Description of problem:

Steps to reproduce:
1. set up attribute encryption
2. add an entry which contains the to-be-encrypted attribute
3. check the entry with dbscan -f id2entry.db#:
id #
	rdn: uid=tuser0
	objectClass: top
	[...]
	entrydn: uid=tuser0,ou=testpeople,o=attrcrypt.com <== should not be here
	telephoneNumber:: FUQqsUefe137W56ksNVwfQ==
Created attachment 459236
git patch file (master)

Description: If an entry contains a to-be-encrypted attribute, id2entry_add_ext handles a copy of the entry in which the attribute is encrypted, then the copy is stored in the backend db. On the other hand, the entrydn attribute is supposed to be removed from the entry before the entry is stored in the db. There was a bug there: the removal was done on the original entry, but not on the encrypted copy. This patch correctly removes the entrydn attribute from the encrypted entry to be stored in the db.

File: ldap/servers/slapd/back-ldbm/id2entry.c
Reviewed by Rich (Thank you!!!)

Pushed to master.

$ git merge work
Updating 6b38f80..220bfa6
Fast-forward
 ldap/servers/slapd/back-ldbm/id2entry.c |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)
$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.02 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   6b38f80..220bfa6  master -> master
Please use the first comment/Description of problem for steps to verify.
Thanks for the steps, Noriko; followed comment#0.

1. set up attribute encryption

ldapmodify -a -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=telephoneNumber,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsAttributeEncryption
cn: telephoneNumber
nsEncryptionAlgorithm: AES
EOF

2. add an entry which contains the to-be-encrypted attribute

ldapmodify -a -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=amstest,dc=pnq,dc=redhat,dc=com
uid: amstest
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
sn: new100
cn: new100
telephoneNumber: 98100
mail: new100
givenName: new100
userPassword: ams

3. check the entry with dbscan -f id2entry.db#:
id #
	rdn: uid=tuser0
	objectClass: top
	[...]
	entrydn: uid=tuser0,ou=testpeople,o=attrcrypt.com <== should not be here
	telephoneNumber:: FUQqsUefe137W56ksNVwfQ==

	rdn: uid=amstest
	uid: amstest
	objectClass: top
	objectClass: person
	objectClass: inetorgperson
	objectClass: organizationalPerson
	sn: new100
	cn: new100
	mail: new100
	givenName: new100
	userPassword:: e1NTSEF9YXNxQXdVZnB4bFRVZUdXZzFFMzNUdUdLRGhOQ3VVRkFoQnZ2Z3c9PQ==
	creatorsName: cn=directory manager
	modifiersName: cn=directory manager
	createTimestamp: 20110729065126Z
	modifyTimestamp: 20110729065126Z
	nsUniqueId: 273f7381-b9af11e0-b0b0b38a-6ef97ef3
	parentid: 1
	entryid: 111
	telephoneNumber:: fBajD6zB3979IvQOwp79Hg==

entrydn is not stored in backend db. Hence marking VERIFIED.
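An automated form of the step 3 check above, as an added example that is not part of this bug report or of the 389-ds code: it takes the text of a dbscan dump and verifies both properties the verification relies on, that no entrydn line is stored and that the attribute configured for encryption (telephoneNumber here) is only ever stored base64-encoded (dbscan prints binary values after a double colon, so a single-colon "telephoneNumber: 98100" line means the value is in the clear). The three dumps embedded in the script are constructed samples, not real server output, and the db path in the comment is an assumption that depends on the instance layout.

```sh
#!/bin/sh
# Added example (not 389-ds code): check a `dbscan -f id2entry.db#` dump for
#   (1) no entrydn attribute stored in the db, and
#   (2) the encrypted attribute stored only as ciphertext ("attr:: base64"),
#       never with a single colon ("attr: cleartext").
# Leading whitespace (dbscan indents attribute lines with a tab) is ignored.
# Against a live instance, feed it real output, e.g.
#   check_dump "$(dbscan -f /path/to/userRoot/id2entry.db4)" telephoneNumber
# (the path is an assumption; adjust it to the instance layout).

# Constructed sample dumps, not real server output.
# Entry as the bug report shows it: entrydn leaked into the db.
BUGGY_DUMP='id 110
    rdn: uid=tuser0
    objectClass: top
    uid: tuser0
    entrydn: uid=tuser0,ou=testpeople,o=attrcrypt.com
    telephoneNumber:: FUQqsUefe137W56ksNVwfQ=='

# Entry whose attribute encryption never took effect: value stored in clear.
CLEARTEXT_DUMP='id 111
    rdn: uid=amstest
    objectClass: top
    uid: amstest
    telephoneNumber: 98100'

# Entry as it should look after the fix.
FIXED_DUMP='id 111
    rdn: uid=amstest
    objectClass: top
    uid: amstest
    parentid: 1
    entryid: 111
    telephoneNumber:: fBajD6zB3979IvQOwp79Hg=='

# Number of entrydn lines in dump $1 (attribute names are case-insensitive,
# hence grep -i). "|| :" keeps a zero count from failing under set -e.
entrydn_count() {
    printf '%s\n' "$1" | grep -ic '^[[:space:]]*entrydn:' || :
}

# Number of lines in dump $1 storing attribute $2 with a single colon,
# i.e. in cleartext.
plaintext_count() {
    printf '%s\n' "$1" | grep -ic "^[[:space:]]*$2:[^:]" || :
}

# Number of lines in dump $1 storing attribute $2 base64-encoded (ciphertext).
encrypted_count() {
    printf '%s\n' "$1" | grep -ic "^[[:space:]]*$2::" || :
}

# Exit status 0 when dump $1 has no entrydn and attribute $2 appears only
# encrypted (at least once); 1 otherwise.
check_dump() {
    [ "$(entrydn_count "$1")" -eq 0 ] || return 1
    [ "$(plaintext_count "$1" "$2")" -eq 0 ] || return 1
    [ "$(encrypted_count "$1" "$2")" -gt 0 ] || return 1
    return 0
}

# $1 = label, $2 = dump text
report() {
    if check_dump "$2" telephoneNumber; then
        echo "$1: PASS"
    else
        echo "$1: FAIL (entrydn lines=$(entrydn_count "$2"), cleartext telephoneNumber lines=$(plaintext_count "$2" telephoneNumber))"
    fi
}

report buggy "$BUGGY_DUMP"
report cleartext "$CLEARTEXT_DUMP"
report fixed "$FIXED_DUMP"
```

The cleartext check is a heuristic that rests on dbscan's own output convention: ciphertext is binary, so it is always printed base64-encoded after "::", while a printable cleartext value is printed after a single colon. It does not prove the value was encrypted with the configured algorithm, only that what is on disk is not the value that was written.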