Bug 457260 - dnaFilter configuration attribute is not used properly
dnaFilter configuration attribute is not used properly
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Server - DNA Plug-in (Show other bugs)
1.1.1
All Linux
low Severity low
: ---
: ---
Assigned To: Nathan Kinder
Chandrasekar Kannan
:
Depends On:
Blocks: 249650 FDS112
  Show dependency treegraph
 
Reported: 2008-07-30 11:40 EDT by Nathan Kinder
Modified: 2015-01-04 18:33 EST (History)
3 users (show)

See Also:
Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-29 19:05:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
DNA config entries (589 bytes, text/plain)
2008-07-30 11:40 EDT, Nathan Kinder
no flags Details
CVS Diffs (1.12 KB, patch)
2008-07-30 12:24 EDT, Nathan Kinder
no flags Details | Diff

  None (edit)
Description Nathan Kinder 2008-07-30 11:40:26 EDT
The dnaFilter configuration setting is supposed to be applied against an entry
to determine if a particular managed range applies to the entry.  I have found
that it is not used properly.  Here's what I have observed:

  - Configure two managed ranges.  One is for the uidNumber for 
    "objectclass=posixAccount" entries.  The second is for the gidNumber for 
    "objectclass=posixGroup" entries.

  - Add a new "posixAccount" entry without specifying a "uidNumber" or 
    "gidNumber" attribute value.

The user will be successfully added, and both "uidNumber" and "gidNumber" values
will be generated for the new entry, even though the configuration states that
only the "uidNumber" should be generated.
Comment 1 Nathan Kinder 2008-07-30 11:40:27 EDT
Created attachment 313008 [details]
DNA config entries
Comment 2 Nathan Kinder 2008-07-30 12:07:53 EDT
This compiler warning seems to point to the root cause of this problem:

  ../ldapserver/ldap/servers/plugins/dna/dna.c: In function 'parseConfigEntry':
  ../ldapserver/ldap/servers/plugins/dna/dna.c:542: warning: assignment from 
  incompatible pointer type

The problem is related to the way we load the dnaFilter value from the
configuration entries.  Our cached configuration entries in the DNA plug-in
contain a string representation of the filter in addition to a Slapi_Filter
based off of that string.  The problem is that we call slapi_str2filter() to
create the Slapi_Filter, but we store the pointer to it in our char * pointer
that is supposed to be the filter string.
Comment 3 Nathan Kinder 2008-07-30 12:24:15 EDT
Created attachment 313010 [details]
CVS Diffs

This fix simply stores the Slapi_Filter in the proper member of the configEntry
struct.  With this fix, the test in comment#1 properly rejects adding a new
"posixAccount" with no "gidNumber" attribute specified.  If one explicitly
specifies a "gidNumber" when adding the entry, the entry is added successfully,
and the "uidNumber" value is generated by the DNA plug-in.
Comment 4 Nathan Kinder 2008-07-30 13:44:23 EDT
Checked into ldapserver (HEAD).  Thanks to Noriko for her review!

Checking in ldap/servers/plugins/dna/dna.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/dna/dna.c,v  <--  dna.c
new revision: 1.5; previous revision: 1.4
done
Comment 5 Jenny Galipeau 2009-04-07 12:23:01 EDT
fix verified DS 8.1 - All supported OSes- scenarios where DNA is configured for both uidNumber and gidNumber being tested by DNA automated acceptance tests.

*  dnaScope - non overlapping - both managed values with the same range
   o Add and modify both users and groups from both servers 
* dnaScope - overlapping - managed values with different ranges
   o Add and modify both users and groups from both servers
Comment 6 Chandrasekar Kannan 2009-04-29 19:05:22 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

Note You need to log in before you can comment on or make changes to this bug.