Bug 329751 - "nested" filtered roles searches candidates more than needed
"nested" filtered roles searches candidates more than needed
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Server - Plugins
Version: 1.1.0
Hardware: All, OS: Linux
Priority: medium, Severity: low
Assigned To: Noriko Hosoi
QA Contact: Viktor Ashirov
Blocks: 639035
Reported: 2007-10-12 14:12 EDT by Noriko Hosoi
Modified: 2015-12-07 11:59 EST
Doc Type: Bug Fix
Last Closed: 2015-12-07 11:59:08 EST

Attachments:
  nested filtered roles LDIF for testcase (1.40 KB, application/octet-stream), 2007-10-12 14:12 EDT, Noriko Hosoi
  git patch file (master) (6.24 KB, patch), 2010-11-02 13:31 EDT, Noriko Hosoi, nkinder: review+
  test ldif 193724.ldif (2.05 KB, text/plain), 2010-11-02 14:12 EDT, Noriko Hosoi

Description Noriko Hosoi 2007-10-12 14:12:23 EDT
Description of problem:
This is the second phase of the bug:
193724: "nested" filtered roles result in deadlock
Comment 1 Noriko Hosoi 2007-10-12 14:12:23 EDT
Created attachment 225911 [details]
nested filtered roles LDIF for testcase
Comment 2 Noriko Hosoi 2007-10-12 14:14:12 EDT
To reproduce add the attached LDIF and then perform a subtree search on
dc=example,dc=com for objectclass=*.
Comment 6 Noriko Hosoi 2010-11-02 13:31:14 EDT
Created attachment 457238 [details]
git patch file (master)

Bug Description: If nsRoleFilter in nsRoleDefinition contains
virtual attributes in the filter AND the attribute type is
not indexed, following searches could go into a loop starting
from slapi_vattr_filter_test.  On the other hand, if the
attribute type is indexed, the nsRoleDefinition is ignored.
The server does not support virtual attributes for nsRoleFilter,
but it was not checked.  This patch tries to detect such an invalid
role definition and issues an error.  Note: the check cannot detect
the case where the nsRoleFilter is already in the db and a CoS is then
added defining an attribute in the nsRoleFilter as a virtual attribute.

File:
 ldap/servers/plugins/cos/cos_cache.c
 ldap/servers/plugins/roles/roles_cache.c
 ldap/servers/slapd/vattr.c

Doc: We need to add a note to "5.2.12. Creating Role-Based Attributes" that the Directory Server does not support virtual attributes for nsRoleFilter.
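The invalid-definition check that the patch adds to roles_cache.c, reproduced here as an added offline LDIF lint in Python (example code, not the 389 DS patch): it parses LDIF, collects the attribute types that CoS definitions generate from cosAttribute, and reports every nsRoleFilter that refers to one of them. The LDIF is constructed in the shape of the test case, not the 193724.ldif attachment, and only CoS-generated attributes are treated as virtual (an assumption; the server's own check is in C and covers whatever its vattr registry knows).

```python
import re

# Constructed LDIF in the shape the bug describes (not the page's 193724.ldif attachment):
# a CoS definition makes "description" virtual and a filtered role's filter refers to it.
SAMPLE_LDIF = """\
dn: cn=foo cos,ou=people,dc=example,dc=com
objectClass: cosclassicdefinition
cosAttribute: description override

dn: cn=bar role,ou=people,dc=example,dc=com
objectClass: nsfilteredroledefinition
nsRoleFilter: (description=foo)

dn: cn=ok role,ou=people,dc=example,dc=com
objectClass: nsfilteredroledefinition
nsRoleFilter: (&(uid=*)(mail=*))
"""

ATTR_IN_FILTER = re.compile(r"\(([A-Za-z][\w.;-]*)")  # attribute name after each '('

def parse_ldif(text):
    """Minimal LDIF reader: one {attr_lower: [values]} dict per entry (no base64 support)."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:           # folded continuation line
            entry[last][-1] += raw[1:]
        elif not raw.strip():                      # blank line terminates an entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
    return entries

def virtual_attributes(entries):
    """Attribute types generated by CoS: first token of cosAttribute in any cos*definition entry."""
    virtual = set()
    for e in entries:
        if any(oc.lower().startswith("cos") and oc.lower().endswith("definition") for oc in e.get("objectclass", [])):
            virtual.update(v.split()[0].lower() for v in e.get("cosattribute", []))
    return virtual

def check_role_filters(ldif_text):
    """Map each role DN whose nsRoleFilter names a CoS virtual attribute to those attribute names."""
    entries = parse_ldif(ldif_text)
    virtual = virtual_attributes(entries)
    return {e["dn"][0]: hits for e in entries for flt in e.get("nsrolefilter", [])
            if (hits := sorted({a.lower() for a in ATTR_IN_FILTER.findall(flt)} & virtual))}
```

Run `check_role_filters` over the LDIF you are about to load; any DN it returns is a role the server would disable with the error message quoted in the verification steps.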
Comment 7 Noriko Hosoi 2010-11-02 14:02:50 EDT
Thanks to Rich and Nathan for the discussion.

Reviewed by Nathan (Thanks, again!!)

Pushed to master.

$ git merge work
Updating fe6f8f2..9fa6ff7
Fast-forward
 ldap/servers/plugins/cos/cos_cache.c     |   16 +++++------
 ldap/servers/plugins/roles/roles_cache.c |   43 ++++++++++++++++++++++++++++++
 ldap/servers/slapd/vattr.c               |    9 ++++--
 3 files changed, 56 insertions(+), 12 deletions(-)

$ git push
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 1.99 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   fe6f8f2..9fa6ff7  master -> master
Comment 8 Noriko Hosoi 2010-11-02 14:12:49 EDT
Created attachment 457245 [details]
test ldif 193724.ldif

Steps to verify:
1) set up a DS instance with suffix "dc=example,dc=com"
2) ldapmodify [...] -af /path/to/193724.ldif
3) check error log:
[...] roles-plugin - cn=bar role,ou=people,dc=example,dc=com: not allowed to refer virtual attribute in the value of nsRoleFilter (description=foo). The nsRoleFilter is disabled.
4) ldapsearch [...] -b "dc=example,dc=com" "(cn=*)" description mail
   It does not add role defined attr "mail".
   No loop error such as "Detected virtual attribute loop in get on entry <YOUR DN>, attribute nsRole".
Comment 9 Amita Sharma 2011-06-20 06:40:46 EDT
1. Error logs at point 3 of the verification steps by Noriko:
[root@testvm data]# tail -f /var/log/dirsrv/slapd-testvm/errors

[20/Jun/2011:15:24:45 +051800] - Listening on All Interfaces port 636 for LDAPS requests
[20/Jun/2011:15:57:07 +051800] roles-plugin - cn=bar role,ou=people,dc=example,dc=com: not allowed to refer virtual attribute in the value of nsRoleFilter (description=foo). The nsRoleFilter is disabled.

2. 

[root@testvm data]# ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "dc=example,dc=com" "(cn=*)" description mail
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (cn=*)
# requesting: description mail 
#

# tmorris, people, example.com
dn: uid=tmorris,ou=people,dc=example,dc=com
description: foo
mail: tmorris@example.com

# cn\3Dfoo role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom, people, example.com
dn: cn=cn\3Dfoo role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,ou=people,dc=exam
 ple,dc=com
description: foo

# cn\3Dbar role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom, people, example.com
dn: cn=cn\3Dbar role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,ou=people,dc=exam
 ple,dc=com
mail: abc@example.com

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

No error as above, but the mail attribute is added. Is that fine?

Also, please point me to the doc " We need to add a note to "5.2.12. Creating Role-Based Attributes" that the
Directory Server does not support virtual attributes for nsRoleFilter."

Thanks,
Amita
Comment 10 Amita Sharma 2011-06-20 06:56:40 EDT
[root@testvm data]# ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "dc=example,dc=com" "(cn=*)" description mail
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (cn=*)
# requesting: description mail 
#

# tmorris, people, example.com
dn: uid=tmorris,ou=people,dc=example,dc=com
description: foo
mail: tmorris@example.com

# cn\3Dfoo role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom, people, example.com
dn: cn=cn\3Dfoo role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,ou=people,dc=exam
 ple,dc=com
description: foo

# cn\3Dbar role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom, people, example.com
dn: cn=cn\3Dbar role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,ou=people,dc=exam
 ple,dc=com
mail: abc@example.com

# tuser0, people, example.com
dn: uid=tuser0,ou=people,dc=example,dc=com
description: abc

# tuser1, people, example.com
dn: uid=tuser1,ou=people,dc=example,dc=com
description: foo

# tuser2, people, example.com
dn: uid=tuser2,ou=people,dc=example,dc=com
description: foo

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
Comment 11 Noriko Hosoi 2011-06-29 13:32:40 EDT
(In reply to comment #9)
> Not any above error but the mail attribute is added, Is that fine?

I see these 2 mail attributes in your output.
  dn: uid=tmorris,ou=people,dc=example,dc=com
  mail: tmorris@example.com

  dn: cn=cn\3Dbar role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,ou=people,dc=exam
 ple,dc=com
  mail: abc@example.com

I believe both of them physically exist in the entry.  For abc@example.com, see 193724.ldif:
  dn: cn="cn=bar role,ou=people,dc=example,dc=com",ou=People,dc=example,dc=com
  cn: cn=bar role,ou=people,dc=example,dc=com
  objectClass: top
  objectClass: costemplate
  objectClass: extensibleobject
  mail: abc@example.com
  ^^^^^^^^^^^^^^^^^^^^^
And your test result looks fine.

> Also, please point me to the doc " We need to add a note to "5.2.12. Creating
> Role-Based Attributes" that the
> Directory Server does not support virtual attributes for nsRoleFilter."

Thank you for finding this out, Amita!  I'll ask Deon to add this sentence to the doc...
Comment 12 Amita Sharma 2011-07-04 01:04:40 EDT
Thanks Noriko, marking the bug as VERIFIED.