Bug 245369 - mod_admserv: Task cache refresh uses wrong credentials
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Admin
Version: 1.1.0beta
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Rich Megginson
QA Contact: Viktor Ashirov
Depends On: 245396
Blocks: 240316 FDS1.1.0
Reported: 2007-06-22 13:34 EDT by Rich Megginson
Modified: 2015-12-07 11:36 EST
Doc Type: Bug Fix
Last Closed: 2015-12-07 11:36:52 EST

Attachments
diffs (20.56 KB, patch)
2007-06-22 13:34 EDT, Rich Megginson
cvs commit log (294 bytes, text/plain)
2007-06-22 18:38 EDT, Rich Megginson

Description Rich Megginson 2007-06-22 13:34:44 EDT
When refreshing the task cache, the admin server should use the credentials of
the currently authenticated user.
Comment 1 Rich Megginson 2007-06-22 13:34:44 EDT
Created attachment 157632
diffs
Comment 2 Rich Megginson 2007-06-22 18:38:35 EDT
Created attachment 157665
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: When the user requests a Task url, the admin server first
figures out which server instance (or product) the request is for, then checks
to see if it has seen that server or product before.  If not, it uses the
function sync_task_sie_data() to read the task data from the SIEs and ISIEs.
However, it needs to use the credentials of the currently authenticated user
to do so, because the tasks are protected by ACIs, and the user should only be
allowed to read those tasks the user has access to.  The interface to read
these tasks is not great.  It expects the SIE is a user with a password, and
it attempts to bind as that user, instead of the currently authenticated user.
I had to hack it to force it to use the current userdn and password instead
of the SIE DN and SIE password.
The SIE DN and password are now deprecated for binding.  There were a couple
of places where the SIE was used for both the bind DN and the SIE DN.  I've
created another structure member for the admservSieDN for use as the SIE (the
configuration base DN) instead of as a bind DN, and deprecated the use of the
SIE as the bind DN elsewhere in the code.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
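
The difference described in the fix description of Comment 2, as an added example that is not the mod_admserv code: a small C model in which the task cache is filled by a search done either as the SIE or as the requesting user. The task DNs, the `o=example` DNs, the one-reader ACI model and the assumption that the SIE can read every task are constructed for illustration; `uid=repl,cn=config` is the test user from Comment 3.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not 389 code: each task entry names the one DN its ACI
 * allows to read it ("*" means any bound user). Real ACIs are richer. */
struct task { const char *dn; const char *reader; };

static const struct task TASKS[] = {
    { "cn=restart,cn=tasks", "*" },
    { "cn=backup,cn=tasks",  "uid=admin,o=example" },
    { "cn=restore,cn=tasks", "uid=admin,o=example" },
};
#define NTASKS (sizeof TASKS / sizeof TASKS[0])

/* Assumption of this model: the SIE identity can read every task entry. */
static const char *SIE_DN = "cn=sie,o=example";
static const char *task_cache[NTASKS];

/* Stand-in for an LDAP search done as bind_dn: only entries whose ACI admits
 * bind_dn come back, and only those are cached. Returns the number cached. */
static size_t sync_tasks(const char *bind_dn) {
    size_t n = 0;
    for (size_t i = 0; i < NTASKS; i++) {
        const struct task *t = &TASKS[i];
        if (!strcmp(bind_dn, SIE_DN) || !strcmp(t->reader, "*") ||
            !strcmp(t->reader, bind_dn))
            task_cache[n++] = t->dn;
    }
    return n;
}

/* Before the fix: the refresh binds as the SIE, whoever made the request. */
size_t refresh_before_fix(const char *user_dn) {
    (void)user_dn;
    return sync_tasks(SIE_DN);
}

/* After the fix: the refresh binds as the currently authenticated user. */
size_t refresh_after_fix(const char *user_dn) {
    return sync_tasks(user_dn);
}

int main(void) {
    const char *user = "uid=repl,cn=config"; /* test user from Comment 3 */
    printf("before: %zu tasks, after: %zu tasks\n",
           refresh_before_fix(user), refresh_after_fix(user));
    return 0;
}
```

In the model, the pre-fix refresh caches all three tasks for `uid=repl,cn=config`, while the post-fix refresh caches only the one task that user's ACI admits.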
Comment 3 Anh Nguyen 2008-01-02 18:34:38 EST
Verified using the following steps:
- open Directory server instance.
- go to Directory tab
- create a new user under cn=config with uid=repl. Provide password redhat
- click on menu console -> Login as new user. Enter id, uid=repl,cn=config.
- login works ok.
- go to configuration tab
Should observe:
"Insufficient permissions"
"user uid=repl, cn=config does not have performission to perform this operation"
