Bug 651571 - When attrcrypt is on, entrydn is stored in the backend db
Summary: When attrcrypt is on, entrydn is stored in the backend db
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Database - General
Version: 1.2.7
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 389_1.2.7 639035
 
Reported: 2010-11-09 20:01 UTC by Noriko Hosoi
Modified: 2015-12-07 17:13 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 17:13:23 UTC


Attachments
git patch file (master) (3.47 KB, patch)
2010-11-09 20:16 UTC, Noriko Hosoi
nhosoi: review?
rmeggins: review+

Description Noriko Hosoi 2010-11-09 20:01:58 UTC
Description of problem:
Steps to reproduce:
1. set up attribute encryption
2. add an entry which contains the to-be-encrypted attribute
3. check the entry with dbscan -f id2entry.db#:
    id #
        rdn: uid=tuser0
        objectClass: top
        [...]
        entrydn: uid=tuser0,ou=testpeople,o=attrcrypt.com <== should not be here
        telephoneNumber:: FUQqsUefe137W56ksNVwfQ==

Comment 1 Noriko Hosoi 2010-11-09 20:16:19 UTC
Created attachment 459236 [details]
git patch file (master)

Description: If an entry contains a to-be-encrypted attribute,
id2entry_add_ext handles a copy of the entry in which the attribute
is encrypted, and that copy is what gets stored in the backend db.
On the other hand, the entrydn attribute is supposed to be removed from
the entry before the entry is stored in the db.  There was a bug
there: the removal was done on the original entry, but not on the
encrypted copy.  This patch correctly removes the entrydn attribute
from the encrypted entry to be stored in the db.

File:
 ldap/servers/slapd/back-ldbm/id2entry.c
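
The ordering bug described in this comment, modelled in C as an added illustration that is not the 389 DS code from id2entry.c: a hypothetical `entry_t` stands in for Slapi_Entry, `encrypt_copy` stands in for attribute encryption, and `store_buggy` / `store_fixed` contrast stripping entrydn from the original entry with stripping it from the encrypted copy that is actually written.

```c
#include <string.h>
/* Hypothetical minimal entry model (not 389's Slapi_Entry): parallel name/value arrays. */
typedef struct { int count; char name[8][24]; char value[8][64]; } entry_t;
/* Value of the first attribute called `name`, or NULL if the entry lacks it. */
static const char *entry_get(const entry_t *e, const char *name) {
    for (int i = 0; i < e->count; i++)
        if (strcmp(e->name[i], name) == 0) return e->value[i];
    return NULL;
}
/* Removes every attribute called `name` in place (attribute order is not preserved). */
static void entry_remove_attr(entry_t *e, const char *name) {
    for (int i = 0; i < e->count;) {
        if (strcmp(e->name[i], name) != 0) { i++; continue; }
        e->count--;                              /* fill the hole with the last attribute */
        strcpy(e->name[i], e->name[e->count]);
        strcpy(e->value[i], e->value[e->count]);
    }
}
/* Stand-in for attribute encryption: returns a SEPARATE copy with the sensitive value replaced. */
static entry_t encrypt_copy(const entry_t *e, const char *attr) {
    entry_t copy = *e;
    for (int i = 0; i < copy.count; i++)
        if (strcmp(copy.name[i], attr) == 0) strcpy(copy.value[i], "<ciphertext>");
    return copy;
}
/* Buggy ordering from the report: entrydn is stripped from the ORIGINAL, but the encrypted
 * copy is what gets written to id2entry, so entrydn leaks into the backend db. */
static entry_t store_buggy(entry_t *e) {
    entry_t to_store = encrypt_copy(e, "telephoneNumber");
    entry_remove_attr(e, "entrydn");             /* wrong object */
    return to_store;
}
/* Fixed ordering: strip entrydn from the copy that is actually stored. */
static entry_t store_fixed(entry_t *e) {
    entry_t to_store = encrypt_copy(e, "telephoneNumber");
    entry_remove_attr(&to_store, "entrydn");     /* the stored object */
    return to_store;
}
/* Constructed sample mirroring the report's entry (the telephoneNumber value is made up). */
static entry_t sample_entry(void) {
    entry_t e = { 4, { "rdn", "objectClass", "entrydn", "telephoneNumber" },
                     { "uid=tuser0", "top", "uid=tuser0,ou=testpeople,o=attrcrypt.com", "555-0100" } };
    return e;
}
/* Runs one store path on a fresh sample; returns 1 if entrydn reached the stored copy. */
static int stored_has_entrydn(entry_t (*store)(entry_t *)) {
    entry_t e = sample_entry(), db = store(&e);
    return entry_get(&db, "entrydn") != NULL;
}
```

The same check can be run against real dbscan output as in the steps above: after the fix, no entrydn line should appear in the id2entry record while the encrypted attribute still shows as a base64 (`::`) value.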

Comment 2 Noriko Hosoi 2010-11-11 01:12:23 UTC
Reviewed by Rich (Thank you!!!)

Pushed to master.

$ git merge work
Updating 6b38f80..220bfa6
Fast-forward
 ldap/servers/slapd/back-ldbm/id2entry.c |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.02 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   6b38f80..220bfa6  master -> master

Comment 3 Noriko Hosoi 2011-07-26 21:41:17 UTC
Please use the first comment/Description of problem for steps to verify.

Comment 4 Amita Sharma 2011-07-29 07:10:15 UTC
Thanks for the steps, Noriko. Followed comment #0:
1. set up attribute encryption

ldapmodify -a -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=telephoneNumber,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsAttributeEncryption
cn: telephoneNumber
nsEncryptionAlgorithm: AES
EOF

2. add an entry which contains the to-be-encrypted attribute


ldapmodify -a -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=amstest,dc=pnq,dc=redhat,dc=com
uid: amstest
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
sn: new100
cn: new100
telephoneNumber: 98100
mail: new100@redhat.com
givenName: new100
userPassword: ams
EOF

3. check the entry with dbscan -f id2entry.db#:
    id #
        rdn: uid=tuser0
        objectClass: top
        [...]
        entrydn: uid=tuser0,ou=testpeople,o=attrcrypt.com <== should not be here
        telephoneNumber:: FUQqsUefe137W56ksNVwfQ==

        rdn: uid=amstest
        uid: amstest
        objectClass: top
        objectClass: person
        objectClass: inetorgperson
        objectClass: organizationalPerson
        sn: new100
        cn: new100
        mail: new100@redhat.com
        givenName: new100
        userPassword:: e1NTSEF9YXNxQXdVZnB4bFRVZUdXZzFFMzNUdUdLRGhOQ3VVRkFoQnZ2Z3c9PQ==
        creatorsName: cn=directory manager
        modifiersName: cn=directory manager
        createTimestamp: 20110729065126Z
        modifyTimestamp: 20110729065126Z
        nsUniqueId: 273f7381-b9af11e0-b0b0b38a-6ef97ef3
        parentid: 1
        entryid: 111
        telephoneNumber:: fBajD6zB3979IvQOwp79Hg==

entrydn is not stored in the backend db. Hence marking VERIFIED.

