acl_match_macro_in_target returns the matched value with a trailing comma, e.g., "o=kaki.com,". It's used to create a group DN, e.g., "cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us". Due to the duplicated commas, the bind unexpectedly fails with 50 (insufficient access).

Failure case:

aci: (target="ldap:///ou=People, ($dn), o=ace industry,c=us") (targetattr!="userPassword")(targetfilter=(objectClass=nsManagedPerson)) (version 3.0; acl "Admin access to all users in this and lower domains"; allow (write,read,search) groupdn="ldap:///cn=Domain Administrators, ou=Groups, [$dn], o=ace industry,c=us";)

Bind DN: uid=michael-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us

The DN is a uniquemember of:
cn=Domain Administrators,ou=Groups,o=Kaki.com,o=ace industry,c=us
  uniquemember: uid=michael-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us

Target DN: uid=bob-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us

Log with LDAP_DEBUG_ACL enabled:
[..] NSACLPlugin - aclutil_evaluate_macro for aci ' "Admin access to all users in this and lower domains"' index '2'
[..] NSACLPlugin - ACL info: found matched_val ( "Admin access to all users in this and lower domains") for aci index 2in macro ht
[..] NSACLPlugin - Evaluating user uid=michael-kaki.com,ou=people,o=kaki.com,o=ace industry,c=us in group cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us?
[..] NSACLPlugin - -- Not in cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us
[..] NSACLPlugin - Evaluated ACL_FALSE

This behaviour was introduced by the fix for #48141 - aci with wildcard and macro not correctly evaluated.
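The macro evaluation the report describes, reduced to its two steps (match ($dn) against the target, substitute the match for [$dn] in the groupdn) and re-implemented in Python as an added illustration. This is not the server's C code: match_macro_in_target(), expand_macro(), dn_has_empty_rdn(), is_member_of() and evaluate() are hypothetical names, the DN normalisation is an approximation of what the server does, and GROUPS is a constructed stand-in for the group entry. The buggy flag reproduces the pre-fix behaviour (matched value returned with its trailing comma), so the resulting ",," group DN, and the membership failure it causes, can be seen beside the corrected result.

```python
"""Macro ACI evaluation, re-implemented to show the trailing-comma bug beside the fix.

Illustrative re-implementation added for this report, not 389-ds-base source code.
All function names are hypothetical; GROUPS is constructed sample data.
"""
import re

MACRO_TARGET = "($dn)"    # in the target: matches the RDNs sitting below the prefix
MACRO_SUBJECT = "[$dn]"   # in groupdn/userdn: replaced by the value ($dn) matched


def normalize_dn(dn):
    """Approximate DS DN normalisation: drop spaces after commas, lower-case."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def match_macro_in_target(target, entry_dn, buggy=False):
    """Return the RDN string that ($dn) matched in entry_dn, or None on no match.

    target   -- ACI target DN, e.g. "ou=People,($dn),dc=example,dc=com"
    entry_dn -- DN of the entry being accessed
    buggy    -- reproduce the pre-fix behaviour that kept the trailing comma
    """
    prefix, sep, suffix = target.partition(MACRO_TARGET)
    if not sep:
        return None
    prefix, suffix, entry = (normalize_dn(x) for x in (prefix, suffix, entry_dn))
    if not entry.endswith(suffix):
        return None
    # The entry may sit below the target, so the prefix need not start the DN,
    # but it must begin on an RDN boundary.
    start = entry.find(prefix)
    if start < 0 or (start > 0 and entry[start - 1] != ","):
        return None
    start += len(prefix)
    end = len(entry) - len(suffix)
    if buggy:
        end += 1  # pre-fix: the comma separating ($dn) from the suffix leaked in
    matched = entry[start:end]
    return matched or None


def expand_macro(template, matched_value):
    """Substitute the matched value for [$dn] in a groupdn/userdn template."""
    return template.replace(MACRO_SUBJECT, matched_value)


def dn_has_empty_rdn(dn):
    """True when a DN contains an empty RDN (",,"), the symptom in the debug log."""
    return any(rdn.strip() == "" for rdn in dn.split(","))


def is_member_of(user_dn, groupdn_url, groups):
    """Check uniqueMember membership the way the groupdn keyword is evaluated."""
    if groupdn_url.startswith("ldap:///"):
        groupdn_url = groupdn_url[len("ldap:///"):]
    return normalize_dn(user_dn) in groups.get(normalize_dn(groupdn_url), set())


# Constructed stand-in for the group entry: normalised group DN -> member DNs.
GROUPS = {
    "cn=domain administrators,ou=groups,o=kaki.com,dc=example,dc=com": {
        "uid=michael-kaki.com,ou=people,o=kaki.com,dc=example,dc=com",
    },
}
TARGET = "ou=People,($dn),dc=example,dc=com"
GROUPDN = "ldap:///cn=Domain Administrators,ou=Groups,[$dn],dc=example,dc=com"
BIND_DN = "uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"
ENTRY_DN = "uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"


def evaluate(bind_dn, entry_dn, target=TARGET, groupdn=GROUPDN, buggy=False):
    """Return (expanded group DN or None, allowed?) for one macro ACI evaluation."""
    matched = match_macro_in_target(target, entry_dn, buggy=buggy)
    if matched is None:
        return None, False
    group = expand_macro(groupdn, matched)
    return group, is_member_of(bind_dn, group, GROUPS)


if __name__ == "__main__":
    for buggy in (True, False):
        group, allowed = evaluate(BIND_DN, ENTRY_DN, buggy=buggy)
        label = "pre-fix" if buggy else "fixed  "
        print(f"{label}: group={group} empty_rdn={dn_has_empty_rdn(group)} allowed={allowed}")
```

The pre-fix run expands the groupdn to "...ou=Groups,o=kaki.com,,dc=example,dc=com", which dn_has_empty_rdn() flags and which no group entry matches, so the evaluation returns ACL_FALSE exactly as the debug log in the report shows; the fixed run yields the real group DN and the bind DN is found as a uniquemember.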
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
RHEL: RHEL 7.3 x86_64 Server

DS builds:
[root@localhost ~]# rpm -qa | grep 389-ds-base
389-ds-base-snmp-1.3.5.10-3.el7.x86_64
389-ds-base-1.3.5.10-3.el7.x86_64
389-ds-base-libs-1.3.5.10-3.el7.x86_64

Steps Performed:

1. Added the required entries for creating the hierarchy

[root@localhost ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 3389
dn: o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: organization
o: kaki.com
description: kaki.com organization top entry
adding new entry "o=kaki.com,dc=example,dc=com"

dn: ou=People,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
description: People subtree under kaki.com
adding new entry "ou=People,o=kaki.com,dc=example,dc=com"

dn: ou=Groups,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
description: Groups subtree under kaki.com
adding new entry "ou=Groups,o=kaki.com,dc=example,dc=com"

2. Added some user entries

[root@localhost ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 3389
dn: uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: michael-kaki.com
cn: michael
sn: michael
userPassword: secret123
adding new entry "uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"

dn: uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: bob-kaki.com
cn: bob
sn: bob
userPassword: secret123
adding new entry "uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"

dn: uid=james-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: james-kaki.com
cn: james
sn: james
userPassword: secret123
adding new entry "uid=james-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"

dn: cn=barry-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: person
cn: barry-kaki.com
sn: barry
userPassword: secret123
adding new entry "cn=barry-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"

3. Added a static group cn=Domain Administrators with uid=michael-kaki.com as a unique member

[root@localhost ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 3389
dn: cn=Domain Administrators,ou=Groups,o=kaki.com,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Domain Administrators
description: Group of Domain Administrators in kaki.com
uniquemember: uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
adding new entry "cn=Domain Administrators,ou=Groups,o=kaki.com,dc=example,dc=com"

4. Added a macro aci as below:

[root@localhost ~]# ldapmodify -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 3389
dn: o=kaki.com,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=People,($dn),dc=example,dc=com") (targetattr!="userPassword")(targetfilter=(objectClass=inetOrgPerson)) (version 3.0;acl "Admin access to all users in this and lower domains"; allow(write,read,search) groupdn="ldap:///cn=Domain Administrators,ou=Groups,[$dn],dc=example,dc=com";)
modifying entry "o=kaki.com,dc=example,dc=com"

5. Modified the entry uid=bob-kaki.com by binding as uid=michael-kaki.com

[root@localhost ~]# ldapmodify -x -D 'uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com' -w secret123 -h localhost -p 3389
dn: uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
changetype: modify
add: mail
mail: bob
modifying entry "uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"

As can be seen above, the ldapmodify operation completed successfully.

6. Modified 'uid=bob-kaki.com' again by binding as 'uid=michael-kaki.com'

[root@localhost ~]# ldapmodify -x -D 'uid=michael-kaki.com,ou=People,o=kaki.com,dc=example,dc=com' -w secret123 -h localhost -p 3389
dn: uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com
changetype: modify
delete: mail
modifying entry "uid=bob-kaki.com,ou=People,o=kaki.com,dc=example,dc=com"

Once again the modify operation completed successfully.

7. Checked the logs to verify that the macro aci was evaluated properly

[14/Jul/2016:15:06:03.294735128 +051800] NSACLPlugin - Processed attr:mail for entry:uid=bob-kaki.com,ou=people,o=kaki.com,dc=example,dc=com
[14/Jul/2016:15:06:03.311399838 +051800] NSACLPlugin - 1. Evaluating ALLOW aci(15) " "Admin access to all users in this and lower domains""
[14/Jul/2016:15:06:03.327941092 +051800] NSACLPlugin - aclutil_evaluate_macro for aci ' "Admin access to all users in this and lower domains"' index '15'
[14/Jul/2016:15:06:03.344838418 +051800] NSACLPlugin - ACL info: found matched_val ( "Admin access to all users in this and lower domains") for aci index 15in macro ht
[14/Jul/2016:15:06:03.369895060 +051800] NSACLPlugin - Evaluating user uid=michael-kaki.com,ou=people,o=kaki.com,dc=example,dc=com in group cn=Domain Administrators,ou=Groups,o=kaki.com,dc=example,dc=com?
[14/Jul/2016:15:06:03.386402716 +051800] NSACLPlugin - -- In cn=Domain Administrators,ou=Groups,o=kaki.com,dc=example,dc=com
[14/Jul/2016:15:06:03.403066271 +051800] NSACLPlugin - Evaluated ACL_TRUE
[14/Jul/2016:15:06:03.419704977 +051800] NSACLPlugin - DS_LASGroupDnEval: Param group name:cn=Domain Administrators,ou=Groups,[$dn],dc=example,dc=com
[14/Jul/2016:15:06:03.436513287 +051800] NSACLPlugin - conn=18 op=1 (main): Allow write on entry(uid=bob-kaki.com,ou=people,o=kaki.com,dc=example,dc=com).attr(mail) to uid=michael-kaki.com,ou=people,o=kaki.com,dc=example,dc=com: allowed by aci(15): aciname= "Admin access to all users in this and lower domains", acidn="o=kaki.com,dc=example,dc=com"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2594.html