Description of problem:
It is possible to add an ACI with a wrong userdn macro in it.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-74.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install an instance with 'dc=example,dc=com' suffix
2. Add the setup like this:

$ ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123
dn: o=MACRO.com, dc=example,dc=com
changetype: add
objectClass: top
objectClass: organization
o: MACRO.com
description: ou=Groups

adding new entry "o=MACRO.com, dc=example,dc=com"

dn: ou=Groups, o=MACRO.com, dc=example,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Groups

adding new entry "ou=Groups, o=MACRO.com, dc=example,dc=com"

dn: cn=Macro, ou=Groups, o=MACRO.com, dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: Macro
sn: Macro
userPassword: Macro

adding new entry "cn=Macro, ou=Groups, o=MACRO.com, dc=example,dc=com"

3. Try to add an ACI with a wrong userdn macro in it:

$ ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123
dn: o=MACRO.com, dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///o=MACRO.com, dc=example,dc=com")(version 3.0; acl "Wrong_ACI_25"; allow (all) userdn="ldap:///cn=Macro, ($attr..description), o=MACRO.com, dc=example,dc=com";)

Actual results:
No error occurred.

modifying entry "o=MACRO.com, dc=example,dc=com"

Expected results:
Invalid syntax error.

Additional info:
It will pass the following macros, but it shouldn't:
- ($attr..description)
- ($attribute.description)
- ($att.$attr.description)
- ($attr#description)
Build tested: 389-ds-base-1.2.11.15-85.el6.x86_64

Verification steps:
1. Install an instance with 'dc=example,dc=com' suffix
2. Add the setup like this:

$ ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123
dn: o=MACRO.com, dc=example,dc=com
changetype: add
objectClass: top
objectClass: organization
o: MACRO.com
description: ou=Groups

adding new entry "o=MACRO.com, dc=example,dc=com"

dn: ou=Groups, o=MACRO.com, dc=example,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Groups

adding new entry "ou=Groups, o=MACRO.com, dc=example,dc=com"

dn: cn=Macro, ou=Groups, o=MACRO.com, dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: Macro
sn: Macro
userPassword: Macro

adding new entry "cn=Macro, ou=Groups, o=MACRO.com, dc=example,dc=com"

3. Try to add an ACI with a wrong userdn macro in it. Check the following macros; they all should be "Invalid syntax":
- ($attr..description)
- ($attribute.description)
- ($att.$attr.description)
- ($attr#description)

$ ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123
dn: o=MACRO.com, dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///o=MACRO.com, dc=example,dc=com")(version 3.0; acl "Wrong_ACI_25"; allow (all) userdn="ldap:///cn=Macro, ($attr..description), o=MACRO.com, dc=example,dc=com";)

modifying entry "o=MACRO.com, dc=example,dc=com"
ldap_modify: Invalid syntax (21)
additional info: ACL Syntax Error(-5):(target=\22ldap:///o=MACRO.com, dc=example,dc=com\22)(version 3.0; acl \22Wrong_ACI_25\22; allow (all) userdn=\22ldap:///cn=Macro, ($attr..description), o=MACRO.com, dc=example,dc=com\22;)

Wrong syntax macros fail. Marking as VERIFIED.
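The macro check that the description and the verification steps above both exercise, as an added example (my own code, not the 389-ds-base ACL parser): it accepts only the documented macro forms ($dn), [$dn] and ($attr.attrName) inside a userdn and flags the four malformed variants listed in the report. Treating the attribute name as RFC 4512 descr syntax (a letter followed by letters, digits or hyphens) is an assumption about how strict the server is, and build_aci is a helper that drops a macro into the report's ACI.

```python
import re

# Documented macro forms for 389-ds-base / Red Hat Directory Server macro ACIs:
#   ($dn)    [$dn]    ($attr.<attributeName>)
# The attribute name is assumed to follow RFC 4512 "descr" syntax (a letter,
# then letters, digits or hyphens); that strictness is an assumption here.
MACRO_RE = re.compile(r"\(\$dn\)|\[\$dn\]|\(\$attr\.[A-Za-z][A-Za-z0-9-]*\)")

# Anything opening with "($" or "[$" is an attempted macro; it is read up to
# the next ")" or "]" and must then match MACRO_RE exactly.
CANDIDATE_RE = re.compile(r"[(\[]\$[^)\]]*[)\]]?")

# The userdn keyword and its double-quoted value inside the ACI bind rule.
USERDN_RE = re.compile(r'userdn\s*=\s*"([^"]*)"')

# ACI from the bug report with the macro left as a placeholder (constructed).
ACI_TEMPLATE = (
    '(target="ldap:///o=MACRO.com, dc=example,dc=com")'
    '(version 3.0; acl "Wrong_ACI_25"; allow (all) '
    'userdn="ldap:///cn=Macro, {macro}, o=MACRO.com, dc=example,dc=com";)'
)

def build_aci(macro: str) -> str:
    """Substitute a macro into the bug report's ACI (hypothetical helper)."""
    return ACI_TEMPLATE.format(macro=macro)

def invalid_userdn_macros(aci: str) -> list:
    """Return every macro-looking token in the ACI's userdn that is not one
    of the documented forms; an empty list means the userdn is well formed."""
    m = USERDN_RE.search(aci)
    if m is None:
        return []  # no userdn bind rule, nothing to check here
    return [c.group(0) for c in CANDIDATE_RE.finditer(m.group(1))
            if MACRO_RE.fullmatch(c.group(0)) is None]

def userdn_macros_valid(aci: str) -> bool:
    """True when the ACI's userdn contains only well-formed macros."""
    return not invalid_userdn_macros(aci)

if __name__ == "__main__":
    # The four variants from the bug report plus the correct spelling.
    for macro in ["($attr.description)", "($attr..description)",
                  "($attribute.description)", "($att.$attr.description)",
                  "($attr#description)"]:
        verdict = "ok" if userdn_macros_valid(build_aci(macro)) else "Invalid syntax"
        print(f"{macro:30} {verdict}")
```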
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0667.html