Attempting to delete a specific aci will have the aci value's syntax checked. So it makes it impossible to delete an aci if its syntax is invalid. We should not check the syntax of an aci if we are deleting it.
attachment 0001-Ticket-47953-Should-not-check-aci-syntax-when-deleti.patch
lib389 testcase 0002-Ticket-47953-testcase-for-removing-invalid-aci.patch
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1163461
To ssh://git.fedorahosted.org/git/389/ds.git 47868d3..6b4ade8 master -> master
commit 6b4ade8 Author: Mark Reynolds mreynolds@redhat.com Date: Wed Nov 12 11:07:52 2014 -0500
cb4f0cb..6a435f1 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 6a435f1
9678956..eb6a235 389-ds-base-1.3.2 -> 389-ds-base-1.3.2 commit eb6a235
b721da8..234f118 389-ds-base-1.3.1 -> 389-ds-base-1.3.1 commit 234f118efe7867cbbe36ca5c8b13ea7195114a38
75a6c74..67a084d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit 67a084d
Hi,
I am re-opening this bug because there is a condition where it could fail.
In fact, the fix consists of checking the syntax by adding/removing the aci under "cn=ACL Plugin,cn=plugins,cn=config". In most cases this works fine.
But if the aci has a "target" clause, even if the syntax is right, the check could fail, since when we add an aci we check that the target has to be in the scope of the aci.
For instance, if I add an aci under "o=redhat" it will work fine:
aci: (targetattr = "dn")(target = "ldap:///o=redhat") (version 3.0; acl "Escrita do atributo destinationIndicator para o Expresso"; allow (read,compare,search,write) (userdn = "ldap:///o=redhat??sub?(&(cn=admin)(ou:dn:=expressolivre))");)
But if I add it under "cn=ACL Plugin,cn=plugins,cn=config" it will fail with this error:
[21/Apr/2015:14:32:50 +0200] NSACLPlugin - ACL Invalid Target Error(-8): Target is beyond the scope of the ACL(SCOPE:cn=ACL Plugin,cn=plugins,cn=config) (targetattr = \22dn\22)(target=\22ldap:///o=redhat\22) (version 3.0; acl \22Escrita do atributo destinationIndicator para o Expresso\22; allow (read,compare,search,write) (userdn = \22ldap:///o=redhat??sub?(&(cn=admin)(ou:dn:=expressolivre))\22);)
regards,
German.
A possible fix would be:
if the dn of the entry is ACL_PLUGIN_CONFIG_ENTRY_DN and rv == ACL_INVALID_TARGET
where rv = acl_verify_syntax(e_sdn, mod->mod_bvalues[i], errbuf)
if (!slapi_dn_issuffix(avaValue->bv_val, dn)) return ACL_INVALID_TARGET;
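As an added illustration (not code from the ticket or from 389-ds-base), the following C sketch models the scope rule behind the logged "ACL Invalid Target Error(-8)" and the relaxation proposed above. ci_eq, aci_target_dn, dn_issuffix and the two acl_check_* functions are constructed stand-ins, not the server's slapi_dn_issuffix()/acl_verify_syntax(); the sample aci is the one quoted in the ticket.

```c
#include <ctype.h>
#include <string.h>

/* Result codes named in the ticket; -8 is the value the logged error shows. */
#define ACL_OK              0
#define ACL_INVALID_TARGET  (-8)
#define ACL_PLUGIN_CONFIG_ENTRY_DN "cn=ACL Plugin,cn=plugins,cn=config"
/* The aci value quoted in the ticket, used as sample input. */
static const char *const SAMPLE_ACI = "(targetattr = \"dn\")(target = \"ldap:///o=redhat\") (version 3.0; acl \"Escrita do atributo destinationIndicator para o Expresso\"; allow (read,compare,search,write) (userdn = \"ldap:///o=redhat??sub?(&(cn=admin)(ou:dn:=expressolivre))\");)";

/* Case-insensitive string equality; a simplified stand-in for the server's DN normalisation. */
static int ci_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++) if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Copy the DN of a (target = "ldap:///<dn>") clause into out; return 0 if none. "(targetattr" is skipped. */
int aci_target_dn(const char *aci, char *out, size_t outlen) {
    const char *p = aci, *end;
    while ((p = strstr(p, "(target")) != NULL) {
        p += 7; while (*p == ' ') p++;
        if (*p != '=') continue;          /* was "(targetattr", keep scanning */
        while (*++p == ' ') ;             /* step over '=' and any spaces */
        if (strncmp(p, "\"ldap:///", 9) != 0) return 0;
        if (!(end = strchr(p += 9, '"')) || (size_t)(end - p) >= outlen) return 0;
        memcpy(out, p, (size_t)(end - p));
        out[end - p] = '\0';
        return 1;
    }
    return 0;
}

/* Simplified slapi_dn_issuffix(): dn ends with suffix on an RDN boundary (DNs assumed normalised). */
int dn_issuffix(const char *dn, const char *suffix) {
    size_t dl = strlen(dn), sl = strlen(suffix);
    if (sl > dl || !ci_eq(dn + dl - sl, suffix)) return 0;
    return sl == dl || dn[dl - sl - 1] == ',';
}

/* The scope rule behind the logged error: the target must lie at or under the entry holding the aci. */
int acl_check_target_scope(const char *entry_dn, const char *aci) {
    char target[256];
    if (!aci_target_dn(aci, target, sizeof target)) return ACL_OK; /* no target clause: nothing to scope */
    return dn_issuffix(target, entry_dn) ? ACL_OK : ACL_INVALID_TARGET;
}

/* The ticket's proposed relaxation: when checked against the ACL plugin config entry (the delete path), an out-of-scope target is not an error. */
int acl_check_target_scope_for_delete(const char *entry_dn, const char *aci) {
    int rv = acl_check_target_scope(entry_dn, aci);
    return (rv == ACL_INVALID_TARGET && ci_eq(entry_dn, ACL_PLUGIN_CONFIG_ENTRY_DN)) ? ACL_OK : rv;
}
```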
This problem should be tracked in ticket https://fedorahosted.org/389/ticket/47946
The DS fix is working fine; it's the console that needed to be revised.
Metadata Update from @gparente: - Issue assigned to mreynolds - Issue set to the milestone: 1.2.11.33
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1284
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)