DNS based ACIs are not working correctly. It turns out that switching most of our string functions to safer NSPR string functions that ensure null termination caused this regression. The first time the server evaluates a DNS based ACI, we generate a hashtable from any domain/hostname that is specified in all ACIs. The problem is that we aren't using PL_strncpyz properly, so the last character in the list doesn't get copied. The fix is to add one to the "max" argument so the entire string gets copied. To reproduce this issue, add an ACI similar to the following:

(target ="ldap:///dc=dstest,dc=com")(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) userdn = "ldap:///uid=foo,dc=dstest,dc=com" and dns = "*" ;)

If you then attempt to modify the "dc=dstest,dc=com" entry, the operation will be rejected. With the fix, the operation will complete successfully.
Created attachment 140714: CVS Diffs
Looks good! This is a snippet of the comments of PL_strncpyz. So, this is what was happening...

 * PL_strncpyz
 * NOTE: If you call this with a source "abcdefg" and a max of 5, the
 * destination will end up with "abcd\0" (i.e., its strlen length will be 4)!
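Added example (not code from the bug, from NSPR, or from the ldapserver tree): a C program that reproduces the off-by-one described in the first comment and the PL_strncpyz NOTE quoted above. strncpyz_like is a local stand-in written here to follow the documented contract (copy at most max-1 characters, always NUL-terminate); it is an assumption that this matches PL_strncpyz exactly, and copy_dns_token, HOST_MAX and the sample hostname tokens are hypothetical names constructed for the demo. Passing the token length as "max" (the pre-fix call) silently drops the last character, and for the single-character value dns = "*" from the reproduction ACI the copied string becomes empty; passing length + 1 (the fix) copies the whole token.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in for NSPR's PL_strncpyz, written for this example (not NSPR's
 * code). It follows the behaviour documented in the NSPR header comment: copy
 * at most max-1 characters from src and always NUL-terminate dest, so a source
 * of "abcdefg" with max 5 yields "abcd" (strlen 4). */
static char *strncpyz_like(char *dest, const char *src, size_t max)
{
    size_t n = 0;
    if (max == 0)
        return dest;
    while (n < max - 1 && src[n] != '\0') {
        dest[n] = src[n];
        n++;
    }
    dest[n] = '\0';
    return dest;
}

/* Hypothetical buffer size for one hostname/domain token from a "dns = ..."
 * ACI value (the real server's sizes are not shown in the bug). */
#define HOST_MAX 256

/* Copy one hostname token (len bytes of tok, not NUL-terminated) into dest.
 * fixed == 0 reproduces the pre-fix call with max = len, which loses the last
 * character; fixed != 0 uses the corrected max = len + 1. */
static const char *copy_dns_token(char *dest, const char *tok, size_t len, int fixed)
{
    size_t max = fixed ? len + 1 : len;
    if (max > HOST_MAX)
        max = HOST_MAX;               /* never overrun the destination */
    return strncpyz_like(dest, tok, max);
}

int main(void)
{
    /* Constructed sample tokens, including the "*" from the reproduction ACI. */
    const char *tokens[] = { "*", "*.dstest.com", "ldap.example.org" };
    char buf[HOST_MAX];
    size_t i;

    for (i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
        printf("%-18s pre-fix: \"%s\"",
               tokens[i], copy_dns_token(buf, tokens[i], strlen(tokens[i]), 0));
        printf("  fixed: \"%s\"\n",
               copy_dns_token(buf, tokens[i], strlen(tokens[i]), 1));
    }
    return 0;
}
```

The check a reviewer would apply to any PL_strncpyz (or strlcpy-style) call is that "max" is the size of the destination, not the length of the source: when the source is exactly max-1 characters it still fits, but when max equals the source length the final character is always lost, which is why a value such as dns = "*" stops matching anything.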
Thanks for the review, Noriko! The fix is now checked into ldapserver (HEAD).

Checking in lasdns.cpp;
/cvs/dirsec/ldapserver/lib/libaccess/lasdns.cpp,v  <--  lasdns.cpp
new revision: 1.7; previous revision: 1.6
done
I was able to modify a db with the following aci:

(targetattr = "*") (version 3.0;acl "<Unnamed ACI>";allow (all)(userdn = "ldap:///anyone" and dns = "*");)

Verified against:
1197673782 redhat-ds-base-8.0.0-11.el5dsrv Fri Dec 14 2007
1197673784 redhat-ds-admin-8.0.0-1.15.el5dsrv Fri Dec 14 2007
1197673785 redhat-ds-console-8.0.0-8.el5dsrv Fri Dec 14 2007
1197673786 redhat-admin-console-8.0.0-9.el5dsrv Fri Dec 14 2007