Bug 208076 - userattr="parent[1].<attribute>#LDAPURL" does not work
Product: 389
Classification: Community
Component: Security - Access Control (ACL)
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Noriko Hosoi
Chandrasekar Kannan
Blocks: 152373 249650 FDS1.2.0
Reported: 2006-09-26 05:55 EDT by François Beretti
Modified: 2015-01-04 18:20 EST
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 18:59:24 EDT

Attachments
cvs diff (22.50 KB, patch)
2009-01-23 13:23 EST, Noriko Hosoi
test ldif file (userattr_ldapurl.ldif) (2.38 KB, text/plain)
2009-01-23 13:35 EST, Noriko Hosoi
cvs commit message (666 bytes, text/plain)
2009-01-23 15:45 EST, Noriko Hosoi

Description François Beretti 2006-09-26 05:55:55 EDT
Description of problem:
The aci syntax userattr="parent[1].<attribute>#LDAPURL" does not work.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. Create a root suffix named "o=bug"

2. Add these two ACIs to the o=bug object:
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr

3. Create a user:

4. Create an organizational unit:
with this value in the description attribute:

5. Check the first ACI to validate the use of an LDAP URL: execute this LDIF
(ldapmodify) as uid=testuser,o=bug:

dn: ou=testparentobject,o=bug
changetype: modify
replace: telephoneNumber
telephoneNumber: 0123456789

This works.

6. Check the second ACI, to see the bug: execute the following LDIF (ldapadd) as

dn: ou=testchildobject,ou=testparentobject,o=bug
objectClass: top
objectClass: organizationalUnit
ou: testchildobject

Actual results:
The second LDIF operation returns:
   ldap_add: Insufficient access (50)

Expected results:
A success of the operation.

Additional info:
This bug is reproduced on SUN One Directory Server 5.1
Comment 2 Noriko Hosoi 2009-01-23 13:23:24 EST
Created attachment 329865 [details]
cvs diff
Comment 3 Noriko Hosoi 2009-01-23 13:25:02 EST
File: ldapserver/ldap/servers/plugins/acl/acllas.c

Description: It turned out userattr="parent[1].<attribute>#LDAPURL" was not implemented.  The attached diff attachment (id=329865) implements the functionality.
Comment 4 Noriko Hosoi 2009-01-23 13:35:11 EST
Created attachment 329867 [details]
test ldif file (userattr_ldapurl.ldif)

How to verify the bug:
1) import the attached ldif file (userattr_ldapurl.ldif) and start the server
2) run the following commands.
$ ldapsearch -1 -D "cn=Ancestor,ou=Inheritance,dc=example,dc=com" -w Ancestor -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
dn: ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Children,ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=exam
(it returns the level 0,1,2,3,4)

$ ldapsearch -1 -D "cn=Grandparent,ou=Inheritance,dc=example,dc=com" -w Grandparent -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
$ ldapsearch -1 -D "cn=Parent,ou=Inheritance,dc=example,dc=com" -w Parent -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
(both return the level 0 and 3)

$ ldapsearch -1 -D "cn=Child,ou=Inheritance,dc=example,dc=com" -w Child -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Ancestors,ou=Inheritance,dc=example,dc=com
(it returns the level 1)

$ ldapsearch -1 -D "cn=Grandson,ou=Inheritance,dc=example,dc=com" -w Grandson -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
(it returns level 0 -- just the target entry)
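To make the inheritance semantics behind the repro in the description and the verification above concrete, here is an added Python model, written by the editor and not code from 389 or the acllas.c patch, of how userattr="parent[n].<attribute>#LDAPURL" is evaluated: for each listed level n, the entry n levels above the target is read, and its attribute value, an LDAP URL, must select the bind entry by base, scope and filter. The directory contents, the DNs and the single-equality filter support are assumptions; real DN parsing and LDAP filters are far richer.

```python
# Constructed directory modelled on the bug's repro (DN -> attrs, lowercase
# attribute names).  The child of step 6 is absent on purpose: an ldapadd
# target does not exist yet, only its DN is known to the ACL check.
DIRECTORY = {
    "o=bug": {"objectclass": ["organization"]},
    "uid=testuser,o=bug": {"objectclass": ["person"], "uid": ["testuser"]},
    "uid=other,o=bug": {"objectclass": ["person"], "uid": ["other"]},
    "ou=testparentobject,o=bug": {"objectclass": ["organizationalunit"],
                                  "description": ["ldap:///o=bug??sub?(uid=testuser)"]},
}

def rdns(dn):
    # Split a DN into RDNs; no escaping handled, constructed data only.
    return [r.strip() for r in dn.split(",")]

def ancestor(dn, n):
    # DN of the entry n levels above dn (n=0 is dn itself), or None.
    parts = rdns(dn)
    return ",".join(parts[n:]) if n < len(parts) else None

def parse_ldap_url(url):
    # ldap:///base?attrs?scope?filter -> (base, scope, filter) with defaults.
    base, _attrs, scope, filt = (url[len("ldap:///"):].split("?", 3) + [""] * 3)[:4]
    return base, scope or "base", filt or "(objectclass=*)"

def in_scope(dn, base, scope):
    # Is dn under base at scope base/one/sub?  depth 0 means dn == base.
    d, b = rdns(dn), rdns(base)
    depth = len(d) - len(b)
    return depth >= 0 and d[depth:] == b and {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def matches_filter(attrs, filt):
    # Evaluate one (attr=value) equality filter; value '*' tests presence.
    attr, value = filt.strip("()").split("=", 1)
    vals = [v.lower() for v in attrs.get(attr.lower(), [])]
    return bool(vals) if value == "*" else value.lower() in vals

def userattr_ldapurl_allows(target_dn, bind_dn, levels, attribute):
    # userattr="parent[levels].attribute#LDAPURL": for some level n, the
    # ancestor n levels above the target must hold an LDAP URL in
    # `attribute` whose base/scope/filter select the bind entry.
    bind_attrs = DIRECTORY.get(bind_dn)
    if bind_attrs is None:
        return False
    for n in levels:
        holder = DIRECTORY.get(ancestor(target_dn, n) or "")
        for url in (holder or {}).get(attribute, []):
            base, scope, filt = parse_ldap_url(url)
            if in_scope(bind_dn, base, scope) and matches_filter(bind_attrs, filt):
                return True
    return False
```

With this model, step 5 of the repro (parent[0] on the parent object) and step 6 (parent[1] on a child being added beneath it) both grant uid=testuser, while parent[0] alone never grants the child add because the not-yet-existing child carries no URL.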
Comment 5 Noriko Hosoi 2009-01-23 15:45:23 EST
Created attachment 329879 [details]
cvs commit message

Reviewed by Rich (Thank you!!)

Checked into CVS HEAD.
Comment 6 Jenny Galipeau 2009-02-27 08:22:59 EST
All searches are returning levels 0,1,2,3,4 - please advise.
Comment 7 Noriko Hosoi 2009-02-27 12:44:54 EST
(In reply to comment #6)
> All searches are returning levels 0,1,2,3,4 - please advise.

Hi Jenny, could you attach your test ldif (it's okay if it's the same as the one I attached in the comment #4) and your test command-lines and the results?
Comment 8 Jenny Galipeau 2009-02-27 16:19:55 EST
Fix Verified:  RHEL5 DS 8.1

[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Ancestor,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Ancestor -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc

dn: ou=Children,ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Grandparent,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Grandparent -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Parent,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Parent -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Child,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Child -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Grandson,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Grandson -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com
Comment 9 Chandrasekar Kannan 2009-04-29 18:59:24 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.