#48344 acl - regression - trailing ', (comma)' in macro matched value is not removed.
Closed: wontfix None Opened 8 years ago by nhosoi.

acl_match_macro_in_target returns matched value with a trailing comma, e.g., "o=kaki.com,". It's used to create a group DN, e.g.,
"cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us".

Due to the duplicated commas, the bind unexpectedly fails with 50 (insufficient access).

Failure case:
aci: (target="ldap:///ou=People, ($dn), o=ace industry,c=us") (targetattr!="userPassword")(targetfilter=(objectClass=nsManagedPerson)) (version 3.0; acl "Admin access to all users in this and lower domains"; allow (write,read,search) groupdn="ldap:///cn=Domain Administrators, ou=Groups, [$dn], o=ace industry,c=us";)

Bind DN: uid=michael-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us

The DN is a uniquemember of:
cn=Domain Administrators,ou=Groups,o=Kaki.com,o=ace industry,c=us
uniquemember: uid=michael-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us

Target DN: uid=bob-kaki.com,ou=People,o=Kaki.com,o=ace industry,c=us

Log with LDAP_DEBUG_ACL enabled.
[..] NSACLPlugin - aclutil_evaluate_macro for aci ' "Admin access to all users in this and lower domains"' index '2'
[..] NSACLPlugin - ACL info: found matched_val ( "Admin access to all users in this and lower domains") for aci index 2in macro ht
[..] NSACLPlugin - Evaluating user uid=michael-kaki.com,ou=people,o=kaki.com,o=ace industry,c=us in group cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us?
[..] NSACLPlugin - -- Not in cn=Domain Administrators,ou=Groups,o=kaki.com,,o=ace industry,c=us
[..] NSACLPlugin - Evaluated ACL_FALSE

This behaviour was introduced by the fix for #48141 - aci with wildcard and macro not correctly evaluated.
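
An added illustration of the failure described above (not the 389-ds-base patch and not code from this ticket): substituting a matched value that still carries its trailing comma produces an empty RDN, so the group lookup fails and access is denied. The function names are hypothetical, and the code performs one textual substitution on an already normalized template rather than the server's full `[$dn]` expansion.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the DN contains an empty RDN (",,", leading or trailing ',').
 * Escaped characters ("\,") belong to a value and are skipped. */
int dn_has_empty_rdn(const char *dn)
{
    int prev_sep = 1; /* start of string behaves like a separator */
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1]) { p++; prev_sep = 0; continue; }
        if (*p == ' ') continue; /* spaces around separators are insignificant */
        if (*p == ',') { if (prev_sep) return 1; prev_sep = 1; }
        else prev_sep = 0;
    }
    return prev_sep;
}

/* Length of val without trailing separator commas/spaces; an escaped one is kept. */
static size_t trimmed_len(const char *val)
{
    size_t n = strlen(val);
    while (n > 0 && (val[n - 1] == ',' || val[n - 1] == ' ')) {
        size_t bs = 0; /* count backslashes directly before the last char */
        while (bs < n - 1 && val[n - 2 - bs] == '\\') bs++;
        if (bs % 2) break; /* odd count: the char is escaped, part of the value */
        n--;
    }
    return n;
}

/* Replace the first occurrence of macro in tmpl with the trimmed matched value.
 * Returns 0 on success; -1 if the macro is absent, out is too small,
 * or the expanded DN would still contain an empty RDN. */
int expand_dn_macro(const char *tmpl, const char *macro, const char *matched_val,
                    char *out, size_t outlen)
{
    const char *hit = strstr(tmpl, macro);
    if (hit == NULL) return -1;
    int n = snprintf(out, outlen, "%.*s%.*s%s", (int)(hit - tmpl), tmpl,
                     (int)trimmed_len(matched_val), matched_val, hit + strlen(macro));
    if (n < 0 || (size_t)n >= outlen) return -1;
    return dn_has_empty_rdn(out) ? -1 : 0;
}

int main(void)
{
    char dn[256]; /* template and matched value below are taken from the ticket text */
    int rc = expand_dn_macro("cn=Domain Administrators,ou=Groups,[$dn],o=ace industry,c=us",
                             "[$dn]", "o=kaki.com,", dn, sizeof dn);
    printf("rc=%d dn=%s\n", rc, rc == 0 ? dn : "(rejected)");
    return 0;
}
```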


Reviewed by Mark (Thank you!!)

Pushed to master:
4fb5412..8e421fb master -> master
commit 8e421fb

Pushed to 389-ds-base-1.3.4:
6180b91..1a6390d 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 1a6390d

Metadata Update from @nhosoi:
- Issue set to the milestone: 1.3.4.5

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1675

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
