Bug 1251854 - ipa aci plugin is not parsing aci's correctly.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-08-10 03:09 EDT by Jan Cholasta
Modified: 2015-11-19 07:05 EST (History)

See Also:
Fixed In Version: ipa-4.2.0-4.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 07:05:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Jan Cholasta 2015-08-10 03:09:41 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5037

Ticket was cloned from Red Hat Bugzilla (product ''Red Hat Enterprise Linux 6''): [https://bugzilla.redhat.com/show_bug.cgi?id=1222999 Bug 1222999]

{{{
Description of problem:

In some cases, some ACIs with quite right syntax are being parsed wrong by the ipa
aci plugin.

Version-Release number of selected component (if applicable):

I am testing this in RHEL6: ipa-server-3.0.0-42.el6.x86_64


Steps to Reproduce:

1. Add these custom ACIs:

aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow
(read,compare,search)(userdn = "ldap:///anyone");)
aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow
(read,compare,search,proxy)(userdn =
"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)

2. Try changing self service permission:

ipa selfservice-mod "Self can write own password" --permission=read
ipa: ERROR: an internal error has occurred
[root@ipa ~]#

tail -f /var/log/httpd/error_log
[Tue May 19 15:50:11 2015] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
[Tue May 19 15:50:11 2015] [error]     return self.execute(*args, **options)
[Tue May 19 15:50:11 2015] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 582, in execute
[Tue May 19 15:50:11 2015] [error]     candidate = ACI(a)
[Tue May 19 15:50:11 2015] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/aci.py", line 56, in __init__
[Tue May 19 15:50:11 2015] [error]     self._parse_acistr(acistr)
[Tue May 19 15:50:11 2015] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/aci.py", line 144, in _parse_acistr
[Tue May 19 15:50:11 2015] [error]     raise SyntaxError, "malformed ACI,
permissions match failed %s" % acistr
[Tue May 19 15:50:11 2015] [error] SyntaxError: malformed ACI, permissions
match failed (targetattr = "*") (version 3.0;acl "proxyagent";allow
(read,compare,search,proxy)(userdn =
"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)
[Tue May 19 15:50:11 2015] [error] ipa: INFO: admin@EXAMPLE.ORG:
selfservice_mod(u'Self can write own password', permissions=(u'read',),
all=False, raw=False, version=u'2.49'): SyntaxError


Additional info:


Workaround is to replace the ACIs by ones not using parentheses on the bind
rule:

ldapmodify -D "cn=directory manager" -W
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow
(read,compare,search)(userdn = "ldap:///anyone");)
aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow
(read,compare,search,proxy)(userdn =
"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)


And re-add them with a slightly different syntax:

ldapmodify -D "cn=directory manager" -W
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow
(read,compare,search) userdn = "ldap:///anyone";)
aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow
(read,compare,search,proxy) userdn =
"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)


Then, the selfservice mod command will work fine.

Thanks to Petr Viktorin for suggesting the workaround.
}}}
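The report shows the same bind rule written two ways, "(userdn = ...)" and "userdn = ...", with only the second surviving the RHEL 6 plugin's "permissions match". As an added example (not IPA's own ipalib/aci.py code and not the fix shipped in ipa-4.2.0-4.el7), here is a small Python parser that accepts both spellings, rejects a bind rule with an unbalanced parenthesis, validates the rights list, and lists which ACIs hand out the proxy right. The grammar is an assumption of this example: one targetattr clause and a single bind rule per ACI, which covers the four ACIs in the report but not every construct 389-ds allows. The sample ACIs are copied from the report; `find_proxy_grants` is a hypothetical helper.

```python
import re
from dataclasses import dataclass

# Constructed sample input, copied in shape from the bug report.
# The first two ACIs wrap the bind rule in parentheses, "(userdn = ...)",
# which is what the RHEL 6 ipa aci plugin rejected with
# "malformed ACI, permissions match failed"; the last two are the
# reporter's workaround with the parentheses removed.
SAMPLE_ACIS = [
    '(targetattr = "memberOf") (version 3.0;acl "memberOf3";allow '
    '(read,compare,search)(userdn = "ldap:///anyone");)',
    '(targetattr = "*") (version 3.0;acl "proxyagent";allow '
    '(read,compare,search,proxy)(userdn = '
    '"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)',
    '(targetattr = "memberOf") (version 3.0;acl "memberOf3";allow '
    '(read,compare,search) userdn = "ldap:///anyone";)',
    '(targetattr = "*") (version 3.0;acl "proxyagent";allow '
    '(read,compare,search,proxy) userdn = '
    '"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)',
]

# Rights defined by the 389 Directory Server ACI syntax.
KNOWN_RIGHTS = {"read", "write", "add", "delete", "search", "compare",
                "selfwrite", "proxy", "all"}


@dataclass
class ParsedACI:
    name: str
    targetattr: str
    action: str               # "allow" or "deny"
    permissions: list         # rights in the order written
    bind_keyword: str         # e.g. "userdn", "groupdn"
    bind_value: str           # the quoted LDAP URL
    parenthesised_bind: bool  # True for the "(userdn = ...)" spelling


# Hypothetical grammar (an assumption of this example, not IPA's own):
# one targetattr clause, then the '(version 3.0; acl "name"; allow|deny
# (rights) <bind rule>;)' body. The bind rule is captured loosely so that
# both spellings from the report reach the second regex.
_ACI_RE = re.compile(
    r'^\s*\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)\s*'
    r'\(version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<action>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'(?P<bind>.*?)\s*;\s*\)\s*$',
    re.DOTALL,
)

# A single bind rule, optionally wrapped in one pair of parentheses.
_BIND_RE = re.compile(
    r'^(?P<open>\()?\s*(?P<kw>\w+)\s*(?:!=|=)\s*"(?P<val>[^"]*)"\s*(?P<close>\))?$'
)


def parse_aci(acistr):
    """Parse one ACI string; raise ValueError with the reason on failure."""
    m = _ACI_RE.match(acistr)
    if m is None:
        raise ValueError("malformed ACI, body match failed: %s" % acistr)
    perms = [p.strip() for p in m.group("perms").split(",") if p.strip()]
    unknown = [p for p in perms if p not in KNOWN_RIGHTS]
    if not perms or unknown:
        raise ValueError("malformed ACI, unknown rights %r in %s" % (unknown, acistr))
    b = _BIND_RE.match(m.group("bind").strip())
    # Reject a lone "(" or ")" around the bind rule: both or neither.
    if b is None or bool(b.group("open")) != bool(b.group("close")):
        raise ValueError("malformed ACI, bind rule match failed: %s" % acistr)
    return ParsedACI(
        name=m.group("name"),
        targetattr=m.group("targetattr"),
        action=m.group("action"),
        permissions=perms,
        bind_keyword=b.group("kw"),
        bind_value=b.group("val"),
        parenthesised_bind=b.group("open") is not None,
    )


def find_proxy_grants(acis):
    """Names of ACIs that allow the 'proxy' right, which lets the bind DN
    act with another user's identity and so deserves review in an audit."""
    return [p.name for p in map(parse_aci, acis)
            if p.action == "allow" and "proxy" in p.permissions]


if __name__ == "__main__":
    for aci in SAMPLE_ACIS:
        p = parse_aci(aci)
        print(p.name, p.action, p.permissions, p.bind_keyword, p.bind_value,
              "parenthesised" if p.parenthesised_bind else "bare")
    print("proxy grants:", find_proxy_grants(SAMPLE_ACIS))
```

Run against the four ACIs, the parser yields identical rights and bind DNs for each parenthesised/bare pair, which is the point of the workaround: the two spellings mean the same thing to the directory server, so a management-plane parser that only accepts one of them silently blocks administration of ACIs it did not write.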
Comment 3 Abhijeet Kasurde 2015-10-06 04:22:13 EDT
Verified.

IPA Server version ::

ipa-server-4.2.0-12.el7.x86_64
Comment 4 errata-xmlrpc 2015-11-19 07:05:13 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
