Red Hat Bugzilla – Bug 214463
Add permission not handled correctly with userPassword attribute
Last modified: 2015-12-07 12:00:51 EST
The "add" access right is not dealt with properly for the userPassword
attribute. If you add the following ACI, anyone should be able to add a new entry:
(targetattr ="*")(version 3.0; acl "foo"; allow (add) (userdn = "ldap:///anyone");)
You will find that you get an error 50 when you attempt to add an entry
containing a userPassword attribute with the above ACI. This is due to a
permissions check that occurs during an add operation to see if access to
userPassword is allowed before doing any password syntax checking. The problem
is that it checks for the SLAPI_ACL_WRITE privilege instead of the SLAPI_ACL_ADD
privilege. The SLAPI_ACL_WRITE privilege checks if the user is allowed to
perform a modify operation, not an add.
The attached diff fixes this issue.
Created attachment 140582
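To show why the ACI above yields error 50 on add, here is an added, self-contained model of the check the report describes (not code from add.c or the slapi API): the right bits, the error code and the ACI parser are stand-ins defined locally, and the only difference between the two entry points is which right the add path asks for.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the rights named on the page; values are assumed, not
   taken from slapi-plugin.h. */
#define ACL_WRITE 0x08
#define ACL_ADD   0x20
#define LDAP_SUCCESS 0
#define LDAP_INSUFFICIENT_ACCESS 50   /* the "error 50" the reporter sees */

/* Collect the rights granted by the "allow (right[, right])" clause of an ACI. */
unsigned aci_allowed_rights(const char *aci)
{
    unsigned rights = 0;
    const char *p = strstr(aci, "allow (");
    if (!p) return 0;
    p += strlen("allow (");
    const char *end = strchr(p, ')');
    if (!end) return 0;
    char buf[64];
    size_t n = (size_t)(end - p);
    if (n >= sizeof buf) return 0;
    memcpy(buf, p, n);
    buf[n] = '\0';
    for (char *tok = strtok(buf, ", "); tok; tok = strtok(NULL, ", ")) {
        if (strcmp(tok, "add") == 0)   rights |= ACL_ADD;
        if (strcmp(tok, "write") == 0) rights |= ACL_WRITE;
    }
    return rights;
}

/* The access check run on userPassword before password syntax checking,
   modelled: 50 unless the requested right is granted. */
static int check_userpassword_access(unsigned granted, int requested)
{
    return (granted & requested) ? LDAP_SUCCESS : LDAP_INSUFFICIENT_ACCESS;
}

/* Before the fix: the add path asked for the modify (WRITE) right. */
int add_entry_before_fix(const char *aci)
{
    return check_userpassword_access(aci_allowed_rights(aci), ACL_WRITE);
}

/* After the fix: the add path asks for the ADD right it actually needs. */
int add_entry_after_fix(const char *aci)
{
    return check_userpassword_access(aci_allowed_rights(aci), ACL_ADD);
}
```

Feeding the report's ACI (`allow (add)` for anyone) to both functions returns 50 before the fix and 0 after it.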
Checked into ldapserver (HEAD). Thanks for the review Rich!
Checking in add.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/add.c,v <-- add.c
new revision: 1.9; previous revision: 1.8