Bug 860772 - Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl
Summary: Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
Depends On:
Blocks: CVE-2012-4450
Reported: 2012-09-26 16:45 UTC by Noriko Hosoi
Modified: 2020-09-13 20:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When modrdn operation was executed, only newrdn change was passed to the acl plugin. Also, the change was used only for the acl search, but not for the acl target in the items in the acl cache.
Consequence: Once modrdn is operated, acl assigned to the entry was temporarily disabled until the server is restarted.
Fix: The newsuperior update is also passed to the acl plugin. And the modrdn updates are applied to the acl target in the acl cache.
Result: Acl is not affected by the modrdn operation.
Clone Of:
Last Closed: 2013-02-21 08:20:58 UTC
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Github 389ds 389-ds-base issues | 340 | 0 | None | None | None | 2020-09-13 20:08:55 UTC
Red Hat Product Errata | RHSA-2013:0503 | 0 | normal | SHIPPED_LIVE | Moderate: 389-ds-base security, bug fix, and enhancement update | 2013-02-21 08:18:44 UTC

Description Noriko Hosoi 2012-09-26 16:45:54 UTC
This bug is created as a clone of upstream ticket:


/* This function is now fully executed for internal and replicated ops. */
plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )

    /* newrdn: "change" is normalized but not case-ignored */
    /* The acl plugin expects normalized newrdn, but no need to be case-
     * ignored. */
    (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change );

Bug description:
The change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl.

There may be other places in the code where there is an implicit assumption that modrdn with new superior is not supported.

Comment 1 Noriko Hosoi 2012-09-26 17:09:19 UTC
Cherry picked 5beb93d42efb807838c09c5fab898876876f8d09.

Pushed to external 389-ds-base-1.2.11.
$ git push origin 389-ds-base-1.2.11-ext:389-ds-base-1.2.11
Counting objects: 25, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 2.55 KiB, done.
Total 13 (delta 11), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   cf42a2f..7399cbd  389-ds-base-1.2.11-ext -> 389-ds-base-1.2.11

Comment 3 Sankar Ramalingam 2012-09-27 16:22:29 UTC
QA acked.

Comment 5 Milan Kubík 2013-01-29 13:06:37 UTC
acl modrdn suite:

modrdn Test trac340: test for renaming target entry
Create a test user entry
adding new entry uid=trac340,o=ace industry,c=us

Create a new ou entry with an aci
adding new entry ou=OU0,o=ace industry,c=us

Make sure uid=trac340 has the access
dn: ou=OU0,o=ace industry,c=us
OK: uid=trac340 has the access.
Rename ou=OU0 to ou=OU1
modifying RDN of entry ou=OU0,o=ace industry,c=us

Make sure uid=trac340 still has the access
dn: ou=OU1,o=ace industry,c=us
OK: uid=trac340 has the access.
Create another ou=OU2
adding new entry ou=OU2,o=ace industry,c=us

Move ou=OU1 under ou=OU2
modifying RDN of entry ou=OU1,o=ace industry,c=us and/or moving it beneath a new parent

Make sure uid=trac340 still has the access
dn: ou=OU1,ou=OU2,o=ace industry,c=us
OK: uid=trac340 has the access.
Clean up the test entries
ldap_delete: No such object
TestCase [trac340] result-> [PASS]

$ rpm -qa 389-ds-base
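
Added example (not part of the bug report and not 389-ds-base code): a simplified C model of the rename-then-move case the suite above exercises. It derives the entry's DN after a modrdn from newrdn and newsuperior and rewrites a cached ACI target to match; the function names, buffer sizes and flat string "cache" are assumptions, and DNs are taken as already normalized.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* DN after modrdn: newrdn under newsuperior, or under the old parent when
 * newsuperior is NULL. Assumes normalized DNs without escaped commas. */
static int modrdn_new_dn(const char *old_dn, const char *newrdn,
                         const char *newsuperior, char *out, size_t outlen)
{
    const char *comma = strchr(old_dn, ',');
    const char *parent = newsuperior ? newsuperior : (comma ? comma + 1 : "");
    int n = snprintf(out, outlen, "%s%s%s", newrdn, *parent ? "," : "", parent);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Rewrite a cached ACI target at or beneath old_dn: 1 done, 0 n/a, -1 too long. */
static int acl_cache_retarget(char *target, size_t tlen,
                              const char *old_dn, const char *new_dn)
{
    size_t tl = strlen(target), ol = strlen(old_dn);
    char buf[512];
    if (tl < ol || strcasecmp(target + (tl - ol), old_dn) != 0 ||
        (tl > ol && target[tl - ol - 1] != ','))
        return 0;              /* old_dn is not a suffix on an RDN boundary */
    int n = snprintf(buf, sizeof buf, "%.*s%s", (int)(tl - ol), target, new_dn);
    if (n < 0 || (size_t)n >= sizeof buf || (size_t)n >= tlen)
        return -1;
    memcpy(target, buf, (size_t)n + 1);
    return 1;
}

/* Constructed replay of the rename-then-move steps from the QA log.
 * pass_newsuperior == 0 models a caller that forwards only the new RDN. */
static int replay_trac340(char *target, size_t tlen, int pass_newsuperior)
{
    const char *ou0 = "ou=OU0,o=ace industry,c=us";
    const char *sup = pass_newsuperior ? "ou=OU2,o=ace industry,c=us" : NULL;
    char dn1[256], dn2[256];
    if (modrdn_new_dn(ou0, "ou=OU1", NULL, dn1, sizeof dn1) ||
        acl_cache_retarget(target, tlen, ou0, dn1) < 0 ||
        modrdn_new_dn(dn1, "ou=OU1", sup, dn2, sizeof dn2))
        return -1;
    return acl_cache_retarget(target, tlen, dn1, dn2);
}

int main(void)
{
    char t[256] = "ou=OU0,o=ace industry,c=us";
    return replay_trac340(t, sizeof t, 1) == 1 && puts(t) >= 0 ? 0 : 1;
}
```

With pass_newsuperior set to 0 the cached target stays at ou=OU1,o=ace industry,c=us although the entry has moved beneath ou=OU2, so the cached target no longer names the entry the ACI was attached to.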


Comment 6 errata-xmlrpc 2013-02-21 08:20:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 7 Milan Kubík 2013-06-24 10:49:36 UTC
Covered in acl modrdn suite
