https://bugzilla.redhat.com/show_bug.cgi?id=457156
Summary: GER: allow GER for non-existing entries (phase 2)
Product: Fedora Directory Server
Version: 1.1.1
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: low
Component: Security - Access Control (GER)
AssignedTo: nhosoi(a)redhat.com
ReportedBy: nhosoi(a)redhat.com
QAContact: ckannan(a)redhat.com
Estimated Hours: 0.0
The change is too small for "(phase 2)", though... :)
Description of problem:
"437525: GER: allow GER for non-existing entries" introduced a new type of list
(e.g., "*@inetorgperson" "*@posixaccount") to the ldapsearch when the
Get
Effective Rights Control OID is given. If such list is given, a template entry
is internally created and the effective rights are evaluated. Currently, the
entry is not associated with any suffix. Therefore, no meaning ACIs are applied
to the template entry.
Since the search specifies the search base, we could use the dn as the template
entry is located.
------- Additional Comments From nhosoi(a)redhat.com 2008-07-29 19:05 EST -------
Created an attachment (id=312947)
--> (
https://bugzilla.redhat.com/attachment.cgi?id=312947&action=view)
cvs diff ldap/servers/plugins/acl/acleffectiverights.c
Fix Description: get the target dn from the pblock and add it to the template entry
dn if available. Plus a memory leak was found and fixed at the same time.
------- Additional Comments From nhosoi(a)redhat.com 2008-07-30 11:29 EST -------
Created an attachment (id=313006)
--> (
https://bugzilla.redhat.com/attachment.cgi?id=313006&action=view)
test ldif file
This test sets ACI:
aci: (target=ldap:///ou=Accounting,dc=example,dc=com)(targetattr="*")(version
3.
0; acl "tp25"; allow (read,search,compare) (userdn = "ldap:///anyone")
;)
That is, no ACI in dc=example,dc=com, nor entries under ou other than
ou=Accounting; entries under ou=Accounting,dc=example,dc=com have the
permission rsc.
Test cases:
1) search from dc=example,dc=com:
$ ldapsearch -D "cn=Directory Manager" -w <pw> -b
"dc=example,dc=com" -s base
-J "1.3.6.1.4.1.42.2.27.9.5.2:false:dn: cn=Jacques SMITH, dc=example,dc=com"
"(uidnumber=*)" "*@posixaccount"
dn: cn=template_posixaccount_objectclass,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: dummy
gidNumber: dummy
uidNumber: dummy
uid: dummy
cn: dummy
entryLevelRights: none
attributeLevelRights: cn:none, uid:none, uidNumber:none, gidNumber:none, homeD
irectory:none, objectClass:none, userPassword:none, loginShell:none, gecos:n
one, description:none, aci:none
2) search from ou=accounting,dc=example,dc=com:
$ ldapsearch -D "cn=Directory Manager" -w <pw> -b
"ou=accounting,dc=example,dc=com" -s base -J
"1.3.6.1.4.1.42.2.27.9.5.2:false:dn: cn=Jacques SMITH, dc=example,dc=com"
"(uidnumber=*)" "*@posixaccount"
dn: cn=template_posixaccount_objectclass,ou=accounting,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: dummy
gidNumber: dummy
uidNumber: dummy
uid: dummy
cn: dummy
entryLevelRights: v
attributeLevelRights: cn:rsc, uid:rsc, uidNumber:rsc, gidNumber:rsc, homeDirec
tory:rsc, objectClass:rsc, userPassword:rsc, loginShell:rsc, gecos:rsc, desc
ription:rsc, aci:rsc
3) search from ou=payroll,dc=example,dc=com:
$ ldapsearch -D "cn=Directory Manager" -w <pw> -b
"ou=payroll,dc=example,dc=com" -s base -J
"1.3.6.1.4.1.42.2.27.9.5.2:false:dn:
cn=Jacques SMITH, dc=example,dc=com" "(uidnumber=*)"
"*@posixaccount"
dn: cn=template_posixaccount_objectclass,ou=payroll,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: dummy
gidNumber: dummy
uidNumber: dummy
uid: dummy
cn: dummy
entryLevelRights: none
attributeLevelRights: cn:none, uid:none, uidNumber:none, gidNumber:none, homeD
irectory:none, objectClass:none, userPassword:none, loginShell:none, gecos:n
one, description:none, aci:none
4) search from "" (no acis are set):
ldapsearch D "cn=Directory Manager" -w <pw> -b "" -s base -J
"1.3.6.1.4.1.42.2.27.9.5.2:false:dn: cn=Jacques SMITH, dc=example,dc=com"
"(uidnumber=*)" "*@posixaccount"version: 1
dn: cn=template_posixaccount_objectclass,
objectClass: posixaccount
objectClass: top
homeDirectory: dummy
gidNumber: dummy
uidNumber: dummy
uid: dummy
cn: dummy
entryLevelRights: none
attributeLevelRights: cn:none, uid:none, uidNumber:none, gidNumber:none, homeD
irectory:none, objectClass:none, userPassword:none, loginShell:none, gecos:n
one, description:none, aci:none