Bug 1280123 - acl - regression - trailing ', (comma)' in macro matched value is not removed.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Target Milestone: rc
Assigned To: Noriko Hosoi
QA Contact: Viktor Ashirov
Keywords: Regression, ZStream
Blocks: 1281522
Reported: 2015-11-10 19:28 EST by Noriko Hosoi
Modified: 2016-11-03 16:37 EDT
Fixed In Version: 389-ds-base-1.3.5.2-1.el7
Doc Type: Bug Fix
Clones: 1281522
Last Closed: 2016-11-03 16:37:39 EDT

Description Noriko Hosoi 2015-11-10 19:28:33 EST
acl_match_macro_in_target returns the matched value with a trailing comma, e.g., "o=kaki.com,".  It is used to create a group DN, e.g.,
"cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us".

Due to the duplicated commas, the bind unexpectedly fails with 50 (insufficient access).

Failure case:
aci: (target="ldap:///ou=People, ($dn), o=ace industry,c=us") (targetattr!="userPassword")(targetfilter=(objectClass=nsManagedPerson)) (version 3.0; acl "Admin access to all users in this and lower domains"; allow (write,read,search) groupdn="ldap:///cn=Domain Administrators, ou=Groups, [$dn], o=ace industry,c=us";)

Bind DN: uid=michael-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us

The DN is a uniquemember of:
cn=Domain Administrators,ou=Groups,o=Kaki.com,o=ace industry,c=us
uniquemember: uid=michael-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us

Target DN: uid=bob-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us

Log with LDAP_DEBUG_ACL enabled.
[..] NSACLPlugin - aclutil_evaluate_macro for aci ' "Admin access to all users in this and lower domains"' index '2'
[..] NSACLPlugin - ACL info: found matched_val ( "Admin access to all users in this and lower domains") for aci index 2in macro ht
[..] NSACLPlugin - Evaluating user uid=michael-kaki.com,ou=people,o=kaki.com,o=ace industry,c=us in group cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us?
[..] NSACLPlugin - -- Not in cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us
[..] NSACLPlugin - Evaluated ACL_FALSE

This behaviour was introduced by the fix for #48141 - aci with wildcard and macro not correctly evaluated.
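The mechanics described above, as an added worked example that is not code from 389-ds-base: a deliberately simplified model of ($dn) macro matching and [$dn] substitution, with the regression (matched value keeps its separating comma) and the fix (comma stripped) side by side, evaluated against a constructed group table. The ACI, DNs and group membership are taken from the failure case in this report; the DN normalisation and matching logic are this example's own simplification, not the server's.

```python
import re

# Constructed sample data modelled on the failure case in this bug report.
ACI_TARGET = "ldap:///ou=People, ($dn), o=ace industry,c=us"
ACI_GROUPDN = "ldap:///cn=Domain Administrators, ou=Groups, [$dn], o=ace industry,c=us"
BIND_DN = "uid=michael-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us"
TARGET_ENTRY = "uid=bob-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us"

# Constructed group table: normalised group DN -> set of normalised member DNs.
GROUPS = {
    "cn=domain administrators,ou=groups,o=kaki.com,o=ace industry,c=us": {
        "uid=michael-kaki.com,ou=people,o=kaki.com,o=ace industry,c=us",
    },
}


def normalize_dn(dn):
    """Simplified DN normalisation (assumption: the real server does more).
    Drops the ldap:/// scheme, lower-cases, and trims whitespace around each
    RDN. An empty RDN produced by ',,' survives, which is exactly why the
    duplicated comma makes the group lookup fail."""
    if dn.startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def match_macro(target, entry_dn, fixed=True):
    """Return the RDNs that ($dn) stands for when entry_dn lies under the
    macro target, or None when it does not match.

    Model of the regression: the matched span is cut where the suffix RDNs
    begin, so it still carries the separating comma ("o=kaki.com,").
    With fixed=True that trailing comma is stripped."""
    pattern = normalize_dn(target)                 # "ou=people,($dn),o=ace industry,c=us"
    prefix, suffix = pattern.split("($dn)")        # "ou=people," / ",o=ace industry,c=us"
    suffix = suffix.lstrip(",")                    # "o=ace industry,c=us"
    dn = normalize_dn(entry_dn)
    m = re.search(r"(?:^|,)" + re.escape(prefix) + r"(.+)" + re.escape(suffix) + r"$", dn)
    if m is None:
        return None
    value = m.group(1)
    if not value.endswith(","):                    # suffix must start on an RDN boundary
        return None
    return value.rstrip(",") if fixed else value


def expand_groupdn(groupdn, matched):
    """Substitute the matched value for [$dn] in the groupdn keyword."""
    return normalize_dn(groupdn).replace("[$dn]", matched)


def is_allowed(entry_dn, bind_dn, fixed=True, groups=GROUPS):
    """True if bind_dn is a member of the group the macro ACI expands to for
    entry_dn. With fixed=False the group DN contains ',,' and never matches."""
    matched = match_macro(ACI_TARGET, entry_dn, fixed)
    if matched is None:
        return False
    group = expand_groupdn(ACI_GROUPDN, matched)
    return normalize_dn(bind_dn) in groups.get(group, set())


if __name__ == "__main__":
    for fixed in (False, True):
        matched = match_macro(ACI_TARGET, TARGET_ENTRY, fixed)
        print("fixed=%s matched_val=%r group=%r allowed=%s" % (
            fixed, matched, expand_groupdn(ACI_GROUPDN, matched),
            is_allowed(TARGET_ENTRY, BIND_DN, fixed)))
```

Running the block prints the buggy expansion "cn=domain administrators,ou=groups,o=kaki.com,,o=ace industry,c=us" (bind denied) next to the corrected one (bind allowed); the only difference between the two runs is the one-character rstrip in match_macro.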
Comment 3 Mike McCune 2016-03-28 19:13:32 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 5 Punit Kundal 2016-07-14 07:05:55 EDT
RHEL:
RHEL 7.3 x86_64 Server
 
DS builds:
[root@localhost ~]# rpm -qa | grep 389-ds-base
389-ds-base-snmp-1.3.5.10-3.el7.x86_64
389-ds-base-1.3.5.10-3.el7.x86_64
389-ds-base-libs-1.3.5.10-3.el7.x86_64
 
Steps Performed:
1. Added required entries for creating hierarchy
[root@localhost ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 3389
dn: o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: organization
o: kaki.com
description: kaki.com organization top entry
 
adding new entry "o=kaki.com,dc=example,dc=com"
 
dn: ou=People,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
description: People subtree under kaki.com
 
adding new entry "ou=People,o=kaki.com,dc=example,dc=com"
 
dn: ou=Groups,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
description: Groups subtree under kaki.com
adding new entry "ou=Groups,o=kaki.com,dc=example,dc=com"
 
2. Added some user entries
[root@localhost ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 3389
dn: uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: michael-kaki.com
cn: michael
sn: michael
userPassword: secret123
 
adding new entry "uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"
 
dn: uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: bob-kaki.com
cn: bob
sn: bob
userPassword: secret123
 
adding new entry "uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"
 
dn: uid=james-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: james-kaki.com
cn: james
sn: james
userPassword: secret123
 
adding new entry "uid=james-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"
 
dn: cn=barry-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: person
cn: barry-kaki.com
sn: barry
userPassword: secret123
adding new entry "cn=barry-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"
 
3. Added a static group cn=Domain Administrators with uid=michael-kaki.com as a unique member
[root@localhost ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 3389
dn: cn=Domain Administrators,ou=Groups,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Domain Administrators
description: Group of Domain Administrators in kaki.com
uniquemember: uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
adding new entry "cn=Domain Administrators,ou=Groups,o=kaki.com,dc=example,dc=com"
 
4. Added a macro aci as below:
[root@localhost ~]# ldapmodify -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 3389
dn: o=kaki.com,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=People,($dn),dc=example,dc=com")
 (targetattr!="userPassword")(targetfilter=(objectClass=inetOrgPerson))
 (version 3.0;acl "Admin access to all users in this and lower domains";
 allow(write,read,search) groupdn="ldap:///cn=Domain Administrators,ou=Groups,[$dn],dc=example,dc=com";)
modifying entry "o=kaki.com,dc=example,dc=com"
 
5. Modified an entry uid=bob-kaki.com by binding as uid=michael-kaki.com
[root@localhost ~]# ldapmodify -x -D 'uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com' -w secret123 -h localhost -p 3389
dn: uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
changetype: modify
add: mail
mail: bob@kaki.com
modifying entry "uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"
 
As can be seen above, the ldapmodify operation completed successfully.

6. Modified 'uid=bob-kaki.com' again by binding as 'uid=michael-kaki.com'
[root@localhost ~]# ldapmodify -x -D 'uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com' -w secret123 -h localhost -p 3389
dn: uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
changetype: modify
delete: mail
modifying entry "uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"

Once again the modify operation completed successfully.

7. Checked the logs to verify that macro aci was evaluated properly
[14/Jul/2016:15:06:03.294735128 +051800] NSACLPlugin - Processed attr:mail for entry:uid=bob-kaki.com,ou=people,o=kaki.com,dc=example,dc=com
[14/Jul/2016:15:06:03.311399838 +051800] NSACLPlugin - 1. Evaluating ALLOW aci(15) " "Admin access to all users in this and lower domains""
[14/Jul/2016:15:06:03.327941092 +051800] NSACLPlugin - aclutil_evaluate_macro for aci ' "Admin access to all users in this and lower domains"' index '15'
[14/Jul/2016:15:06:03.344838418 +051800] NSACLPlugin - ACL info: found matched_val ( "Admin access to all users in this and lower domains") for aci index 15in macro ht
[14/Jul/2016:15:06:03.369895060 +051800] NSACLPlugin - Evaluating user uid=michael-kaki.com,ou=people,o=kaki.com,dc=example,dc=com in group cn=Domain Administrators,ou=Groups,o=kaki.com,dc=example,dc=com?
[14/Jul/2016:15:06:03.386402716 +051800] NSACLPlugin - -- In cn=Domain Administrators,ou=Groups,o=kaki.com,dc=example,dc=com
[14/Jul/2016:15:06:03.403066271 +051800] NSACLPlugin - Evaluated ACL_TRUE
[14/Jul/2016:15:06:03.419704977 +051800] NSACLPlugin - DS_LASGroupDnEval: Param group name:cn=Domain Administrators,ou=Groups,[$dn],dc=example,dc=com
[14/Jul/2016:15:06:03.436513287 +051800] NSACLPlugin - conn=18 op=1 (main): Allow write on entry(uid=bob-kaki.com,ou=people,o=kaki.com,dc=example,dc=com).attr(mail) to uid=michael-kaki.com,ou=people,o=kaki.com,dc=example,dc=com: allowed by aci(15): aciname= "Admin access to all users in this and lower domains", acidn="o=kaki.com,dc=example,dc=com"
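Step 7 checks the LDAP_DEBUG_ACL output by eye. As an added example (not part of this bug's verification and not a 389-ds-base tool), the following scans such log lines for the symptom of this regression: an "Evaluating user ... in group ...?" line whose expanded group DN contains an empty RDN (",,"). The sample log text is constructed from the lines quoted in this report, with "[..]" standing in for the timestamp; the line format assumed is the one shown in those quotes.

```python
import re

# Constructed log excerpts modelled on the LDAP_DEBUG_ACL lines quoted in this bug.
FAILING_LOG = """\
[..] NSACLPlugin - aclutil_evaluate_macro for aci ' "Admin access to all users in this and lower domains"' index '2'
[..] NSACLPlugin - Evaluating user uid=michael-kaki.com,ou=people,o=kaki.com,o=ace industry,c=us in group cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us?
[..] NSACLPlugin - -- Not in cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us
[..] NSACLPlugin - Evaluated ACL_FALSE
"""

FIXED_LOG = """\
[..] NSACLPlugin - Evaluating user uid=michael-kaki.com,ou=people,o=kaki.com,dc=example,dc=com in group cn=Domain Administrators,ou=Groups,o=kaki.com,dc=example,dc=com?
[..] NSACLPlugin - -- In cn=Domain Administrators,ou=Groups,o=kaki.com,dc=example,dc=com
[..] NSACLPlugin - Evaluated ACL_TRUE
"""

# Matches the group-evaluation line; DNs may contain spaces ("o=ace industry"),
# so the user part is non-greedy up to the first " in group ".
EVAL_RE = re.compile(r"NSACLPlugin - Evaluating user (?P<user>.+?) in group (?P<group>.+)\?\s*$")


def has_empty_rdn(dn):
    """True when the DN has an empty RDN: ',,' or a leading/trailing comma."""
    return any(rdn.strip() == "" for rdn in dn.split(","))


def find_bad_macro_groups(log_text):
    """Return (user, group) pairs for every group-membership evaluation whose
    expanded groupdn is malformed. An empty result means the [$dn] expansion
    in the log looks sane."""
    hits = []
    for line in log_text.splitlines():
        m = EVAL_RE.search(line)
        if m and has_empty_rdn(m.group("group")):
            hits.append((m.group("user"), m.group("group")))
    return hits


def scan_errors_log(path):
    """Convenience wrapper for a real errors log (path is the caller's choice)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bad_macro_groups(fh.read())


if __name__ == "__main__":
    for name, text in (("failing", FAILING_LOG), ("fixed", FIXED_LOG)):
        print(name, find_bad_macro_groups(text))
```

Point scan_errors_log at the instance's errors log after enabling the ACL debug level; any hit names the bind DN and the doubled-comma group DN, which is the signature of this regression rather than a genuine non-membership.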
Comment 7 errata-xmlrpc 2016-11-03 16:37:39 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html