Description of problem:
The aci syntax userattr="parent[1].<attribute>#LDAPURL" does not work.

Version-Release number of selected component (if applicable):
1.0.2

How reproducible:
Always

Steps to Reproduce:
1. Create a root suffix named "o=bug"
2. Add these two ACI to the o=bug object:
   aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";)
   aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";)
3. Create a user: uid=testuser,o=bug
4. Create an organizational unit: ou=testparentobject,o=bug with this value in the description attribute:
   ldap:///o=bug??sub?(uid=testuser)
5. Check the first ACI to validate the use of an LDAP URL: execute this LDIF (ldapmodify) as uid=testuser,o=bug:
   dn: ou=testparentobject,o=bug
   changetype: modify
   replace: telephoneNumber
   telephoneNumber: 0123456789
   This works.
6. Check the second ACI, to see the bug: execute the following LDIF (ldapadd) as uid=testuser,o=bug:
   dn: ou=testchildobject,ou=testparentobject,o=bug
   objectClass: top
   objectClass: organizationalUnit
   ou: testchildobject

Actual results:
The second LDIF operation returns:
ldap_add: Insufficient access (50)

Expected results:
A success of the operation.

Additional info:
This bug is reproduced on SUN One Directory Server 5.1.
Created attachment 329865
cvs diff
File: ldapserver/ldap/servers/plugins/acl/acllas.c
Description: It turned out userattr="parent[1].<attribute>#LDAPURL" was not implemented. The attached diff (attachment id=329865) implements the functionality.
Created attachment 329867
test ldif file (userattr_ldapurl.ldif)

How to verify the bug:
1) import the attached ldif file (userattr_ldapurl.ldif) and start the server
2) run the following commands.

$ ldapsearch -1 -D "cn=Ancestor,ou=Inheritance,dc=example,dc=com" -w Ancestor -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
dn: ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
dn: ou=Children,ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
(it returns the levels 0,1,2,3,4)

$ ldapsearch -1 -D "cn=Grandparent,ou=Inheritance,dc=example,dc=com" -w Grandparent -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
$ ldapsearch -1 -D "cn=Parent,ou=Inheritance,dc=example,dc=com" -w Parent -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=example,dc=com
(both return the levels 0 and 3)

$ ldapsearch -1 -D "cn=Child,ou=Inheritance,dc=example,dc=com" -w Child -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Ancestors,ou=Inheritance,dc=example,dc=com
(it returns the level 1)

$ ldapsearch -1 -D "cn=Grandson,ou=Inheritance,dc=example,dc=com" -w Grandson -b "ou=Inheritance,dc=example,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=example,dc=com
(it returns level 0 -- just the target entry)
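To make the semantics the bug report and the verification steps above rely on concrete, here is an added offline model of the userattr="parent[N].<attribute>#LDAPURL" bind rule. It is illustration code written for this page, not code from acllas.c or from Directory Server, and it uses a constructed in-memory directory mirroring the o=bug tree in the report. It simplifies DN handling (no escaped commas), supports only a single equality or presence filter inside the LDAP URL, and treats a comma-separated level list such as parent[0,1] as an assumed extension following the documented inheritance syntax.

```python
"""Offline model of the bind rule userattr="parent[N].<attr>#LDAPURL".

The entry N levels above the target holds an LDAP URL in <attr>; the bind
rule matches when the bind DN is one of the entries that URL selects.
Added illustration with a constructed directory, not Directory Server code.
"""
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed in-memory directory mirroring the bug report's o=bug tree.
DIRECTORY: Dict[str, Entry] = {
    "o=bug": {"objectclass": ["top", "organization"], "o": ["bug"]},
    "uid=testuser,o=bug": {"objectclass": ["top", "person"], "uid": ["testuser"]},
    "uid=someoneelse,o=bug": {"objectclass": ["top", "person"], "uid": ["someoneelse"]},
    "ou=testparentobject,o=bug": {
        "objectclass": ["top", "organizationalunit"],
        "ou": ["testparentobject"],
        "description": ["ldap:///o=bug??sub?(uid=testuser)"],
    },
}


def normalize_dn(dn: str) -> str:
    """Lower-case and strip each RDN (simplification: no escaped commas)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def ancestor_dn(dn: str, level: int) -> Optional[str]:
    """parent[0] is the target itself, parent[1] its parent, and so on."""
    rdns = normalize_dn(dn).split(",")
    if level >= len(rdns):
        return None
    return ",".join(rdns[level:])


def in_scope(entry_dn: str, base: str, scope: str) -> bool:
    """Check whether entry_dn falls inside a search of base with the given scope."""
    entry_dn, base = normalize_dn(entry_dn), normalize_dn(base)
    if scope == "base":
        return entry_dn == base
    if scope == "one":
        return ancestor_dn(entry_dn, 1) == base
    if scope == "sub":
        return entry_dn == base or entry_dn.endswith("," + base)
    raise ValueError(f"unknown scope {scope!r}")


def matches_filter(entry: Entry, ldap_filter: str) -> bool:
    """Simplification: only a single (attr=value) or (attr=*) assertion."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter {ldap_filter!r}")
    attr, value = m.group(1).lower(), m.group(2)
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def url_selects(url: str, bind_dn: str, directory: Dict[str, Entry]) -> bool:
    """True if ldap:///base?attrs?scope?filter would return the bind DN's entry."""
    if not url.startswith("ldap:///"):
        return False
    parts = url[len("ldap:///"):].split("?", 3)
    parts += [""] * (4 - len(parts))          # missing URL components default
    base, _attrs, scope, ldap_filter = parts
    scope = scope or "base"
    ldap_filter = ldap_filter or "(objectclass=*)"
    entry = directory.get(normalize_dn(bind_dn))
    if entry is None:
        return False
    return in_scope(bind_dn, base, scope) and matches_filter(entry, ldap_filter)


def userattr_ldapurl_allows(bind_dn: str, target_dn: str, bind_rule: str,
                            directory: Dict[str, Entry] = DIRECTORY,
                            target_entry: Optional[Entry] = None) -> bool:
    """Evaluate userattr="[parent[L,...].]attr#LDAPURL" for a bind DN and target.

    target_entry supplies the attributes of an entry that does not exist yet
    (the ldapadd case in step 6 of the report); it only matters for level 0.
    """
    m = re.fullmatch(r"(?:parent\[([\d\s,]+)\]\.)?(\w+)#LDAPURL", bind_rule)
    if not m:
        raise ValueError(f"unsupported bind rule {bind_rule!r}")
    levels = [int(x) for x in m.group(1).split(",")] if m.group(1) else [0]
    attr = m.group(2).lower()
    for level in levels:
        holder_dn = ancestor_dn(target_dn, level)
        if holder_dn is None:                 # walked past the suffix
            continue
        holder = target_entry if (level == 0 and target_entry is not None) \
            else directory.get(holder_dn)
        if holder is None:
            continue
        if any(url_selects(url, bind_dn, directory) for url in holder.get(attr, [])):
            return True
    return False


if __name__ == "__main__":
    # Step 5: level-0 rule on the modify of ou=testparentobject -> allowed.
    print(userattr_ldapurl_allows("uid=testuser,o=bug", "ou=testparentobject,o=bug",
                                  "description#LDAPURL"))
    # Step 6: ldapadd of a child; the URL lives on parent[1] -> allowed once implemented.
    child = "ou=testchildobject,ou=testparentobject,o=bug"
    print(userattr_ldapurl_allows("uid=testuser,o=bug", child,
                                  "parent[1].description#LDAPURL",
                                  target_entry={"ou": ["testchildobject"]}))
```

The level-0 form of the rule cannot grant the step 6 add by itself, since the entry being added carries no description; that is exactly why the report needs the parent[1] form, and why an unimplemented parent[N] lookup surfaces as "Insufficient access (50)" rather than as an error.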
Created attachment 329879
cvs commit message

Reviewed by Rich (Thank you!!)
Checked in into CVS HEAD.
All searches are returning levels 0,1,2,3,4 - please advise.
(In reply to comment #6)
> All searches are returning levels 0,1,2,3,4 - please advise.

Hi Jenny, could you attach your test ldif (it's okay if it's the same as the one I attached in comment #4) and your test command-lines and the results?
Thanks!
--noriko
Fix Verified: RHEL5 DS 8.1

[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Ancestor,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Ancestor -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com
dn: ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com
dn: ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com
dn: ou=Children,ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com

[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Grandparent,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Grandparent -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com

[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Parent,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Parent -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com
dn: ou=Parents,ou=Grandparents,ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com

[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Child,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Child -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Ancestors,ou=Inheritance,dc=bos,dc=redhat,dc=com

[root@dhcp-100-2-17 jenny]# ldapsearch -1 -D "cn=Grandson,ou=Inheritance,dc=bos,dc=redhat,dc=com" -w Grandson -b "ou=Inheritance,dc=bos,dc=redhat,dc=com" "(objectclass=organizationalunit)" dn
dn: ou=Inheritance,dc=bos,dc=redhat,dc=com
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHEA-2009-0455.html