Bug 490997 - Obsolete ACI in o=netscaperoot
Summary: Obsolete ACI in o=netscaperoot
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Admin
Version: 9.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Depends On:
Blocks: 434915 389_1.2.1
TreeView+ depends on / blocked
Reported: 2009-03-18 20:31 UTC by Noriko Hosoi
Modified: 2016-05-06 14:50 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-05-06 14:50:29 UTC

Attachments (Terms of Use)
git patch file (10dsdata.ldif.tmpl) (1.24 KB, patch)
2009-08-06 22:57 UTC, Noriko Hosoi
no flags Details | Diff

Description Noriko Hosoi 2009-03-18 20:31:11 UTC
Description of problem:
This is the ACIs set to cn=Server Group:
>     dn: cn=Server Group, cn=kiki.usersys.redhat.com,
>     ou=usersys.redhat.com, o=NetscapeRoot
>     aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0;
>      acl "Enable delegated access"; allow (read, search, compare)
>      groupdn="ldap:///cn=Server Group, cn=kiki.usersys.redhat.com, 
>      ou=usersys.redhat.com,o=NetscapeRoot";)
>     aci: (targetattr=*)(version 3.0; acl "Enable delegated access";
>      allow (read, search, compare) userdn="ldap:///cn=admin-serv-kiki, 
>      cn=Fedora Administration Server, cn=Server Group, 
>      cn=kiki.usersys.redhat.com,
>      ou=usersys.redhat.com, o=NetscapeRoot";)

The first ACI's targetfilter is (nsconfigRoot=*). The attribute nsconfigRoot used to store the serverroot such as /opt/redhat-ds.  We don't have it any more.  The attribute used to belong to the Server Group itself.  To point to the same entry, we could replace (nsconfigRoot=*) with (nsAdminGroupName=*) or (nsAdminGroupName=Server Group).  

Since the Admin Server tests are not failing, this ACI may not be used at all for now.  (Or some bugs might be hidden, not found yet...)  We have 3 choices.  1) fix it, 2) remove the obsolete ACI, 3) file a bug for 9.0.

> The ACI is defined in this template file:
>     ./admserv/schema/ldif/10dsdata.ldif.tmpl
>     aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0;
>     acl "Enable delegated access"; allow (read, search, compare)
>     groupdn="ldap:///cn=Server Group, cn=%fqdn%, ou=%domain%,
>     o=NetscapeRoot";) 

Comments from Nathan>
I'd vote for filing a bug for 9.0 at this point since nothing is failing.  We could remove the ACI, but we would need to respin adminserver again on all platforms.  I don't think that this issue is important enough to warrant that work at this stage.

If we find that the new ACI is needed for some more advanced feature that our tests are not covering, we have an easy workaround for customers of just adding the required ACI.

Comment 1 Noriko Hosoi 2009-08-06 22:57:42 UTC
Created attachment 356595 [details]
git patch file (10dsdata.ldif.tmpl)


[Fix Description]
Removing an obsolete ACI which targetfilter includes an old attribute
nsconfigFoot which does not exist any more.

Tested with setup-ds-admin.pl, register-ds-admin.pl and Console.  No unusual behaviour was observed.

Comment 2 Noriko Hosoi 2009-08-06 23:21:32 UTC
Thanks to Nathan for reviewing the change and pointing out the typo!

I fixed it in the git comment and pushed to master.

$ git merge work
Updating ae4b332..c65ea3a
Fast forward
 admserv/schema/ldif/10dsdata.ldif.tmpl |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)
$ git push
Counting objects: 11, done.
Delta compression using 4 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (6/6), 560 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   ae4b332..c65ea3a  master -> master

Comment 3 Amita Sharma 2011-07-06 09:47:13 UTC
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=slapd-%dsid%,cn=%brand% Directory Server,cn=Server Group,cn=%fqdn%,ou=%domain%,o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=slapd-%dsid%,cn=%brand% Directory Server,cn=Server Group,cn=%fqdn%,ou=%domain%,o=NetscapeRoot";)

Checked, hence VERIFIED.

Note You need to log in before you can comment on or make changes to this bug.