https://bugzilla.redhat.com/show_bug.cgi?id=853931 (Red Hat Enterprise Linux 6)
Description of problem: Macros are placeholders that are used to represent a DN, or a portion of a DN, in an ACI. These placeholders now seem to be checked for syntax incorrectly, allowing to set aci with invalid syntax. Version-Release number of selected component (if applicable): all? (tested with 389-ds-base-1.2.10.2-15.el6.x86_64 and 389-ds-base-1.2.11.7-2.el6.x86_64) How reproducible: always Steps to Reproduce: ldapmodify -h localhost -p 389 -D "cn=directory manager" -w dirmanager <<EOF dn: dc=redhat,dc=com changetype: modify add: aci aci: (target="ldap:///dc=redhat,dc=com")(version 3.0; acl "Wrong_ACI"; allow (all) userdn="ldap:///($attribute.description),dc=redhat,dc=com";) EOF modifying entry "dc=redhat,dc=com" [jrusnack@dhcp-31-42 /]$ echo $? 0 Actual results: succeeds Expected results: should fail with RC 21 LDAP_INVALID_SYNTAX Additional info: Already automated in acl/macro-acis
I can not reproduce the issue:
ldapmodify -p 40929 -h localhost -D cn=dm -w superman dn: dc=example,dc=com changetype: modify add: aci aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Wrong_ACI"; allow (all) userdn="ldap:///($attribute.description),dc=redhat,dc=com";)
modifying entry "dc=example,dc=com" ldap_modify: Invalid syntax (21) additional info: ACL Syntax Error(-5):(target=\22ldap:///dc=example,dc=com\22)(version 3.0; acl \22Wrong_ACI\22; allow (all) userdn=\22ldap:///($attribute.description),dc=redhat,dc=com\22;)
Is there another example, or did I miss something?
Mark
Reassigning to Noriko...
Mark, you are right. The test case is passing now. The bug was fixed along with some other bug... Closing this ticket as worksforme.
The case in the initial description does work properly, but there are some other issues related to macro aci evaluation that are outstanding.
This aci will be accepted by DS when it is added, but will not function properly:
(target="ldap:///dc=example,dc=com")(version 3.0; acl "Wrong_ACI"; allow (all) userdn="ldap:///($ATTR.description),dc=example,dc=com";)
The code in DS allows the "attr" macro keyword in any case:
In __aclp__sanity_check_acltxt: } else if ((s = strstr(word, "($")) || (s = strstr(word, "[$"))) { if ((0 != strncasecmp(s, ACL_RULE_MACRO_DN_KEY, sizeof(ACL_RULE_MACRO_DN_KEY) - 1)) && (0 != strncasecmp(s, ACL_RULE_MACRO_DN_LEVELS_KEY, sizeof(ACL_RULE_MACRO_DN_LEVELS_KEY) - 1)) && (0 != strncasecmp(s, ACL_RULE_MACRO_ATTR_KEY, sizeof(ACL_RULE_MACRO_ATTR_KEY) - 1))) { slapi_ch_free ( (void **) &newstr ); return ACL_SYNTAX_ERR; }
In acllas.c, we use strstr() to check for the macro keywords:
if ((strstr (user, ACL_RULE_MACRO_DN_KEY) != NULL) || (strstr (user, ACL_RULE_MACRO_DN_LEVELS_KEY) != NULL) || (strstr (user, ACL_RULE_MACRO_ATTR_KEY) != NULL)) {
We need to make the code in acllas.c more tolerant of case by using strcasestr().
Also, this aci is allowed to be added, but should be rejected with err=21 due to the extra '.' character:
(target="ldap:///dc=example,dc=com")(version 3.0; acl "Wrong_ACI"; allow (all) userdn="ldap:///($ATTR..description),dc=example,dc=com";)
Looks like you need to free newstr here: https://fedorahosted.org/389/attachment/ticket/449/0001-Ticket-449-Allow-macro-aci-keywords-to-be-case-insen.patch#L536 when you return ACL_SYNTAX_ERR - otherwise, ack
Updated patch 0001-Ticket-449-Allow-macro-aci-keywords-to-be-case-insen.patch
Replying to [comment:12 rmeggins]:
Good catch! Please review the updated patch.
Thanks for the review Rich! Pushed to master and 389-ds-base-1.3.1 branches:
master - 9521460 389-ds-base-1.3.1 - a7e9f7b
Pushed to 389-ds-base-1.2.11: 3fd372e..9b959b9 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit 9b959b9
Build of 389-ds-base-1.2.11 branch fails with: {{{ libtool: compile: gcc -DHAVE_CONFIG_H -I. -I./include/libaccess -DBUILD_NUM=\"2016.300.945\" "-DVENDOR=\"389 Project\"" -DBRAND=\"389\" -DCAPBRAND=\"389\" -UPACKAGE_VERSION -UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT -I./ldap/include -I./ldap/servers/slapd -I./include -I. -DLOCALSTATEDIR=\"/var\" -DSYSCONFDIR=\"/etc\" -DLIBDIR=\"/usr/lib64\" -DBINDIR=\"/usr/bin\" -DDATADIR=\"/usr/share\" -DDOCDIR=\"/usr/share/doc/389-ds-base\" -DSBINDIR=\"/usr/sbin\" -DPLUGINDIR=\"/usr/lib64/dirsrv/plugins\" -DTEMPLATEDIR=\"/usr/share/dirsrv/data\" -I/usr/include -I/usr/include/nss3 -I/usr/include/nspr4 -I/usr/include/nspr4 -g -O2 -MT ldap/servers/plugins/acl/libacl_plugin_la-aclparse.lo -MD -MP -MF ldap/servers/plugins/acl/.deps/libacl_plugin_la-aclparse.Tpo -c ldap/servers/plugins/acl/aclparse.c -fPIC -DPIC -o ldap/servers/plugins/acl/.libs/libacl_plugin_la-aclparse.o ldap/servers/plugins/acl/aclparse.c: In function ‘__aclp__sanity_check_acltxt’: ldap/servers/plugins/acl/aclparse.c:487: error: ‘brkstr’ undeclared (first use in this function) ldap/servers/plugins/acl/aclparse.c:487: error: (Each undeclared identifier is reported only once ldap/servers/plugins/acl/aclparse.c:487: error: for each function it appears in.) ldap/servers/plugins/acl/aclparse.c:490: error: ‘checkversion’ undeclared (first use in this function) make[1]: *** [ldap/servers/plugins/acl/libacl_plugin_la-aclparse.lo] Error 1
}}}
Thanks a lot for finding it out before the official build, Viktor!
The fix is pushed to 389-ds-base-1.2.11: ca0d132..d91bcdf 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit d91bcdf
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 1.2.11.33
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/449
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)
Login to comment on this ticket.