Red Hat Bugzilla – Bug 214682
DNS based ACIs not working correctly
Last modified: 2015-12-07 12:07:59 EST
DNS based ACIs are not working correctly. It turns out that switching most of
our string functions to safer NSPR string functions that ensure null termination
caused this regression.
The first time the server evaluates a DNS based ACI, we generate a hashtable
from any domain/hostname that is specified in all ACIs. The problem is that we
aren't using PL_strncpyz properly, so the last character in the list doesn't get
copied. The fix is to add one to the "max" argument so the entire string gets
To reproduce this issue, add an ACI similar to the following:
(target ="ldap:///dc=dstest,dc=com")(targetattr=*)(version 3.0; aci "DNS
aci"; allow(all) userdn = "ldap:///uid=foo,dc=dstest,dc=com" and dns
= "*" ;)
If you then attempt to modify the "dc=dstest,dc=com" entry, the operation will
be rejected. With the fix, the operation will complete successfully.
Created attachment 140714
This is a snippet of the comments of PL_strncpyz. So, this is what was
* NOTE: If you call this with a source "abcdefg" and a max of 5, the
* destination will end up with "abcd\0" (i.e., its strlen length will be 4)!
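As an added illustration (not from the bug, the patch, or NSPR itself), the C program below reimplements the PL_strncpyz contract quoted above in a local stand-in and copies a hostname token out of a "dns = ..." clause twice: once with the token length as max, as in the regressed lasdns.cpp, and once with length + 1, as in the fix. The names strncpyz_like, copy_token, copied_len and copied_key are this example's own, and the sample tokens are constructed; the wildcard case shows that a one-character "*" value produces an empty key when max is off by one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in with the documented PL_strncpyz contract (added example, not NSPR's
 * own source): copy at most max-1 characters of src and always NUL-terminate,
 * so a max equal to strlen(src) silently drops the final character. */
static char *strncpyz_like(char *dest, const char *src, size_t max)
{
    size_t i = 0;
    if (max == 0)
        return dest;
    while (i < max - 1 && src[i] != '\0') {
        dest[i] = src[i];
        i++;
    }
    dest[i] = '\0';
    return dest;
}

/* Copy one hostname/domain token into a hashtable key buffer. 'fixed' selects
 * the corrected max argument (token length + 1) over the regressed one
 * (token length). Hypothetical helper, not the server's code. */
static const char *copy_token(const char *token, size_t len, char *out,
                              size_t outsz, int fixed)
{
    size_t max = fixed ? len + 1 : len;   /* the off-by-one is right here */
    if (max > outsz)
        max = outsz;                      /* never overrun the destination */
    return strncpyz_like(out, token, max);
}

/* Length of the key that ends up in the hashtable for the given token. */
size_t copied_len(const char *token, int fixed)
{
    char key[256];
    copy_token(token, strlen(token), key, sizeof key, fixed);
    return strlen(key);
}

/* Same, returning the key text (static buffer, valid until the next call). */
const char *copied_key(const char *token, int fixed)
{
    static char key[256];
    copy_token(token, strlen(token), key, sizeof key, fixed);
    return key;
}

int main(void)
{
    /* constructed sample tokens as they might appear in a "dns = ..." clause */
    const char *tokens[] = { "dstest.com", "*.dstest.com", "*" };
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
        /* two printf calls because copied_key reuses one static buffer */
        printf("%-14s regressed=\"%s\"", tokens[i], copied_key(tokens[i], 0));
        printf(" fixed=\"%s\"\n", copied_key(tokens[i], 1));
    }
    return 0;
}
```

The regressed column loses the last character of every token, which is why a lookup of the client's resolved hostname against the table can never match; the fixed column reproduces each token exactly, including the bare "*" wildcard used in the reproduction ACI.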
Thanks for the review Noriko! The fix is now checked into ldapserver (HEAD).
Checking in lasdns.cpp;
/cvs/dirsec/ldapserver/lib/libaccess/lasdns.cpp,v <-- lasdns.cpp
new revision: 1.7; previous revision: 1.6
I was able to modify a db with the following aci:
(targetattr = "*") (version 3.0;acl "<Unnamed ACI>";allow (all)(userdn =
"ldap:///anyone" and dns = "*");)
1197673782 redhat-ds-base-8.0.0-11.el5dsrv Fri Dec 14 2007
1197673784 redhat-ds-admin-8.0.0-1.15.el5dsrv Fri Dec 14 2007
1197673785 redhat-ds-console-8.0.0-8.el5dsrv Fri Dec 14 2007
1197673786 redhat-admin-console-8.0.0-9.el5dsrv Fri Dec 14 2007