Bug 635987 - Incorrect sub scope search result with ACL containing ldap:///self
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Database - Indexes/Searches
Version: 1.2.6
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 389_1.2.7 639035
Reported: 2010-09-21 09:06 UTC by Andrey Ivanov
Modified: 2015-12-07 16:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:36:27 UTC


Attachments
LDIF test case for the bug (18.63 KB, application/octet-stream)
2010-09-21 09:08 UTC, Andrey Ivanov
git patch file (master) (1.60 KB, patch)
2010-09-21 22:33 UTC, Noriko Hosoi
rmeggins: review+
revised git patch file (master) (2.18 KB, patch)
2010-09-24 18:46 UTC, Noriko Hosoi
nhosoi: review?
rmeggins: review+

Description Andrey Ivanov 2010-09-21 09:06:38 UTC
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

When a search on an attribute contained in ACL with ldap://self is performed with sub scope the entry is not returned. The same search with base scope correctly returns the entry.

Reproducible: Always

Steps to Reproduce:
1. Import the bug-acl.ldif (attachment)
2. With openldap utilities:
[root@ldap-model /]# ldapsearch -x  -D "uid=TVradmin0,ou=Accounting,dc=example,dc=com" -w 'toto' -h ldap-model.polytechnique.fr -s sub -b 'uid=TVradmin0,ou=Accounting,dc=example,dc=com' carLicense=*
# extended LDIF
#
# LDAPv3
# base <uid=TVradmin0,ou=Accounting,dc=example,dc=com> with scope subtree
# filter: carLicense=*
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root@ldap-model /]# ldapsearch -x  -D "uid=TVradmin0,ou=Accounting,dc=example,dc=com" -w 'toto' -h ldap-model.polytechnique.fr -s base -b 'uid=TVradmin0,ou=Accounting,dc=example,dc=com' carLicense=* 
# extended LDIF
#
# LDAPv3
# base <uid=TVradmin0,ou=Accounting,dc=example,dc=com> with scope baseObject
# filter: carLicense=*
# requesting: ALL
#

# TVradmin0, Accounting, example.com
dn: uid=TVradmin0,ou=Accounting,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Teena Vradmin
sn: Vradmin
uid: TVradmin0
givenName: Teena
telephoneNumber: +1 303 703-2147
carLicense: ZSN6DM3

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

3.
Actual Results:  
The base search correctly returns the entry and the sub search with the same filter and base does not return the entry.

Expected Results:  
The sub scope search should return the entry.

The ACL is clearly calculated differently for base and sub scope searches. The bug may be caused by the new entryrdn model, though I have not tested it on previous versions.

Comment 1 Andrey Ivanov 2010-09-21 09:08:10 UTC
Created attachment 448655
LDIF test case for the bug

Comment 2 Noriko Hosoi 2010-09-21 22:33:38 UTC
Created attachment 448824
git patch file (master)

Thank you so much, Andrey.  This bug is pretty bad for the search when the basedn is a leaf in DIT as you discovered.  Not just for the ACL, but there should have been a performance impact in such cases.  As you guessed, it was introduced with the entryrdn.  So, 389 v1.2.6 contains this bug (not 1.2.5 and older).

Description: When a basedn has no descendants, the code to take an
intersection of idl (which was returned from the filter search --
filter_candidates) and the basedn was skipped in subtree_candidates
(ldbm_search.c).  Regardless of descendants, the intersection should
be taken for the idl and a tree starting with the basedn.
Note: This bug was introduced with entryrdn.

Comment 3 Noriko Hosoi 2010-09-22 16:24:12 UTC
Reviewed by Rich (Thanks!!!)

Pushed to master.

$ git merge 635987
Updating 62cc84c..8ac525e
Fast-forward
 ldap/servers/slapd/back-ldbm/ldbm_search.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 896 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   62cc84c..8ac525e  master -> master

Comment 5 Noriko Hosoi 2010-09-24 18:46:48 UTC
Created attachment 449487
revised git patch file (master)

Thanks to Rich for analysing the bug introduced by the previous commit.  The attached patch should fix it.

Description:
This commit made for the bug 635987 introduced a bug to replication.
commit 8ac525e5ac997378f4f2a386e9b96568c8d66db5
Author: Noriko Hosoi <nhosoi@redhat.com>
Date:   Tue Sep 21 15:12:07 2010 -0700

subtree_candidates (ldbm_search.c)
If you do have a tombstone filter, descendants will be NULL,
and idl_intersection of candidates and descendents will wipe
out all of the candidates, leaving just the one entry, e->ep_id.

Changed to call idl_intersection only when the filter is not
for tombstone or entryrdn_get_noancestorid (false, by default).
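
The three behaviours described in comments 2 and 5, as an added example that is not part of the bug report and is not the 389 patch or its source code. It is a simplified model: the idl_t type, the scope_candidates function and the entry IDs are constructed, the order "intersect, then add the base ID" is assumed from the wording of comment 5, and the entryrdn_get_noancestorid switch is left at its default (false).

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of an ID list: a short array of entry IDs. */
typedef struct { int ids[8]; size_t n; } idl_t;

enum variant { V_1_2_6, V_FIRST_FIX, V_REVISED_FIX };

static int idl_has(const idl_t *l, int id) {
    for (size_t i = 0; l != NULL && i < l->n; i++)
        if (l->ids[i] == id) return 1;
    return 0;
}

/* Model of the scope step described for subtree_candidates().
 * descendants == NULL stands for "leaf base" or "tombstone filter". */
static idl_t scope_candidates(enum variant v, idl_t cand, const idl_t *descendants,
                              int base_id, int tombstone_filter) {
    int intersect = (v == V_1_2_6)     ? descendants != NULL
                  : (v == V_FIRST_FIX) ? 1
                                       : !tombstone_filter;
    if (!intersect) return cand;          /* filter candidates left unscoped */
    idl_t out = { {0}, 0 };
    for (size_t i = 0; i < cand.n; i++)   /* candidates AND descendants */
        if (idl_has(descendants, cand.ids[i])) out.ids[out.n++] = cand.ids[i];
    if (!idl_has(&out, base_id)) out.ids[out.n++] = base_id;  /* base is in scope */
    return out;
}

int main(void) {
    /* Constructed data: entry 5 is a leaf base, 3/5/7 match the filter,
     * 20/21 are tombstones matched by a replication-style filter. */
    idl_t live = { {3, 5, 7}, 3 }, tomb = { {20, 21}, 2 };
    const char *name[] = { "1.2.6", "first fix", "revised fix" };
    for (int v = V_1_2_6; v <= V_REVISED_FIX; v++) {
        idl_t a = scope_candidates((enum variant)v, live, NULL, 5, 0);
        idl_t b = scope_candidates((enum variant)v, tomb, NULL, 1, 1);
        printf("%-11s leaf base: %zu candidate(s), tombstone search: %zu, keeps 20: %d\n",
               name[v], a.n, b.n, idl_has(&b, 20));
    }
    return 0;
}
```

In the model, 1.2.6 hands all three filter matches onward for a leaf base, the first fix narrows that to the base entry but reduces a tombstone search to the base ID alone, and the revised fix keeps both tombstone candidates.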

Comment 7 Noriko Hosoi 2010-09-24 19:07:33 UTC
Reviewed by Rich (Thank you!!!)

Pushed to master.

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.04 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   dcfd94b..a7de5f2  master -> master

Comment 8 Noriko Hosoi 2011-07-26 22:29:58 UTC
Since nightly GER acceptance test passes 100%, mark verified.
Ger run(o=ace industry,c=us) Tests PASS      : 100% (360/360)

