Bug 208076 - userattr="parent[1].<attribute>#LDAPURL" does not work
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Security - Access Control (ACL)
Version: 1.0.2
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Noriko Hosoi
QA Contact: Chandrasekar Kannan
Blocks: 152373 249650 FDS1.2.0
Reported: 2006-09-26 05:55 EDT by François Beretti
Modified: 2015-01-04 18:20 EST
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 18:59:24 EDT

Attachments
cvs diff (22.50 KB, patch) - 2009-01-23 13:23 EST, Noriko Hosoi
test ldif file (userattr_ldapurl.ldif) (2.38 KB, text/plain) - 2009-01-23 13:35 EST, Noriko Hosoi
cvs commit message (666 bytes, text/plain) - 2009-01-23 15:45 EST, Noriko Hosoi

Description François Beretti 2006-09-26 05:55:55 EDT
Description of problem:
The aci syntax userattr="parent[1].<attribute>#LDAPURL" does not work.

Version-Release number of selected component (if applicable):
1.0.2

How reproducible:
Always


Steps to Reproduce:

1. Create a root suffix named "o=bug"

2. Add these two ACIs to the o=bug object:
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all) userattr="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all) userattr="parent[1].description#LDAPURL";)

3. Create a user:
uid=testuser,o=bug

4. Create an organizational unit:
ou=testparentobject,o=bug
with this value in the description attribute:
ldap:///o=bug??sub?(uid=testuser)

5. Check the first ACI to validate the use of an LDAP URL: execute this LDIF
(ldapmodify) as uid=testuser,o=bug:

dn: ou=testparentobject,o=bug
changetype: modify
replace: telephoneNumber
telephoneNumber: 0123456789

This works.

6. Check the second ACI, to see the bug: execute the following LDIF (ldapadd) as
uid=testuser,o=bug:

dn: ou=testchildobject,ou=testparentobject,o=bug
objectClass: top
objectClass: organizationalUnit
ou: testchildobject

  
Actual results:
The second LDIF operation returns:
   ldap_add: Insufficient access (50)

Expected results:
A success of the operation.

Additional info:
This bug is reproduced on SUN One Directory Server 5.1
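The reproduction above reduces to one question the ACL plugin has to answer for each operation: starting from the target entry, walk N RDNs up the tree (N=0 for `description#LDAPURL`, N=1 for `parent[1].description#LDAPURL`), read the named attribute there, parse each value as an LDAP URL, and grant access if the bind DN falls inside that URL's base, scope and filter. The script below is an added example, not code from 389 Directory Server or from the reporter: it models that evaluation offline against a constructed in-memory tree mirroring steps 1 to 4 (o=bug, uid=testuser, ou=testparentobject with the URL in its description). The helper names (`split_dn`, `parent_dn`, `parse_ldap_url`, `userattr_ldapurl_allows`), the extra `uid=intruder` entry and the small filter grammar (equality, presence, and `&`/`|`/`!` composites) are assumptions of the example, not the server's own implementation in acllas.c.

```python
# Added example (not 389 DS code): offline model of a
# userattr="parent[N].<attr>#LDAPURL" bind rule. The tree is constructed
# from the bug's reproduction steps; helper names are my own.
from urllib.parse import unquote


def split_dn(dn):
    """Split a DN into lower-cased, trimmed RDN strings (honours '\\,')."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip())
    return [r.lower() for r in rdns]


def norm_dn(dn):
    return ",".join(split_dn(dn))


def parent_dn(dn, level):
    """DN `level` RDNs above `dn`; level 0 is the entry itself, None past the root."""
    rdns = split_dn(dn)
    return ",".join(rdns[level:]) if level < len(rdns) else None


def parse_ldap_url(url):
    """Parse ldap://[host]/<base>?<attrs>?<scope>?<filter> (RFC 4516 subset)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % url)
    _host, _, rest = url[len("ldap://"):].partition("/")
    fields = (rest.split("?") + ["", "", "", ""])[:4]
    base, _attrs, scope, filt = (unquote(f) for f in fields)
    return norm_dn(base), (scope or "base").lower(), filt or "(objectclass=*)"


def parse_filter(s):
    """Tiny RFC 4515 parser: (attr=value), (attr=*), and &, |, ! composites."""
    if s[1] in "&|!":
        op, items, s = s[1], [], s[2:]
        while s.startswith("("):
            node, s = parse_filter(s)
            items.append(node)
        return (op, items), s[1:]            # skip the composite's ')'
    end = s.index(")")
    attr, _, value = s[1:end].partition("=")
    return ("=", attr.lower(), value), s[end + 1:]


def match_filter(node, entry):
    op = node[0]
    if op == "&":
        return all(match_filter(n, entry) for n in node[1])
    if op == "|":
        return any(match_filter(n, entry) for n in node[1])
    if op == "!":
        return not match_filter(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def in_scope(dn, base, scope):
    d, b = split_dn(dn), split_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)


def userattr_ldapurl_allows(tree, bind_dn, target_dn, attr, level):
    """True if some LDAP URL stored in <attr> of the entry `level` RDNs above
    target_dn matches bind_dn. For an ADD the target itself does not exist yet,
    so only the ancestor (and the bind entry) must be present in the tree."""
    ancestor = parent_dn(target_dn, level)
    bind_entry = tree.get(norm_dn(bind_dn))
    if ancestor is None or ancestor not in tree or bind_entry is None:
        return False
    for url in tree[ancestor].get(attr.lower(), []):
        try:
            base, scope, filt = parse_ldap_url(url)
        except ValueError:
            continue                         # a non-URL value grants nothing
        if in_scope(bind_dn, base, scope) and match_filter(parse_filter(filt)[0], bind_entry):
            return True
    return False


# Constructed sample tree following steps 1-4 of the reproduction.
TREE = {
    "o=bug": {"objectclass": ["top", "organization"], "o": ["bug"]},
    "uid=testuser,o=bug": {"objectclass": ["top", "person"], "uid": ["testuser"]},
    "uid=intruder,o=bug": {"objectclass": ["top", "person"], "uid": ["intruder"]},
    "ou=testparentobject,o=bug": {
        "objectclass": ["top", "organizationalunit"],
        "ou": ["testparentobject"],
        "description": ["ldap:///o=bug??sub?(uid=testuser)"],
    },
}

if __name__ == "__main__":
    child = "ou=testchildobject,ou=testparentobject,o=bug"
    # step 5: level 0, the URL lives on the target OU itself -> True
    print(userattr_ldapurl_allows(TREE, "uid=testuser,o=bug", "ou=testparentobject,o=bug", "description", 0))
    # step 6: adding a child, the rule reads the URL one level up -> True
    print(userattr_ldapurl_allows(TREE, "uid=testuser,o=bug", child, "description", 1))
    # a bind DN outside the URL's filter is refused -> False
    print(userattr_ldapurl_allows(TREE, "uid=intruder,o=bug", child, "description", 1))
```

The level-1 call is the case the unpatched 1.0.2 server answered with "Insufficient access (50)": the bind rule was parsed but the parent walk was never performed, so the URL on ou=testparentobject was never consulted. Two things worth keeping in mind when writing such rules on a real server: the attribute named in the rule must hold a syntactically valid LDAP URL (a DN or group name belongs in `#USERDN` or `#GROUPDN`), and because `#LDAPURL` grants access to any entry matching the filter under the base, whoever can write that attribute on the ancestor can widen the grant.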
Comment 2 Noriko Hosoi 2009-01-23 13:23:24 EST
Created attachment 329865
cvs diff
Comment 3 Noriko Hosoi 2009-01-23 13:25:02 EST
File: ldapserver/ldap/servers/plugins/acl/acllas.c

Description: It turned out userattr="parent[1].<attribute>#LDAPURL" was not implemented.  The attached diff attachment (id=329865) implements the functionality.
Comment 4 Noriko Hosoi 2009-01-23 13:35:11 EST
Created attachment 329867
test ldif file (userattr_ldapurl.ldif)

How to verify the bug:
1) import the attached ldif file (userattr_ldapurl.ldif) and start the server
2) run the following commands.
$ ldapsearch -1 -D "cn=Ancestor,ou=Inheritance,dc=example,dc=com" -w Ancestor -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
dn: ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Children,ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=exam
 ple,dc=com
(it returns the level 0,1,2,3,4)

$ ldapsearch -1 -D "cn=Grandparent,ou=Inheritance,dc=example,dc=com" -w Grandparent -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
$ ldapsearch -1 -D "cn=Parent,ou=Inheritance,dc=example,dc=com" -w Parent -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
(both return the level 0 and 3)

$ ldapsearch -1 -D "cn=Child,ou=Inheritance,dc=example,dc=com" -w Child -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Ancestors,ou=Inheritance,dc=example,dc=com
(it returns the level 1)

$ ldapsearch -1 -D "cn=Grandson,ou=Inheritance,dc=example,dc=com" -w Grandson -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
(it returns level 0 -- just the target entry)
Comment 5 Noriko Hosoi 2009-01-23 15:45:23 EST
Created attachment 329879
cvs commit message

Reviewed by Rich (Thank you!!)

Checked in into CVS HEAD.
Comment 6 Jenny Galipeau 2009-02-27 08:22:59 EST
All searches are returning levels 0,1,2,3,4 - please advise.
Comment 7 Noriko Hosoi 2009-02-27 12:44:54 EST
(In reply to comment #6)
> All searches are returning levels 0,1,2,3,4 - please advise.

Hi Jenny, could you attach your test ldif (it's okay if it's the same as the one I attached in the comment #4) and your test command-lines and the results?
Thanks!
--noriko
Comment 8 Jenny Galipeau 2009-02-27 16:19:55 EST
Fix Verified:  RHEL5 DS 8.1

[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Ancestor,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Ancestor -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc
 =com

dn: ou=Children,ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,
 dc=redhat,dc=com
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Grandparent,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Grandparent -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc
 =com
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Parent,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Parent -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com

dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc
 =com
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Child,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Child -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com
[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Grandson,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Grandson -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com
Comment 9 Chandrasekar Kannan 2009-04-29 18:59:24 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
