Bug 329751
| Field | Value |
|---|---|
| Summary | "nested" filtered roles searches candidates more than needed |
| Product | [Retired] 389 |
| Component | Server - Plugins |
| Version | 1.1.0 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | medium |
| Reporter | Noriko Hosoi <nhosoi> |
| Assignee | Noriko Hosoi <nhosoi> |
| QA Contact | Viktor Ashirov <vashirov> |
| CC | amsharma, jgalipea |
| Doc Type | Bug Fix |
| Bug Blocks | 639035 |
| Last Closed | 2015-12-07 16:59:08 UTC |
| Attachments | 225911 (nested filtered roles LDIF for testcase), 457238 (git patch file (master)), 457245 (test ldif 193724.ldif) |

Description
Noriko Hosoi
2007-10-12 18:12:23 UTC
Created attachment 225911 [details]
nested filtered roles LDIF for testcase
To reproduce, add the attached LDIF and then perform a subtree search on dc=example,dc=com for objectclass=*.

Created attachment 457238 [details]
git patch file (master)

Bug Description: If nsRoleFilter in nsRoleDefinition contains virtual attributes in the filter AND the attribute type is not indexed, following searches could go into a loop starting from slapi_vattr_filter_test. On the other hand, if the attribute type is indexed, the nsRoleDefinition is ignored. The server does not support virtual attributes for nsRoleFilter, but it was not checked. This patch tries to detect such an invalid role definition and issues an error. Note: the check cannot detect the case where the nsRoleFilter is already in the db and then a CoS is added defining an attribute in the nsRoleFilter as a virtual attribute.

File:
ldap/servers/plugins/cos/cos_cache.c
ldap/servers/plugins/roles/roles_cache.c
ldap/servers/slapd/vattr.c

Doc: We need to add a note to "5.2.12. Creating Role-Based Attributes" that the Directory Server does not support virtual attributes for nsRoleFilter.

Thanks to Rich and Nathan for the discussion.

Reviewed by Nathan (Thanks, again!!)

Pushed to master.

```
$ git merge work
Updating fe6f8f2..9fa6ff7
Fast-forward
 ldap/servers/plugins/cos/cos_cache.c     | 16 +++++------
 ldap/servers/plugins/roles/roles_cache.c | 43 ++++++++++++++++++++++++++++++
 ldap/servers/slapd/vattr.c               |  9 ++++--
 3 files changed, 56 insertions(+), 12 deletions(-)
$ git push
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 1.99 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   fe6f8f2..9fa6ff7  master -> master
```

Created attachment 457245 [details]
test ldif 193724.ldif

Steps to verify:
1) set up a DS instance with suffix "dc=example,dc=com"
2) ldapmodify [...] -af /path/to/193724.ldif
3) check error log:
[...] roles-plugin - cn=bar role,ou=people,dc=example,dc=com: not allowed to refer virtual attribute in the value of nsRoleFilter (description=foo). The nsRoleFilter is disabled.
4) ldapsearch [...] -b "dc=example,dc=com" "(cn=*)" description mail
It does not add role defined attr "mail".
No loop error such as "Detected virtual attribute loop in get on entry <YOUR DN>, attribute nsRole".
1. Error logs at point 3 of Noriko's verification steps:

```
[root@testvm data]# tail -f /var/log/dirsrv/slapd-testvm/errors
[20/Jun/2011:15:24:45 +051800] - Listening on All Interfaces port 636 for LDAPS requests
[20/Jun/2011:15:57:07 +051800] roles-plugin - cn=bar role,ou=people,dc=example,dc=com: not allowed to refer virtual attribute in the value of nsRoleFilter (description=foo). The nsRoleFilter is disabled.
```

2.

```
[root@testvm data]# ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "dc=example,dc=com" "(cn=*)" description mail
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (cn=*)
# requesting: description mail
#

# tmorris, people, example.com
dn: uid=tmorris,ou=people,dc=example,dc=com
description: foo
mail: tmorris

# cn\3Dfoo role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom, people, example.com
dn: cn=cn\3Dfoo role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,ou=people,dc=exam
 ple,dc=com
description: foo

# cn\3Dbar role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom, people, example.com
dn: cn=cn\3Dbar role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,ou=people,dc=exam
 ple,dc=com
mail: abc

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
```

There is no error like the above, but the mail attribute is added. Is that fine?

Also, please point me to the doc: "We need to add a note to "5.2.12. Creating Role-Based Attributes" that the Directory Server does not support virtual attributes for nsRoleFilter."

Thanks,
Amita

```
[root@testvm data]# ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "dc=example,dc=com" "(cn=*)" description mail
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (cn=*)
# requesting: description mail
#

# tmorris, people, example.com
dn: uid=tmorris,ou=people,dc=example,dc=com
description: foo
mail: tmorris

# cn\3Dfoo role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom, people, example.com
dn: cn=cn\3Dfoo role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,ou=people,dc=exam
 ple,dc=com
description: foo

# cn\3Dbar role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom, people, example.com
dn: cn=cn\3Dbar role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,ou=people,dc=exam
 ple,dc=com
mail: abc

# tuser0, people, example.com
dn: uid=tuser0,ou=people,dc=example,dc=com
description: abc

# tuser1, people, example.com
dn: uid=tuser1,ou=people,dc=example,dc=com
description: foo

# tuser2, people, example.com
dn: uid=tuser2,ou=people,dc=example,dc=com
description: foo

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
```

(In reply to comment #9)
> There is no error like the above, but the mail attribute is added. Is that fine?

I see these 2 mail attributes in your output.

```
dn: uid=tmorris,ou=people,dc=example,dc=com
mail: tmorris

dn: cn=cn\3Dbar role\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,ou=people,dc=exam
 ple,dc=com
mail: abc
```

I believe both of them physically exist in the entry. For abc, see 193724.ldif:

```
dn: cn="cn=bar role,ou=people,dc=example,dc=com",ou=People,dc=example,dc=com
cn: cn=bar role,ou=people,dc=example,dc=com
objectClass: top
objectClass: costemplate
objectClass: extensibleobject
mail: abc
^^^^^^^^^^^^^^^^^^^^^
```

And your test result looks fine.

> Also, please point me to the doc: "We need to add a note to "5.2.12. Creating
> Role-Based Attributes" that the
> Directory Server does not support virtual attributes for nsRoleFilter."

Thank you for finding this out, Amita! I'll ask Deon to add this sentence to the doc...

Thanks Noriko, marking the bug as VERIFIED.
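Added example for this page (not the 389 patch or the attached LDIF): an offline scan of an LDIF export that reports each filtered role whose nsRoleFilter tests an attribute some CoS definition generates virtually, the configuration the patch now refuses at load time. Because it reads the whole export it also covers the ordering the report says the in-server check cannot see (role first, CoS added later). The sample LDIF is constructed; the CoS and role entries mirror the role-based-attribute setup discussed in the report.

```python
import re
# Constructed sample LDIF (modelled on the report's scenario, not the real 193724.ldif):
# a classic CoS keyed on nsRole generates "description" virtually, and a filtered role's
# nsRoleFilter then tests that same attribute, which is the self-reference the patch rejects.
SAMPLE_LDIF = """\
dn: cn=bar role,ou=people,dc=example,dc=com
objectClass: nsFilteredRoleDefinition
nsRoleFilter: (description=foo)

dn: cn=foo role,ou=people,dc=example,dc=com
objectClass: nsFilteredRoleDefinition
nsRoleFilter: (&(objectClass=person)(uid=*))

dn: cn=role cos,ou=people,dc=example,dc=com
objectClass: cosClassicDefinition
cosTemplateDn: ou=people,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: description override
"""

ATTR_IN_FILTER = re.compile(r"\(\s*([A-Za-z][\w;.-]*)\s*[~<>]?=")  # "(attr=", "(attr>=", "(attr~="

def parse_ldif(text):
    """Entries as dicts of lowercase attribute type -> list of values. Unfolds RFC 2849
    continuation lines and skips comments; base64 ("::") values are kept undecoded."""
    entries = []
    for record in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        entry = {}
        for line in record.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def filter_attributes(ldap_filter):
    """Lowercased attribute types an RFC 4515 filter tests (outer parentheses optional)."""
    ldap_filter = ldap_filter if ldap_filter.startswith("(") else f"({ldap_filter})"
    return {m.lower() for m in ATTR_IN_FILTER.findall(ldap_filter)}

def find_invalid_role_filters(ldif_text):
    """(role DN, nsRoleFilter, offending attributes) for each filtered role whose filter
    refers to an attribute that some cosAttribute generates. Because it reads the whole
    export, it also catches a CoS added after the role, which the in-server check cannot."""
    entries = parse_ldif(ldif_text)
    virtual = {v.split()[0].lower() for e in entries for v in e.get("cosattribute", [])}
    return [(e["dn"][0], f, sorted(filter_attributes(f) & virtual))
            for e in entries for f in e.get("nsrolefilter", [])
            if filter_attributes(f) & virtual]
```

Run it against `db2ldif` output of the affected backend; any row returned is a role the server will disable with the "not allowed to refer virtual attribute" error shown in the log above.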