Created attachment 1212288 [details]
sample ldif to reproduce the issue

Description of problem:
Customer reported that a specific search operation sometimes returns no entry when it should return the entry.
According to the aci debug log, evaluation of the aci with groupdn fails as ACL_DONT_KNOW.

[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Evaluating DENY aci(7) " "disable Access""
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - ALLOCATING GROUP FOR:uid=ro_user,ou=profile,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Evaluating user uid=ro_user,ou=profile,dc=example,dc=com in group cn=disableAccess,ou=Groups,dc=example,dc=com?
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - -- Not in cn=disableAccess,ou=Groups,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - -- Not in uid=guest1,ou=profile,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - -- Not in uid=guest2,ou=profile,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - GroupEval:Looked at too many entries:(2, 3)
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Evaluated ACL_DONT_KNOW
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Processed:7 DENY handles Result:2
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - conn=2 op=1 (main): Deny search on entry(uid=user1,ou=people,dc=example,dc=com).attr(sn) to uid=ro_user,ou=profile,dc=example,dc=com: error occurred by aci(7): aciname= "disable Access", acidn="ou=people,dc=example,dc=com"

This happens if the client performs the search specifying sizelimit=1.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.8 (Santiago)
389-ds-base-1.2.11.15-75.el6_8.x86_64

How reproducible:
reproducible with the attached sample LDIF (example.ldif)

Steps to Reproduce:
1. create a suffix with dc=example,dc=com and import the sample ldif
2. perform the following ldapsearch
   ldapsearch -D uid=ro_user,ou=profile,dc=example,dc=com -w password -b "ou=people,dc=example,dc=com" -z 1 "sn=user1"
   => Please note that option '-z 1' (i.e. sizelimit=1) is specified
3. perform the same search without '-z 1'
   ldapsearch -p 30389 -h ldapj -D uid=ro_user,ou=profile,dc=example,dc=com -w password -b "ou=people,dc=example,dc=com" "sn=user1"

Actual results:
no entry is returned in step 2

Expected results:
entry is returned

Additional info:
Once the problematic search is performed without a sizelimit, as in step 3, and succeeds, subsequent searches return the entry correctly even if a client-side sizelimit is specified, because the result of the group evaluation is cached.

This issue is fixed in the upstream ticket #47703.
https://fedorahosted.org/389/ticket/47703
The problematic aci in the attached example.ldif is:

aci: (targetattr = "*") (version 3.0;acl "disable Access";deny (all)(groupdn = "ldap:///cn=disableAccess,ou=Groups,dc=example,dc=com");)
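The log above shows the security-relevant behaviour: when the groupdn of a DENY aci cannot be evaluated (ACL_DONT_KNOW / UNDEFINED), the server treats the aci as an error and fails closed, so the client sees no entry rather than a membership-based denial. The following Python script is an added example for this report, not code from 389-ds-base or from the reporter: it scans an error log with ACL debugging enabled and flags every "Deny ... error occurred by aci(N)" decision whose aci N had its groupdn evaluation return UNDEFINED in the same operation. The sample log is the NSACLPlugin output copied from the report; the regexes, the state-machine rule (an evaluation starts at "Evaluating ... aci(N)" and ends at the "Deny ..." decision line) and all function names are assumptions made for the example, and the two numbers in "Looked at too many entries:(2, 3)" are kept as a raw pair because the report does not say which is the count and which is the limit.

```python
"""Flag denials that 389-ds imposed because a groupdn evaluation failed
(UNDEFINED) rather than because the bind DN matched the group.
Added illustration for this bug report; not code from 389-ds-base."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NSACLPlugin lines copied from the report above (one search operation).
SAMPLE_LOG = '''\
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Evaluating DENY aci(7) " "disable Access""
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - ALLOCATING GROUP FOR:uid=ro_user,ou=profile,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Evaluating user uid=ro_user,ou=profile,dc=example,dc=com in group cn=disableAccess,ou=Groups,dc=example,dc=com?
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - -- Not in cn=disableAccess,ou=Groups,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - -- Not in uid=guest1,ou=profile,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - -- Not in uid=guest2,ou=profile,dc=example,dc=com
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - GroupEval:Looked at too many entries:(2, 3)
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Evaluated ACL_DONT_KNOW
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Returning UNDEFINED for groupdn evaluation.
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - Processed:7 DENY handles Result:2
[13/Oct/2016:16:56:27 +0900] NSACLPlugin - conn=2 op=1 (main): Deny search on entry(uid=user1,ou=people,dc=example,dc=com).attr(sn) to uid=ro_user,ou=profile,dc=example,dc=com: error occurred by aci(7): aciname= "disable Access", acidn="ou=people,dc=example,dc=com"
'''

# Patterns are assumptions derived from the lines above, not a documented format.
EVAL_RE = re.compile(r'Evaluating (ALLOW|DENY) aci\((\d+)\) " "(.*?)""')
GROUP_RE = re.compile(r'Evaluating user (.+?) in group (.+?)\?')
TOOMANY_RE = re.compile(r'GroupEval:Looked at too many entries:\((\d+), (\d+)\)')
UNDEF_RE = re.compile(r'Returning UNDEFINED for groupdn evaluation')
# Decision line that blames an aci for an *error*, not for a group match.
ERROR_DENY_RE = re.compile(
    r'conn=(\d+) op=(\d+) \(main\): Deny (\w+) on entry\((.+?)\)\.attr\((.+?)\)'
    r' to (.+?): error occurred by aci\((\d+)\)')


@dataclass
class GroupEval:
    aci_index: int
    aci_name: str
    bind_dn: Optional[str] = None
    group_dn: Optional[str] = None
    too_many: Optional[Tuple[int, int]] = None  # raw pair the server logged
    undefined: bool = False


@dataclass
class Finding:
    conn: int
    op: int
    operation: str
    entry: str
    attr: str
    bind_dn: str
    aci_index: int
    aci_name: str
    group_dn: Optional[str]
    too_many: Optional[Tuple[int, int]]


def find_error_denies(log_text: str) -> List[Finding]:
    """One Finding per error-based Deny whose aci had an UNDEFINED groupdn."""
    evals: Dict[int, GroupEval] = {}      # aci index -> evaluation in this op
    current: Optional[GroupEval] = None
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = EVAL_RE.search(line)
        if m:                              # a new aci evaluation begins
            current = GroupEval(int(m.group(2)), m.group(3))
            evals[current.aci_index] = current
            continue
        m = ERROR_DENY_RE.search(line)
        if m:                              # final decision for this operation
            ev = evals.get(int(m.group(7)))
            if ev is not None and ev.undefined:
                findings.append(Finding(
                    conn=int(m.group(1)), op=int(m.group(2)), operation=m.group(3),
                    entry=m.group(4), attr=m.group(5), bind_dn=m.group(6),
                    aci_index=ev.aci_index, aci_name=ev.aci_name,
                    group_dn=ev.group_dn, too_many=ev.too_many))
            evals.clear()
            current = None
            continue
        if current is None:
            continue
        m = GROUP_RE.search(line)
        if m:
            current.bind_dn, current.group_dn = m.group(1), m.group(2)
            continue
        m = TOOMANY_RE.search(line)
        if m:
            current.too_many = (int(m.group(1)), int(m.group(2)))
            continue
        if UNDEF_RE.search(line):
            current.undefined = True
    return findings


def describe(f: Finding) -> str:
    """One-line summary for a ticket or an alert."""
    return (f"conn={f.conn} op={f.op}: {f.operation} on {f.entry} (attr {f.attr}) by "
            f"{f.bind_dn} denied by aci({f.aci_index}) '{f.aci_name}' after groupdn "
            f"{f.group_dn} evaluated UNDEFINED (GroupEval pair {f.too_many}); "
            f"fail-closed error, not a group match")


if __name__ == "__main__":
    for finding in find_error_denies(SAMPLE_LOG):
        print(describe(finding))
```

Run it against the server's error log after enabling ACL debug logging; a hit on a DENY aci means a client was refused by an evaluation error rather than by policy, which is the symptom this report describes, while the same check would also surface the opposite case (an ALLOW aci that could not be evaluated), where fail-closed behaviour is the safe outcome.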
Fixed upstream
============================= test session starts =============================
platform linux2 -- Python 2.7.8, pytest-3.0.4, py-1.4.31, pluggy-0.4.0 -- /opt/rh/python27/root/usr/bin/python
cachedir: .cache
DS build: 1.2.11.15 B2016.312.1950
389-ds-base: 1.2.11.15-85.el6
nss: 3.27.1-7.el6
nspr: 4.13.1-1.el6
openldap: 2.4.40-14.el6
svrcore: 4.0.4-5.1.el6
rootdir: /mnt/tests/rhds/tests/upstream/ds, inifile:
plugins: html-1.11.1, cov-2.4.0, beakerlib-0.6
collected 2 items

ticket47703_test.py::test_ticket47703 PASSED
ticket47703_test.py::test_ticket47703_final PASSED

========================== 2 passed in 44.59 seconds ==========================

Marking as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0667.html