Description of problem:
Entry cn=entitlements,cn=etc,dc=example,dc=com exists.

Requirement: get the info if a user "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com" is able to create a new entry "ipaEntitlementId=<value>,cn=entitlements,cn=etc,dc=example,dc=com" under "cn=entitlements,cn=etc,dc=example,dc=com".

Mozldap command line

$ ldapsearch ... -D 'uid=tuser1,cn=users,cn=accounts,dc=example,dc=com' -w <password> -b 'cn=entitlements,cn=etc,dc=example,dc=com' -J '1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=tuser1,cn=users,cn=accounts,dc=example,dc=com' "(objectclass=*)" @ipaentitlement

is supposed to return the access right for the user "uid=tuser1". But the current code blindly sets "cn=" in the leaf RDN:

dn: cn=template_ipaentitlement_objectclass,cn=entitlements,cn=etc,dc=example,dc=com
entryLevelRights: v
attributeLevelRights:: Om5vbmU=

It makes the GER evaluation fail against the expected ACI (e.g.):

aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,dc=example,dc=com";)
Created attachment 470351 [details]
git patch file (master)

Description: To get the effective rights of a non-present entry, GER code takes @<objectclass> as a part of an attribute list in the search. The code was generating the temporary, non-present entry with the leaf RDN "cn=<value>". Instead of "cn", an attribute type belonging to the objectclass should be used.

This patch changes it to allow either @<objectclass> or @<objectclass>:<dntype>. If @<objectclass> is given, the first MUST attribute type (or the first MAY attribute type if MUST does not exist) is used for the attribute type in the leaf RDN. If @<objectclass>:<dntype> is given, <dntype> is used.

Plus, acl_check_for_target_macro in aclparse.c now checks an invalid macro syntax [($dn)] and returns a syntax error.
Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge 664563
Updating 196f1ef..90f26ec
Fast-forward
 ldap/servers/plugins/acl/acleffectiverights.c |   57 +++++++++++++++++++++----
 ldap/servers/plugins/acl/aclparse.c           |   16 +++++++-
 2 files changed, 63 insertions(+), 10 deletions(-)
$ git push
Counting objects: 15, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.97 KiB, done.
Total 8 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   196f1ef..90f26ec  master -> master
[root@testvm ~]# cd /home/amsharma/
[root@testvm amsharma]# ls -l
total 80
drwxr-xr-x. 2 root     root      4096 Jun  1 13:47 data
drwxr-xr-x. 3 root     root      4096 May 30 14:16 DS9.0
-rw-r--r--. 1 root     root     59185 Jun  6 15:17 ipa_testdata.tar.gz
-rw-r--r--. 1 root     root       450 May 17 18:25 namepipeconfig.ldif
drwxrwx---. 3 amsharma amsharma  4096 May 30 12:44 Samba
drwxr-xr-x. 3 root     root      4096 Jun  3 15:02 scripts
[root@testvm amsharma]# tar -xvf ipa_testdata.tar.gz
ipa.ldif
ipa_schema/
ipa_schema/10rfc2307.ldif
ipa_schema/60autofs.ldif
ipa_schema/28pilot.ldif
ipa_schema/25java-object.ldif
ipa_schema/60basev2.ldif
ipa_schema/50ns-admin.ldif
ipa_schema/01core389.ldif
ipa_schema/60pureftpd.ldif
ipa_schema/00core.ldif
ipa_schema/50ns-mail.ldif
ipa_schema/02common.ldif
ipa_schema/60sudo.ldif
ipa_schema/05rfc4524.ldif
ipa_schema/10mep-plugin.ldif
ipa_schema/05rfc2927.ldif
ipa_schema/05rfc4523.ldif
ipa_schema/50ns-directory.ldif
ipa_schema/60acctpolicy.ldif
ipa_schema/50ns-value.ldif
ipa_schema/50ns-web.ldif
ipa_schema/60eduperson.ldif
ipa_schema/60rfc3712.ldif
ipa_schema/99user.ldif
ipa_schema/60ipaconfig.ldif
ipa_schema/50ns-certificate.ldif
ipa_schema/30ns-common.ldif
ipa_schema/60ipasudo.ldif
ipa_schema/60mozilla.ldif
ipa_schema/20subscriber.ldif
ipa_schema/60nss-ldap.ldif
ipa_schema/06inetorgperson.ldif
ipa_schema/60trust.ldif
ipa_schema/60sabayon.ldif
ipa_schema/60samba.ldif
ipa_schema/60rfc2739.ldif
ipa_schema/60kerberos.ldif
ipa_schema/60pam-plugin.ldif
ipa_schema/60radius.ldif
[root@testvm amsharma]# ls -l
total 184
drwxr-xr-x. 2 root     root      4096 Jun  1 13:47 data
drwxr-xr-x. 3 root     root      4096 May 30 14:16 DS9.0
-rw-rw-r--. 1 501      501     101653 Dec 23 05:57 ipa.ldif
drwxrwxr-x. 2 501      501       4096 Dec 21 04:35 ipa_schema
-rw-r--r--. 1 root     root     59185 Jun  6 15:17 ipa_testdata.tar.gz
-rw-r--r--. 1 root     root       450 May 17 18:25 namepipeconfig.ldif
drwxrwx---. 3 amsharma amsharma  4096 May 30 12:44 Samba
drwxr-xr-x. 3 root     root      4096 Jun  3 15:02 scripts
[root@testvm amsharma]# /usr/lib64/dirsrv/slapd-testvm
slapd-testvm/  slapd-testvm1/
[root@testvm amsharma]# /usr/lib64/dirsrv/slapd-testvm1/stop-slapd
[root@testvm amsharma]# cd /etc/dirsrv/slapd-testvm1/schema/
[root@testvm schema]# cp /home/amsharma/ipa_schema/*.ldif .
cp: overwrite `./00core.ldif'? yes
cp: overwrite `./01core389.ldif'? yes
cp: overwrite `./02common.ldif'?
cp: overwrite `./05rfc2927.ldif'?
cp: overwrite `./05rfc4523.ldif'?
cp: overwrite `./05rfc4524.ldif'?
cp: overwrite `./06inetorgperson.ldif'?
cp: overwrite `./10mep-plugin.ldif'?
cp: overwrite `./10rfc2307.ldif'?
cp: overwrite `./20subscriber.ldif'?
cp: overwrite `./25java-object.ldif'?
cp: overwrite `./28pilot.ldif'?
cp: overwrite `./30ns-common.ldif'?
cp: overwrite `./50ns-admin.ldif'?
cp: overwrite `./50ns-certificate.ldif'?
cp: overwrite `./50ns-directory.ldif'?
cp: overwrite `./50ns-mail.ldif'?
cp: overwrite `./50ns-value.ldif'?
cp: overwrite `./50ns-web.ldif'?
cp: overwrite `./60acctpolicy.ldif'?
cp: overwrite `./60autofs.ldif'?
cp: overwrite `./60eduperson.ldif'?
cp: overwrite `./60mozilla.ldif'?
cp: overwrite `./60nss-ldap.ldif'?
cp: overwrite `./60pam-plugin.ldif'?
cp: overwrite `./60pureftpd.ldif'?
cp: overwrite `./60rfc2739.ldif'?
cp: overwrite `./60rfc3712.ldif'?
cp: overwrite `./60sabayon.ldif'?
cp: overwrite `./60sudo.ldif'?
cp: overwrite `./60trust.ldif'?
cp: overwrite `./99user.ldif'?
while importing ipa.ldif

[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 140
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 141
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 142
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 143
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 144
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 145
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 146
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 147
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 148
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 149
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 150
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 151
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 152
[06/Jun/2011:15:28:38 +051800] - import userRoot: WARNING: bad entry: ID 153
[06/Jun/2011:15:28:38 +051800] - import userRoot: Workers finished; cleaning up...
[06/Jun/2011:15:28:39 +051800] - import userRoot: Workers cleaned up.
[06/Jun/2011:15:28:39 +051800] - import userRoot: Cleaning up producer thread...
[06/Jun/2011:15:28:39 +051800] - import userRoot: Indexing complete.  Post-processing...
[06/Jun/2011:15:28:39 +051800] - Nothing to do to build ancestorid index
[06/Jun/2011:15:28:39 +051800] - import userRoot: Flushing caches...
[06/Jun/2011:15:28:39 +051800] - import userRoot: Closing files...
[06/Jun/2011:15:28:39 +051800] - All database threads now stopped
[06/Jun/2011:15:28:39 +051800] - import userRoot: Import complete.  Processed 153 entries (155 were skipped) in 107 seconds. (1.43 entries/sec)
There could be some configuration mismatch. Can I log in to your system? Or attach your dse.ldif and errors log to this bug.

Thanks,
--noriko
Hey thanks Noriko, I have verified it successfully now:

[root@testvm slapd-testvm]# /usr/lib64/mozldap/ldapsearch -x -h localhost -p 1389 -D "uid=tuser1,cn=users,cn=accounts,dc=greyoak,dc=com" -w tuser1 -b "cn=entitlements,cn=etc,dc=greyoak,dc=com" -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=tuser1,cn=users,cn=accounts,dc=greyoak,dc=com" "(objectclass=*)" @ipaentitlement:userCertificate
version: 1
dn: cn=entitlements,cn=etc,dc=greyoak,dc=com
entryLevelRights: v
attributeLevelRights: objectClass:rsc, cn:rsc

dn: userCertificate=template_ipaentitlement_objectclass,cn=entitlements,cn=etc,dc=greyoak,dc=com
entryLevelRights: v
attributeLevelRights: userCertificate:rsc, userPKCS12:none, ipaEntitlementId:rsc, objectClass:rsc
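The following is an added example and is not part of this bug report or of the 389-ds code base. It models, in Python, the two things the thread turns on: the leaf-RDN rule from the patch description (attachment 470351: an explicit @<objectclass>:<dntype> wins, otherwise the first MUST attribute type, otherwise the first MAY attribute type), and the reading of a GER reply such as the one verified above, where the answer to "can uid=tuser1 add an ipaEntitlement entry under cn=entitlements" is whether the template entry's entryLevelRights contains the add right ('a'), not merely the view right ('v'). The SCHEMA table, the GER_OUTPUT sample, and every function name here are assumptions made for illustration; the real selection happens in acleffectiverights.c and the real MUST/MAY lists come from the IPA schema files.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed schema (MUST list, MAY list) keyed by lower-cased objectclass.
# The attribute lists are assumptions for illustration, not the IPA schema.
SCHEMA: Dict[str, Tuple[List[str], List[str]]] = {
    "ipaentitlement": (["ipaEntitlementId"], ["userPKCS12", "userCertificate"]),
    "groupofnames": (["cn"], ["member", "description"]),
    "extensibleobject": ([], []),
}

# Constructed GER reply mirroring the verified run in this bug (LDIF folding kept).
GER_OUTPUT = """version: 1
dn: cn=entitlements,cn=etc,dc=greyoak,dc=com
entryLevelRights: v
attributeLevelRights: objectClass:rsc, cn:rsc

dn: userCertificate=template_ipaentitlement_objectclass,cn=entitlements,cn=etc
 ,dc=greyoak,dc=com
entryLevelRights: v
attributeLevelRights: userCertificate:rsc, userPKCS12:none, ipaEntitlementId:r
 sc, objectClass:rsc
"""

_ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$")


def parse_attr_spec(spec: str) -> Tuple[str, Optional[str]]:
    """Split "@<objectclass>[:<dntype>]" into (objectclass, dntype or None)."""
    if not spec.startswith("@"):
        raise ValueError("template spec must start with '@': %r" % spec)
    oc, sep, dntype = spec[1:].partition(":")
    if not oc or (sep and not dntype):
        raise ValueError("malformed template spec: %r" % spec)
    return oc.lower(), (dntype or None)


def template_rdn_type(spec: str, schema=SCHEMA) -> str:
    """Patch rule: explicit <dntype> wins, else first MUST, else first MAY."""
    oc, dntype = parse_attr_spec(spec)
    if dntype:
        return dntype
    if oc not in schema:
        raise LookupError("unknown objectclass %r" % oc)
    for candidates in schema[oc]:  # (MUST, MAY) in that order
        if candidates:
            return candidates[0]
    raise LookupError("objectclass %r has no MUST or MAY attribute type" % oc)


def template_dn(spec: str, base: str, schema=SCHEMA) -> str:
    """Leaf value "template_<oc>_objectclass" mirrors the DN seen in the reply."""
    oc, _ = parse_attr_spec(spec)
    return "%s=template_%s_objectclass,%s" % (template_rdn_type(spec, schema), oc, base)


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space); drop blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def parse_ger_output(text: str) -> Dict[str, dict]:
    """Return {dn: {"entry": set(rights), "attrs": {attr: set(rights)}}}.
    "::" marks a base64 value; the literal "none" becomes the empty set.
    Lines before the first dn (e.g. "version: 1") are ignored."""
    entries: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in _unfold(text):
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError("unparseable LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        attr = attr.lower()
        if attr == "dn":
            current = entries.setdefault(value, {"entry": set(), "attrs": {}})
        elif attr == "entrylevelrights" and current is not None:
            current["entry"] = set() if value == "none" else set(value)
        elif attr == "attributelevelrights" and current is not None:
            for item in value.split(","):
                name, _, rights = item.strip().rpartition(":")
                current["attrs"][name] = set() if rights == "none" else set(rights)
    return entries


def may_add_template(spec: str, base: str, ger_output: str, schema=SCHEMA) -> bool:
    """True only if the GER reply grants the add ('a') right on the template DN."""
    dn = template_dn(spec, base, schema)
    entries = parse_ger_output(ger_output)
    if dn not in entries:
        raise KeyError("GER reply contains no template entry %r" % dn)
    return "a" in entries[dn]["entry"]
```

Run against the sample reply, may_add_template("@ipaentitlement:userCertificate", "cn=entitlements,cn=etc,dc=greyoak,dc=com", GER_OUTPUT) returns False: the template entry is only viewable by uid=tuser1, so the user cannot create entitlement entries under that container. The same parser decodes the pre-patch reply from the report (attributeLevelRights:: Om5vbmU= is ":none"), which is why a client that checks rights by attribute name rather than by the presence of 'a' would have been silently misled before the fix.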