Bug 788753 - aci on cn=monitor warning about connection attribute
Summary: aci on cn=monitor warning about connection attribute
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-02-08 23:07 UTC by Rich Megginson
Modified: 2012-06-20 07:14 UTC (History)
4 users (show)

Fixed In Version: 389-ds-base-1.2.10.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: do an anonymous search on cn=monitor, and request the "connection" attribute, which should be denied by the default aci Consequence: "connection" is returned Fix: Still process the aci even though the attribute is not in the schema Result: do not display "connection" if an aci denies access to it
Clone Of:
Environment:
Last Closed: 2012-06-20 07:14:21 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0813 normal SHIPPED_LIVE Low: 389-ds-base security, bug fix, and enhancement update 2012-06-19 19:29:15 UTC

Description Rich Megginson 2012-02-08 23:07:37 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/42

https://bugzilla.redhat.com/show_bug.cgi?id=705222

{{{
The aci on cn=monitor references an attribute named "connection" - the aci code
warns because this attribute is not in the schema.  The effect is that the aci
code ignores the aci.
}}}

Comment 1 Jenny Severance 2012-02-14 19:42:29 UTC
see upstream ticket for steps to verify

Comment 3 mreynolds 2012-05-11 20:23:32 UTC
This should be the expected results:

[1]  ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" connection
dn: cn=monitor

[2]  ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" aci
dn: cn=monitor

[3]  ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" version
dn: cn=monitor
version: 389-Directory/1.2.10.rc1.git0ac8d3a B2012.025.2145

Comment 4 Amita Sharma 2012-05-14 07:26:30 UTC
[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" connection
dn: cn=monitor

[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" aci
dn: cn=monitor

[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b "cn=monitor" version
dn: cn=monitor
version: 389-Directory/1.2.10.2 B2012.124.1435

[root@dhcp201-194 /]# 
1. -->> Why this one blank line appended in all the results??

Comment 5 Rich Megginson 2012-05-14 13:26:52 UTC
LDIF usually ends with a single blank line - in LDIF an empty line denotes the end of an entry or change record.

Comment 6 Noriko Hosoi 2012-05-16 01:13:55 UTC
Added a test case for trac42 (bug 788753)
--  --
M    acl/search.sh

Cleared the NEEDINFO flag.

Comment 7 Amita Sharma 2012-05-16 05:32:57 UTC
Marking the bug as VERIFIED.
[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b
"cn=monitor" connection
dn: cn=monitor

[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b
"cn=monitor" aci
dn: cn=monitor

[root@dhcp201-194 /]# ldapsearch -LLLx -h localhost -p 389 -s base -b
"cn=monitor" version
dn: cn=monitor
version: 389-Directory/1.2.10.2 B2012.124.1435

Comment 8 mreynolds 2012-05-25 15:37:57 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: do an anonymous search on cn=monitor, and request the "connection" attribute, which should be denied by the default aci
Consequence: "connection" is returned
Fix: Still process the aci even though the attribute is not in the schema
Result: do not display "connection" if an aci denies access to it

Comment 9 errata-xmlrpc 2012-06-20 07:14:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0813.html


Note You need to log in before you can comment on or make changes to this bug.