389/attachment/ticket/47950/0001-Ticket-47950-Bind-DN-tracking-unable-to-write-to-int.patch

Please see this python script written by Mark.
dirsrvtests/tickets/ticket47950_test.py

The issue is an ordinary user who is given the right to behave as a special user (e.g., directory manager) used to fail because the permission to write the user to internalModifiersName was missing.  Now the issue was fixed.  So, the goal to verify this bug is not updating internalModifiersName directly, but the special user "uid=ami1,dc=example,dc=com" can do something higher level such as creating a replication agreement and modifying it without any problems.

Thanks,
--noriko

Comment 5 mreynolds 2015-01-02 15:23:19 UTC
There are two problems here: one is when you enable plugin bind dn tracking, and you perform an operation as a normal user(not Directory Manager!), that operation will unexpectedly fail because the access control plugin is incorrectly checking the rights for the "internalModifiersname" update.  Access control should be ignoring internal updates for this attribute.

The other issue is around the Directory Manager not being able to update replication settings when plugin bind dn tracking is enabled:

Verification steps:

[1]  Enable plugin bind dn tracking:  "nsslapd-plugin-binddn-tracking: on"
[2]  Add two users: userA & userB
[3]  Add an aci that allows userA "all" rights to "dc=example,dc=com"
[4]  Bind as userA, and modify the "sn" attribute of userB

   --> if this succeeds we have successsfully tested the first part

[5]  Setup replication(enable replication and create a replication agreement).  The repl agreement does not need to point to a valid server - we just need the config entry created so we can test that we can modify it:

[6]  As "Directory Manager" modify the replication config

ldapmodify -D "cn=directory manger" ....
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype; modify
replace: nsDS5ReplicaId 
nsDS5ReplicaId: 8888

[7]  Modify the repl agreement

ldapmodify -D "cn=directory manger" ....
dn: cn=testPluginTracking,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsDS5ReplicaPort
nsDS5ReplicaPort: 9999

[8]  If we get here we have successfully tested the second part.

Comment 6 Amita Sharma 2015-01-28 12:41:06 UTC
[root@dhcp201-126 ~]# ps -aef | grep slapd
svrbld    7181     1  0 17:34 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dhcp201-126 -i /var/run/dirsrv/slapd-dhcp201-126.pid -w /var/run/dirsrv/slapd-dhcp201-126.startpid
svrbld   10356     1  0 17:37 ?        00:00:01 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M1 -i /var/run/dirsrv/slapd-M1.pid -w /var/run/dirsrv/slapd-M1.startpid
svrbld   10793     1  0 17:37 ?        00:00:01 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M2 -i /var/run/dirsrv/slapd-M2.pid -w /var/run/dirsrv/slapd-M2.startpid
svrbld   11254     1  0 17:38 ?        00:00:01 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M3 -i /var/run/dirsrv/slapd-M3.pid -w /var/run/dirsrv/slapd-M3.startpid
svrbld   11739     1  0 17:38 ?        00:00:01 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M4 -i /var/run/dirsrv/slapd-M4.pid -w /var/run/dirsrv/slapd-M4.startpid
root     13128  3645  0 17:53 pts/0    00:00:00 grep --color=auto slapd
[root@dhcp201-126 ~]# netstat -nlp | grep slapd
tcp6       0      0 :::30104                :::*                    LISTEN      11254/ns-slapd      
tcp6       0      0 :::30105                :::*                    LISTEN      11254/ns-slapd      
tcp6       0      0 :::30106                :::*                    LISTEN      11739/ns-slapd      
tcp6       0      0 :::32730                :::*                    LISTEN      7181/ns-slapd       
tcp6       0      0 :::30107                :::*                    LISTEN      11739/ns-slapd      
tcp6       0      0 :::30100                :::*                    LISTEN      10356/ns-slapd      
tcp6       0      0 :::30101                :::*                    LISTEN      10356/ns-slapd      
tcp6       0      0 :::30102                :::*                    LISTEN      10793/ns-slapd      
tcp6       0      0 :::30103                :::*                    LISTEN      10793/ns-slapd   

PART 1
=======
[root@dhcp201-126 ~]# ldapmodify -D "cn=directory manager" -w Secret123 -p 30100 -h localhost << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-plugin-binddn-tracking
> nsslapd-plugin-binddn-tracking: on
> EOF
modifying entry "cn=config"

[root@dhcp201-126 ~]# ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: uid=ami,dc=example,dc=com
> cn: ams
> sn: ams
> givenname: ams
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> uid: ami
> mail: ams@example.com
> userpassword: Secret123
> EOF
adding new entry "uid=ami,dc=example,dc=com"

[root@dhcp201-126 ~]# ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: uid=B,dc=example,dc=com
> cn: B
> sn: B
> givenname: B
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> uid: B
> mail: B@example.com
> userpassword: Secret123
> EOF
adding new entry "uid=B,dc=example,dc=com"

[root@dhcp201-126 ~]# ldapmodify -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: dc=example,dc=com
> changetype: modify
> replace: aci
> aci: (targetattr="*")(version 3.0; acl "Managerami"; allow (all) (userdn="ldap:///uid=ami,dc=example,dc=com");)
> EOF
modifying entry "dc=example,dc=com"

[root@dhcp201-126 ~]# ldapmodify -h localhost -p 30100 -D "uid=ami,dc=example,dc=com" -w Secret123 << EOF
> dn: uid=B,dc=example,dc=com
> changetype: modify
> replace: sn
> sn: new
> EOF
modifying entry "uid=B,dc=example,dc=com"

[root@dhcp201-126 ~]# ldapsearch -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 -b "uid=B,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=B,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# B, example.com
dn: uid=B,dc=example,dc=com
sn: new
cn: B
givenName: B
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: B
mail: B@example.com
userPassword:: e1NTSEF9Y2lWTUp6RzhKVWVyT1ZvTkN5TTIrOCtTaWhKUmRKMVB3NFNyZHc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

=========================

Part 2
------
[root@dhcp201-126 ~]# ldapmodify -h localhost -p 30100 -D "cn=directory manager" -w Secret123 << EOF
> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsDS5ReplicaType
> nsDS5ReplicaType: 2
> EOF
modifying entry "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"

[root@dhcp201-126 ~]# ldapmodify -h localhost -p 30100 -D "cn=directory manager" -w Secret123 << EOF
> dn: cn=M1_to_M2,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsDS5ReplicaPort
> nsDS5ReplicaPort: 9999
> EOF
modifying entry "cn=M1_to_M2,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"

Both parts are verified successfully.

Hence VERIFIED.

Comment 8 errata-xmlrpc 2015-03-05 09:40:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html


Note You need to log in before you can comment on or make changes to this bug.