Bug 560827 - Admin Server: DistinguishName validation fails
Summary: Admin Server: DistinguishName validation fails
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Admin
Version: 1.3.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 434914 389_1.2.6
 
Reported: 2010-02-01 23:15 UTC by Noriko Hosoi
Modified: 2015-12-07 17:03 UTC
CC List: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 17:03:24 UTC
Embargoed:


Attachments
git patch file (5.46 KB, patch)
2010-02-02 00:18 UTC, Noriko Hosoi
no flags
git patch file (ldapserver) (1.81 KB, patch)
2010-02-03 21:13 UTC, Noriko Hosoi
no flags
git patch file (adminserver) (64.58 KB, patch)
2010-02-03 21:15 UTC, Noriko Hosoi
nkinder: review+
git patch file (ldapserver) (1.81 KB, patch)
2010-02-03 22:20 UTC, Noriko Hosoi
nkinder: review+
git patch file (adminserver) (5.72 KB, patch)
2010-02-12 02:00 UTC, Noriko Hosoi
nhosoi: review?
rmeggins: review+
cvs diff file (idm-console-framework) (2.58 KB, patch)
2010-02-12 02:04 UTC, Noriko Hosoi
nhosoi: review?
rmeggins: review+
screen shot (29.38 KB, image/png)
2010-06-04 16:32 UTC, Jenny Severance
no flags

Description Noriko Hosoi 2010-02-01 23:15:24 UTC
Description of problem:
Some template files contain double quotes in DN strings, which
are not escaped.
Sample broken entry in 01nsroot.ldif.tmpl
dn: ou="uid=%as_uid%, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",ou=UserPreferences, ou=%domain%, o=NetscapeRoot
objectClass: top
objectClass: organizationalUnit
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)
ou: uid=%as_uid%, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot

Related bug:
https://bugzilla.redhat.com/show_bug.cgi?id=555577
555577 -  Syntax validation fails for "ou=NetscapeRoot" tree

Comment 1 Noriko Hosoi 2010-02-02 00:18:36 UTC
Created attachment 388163 [details]
git patch file

Files:
   admserv/schema/ldif/00nsroot_backend.ldif.tmpl
   admserv/schema/ldif/01nsroot.ldif.tmpl
   admserv/schema/ldif/10dsdata.ldif.tmpl
   admserv/schema/ldif/10rm_dsdata.ldif.tmpl
   admserv/schema/ldif/20asdata.ldif.tmpl

Fix Description: Escaping double quotes '"' appearing in the DN string.

Tests: setup-ds-admin.pl successfully installs the Configuration Directory
Server.  "o=netscaperoot" and its subtree can be expanded in the Console.

Note: The escaped backslash \\ appears on the Console pane.  For instance,
On the Directory panel, choose netscaperoot | <domain> | UserPreferences.  Then UserPreferences are displayed with \\" under UserPreferences.
\\"uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot\\" (1 aci)
\\"cn=slapd-kiki, cn=389 Directory Server, cn=Server Group, cn=kiki.usersys.redhat.com, ou=usersys.redhat.com, o=NetscapeRoot\\" (1 aci)
\\"cn=Directory Manager\\" (1 aci)
\\"cn=admin-serv-kiki, cn=389 Administration Server, cn=Server Group, cn=kiki.usersys.redhat.com, ou=usersys.redhat.com, o=NetscapeRoot\\" (1 aci)
\\"cn=slapd-kiki0, cn=389 Directory Server, cn=Server Group, cn=kiki.usersys.redhat.com, ou=usersys.redhat.com, o=NetscapeRoot\\" (1 aci)

Comment 2 Rich Megginson 2010-02-02 03:23:53 UTC
I think we should be using LDAPv3 escape sequences - double quotes are LDAPv2 and are deprecated.  In addition, any time we use a DN as part of another DN, we must make sure that the DN is normalized, otherwise, matching becomes quite difficult, as we usually do this with attributes that are not DN syntax.

Instead of
cn="o=NetscapeRoot",cn=mapping tree,cn=config
we should use
cn=o\3Dnetscaperoot,cn=mapping tree,cn=config

Instead of
ou="uid=%as_uid%, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",ou=UserPreferences, ou=%domain%, o=NetscapeRoot
we should use
ou=uid\3D%as_uid%\2Cou\3Dadministrators\2Cou\3Dtopologymanagement\2Co\3Dnetscaperoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot

And we must make sure that %as_uid% here is properly escaped and normalized before we use it in the value - we will probably have to add another token like %as_uid_dn_escaped% for use in DN values.

Note that the space after the comma is not really RFC compliant - http://www.ietf.org/rfc/rfc4514.txt - but all LDAPv3 implementations will normalize the space away.  We should avoid using spaces in our DNs.

There are other related bugs - https://bugzilla.redhat.com/show_bug.cgi?id=509201 - and many other places in our code where we use a DN value in the RDN of another DN - the mapping tree/suffix/database code, replication, roles, CoS, password policy, bind resource limits - and there is code in the core server, in the admin server, in the console, and in the various perl scripts that need to be aware of DN escaping and normalization.

Comment 3 Noriko Hosoi 2010-02-03 21:13:40 UTC
Created attachment 388648 [details]
git patch file (ldapserver)

Description: adding a perl subroutine dnEscape to escape special
characters and eliminate spaces around ',', which is to make
the given dn compliant with RFC4514.

Comment 4 Noriko Hosoi 2010-02-03 21:15:25 UTC
Created attachment 388650 [details]
git patch file (adminserver)

Description:
admserv/newinst/src/dirserver.map.in
                   /register_param.map.in
 --- added escapedrootdn key, which is an escaped rootdn compliant
     with RFC4514
admserv/schema/ldif/*.tmpl
 --- removed unescaped '"' from dn strings, which violate RFC4514.
     escaped special characters ('=' and ',') which used to be a
     value surrounded by double quotes '"'.
     removed spaces around ','

Comment 5 Noriko Hosoi 2010-02-03 22:20:26 UTC
Created attachment 388665 [details]
git patch file (ldapserver)

Description: adding a perl subroutine dnEscape to escape special
characters and eliminate spaces around ',', which is to make
the given dn compliant with RFC4514.

Fixed a typo pointed out by Nathan (Thank you!!!)
<nkinder> It says "surrownding".  Should be "surrounding".
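The rule Rich states in Comment 2 (hex-escape the nested DN instead of wrapping it in LDAPv2 double quotes) and the dnEscape behaviour described in Comments 3 to 5 (escape the special characters, drop the spaces around ',') can be shown together in one routine. The following C code is an added example written for this page; it is not the project's dnEscape, escape_for_dn or escapeDnString, and its function names are invented. It assumes %as_uid% has been substituted with "admin" and %domain% with "example.com", and it deliberately skips case folding, since which characters fold depends on the attribute's syntax.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes escaped inside an RDN value.  RFC 4514 section 2.4 requires '"',
 * '+', ',', ';', '<', '>' and '\' (plus a leading '#' or space and a
 * trailing space); '=' is optional but is escaped too, matching the \3D
 * form discussed above.  Any byte may legally be written as \XX. */
static int dn_needs_escape(unsigned char c)
{
    return c != '\0' && strchr(",=+\"\\<>;#", c) != NULL;
}

/* Drop whitespace on either side of each unescaped ',' in a DN, in place.
 * A backslash and the byte after it are copied through unchanged so an
 * escaped comma inside a value is never mistaken for a separator. */
static void dn_strip_separator_spaces(char *dn)
{
    char *in = dn, *out = dn;

    while (*in) {
        if (*in == '\\' && in[1] != '\0') {
            *out++ = *in++;
            *out++ = *in++;
        } else if (*in == ',') {
            while (out > dn && out[-1] == ' ')
                out--;                      /* spaces before the comma */
            *out++ = ',';
            in++;
            while (*in == ' ')
                in++;                       /* spaces after the comma */
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
}

/* Hex-escape a string for use as one RDN attribute value: every special
 * byte, and a space at either end, becomes \XX (uppercase hex).
 * Returns a malloc'd string the caller frees, or NULL on failure. */
static char *dn_value_escape_hex(const char *value)
{
    size_t n = strlen(value), i;
    char *buf = malloc(3 * n + 1), *out = buf;   /* worst case: 3 bytes each */

    if (!buf)
        return NULL;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        int edge_space = (c == ' ') && (i == 0 || i == n - 1);

        if (dn_needs_escape(c) || edge_space) {
            sprintf(out, "\\%02X", c);
            out += 3;
        } else {
            *out++ = (char)c;
        }
    }
    *out = '\0';
    return buf;
}

/* Build "<attr>=<escaped inner DN>,<outer>": normalize the inner DN, then
 * hex-escape it, so it becomes a single RDN of the outer DN.  Escapes the
 * inner DN already carries survive (a "\," inside it becomes "\5C\2C").
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *dn_embed(const char *attr, const char *inner, const char *outer)
{
    size_t len = strlen(inner) + 1;
    char *copy = malloc(len), *escaped, *result;

    if (!copy)
        return NULL;
    memcpy(copy, inner, len);
    dn_strip_separator_spaces(copy);
    escaped = dn_value_escape_hex(copy);
    free(copy);
    if (!escaped)
        return NULL;
    result = malloc(strlen(attr) + strlen(escaped) + strlen(outer) + 3);
    if (result)
        sprintf(result, "%s=%s,%s", attr, escaped, outer);
    free(escaped);
    return result;
}

int main(void)
{
    /* Comment 2's example, with %as_uid% -> "admin" and %domain% ->
     * "example.com" substituted (assumed values for this demo). */
    char *dn = dn_embed("ou",
        "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",
        "ou=UserPreferences,ou=example.com,o=NetscapeRoot");

    if (!dn)
        return 1;
    puts(dn);
    free(dn);
    return 0;
}
```

Normalizing before escaping matters: if the spaces after the commas were left in, they would be escaped into the value and the resulting RDN would no longer match an entry whose ou attribute holds the space-free DN.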

Comment 6 Noriko Hosoi 2010-02-03 22:36:59 UTC
(In reply to comment #5)
> Created an attachment (id=388665) [details]
> git patch file (ldapserver)

Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge work
Updating 0544378..5c859f5
Fast forward
 ldap/admin/src/scripts/DSUtil.pm.in |   31 +++++++++++++++++++++++++++++++
 1 files changed, 31 insertions(+), 0 deletions(-)
$ git push
Counting objects: 13, done.
Delta compression using 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 1.15 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   0544378..5c859f5  master -> master

Comment 7 Noriko Hosoi 2010-02-03 22:38:47 UTC
(In reply to comment #4)
> Created an attachment (id=388650) [details]
> git patch file (adminserver)

Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge work
Updating 46f127a..d7b1055
Fast forward
 admserv/newinst/src/dirserver.map.in              |    1 +
 admserv/newinst/src/register_param.map.in         |    1 +
 admserv/schema/ldif/00nsroot_backend.ldif.tmpl    |    5 +-
 admserv/schema/ldif/01nsroot.ldif.tmpl            |   26 ++++----
 admserv/schema/ldif/02globalpreferences.ldif.tmpl |   46 ++++++------
 admserv/schema/ldif/10dsdata.ldif.tmpl            |   64 +++++++++---------
 admserv/schema/ldif/10rm_dsdata.ldif.tmpl         |   10 ++--
 admserv/schema/ldif/11dstasks.ldif.tmpl           |   68 +++++++++---------
 admserv/schema/ldif/12dsconfig.mod.tmpl           |    6 +-
 admserv/schema/ldif/13dsschema.mod.tmpl           |    6 +-
 admserv/schema/ldif/16dssuffixadmin.mod.tmpl      |    6 +-
 admserv/schema/ldif/20asdata.ldif.tmpl            |   54 +++++++-------
 admserv/schema/ldif/21astasks.ldif.tmpl           |   78 ++++++++++----------
 admserv/schema/ldif/22ascommands.ldif.tmpl        |    8 +-
 admserv/schema/ldif/asmigrate.ldif.tmpl           |   10 ++--
 15 files changed, 195 insertions(+), 194 deletions(-)
$ git push
Counting objects: 41, done.
Delta compression using 4 threads.
Compressing objects: 100% (20/20), done.
Writing objects: 100% (22/22), 5.04 KiB, done.
Total 22 (delta 18), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   46f127a..d7b1055  master -> master

Comment 8 Noriko Hosoi 2010-02-11 01:31:58 UTC
Invalid DNs are still sent to the server.
[..] conn=9 op=10 ADD dn="ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=usersys.redhat.com,o=NetscapeRoot"
[10/Feb/2010:12:47:32 -0800] conn=9 op=10 RESULT err=34 tag=105 nentries=0 etime=0

[..] conn=9 op=23 ADD dn="ou=Console,ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=usersys.redhat.com,o=NetscapeRoot"
[10/Feb/2010:12:47:33 -0800] conn=9 op=23 RESULT err=34 tag=105 nentries=0 etime=0

[..] conn=9 op=25 ADD dn="ou=1.1,ou=Console,ou=\22uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\22,ou=UserPreferences,ou=usersys.redhat.com,o=NetscapeRoot"
[10/Feb/2010:12:47:33 -0800] conn=9 op=25 RESULT err=34 tag=105 nentries=0 etime=0

They are from the admin server and console.

Comment 9 Noriko Hosoi 2010-02-12 02:00:11 UTC
Created attachment 390422 [details]
git patch file (adminserver)

Files:
 admserv/cgi-src40/htmladmin.c
 include/libadmin/libadmin.h
 lib/libadmin/util.c

Description: get_all_users_views was generating an invalid DN
which included a nested DN surrounded by unescaped double quotes.
Instead of escaping the double quotes, introduced an escape_for_dn
function which escapes special characters in the nested DN.

Comment 10 Noriko Hosoi 2010-02-12 02:04:50 UTC
Created attachment 390423 [details]
cvs diff file (idm-console-framework)

Files:
  src/com/netscape/management/client/console/Console.java
  src/com/netscape/management/client/util/LDAPUtil.java

Description: userPreferenceDN included a nested DN surrounded by unescaped
double quotes.  Instead of escaping the double quotes, introduced a method
escapeDnString in LDAPUtil which escapes special characters in the nested DN.

Comment 11 Noriko Hosoi 2010-02-12 16:53:41 UTC
Reviewed by Rich (Thank you!!)

Adminserver: Pushed to master.

$ git merge work
Updating 0734638..f637daf
Fast-forward
 admserv/cgi-src40/htmladmin.c |   15 +++++-
 include/libadmin/libadmin.h   |   13 +++++
 lib/libadmin/util.c           |  121 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 147 insertions(+), 2 deletions(-)
$ git push
Counting objects: 21, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.44 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   0734638..f637daf  master -> master
===============================================================================
idm-console-framework: Checked in into HEAD

Resolves: 560827 -  Admin Server: DistinguishName validation fails

Description: userPreferenceDN included a nested DN surrounded by unescaped
double quotes.  Instead of escaping the double quotes, introduced a method
escapeDnString in LDAPUtil which escapes special characters in the nested DN.
CVS: ----------------------------------------------------------------------
CVS: Enter Log.  Lines beginning with `CVS:' are removed automatically
CVS:
CVS: Committing in .
CVS:
CVS: Modified Files:
CVS:    src/com/netscape/management/client/console/Console.java
CVS:    src/com/netscape/management/client/util/LDAPUtil.java
CVS: ----------------------------------------------------------------------
Checking in src/com/netscape/management/client/console/Console.java;
/cvs/dirsec/console/src/com/netscape/management/client/console/Console.java,v  <--  Console.java
new revision: 1.16; previous revision: 1.15
done
Checking in src/com/netscape/management/client/util/LDAPUtil.java;
/cvs/dirsec/console/src/com/netscape/management/client/util/LDAPUtil.java,v  <--  LDAPUtil.java
new revision: 1.3; previous revision: 1.2
done

Comment 12 Noriko Hosoi 2010-02-12 17:23:48 UTC
Pushed to Directory_Server_8_2_Branch, as well.

$ git push origin admin82-local:Directory_Server_8_2_Branch
Counting objects: 21, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.45 KiB, done.
Total 11 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   3fe633f..43f94de  admin82-local -> Directory_Server_8_2_Branch

Comment 13 Fedora Update System 2010-02-27 02:30:05 UTC
389-admin-1.1.11-0.2.a2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.fc13

Comment 14 Fedora Update System 2010-02-27 02:30:19 UTC
389-admin-1.1.11-0.2.a2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.el5

Comment 15 Fedora Update System 2010-02-27 02:30:32 UTC
389-admin-1.1.11-0.2.a2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.fc12

Comment 16 Fedora Update System 2010-02-27 02:30:46 UTC
389-admin-1.1.11-0.2.a2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/389-admin-1.1.11-0.2.a2.fc11

Comment 17 Jenny Severance 2010-06-04 16:32:51 UTC
Created attachment 421287 [details]
screen shot

Console looks fine - see attached screenshot 

but ...  

# egrep UserPreferences 01nsroot.ldif.tmpl 
dn: ou=UserPreferences,ou=%domain%,o=NetscapeRoot
ou: UserPreferences
dn: ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot

Is this okay?

Comment 18 Rich Megginson 2010-06-04 16:48:52 UTC
(In reply to comment #17)
> Created an attachment (id=421287) [details]
> screen shot
> 
> Console looks fine - see attached screenshot 
> 
> but ...  
> 
> # egrep UserPreferences 01nsroot.ldif.tmpl 
> dn: ou=UserPreferences,ou=%domain%,o=NetscapeRoot
> ou: UserPreferences
> dn:
> ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
> 
> Is this okay?    

I think so.  The server should treat \= as \3D.  Noriko/Nathan, can you confirm?

Comment 19 Noriko Hosoi 2010-06-04 16:55:44 UTC
(In reply to comment #18)
> (In reply to comment #17)
> > Created an attachment (id=421287) [details] [details]
> > screen shot
> > 
> > Console looks fine - see attached screenshot 
> > 
> > but ...  
> > 
> > # egrep UserPreferences 01nsroot.ldif.tmpl 
> > dn: ou=UserPreferences,ou=%domain%,o=NetscapeRoot
> > ou: UserPreferences
> > dn:
> > ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
> > 
> > Is this okay?    
> 
> I think so.  The server should treat \= as \3D.  Noriko/Nathan, can you
> confirm?    

Yes, that's correct.  Now, the server can handle the old style DN
ou="uid=%as_uid%,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot",ou=UserPreferences,ou=%domain%,o=NetscapeRoot
as well as new styles:
ou=uid\=%as_uid%\,ou\=Administrators\,ou\=TopologyManagement\,o\=NetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
and
ou=uid\3D%as_uid%\2Cou\3DAdministrators\2Cou\3DTopologyManagement\2Co\3DNetscapeRoot,ou=UserPreferences,ou=%domain%,o=NetscapeRoot
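Comment 19 lists three spellings of the same RDN value: the old LDAPv2 double-quoted form, the RFC 4514 single-character escape form (\= and \,) and the RFC 4514 hex-pair form (\3D and \2C). The decoder below is an added example for this page, not the server's DN parser, and shows that all three decode to the same value and the same remainder; it also rejects the malformed inputs a parser has to catch (an unterminated quote, half a hex pair, a trailing backslash). Function names are invented, and %as_uid% and %domain% are assumed to have been substituted with "admin" and "example.com".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if `c` is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/* Decode the first RDN value of `dn` into out[cap], accepting:
 *   ou="a=b,c=d",...      LDAPv2 quoted value (deprecated)
 *   ou=a\=b\,c\=d,...     RFC 4514 single-character escapes
 *   ou=a\3Db\2Cc\3Dd,...  RFC 4514 hex-pair escapes
 * Returns the remainder after the first unescaped ',' ("" if none), or
 * NULL for malformed input: no '=', unterminated quote, text after the
 * closing quote, trailing backslash, half a hex pair, or overflow. */
const char *dn_first_rdn_value(const char *dn, char *out, size_t cap)
{
    const char *p = strchr(dn, '=');
    size_t n = 0;

    if (!p)
        return NULL;
    p++;
    if (*p == '"') {                          /* LDAPv2 quoted value */
        for (p++; *p && *p != '"'; p++) {
            if (n + 1 >= cap)
                return NULL;
            out[n++] = *p;
        }
        if (*p != '"')
            return NULL;                      /* unterminated quote */
        p++;
    } else {                                  /* RFC 4514 escapes */
        while (*p && *p != ',') {
            int c = (unsigned char)*p;

            if (c == '\\') {
                int h1, h2;

                if (p[1] == '\0')
                    return NULL;              /* trailing backslash */
                h1 = hexval((unsigned char)p[1]);
                if (h1 >= 0) {
                    h2 = hexval((unsigned char)p[2]);
                    if (h2 < 0)
                        return NULL;          /* half a hex pair */
                    c = h1 * 16 + h2;
                    p += 3;
                } else {
                    c = (unsigned char)p[1];  /* \= \, \" etc. */
                    p += 2;
                }
            } else {
                p++;
            }
            if (n + 1 >= cap)
                return NULL;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    if (*p == ',')
        return p + 1;
    if (*p == '\0')
        return p;
    return NULL;                              /* junk after closing quote */
}

/* 1 if two DNs carry the same first RDN value (however it is escaped) and
 * the same remainder; 0 otherwise, including when either is malformed. */
int dn_forms_equivalent(const char *a, const char *b)
{
    char va[512], vb[512];
    const char *ra = dn_first_rdn_value(a, va, sizeof va);
    const char *rb = dn_first_rdn_value(b, vb, sizeof vb);

    if (!ra || !rb)
        return 0;
    return strcmp(va, vb) == 0 && strcmp(ra, rb) == 0;
}

int main(void)
{
    /* Comment 19's three spellings, tokens substituted (assumed values). */
    static const char *forms[3] = {
        "ou=\"uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\","
        "ou=UserPreferences,ou=example.com,o=NetscapeRoot",
        "ou=uid\\=admin\\,ou\\=Administrators\\,ou\\=TopologyManagement\\,o\\=NetscapeRoot,"
        "ou=UserPreferences,ou=example.com,o=NetscapeRoot",
        "ou=uid\\3Dadmin\\2Cou\\3DAdministrators\\2Cou\\3DTopologyManagement\\2Co\\3DNetscapeRoot,"
        "ou=UserPreferences,ou=example.com,o=NetscapeRoot",
    };
    char value[512];
    int i;

    for (i = 0; i < 3; i++) {
        const char *rest = dn_first_rdn_value(forms[i], value, sizeof value);
        printf("value=\"%s\" rest=\"%s\"\n", rest ? value : "(malformed)", rest ? rest : "");
    }
    return dn_forms_equivalent(forms[0], forms[1]) && dn_forms_equivalent(forms[1], forms[2]) ? 0 : 1;
}
```

The quoted branch exists only so that data written by older templates still decodes; new producers should emit one of the RFC 4514 forms, and a server that accepts the quoted form still has to refuse a bare '"' that is not at the start of the value, which is what err=34 in Comment 8 was reporting.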

Comment 20 Jenny Severance 2010-06-04 16:58:50 UTC
Thanks for the confirmation. Verified on RHEL 4.

version:
redhat-ds-base-8.2.0-2010060304.el4dsrv

