Bug 229824 - aci with bogus uid= dn created by ds_newinst
aci with bogus uid= dn created by ds_newinst
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Directory Server (Show other bugs)
1.0.4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Rich Megginson
Viktor Ashirov
:
Depends On:
Blocks: 152373 240316 FDS1.1.0
  Show dependency treegraph
 
Reported: 2007-02-23 12:43 EST by Rich Megginson
Modified: 2015-12-07 11:40 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-07 11:40:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
diffs (3.68 KB, application/octet-stream)
2007-02-23 12:43 EST, Rich Megginson
no flags Details
minimum setup inf file (1.61 KB, text/plain)
2007-11-29 19:27 EST, Yi Zhang
no flags Details

  None (edit)
Description Rich Megginson 2007-02-23 12:43:55 EST
If you run ds_newinst.pl with a bare minimum .inf file, you will see the
following aci created in cn=config:
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=,ou=Administrators, ou=TopologyManagement, o=Netscap
 eRoot";)
We should not create this aci, as we do not have a configuration DS if we are
creating a minimal fedora-ds-base.
Comment 1 Rich Megginson 2007-02-23 12:43:56 EST
Created attachment 148686 [details]
diffs
Comment 2 Rich Megginson 2007-03-15 22:46:08 EDT
Reviewed by: nhosoi (Thanks!)
Fix Description: Unknown to me until just now, PL_strdup(NULL) will return "" -
the empty string.  The code in config_suitespot() expects that empty or unused
fields are NULL.  The solution is to create a create_instance_strdup() wrapper
around PL_strdup() and use that in cases where the argument may be NULL.  I
checked create_instance.c.  Every other place where PL_strdup is used, the
argument is checked for NULL first.  So these are the only places affected. 
Instance creation works fine after this change and does not create the offending
aci.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no

ldapserver/ldap/admin/src/create_instance.c Revision 1.47
Comment 3 Yi Zhang 2007-11-29 19:27:29 EST
Created attachment 273451 [details]
minimum setup inf file

this is setup inf file used to customize the installation of DS
Comment 4 Yi Zhang 2007-11-29 19:28:20 EST
verified. PASS
Test machine: neo.dsdev.sjc.redhat.com (RHEL5 32bit)

Test steps:
1. remove all previously installed DS instance
2. do yum install a fresh copy of DS
3. use setup.ini file (see attachment) to customizer the installation
4. do db2ldap to dump all records under userRoot
5. verify there is no "ldap:///uid=," records anymore

Actual test output:
[root@neo dirsrv]# /usr/sbin/setup-ds-admin.pl -s -f ./setup.ini 
Creating directory server . . .
Your new DS instance 'neo.dsdev.sjc.redhat.com' was successfully created.
Creating the configuration directory server . . .
The server 'ldap://neo.dsdev.sjc.redhat.com:389/o=NetscapeRoot' is not
reachable.  Error: unknown error

Could not register the directory server with the configuration directory server.
Exiting . . .
Log file is '/tmp/setupX7XjoF.log'

[root@neo dirsrv]# ps -elf | grep slapd
1 S nobody    5305     1  1  75   0 - 110793 stext 16:15 ?        00:00:00
./ns-slapd -D /tmp/ds80/server/slapd-neo -i
/tmp/ds80/server/slapd-neo/logs/slapd-neo.dsdev.sjc.redhat.com.pid -w
/tmp/ds80/server/slapd-neo/logs/slapd-neo.dsdev.sjc.redhat.com.startpid

[root@neo slapd-neo]# ./db2ldif -n UserRoot
Exported ldif file:
/tmp/ds80/server/slapd-neo/ldif/neo.dsdev.sjc.redhat.com-UserRoot-2007_11_29_161603.ldif
ldiffile:
/tmp/ds80/server/slapd-neo/ldif/neo.dsdev.sjc.redhat.com-UserRoot-2007_11_29_161603.ldif
[29/Nov/2007:16:16:03 -0800] - export userRoot: Processed 9 entries (100%).
[29/Nov/2007:16:16:03 -0800] - All database threads now stopped
[root@neo slapd-neo]# vi
/tmp/ds80/server/slapd-neo/ldif/neo.dsdev.sjc.redhat.com-UserRoot-2007_11_29_161603.ldif
[root@neo slapd-neo]# grep "uid="
/tmp/ds80/server/slapd-neo/ldif/neo.dsdev.sjc.redhat.com-UserRoot-2007_11_29_161603.ldif
[root@neo slapd-neo]# grep "ldap:///"
/tmp/ds80/server/slapd-neo/ldif/neo.dsdev.sjc.redhat.com-UserRoot-2007_11_29_161603.ldif
 allow (read, search, compare) userdn="ldap:///anyone";)
  common attributes"; allow (write) userdn="ldap:///self";)
 (all) (groupdn = "ldap:///cn=Directory Administrators, o=my.com");)
 rsion 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR 
 sion 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA M


Note You need to log in before you can comment on or make changes to this bug.