Bug 208076 - userattr="parent[1].<attribute>#LDAPURL" does not work
Summary: userattr="parent[1].<attribute>#LDAPURL" does not work
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Security - Access Control (ACL)
Version: 1.0.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 152373 249650 FDS1.2.0
TreeView+ depends on / blocked
 
Reported: 2006-09-26 09:55 UTC by François Beretti
Modified: 2015-01-04 23:20 UTC (History)
4 users (show)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 22:59:24 UTC


Attachments (Terms of Use)
cvs diff (22.50 KB, patch)
2009-01-23 18:23 UTC, Noriko Hosoi
no flags Details | Diff
test ldif file (userattr_ldapurl.ldif) (2.38 KB, text/plain)
2009-01-23 18:35 UTC, Noriko Hosoi
no flags Details
cvs commit message (666 bytes, text/plain)
2009-01-23 20:45 UTC, Noriko Hosoi
no flags Details

Description François Beretti 2006-09-26 09:55:55 UTC
Description of problem:
The aci syntax userattr="parent[1].<attribute>#LDAPURL" does not work.

Version-Release number of selected component (if applicable):
1.0.2

How reproducible:
Always


Steps to Reproduce:

1. Create a root suffix named "o=bug"

2. Add these two ACI to the o=bug object:
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
="parent[1].description#LDAPURL";)

3. Create a user:
uid=testuser,o=bug

4. Create an organizational unit:
ou=testparentobject,o=bug
with this value in the description attribute:
ldap:///o=bug??sub?(uid=testuser)

5. Check the first ACI to validate the use of an LDAP URL: execute this LDIF
(ldapmodify) as uid=testuser,o=bug:

dn: ou=testparentobject,o=bug
changetype: modify
replace: telephoneNumber
telephoneNumber: 0123456789

This works.

6. Check the second ACI, to see the bug: execute the following LDIF (ldapadd) as
uid=testuser,o=bug:

dn: ou=testchildobject,ou=testparentobject,o=bug
objectClass: top
objectClass: organizationalUnit
ou: testchildobject

  
Actual results:
The second LDIF operation returns:
   ldap_add: Insufficient access (50)

Expected results:
A success of the operation.

Additional info:
This bug is reproduced on SUN One Directory Server 5.1

Comment 2 Noriko Hosoi 2009-01-23 18:23:24 UTC
Created attachment 329865 [details]
cvs diff

Comment 3 Noriko Hosoi 2009-01-23 18:25:02 UTC
File: ldapserver/ldap/servers/plugins/acl/acllas.c

Description: It turned out userattr="parent[1].<attribute>#LDAPURL" was not implemented.  The attached diff attachment (id=329865) implements the functionality.

Comment 4 Noriko Hosoi 2009-01-23 18:35:11 UTC
Created attachment 329867 [details]
test ldif file (userattr_ldapurl.ldif)

How to verify the bug:
1) import the attached ldif file (userattr_ldapurl.ldif) and start the server
2) run the following commands.
$ ldapsearch -1 -D "cn=Ancestor,ou=Inheritance,dc=example,dc=com" -w Ancestor -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
dn: ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Children,ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=exam
 ple,dc=com
(it returns the level 0,1,2,3,4)

$ ldapsearch -1 -D "cn=Grandparent,ou=Inheritance,dc=example,dc=com" -w Grandparent -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
$ ldapsearch -1 -D "cn=Parent,ou=Inheritance,dc=example,dc=com" -w Parent -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
(both return the level 0 and 3)

$ ldapsearch -1 -D "cn=Child,ou=Inheritance,dc=example,dc=com" -w Child -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Ancestors,ou=Inheritance,dc=example,dc=com
(it returns the level 1)

$ ldapsearch -1 -D "cn=Grandson,ou=Inheritance,dc=example,dc=com" -w Grandson -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
(it returns level 0 -- just the target entry)

Comment 5 Noriko Hosoi 2009-01-23 20:45:23 UTC
Created attachment 329879 [details]
cvs commit message

Reviewed by Rich (Thank you!!)

Checked in into CVS HEAD.

Comment 6 Jenny Severance 2009-02-27 13:22:59 UTC
All searches are returning levels 0,1,2,3,4 - please advice.

Comment 7 Noriko Hosoi 2009-02-27 17:44:54 UTC
(In reply to comment #6)
> All searches are returning levels 0,1,2,3,4 - please advice.

Hi Jenny, could you attach your test ldif (it's okay if it's the same as the one I attached in the comment #4) and your test command-lines and the results?
Thanks!
--noriko

Comment 8 Jenny Severance 2009-02-27 21:19:55 UTC
Fix Verified:  RHEL5 DS 8.1

[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Ancestor,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Ancestor -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc
 =com

dn: ou=Children,ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,
 dc=redhat,dc=com
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Grandparent,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Grandparent -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc
 =com
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Parent,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Parent -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc
 =com
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Child,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Child -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Grandson,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Grandson -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com

Comment 9 Chandrasekar Kannan 2009-04-29 22:59:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html


Note You need to log in before you can comment on or make changes to this bug.