Description of problem: Some template files contain double quotes in the DN string, which are not escaped.

Sample broken entry in 01nsroot.ldif.tmpl:

dn: ou="uid=%as_uid%, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",ou=UserPreferences, ou=%domain%, o=NetscapeRoot
objectClass: top
objectClass: organizationalUnit
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)
ou: uid=%as_uid%, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot

Related bug: https://bugzilla.redhat.com/show_bug.cgi?id=555577
555577 - Syntax validation fails for "ou=NetscapeRoot" tree
Created attachment 388163 [details]
git patch file

Files:
admserv/schema/ldif/00nsroot_backend.ldif.tmpl
admserv/schema/ldif/01nsroot.ldif.tmpl
admserv/schema/ldif/10dsdata.ldif.tmpl
admserv/schema/ldif/10rm_dsdata.ldif.tmpl
admserv/schema/ldif/20asdata.ldif.tmpl

Fix Description: Escaping the double quotes '"' that appeared in the DN string.

Tests: setup-ds-admin.pl successfully installs the Configuration Directory Server. "o=netscaperoot" and its subtree can be expanded in the Console.

Note: The escaped backslash \\ appears on the Console pane. For instance, on the Directory panel, choose netscaperoot | <domain> | UserPreferences. Then the UserPreferences entries are displayed with \\" under UserPreferences:
\\"uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot\ \" (1 aci)
\\"cn=slapd-kiki, cn=389 Directory Server, cn=Server Group, cn=kiki.use rsys.redhat.com, ou=usersys.redhat.com, o=NetscapeRoot\\" (1 aci)
\\"cn=Directory Manager\\" (1 aci)
\\"cn=admin-serv-kiki, cn=389 Administration Server, cn=Server Group, c n=kiki.usersys.redhat.com, ou=usersys.redhat.com, o=NetscapeRoot\\" (1 aci)
\\"cn=slapd-kiki0, cn=389 Directory Server, cn=Server Group, cn=kiki.us ersys.redhat.com, ou=usersys.redhat.com, o=NetscapeRoot\\" (1 aci)
I think we should be using LDAPv3 escape sequences - double quotes are LDAPv2 and are deprecated. In addition, any time we use a DN as part of another DN, we must make sure that the DN is normalized; otherwise, matching becomes quite difficult, as we usually do this with attributes that are not DN syntax.

Instead of
cn="o=NetscapeRoot",cn=mapping tree,cn=config
we should use
cn=o\3Dnetscaperoot,cn=mapping tree,cn=config

Instead of
ou="uid=%as_uid%, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",ou=UserPreferences, ou=%domain%, o=NetscapeRoot
we should use
ou=uid\3D%as_uid%\2Cou\3Dadministrators\2Cou\3Dtopologymanagement\2Co\3Dnetscaperoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot

And we must make sure that %as_uid% here is properly escaped and normalized before we use it in the value - we will probably have to add another token like %as_uid_dn_escaped% for use in DN values.

Note that the space after the comma is not really RFC compliant - http://www.ietf.org/rfc/rfc4514.txt - but all LDAPv3 implementations will normalize the space away. We should avoid using spaces in our DNs.

There are other related bugs - https://bugzilla.redhat.com/show_bug.cgi?id=509201 - and many other places in our code where we use a DN value in the RDN of another DN - the mapping tree/suffix/database code, replication, roles, CoS, password policy, bind resource limits - and there is code in the core server, in the admin server, in the console, and in the various perl scripts that needs to be aware of DN escaping and normalization.
Created attachment 388648 [details]
git patch file (ldapserver)

Description: adding a perl subroutine dnEscape to escape special characters and eliminate spaces around ',', which makes the given dn compliant with RFC4514.
Created attachment 388650 [details]
git patch file (adminserver)

Description:
admserv/newinst/src/dirserver.map.in
admserv/newinst/src/register_param.map.in
--- added escapedrootdn key, which is an escaped rootdn compliant with RFC4514

admserv/schema/ldif/*.tmpl
--- removed unescaped '"' from dn strings, which violates RFC4514.
    escaped special characters ('=' and ',') in what used to be a value surrounded by double quotes '"'.
    removed spaces around ','
Created attachment 388665 [details]
git patch file (ldapserver)

Description: adding a perl subroutine dnEscape to escape special characters and eliminate spaces around ',', which makes the given dn compliant with RFC4514.

Fixed a typo pointed out by Nathan (Thank you!!!)
<nkinder> It says "surrownding". Should be "surrounding".
(In reply to comment #5)
> Created an attachment (id=388665) [details]
> git patch file (ldapserver)

Reviewed by Nathan (Thank you!!!)
Pushed to master.

$ git merge work
Updating 0544378..5c859f5
Fast forward
 ldap/admin/src/scripts/DSUtil.pm.in |   31 +++++++++++++++++++++++++++++++
 1 files changed, 31 insertions(+), 0 deletions(-)
$ git push
Counting objects: 13, done.
Delta compression using 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 1.15 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   0544378..5c859f5  master -> master
(In reply to comment #4)
> Created an attachment (id=388650) [details]
> git patch file (adminserver)

Reviewed by Nathan (Thank you!!!)
Pushed to master.

$ git merge work
Updating 46f127a..d7b1055
Fast forward
 admserv/newinst/src/dirserver.map.in              |    1 +
 admserv/newinst/src/register_param.map.in         |    1 +
 admserv/schema/ldif/00nsroot_backend.ldif.tmpl    |    5 +-
 admserv/schema/ldif/01nsroot.ldif.tmpl            |   26 ++++----
 admserv/schema/ldif/02globalpreferences.ldif.tmpl |   46 ++++++------
 admserv/schema/ldif/10dsdata.ldif.tmpl            |   64 +++++++++---------
 admserv/schema/ldif/10rm_dsdata.ldif.tmpl         |   10 ++--
 admserv/schema/ldif/11dstasks.ldif.tmpl           |   68 +++++++++---------
 admserv/schema/ldif/12dsconfig.mod.tmpl           |    6 +-
 admserv/schema/ldif/13dsschema.mod.tmpl           |    6 +-
 admserv/schema/ldif/16dssuffixadmin.mod.tmpl      |    6 +-
 admserv/schema/ldif/20asdata.ldif.tmpl            |   54 +++++++-------
 admserv/schema/ldif/21astasks.ldif.tmpl           |   78 ++++++++++----------
 admserv/schema/ldif/22ascommands.ldif.tmpl        |    8 +-
 admserv/schema/ldif/asmigrate.ldif.tmpl           |   10 ++--
 15 files changed, 195 insertions(+), 194 deletions(-)
$ git push
Counting objects: 41, done.
Delta compression using 4 threads.
Compressing objects: 100% (20/20), done.
Writing objects: 100% (22/22), 5.04 KiB, done.
Total 22 (delta 18), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   46f127a..d7b1055  master -> master
Invalid DNs are still being sent to the server.

[..]
conn=9 op=10 ADD dn="ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=usersys.redhat.com,o=NetscapeRoot"
[10/Feb/2010:12:47:32 -0800] conn=9 op=10 RESULT err=34 tag=105 nentries=0 etime=0
[..]
conn=9 op=23 ADD dn="ou=Console,ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=usersys.redhat.com,o=NetscapeRoot"
[10/Feb/2010:12:47:33 -0800] conn=9 op=23 RESULT err=34 tag=105 nentries=0 etime=0
[..]
conn=9 op=25 ADD dn="ou=1.1,ou=Console,ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=usersys.redhat.com,o=NetscapeRoot"
[10/Feb/2010:12:47:33 -0800] conn=9 op=25 RESULT err=34 tag=105 nentries=0 etime=0

They are from the admin server and console.
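The access-log excerpt above is the kind of evidence an operator has when a client keeps sending DNs the server rejects with err=34 (LDAP_INVALID_DN_SYNTAX). The script below is an added example, not code from 389-ds or 389-admin: it correlates each logged operation with its RESULT line by (conn, op), pulls the client address from the connection-open line, and flags DNs that still carry a double quote (which 389 logs as \22, the LDAPv2 quoted form this bug replaces). The log lines are constructed in the access-log format quoted in this thread; the client address 192.0.2.10 and the domain example.com are made up.

```python
"""Find invalid-DN rejections (err=34) in 389 Directory Server access-log lines
and attribute them to the client connection that sent them.

Added example for this bug thread; not 389-ds code. SAMPLE_LOG is constructed
in the access-log format shown in the thread (client address is made up).
"""
import re

LDAP_INVALID_DN_SYNTAX = 34

SAMPLE_LOG = r"""
[10/Feb/2010:12:47:30 -0800] conn=9 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[10/Feb/2010:12:47:32 -0800] conn=9 op=10 ADD dn="ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=example.com,o=NetscapeRoot"
[10/Feb/2010:12:47:32 -0800] conn=9 op=10 RESULT err=34 tag=105 nentries=0 etime=0
[10/Feb/2010:12:47:33 -0800] conn=9 op=11 ADD dn="ou=Console,ou=UserPreferences,ou=example.com,o=NetscapeRoot"
[10/Feb/2010:12:47:33 -0800] conn=9 op=11 RESULT err=0 tag=105 nentries=0 etime=0
[10/Feb/2010:12:47:33 -0800] conn=9 op=23 ADD dn="ou=Console,ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=example.com,o=NetscapeRoot"
[10/Feb/2010:12:47:33 -0800] conn=9 op=23 RESULT err=34 tag=105 nentries=0 etime=0
""".strip()

# Connection-open line: maps conn number to the client address.
CONN_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ '
    r'connection from (?P<client>\S+) to ')
# Operation line carrying a DN. 389 writes '"' inside the DN as \22, so the
# logged DN never contains a literal double quote and [^"]* is safe.
OP_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>ADD|MOD|MODRDN|DEL|SRCH) dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')


def find_invalid_dn_ops(lines):
    """Return one record per operation the server answered with err=34,
    including the DN that was sent and the client that opened the connection."""
    clients = {}   # conn -> client address
    pending = {}   # (conn, op) -> operation details awaiting its RESULT line
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            clients[m['conn']] = m['client']
            continue
        m = OP_RE.match(line)
        if m:
            pending[(m['conn'], m['op'])] = {
                'ts': m['ts'], 'conn': int(m['conn']), 'op': int(m['op']),
                'kind': m['kind'], 'dn': m['dn']}
            continue
        m = RESULT_RE.match(line)
        if m:
            rec = pending.pop((m['conn'], m['op']), None)
            if rec and int(m['err']) == LDAP_INVALID_DN_SYNTAX:
                rec['client'] = clients.get(m['conn'], 'unknown')
                hits.append(rec)
    return hits


def uses_ldapv2_quoting(dn_from_log):
    """True when the logged DN still contains a double quote (logged as \\22),
    i.e. the LDAPv2 quoted-value form instead of RFC 4514 \\XX escapes."""
    return '\\22' in dn_from_log


def summarize(lines):
    """Rejections plus a per-client count, to see which component needs fixing."""
    hits = find_invalid_dn_ops(lines)
    per_client = {}
    for h in hits:
        per_client[h['client']] = per_client.get(h['client'], 0) + 1
    return hits, per_client


if __name__ == '__main__':
    hits, per_client = summarize(SAMPLE_LOG.splitlines())
    for h in hits:
        flag = ' (LDAPv2 quoting)' if uses_ldapv2_quoting(h['dn']) else ''
        print(f"{h['ts']} conn={h['conn']} op={h['op']} {h['kind']} "
              f"from {h['client']}{flag}: {h['dn']}")
    print(per_client)
```

Run against a real access log with `find_invalid_dn_ops(open(path).readlines())`; the per-client count is what tells you whether the bad DNs come from one client (as here, the admin server and console on one connection) or from many.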
Created attachment 390422 [details]
git patch file (adminserver)

Files:
admserv/cgi-src40/htmladmin.c
include/libadmin/libadmin.h
lib/libadmin/util.c

Description: get_all_users_views was generating an invalid DN which included a nested DN surrounded by unescaped double quotes. Instead of escaping the double quotes, introduced an escape_for_dn function which escapes special characters in the nested DN.
Created attachment 390423 [details]
cvs diff file (idm-console-framework)

Files:
src/com/netscape/management/client/console/Console.java
src/com/netscape/management/client/util/LDAPUtil.java

Description: userPreferenceDN included a nested DN surrounded by unescaped double quotes. Instead of escaping the double quotes, introduced a method escapeDnString in LDAPUtil which escapes special characters in the nested DN.
Reviewed by Rich (Thank you!!)

Adminserver:
Pushed to master.

$ git merge work
Updating 0734638..f637daf
Fast-forward
 admserv/cgi-src40/htmladmin.c |   15 +++++-
 include/libadmin/libadmin.h   |   13 +++++
 lib/libadmin/util.c           |  121 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 147 insertions(+), 2 deletions(-)
$ git push
Counting objects: 21, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.44 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   0734638..f637daf  master -> master

===============================================================================
idm-console-framework:
Checked in into HEAD

Resolves: 560827 - Admin Server: DistinguishName validation fails
Description: userPreferenceDN included a nested DN surrounded by unescaped double quotes. Instead of escaping the double quotes, introduced a method escapeDnString in LDAPUtil which escapes special characters in the nested DN.

CVS: ----------------------------------------------------------------------
CVS: Enter Log.  Lines beginning with `CVS:' are removed automatically
CVS:
CVS: Committing in .
CVS:
CVS: Modified Files:
CVS:    src/com/netscape/management/client/console/Console.java
CVS:    src/com/netscape/management/client/util/LDAPUtil.java
CVS: ----------------------------------------------------------------------
Checking in src/com/netscape/management/client/console/Console.java;
/cvs/dirsec/console/src/com/netscape/management/client/console/Console.java,v  <--  Console.java
new revision: 1.16; previous revision: 1.15
done
Checking in src/com/netscape/management/client/util/LDAPUtil.java;
/cvs/dirsec/console/src/com/netscape/management/client/util/LDAPUtil.java,v  <--  LDAPUtil.java
new revision: 1.3; previous revision: 1.2
done
Pushed to Directory_Server_8_2_Branch, as well.

$ git push origin admin82-local:Directory_Server_8_2_Branch
Counting objects: 21, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.45 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   3fe633f..43f94de  admin82-local -> Directory_Server_8_2_Branch
389-admin-1.1.11-0.2.a2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.fc13
389-admin-1.1.11-0.2.a2.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.el5
389-admin-1.1.11-0.2.a2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.fc12
389-admin-1.1.11-0.2.a2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.fc11
Created attachment 421287 [details]
screen shot

Console looks fine - see attached screenshot

but ...

# egrep UserPreferences 01nsroot.ldif.tmpl
dn: ou=UserPreferences,ou=%domain%,o=NetscapeRoot
ou: UserPreferences
dn: ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot

Is this okay?
(In reply to comment #17)
> Created an attachment (id=421287) [details]
> screen shot
>
> Console looks fine - see attached screenshot
>
> but ...
>
> # egrep UserPreferences 01nsroot.ldif.tmpl
> dn: ou=UserPreferences,ou=%domain%,o=NetscapeRoot
> ou: UserPreferences
> dn: ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
>
> Is this okay?

I think so. The server should treat \= as \3D. Noriko/Nathan, can you confirm?
(In reply to comment #18)
> (In reply to comment #17)
> > Created an attachment (id=421287) [details]
> > screen shot
> >
> > Console looks fine - see attached screenshot
> >
> > but ...
> >
> > # egrep UserPreferences 01nsroot.ldif.tmpl
> > dn: ou=UserPreferences,ou=%domain%,o=NetscapeRoot
> > ou: UserPreferences
> > dn: ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
> >
> > Is this okay?
>
> I think so. The server should treat \= as \3D. Noriko/Nathan, can you
> confirm?

Yes, that's correct. Now, the server can handle the old style DN
ou="uid=%as_uid%,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot",ou=UserPreferences,ou=%domain%,o=NetscapeRoot
as well as the new styles:
ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
and
ou=uid\3D%as_uid%\2Cou\3DAdministrators\2Cou\3DTopologyManagement\2Co\3DNetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
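Rich's earlier comment asks for two things when a DN is embedded as the value of another DN's RDN: escape the special characters the RFC 4514 way (\3D, \2C) rather than wrapping the value in LDAPv2 double quotes, and normalize the inner DN first so that matching works on attributes that are not DN syntax. The confirmation above lists the three forms the server now accepts. The script below is an added example, not code from 389-ds, 389-admin or the console (the Perl dnEscape and C escape_for_dn in the patches are separate): it parses the three forms, normalizes them to one canonical string, and builds the nested UserPreferences DN from its parts. Function names and the domain example.com are this example's own; '=' is escaped although RFC 4514 only makes that optional, to match the \3D forms used in this thread.

```python
"""RFC 4514 escaping and normalisation for DNs whose RDN value is itself a DN.

Added example for this bug thread; not 389-ds, 389-admin or console code.
The helper names below are this example's own.
"""

# Characters escaped anywhere inside a value. RFC 4514 requires , + " \ < > ;
# to be escaped; '=' is optional there but escaped here to match the \3D form.
_SPECIAL = set(',+"\\<>;=')
_HEX = set('0123456789abcdefABCDEF')


def escape_rdn_value(value, hex_style=True):
    """Escape one attribute value for use inside an RDN.
    hex_style=True emits \\XX ('=' -> '\\3D'); False emits '\\=' style pairs."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        must = (ch in _SPECIAL
                or (i == 0 and ch in ' #')        # leading space or '#'
                or (i == last and ch == ' ')      # trailing space
                or ord(ch) < 0x20)                # control characters
        if not must:
            out.append(ch)
        elif hex_style or ord(ch) < 0x20:
            out.append(''.join('\\%02X' % b for b in ch.encode('utf-8')))
        else:
            out.append('\\' + ch)
    return ''.join(out)


def unescape_rdn_value(value):
    """Reverse of escape_rdn_value: \\XX pairs are UTF-8 bytes, \\c is c."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                raw.append(int(pair, 16))
                i += 3
            else:
                raw.extend(value[i + 1].encode('utf-8'))
                i += 2
        else:
            raw.extend(value[i].encode('utf-8'))
            i += 1
    return raw.decode('utf-8')


def split_dn(dn):
    """Split a DN at unescaped commas, keeping \\ pairs and LDAPv2 "..." intact."""
    rdns, cur, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ',' and not in_quotes:
            rdns.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur).strip())
    return rdns


def normalize_dn(dn):
    """Canonical form: spaces around commas removed, lower-cased (caseIgnore
    matching), LDAPv2 quoted values and \\c pairs rewritten as \\XX escapes."""
    parts = []
    for rdn in split_dn(dn):
        typ, _, val = rdn.partition('=')
        val = val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            raw = val[1:-1]                  # LDAPv2 quoted: contents literal
        else:
            raw = unescape_rdn_value(val)
        parts.append(typ.strip().lower() + '=' + escape_rdn_value(raw.lower()))
    return ','.join(parts)


def nest_dn(attr, inner_dn, parent_dn):
    """Build attr=<inner DN>,<parent DN>. The inner DN is normalised first and
    then escaped as one value, so the result equals normalize_dn() of itself."""
    return (attr + '=' + escape_rdn_value(normalize_dn(inner_dn))
            + ',' + normalize_dn(parent_dn))


if __name__ == '__main__':
    inner = 'uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot'
    print(nest_dn('ou', inner, 'ou=UserPreferences, ou=example.com, o=NetscapeRoot'))
```

normalize_dn treats every value as an opaque string; only nest_dn knows that the value is a DN and normalizes it before escaping, which is the distinction Rich draws. A uid containing a comma is escaped once by the inner normalization and again (its backslash becomes \5C) when the inner DN is embedded, so the outer DN stays parseable.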
Thanks for the confirmation - verified - RHEL 4 version: redhat-ds-base-8.2.0-2010060304.el4dsrv