From 07c1bc25508a9c1e71dd8e717fd4ce455ddfeff0 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Oct 10 2014 21:01:22 +0000
Subject: Ticket #47922 - dynamically added macro aci is not evaluated on the fly

Bug Description: When macro aci is dynamically added and if the aci's macro target dn is not normalized, the following operation that requires the aci could fail with Insufficient access since matching the target dn and the macro target dn fails since the code expects normalized macro target dn.
Fix Description: Before setting the macro target dn, process the dn by slapi_create_dn_string_case.
https://fedorahosted.org/389/ticket/47922
Reviewed by lkrispen@redhat.com and rmeggins@redhat.com (Thank you, Ludwig and Rich!!)
---
diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c
index ea64fa7..be86c8b 100644
--- a/ldap/servers/plugins/acl/aclparse.c
+++ b/ldap/servers/plugins/acl/aclparse.c
@@ -1849,9 +1849,9 @@ static int
 acl_check_for_target_macro( aci_t *aci_item, char *value)
 {
- char *str = NULL;
+ char *str = NULL;
- str = strstr(value, ACL_TARGET_MACRO_DN_KEY /* ($dn) */);
+ str = PL_strcasestr(value, ACL_TARGET_MACRO_DN_KEY /* ($dn) */);
 if (str != NULL) {
 char *p0 = NULL, *p1 = NULL;
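Review bot: The inline comment `/* ($dn) */` on the `PL_strcasestr` call still reads as an exact-spelling match, while the lookup now accepts any letter case of the key; a wording such as `/* ($dn), matched case-insensitively */` would record that the relaxed match is deliberate. Because this result decides whether an ACI is handled as a macro target, it is worth confirming that every other place that searches for the macro keys applies the same case rule (this patch converts only this function and acl_match_macro_in_target), otherwise a mixed-case ACI could be recognised here and missed during evaluation. The function body continues past the end of this hunk.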
@@ -1871,10 +1871,17 @@ acl_check_for_target_macro( aci_t *aci_item, char *value)
 aci_item->aci_type &= ~ACI_TARGET_DN;
 aci_item->aci_type |= ACI_TARGET_MACRO_DN;
 aci_item->aci_macro = (aciMacro *)slapi_ch_malloc(sizeof(aciMacro));
- aci_item->aci_macro->match_this = slapi_ch_strdup(value);
- aci_item->aci_macro->macro_ptr = strstr( aci_item->aci_macro->match_this,
- ACL_TARGET_MACRO_DN_KEY);
- return(1);
+ /* Macro dn needs to normalize. E.g., "ou=Groups, ($dN), dn=example,dn=com" */
+ aci_item->aci_macro->match_this = slapi_create_dn_string_case("%s", value);
+ if (NULL == aci_item->aci_macro->match_this) {
+ slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
+ "acl_check_for_target_macro: Error: Invalid macro target dn: \"%s\"\n", value);
+ aci_item->aci_type &= ~ACI_TARGET_MACRO_DN;
+ slapi_ch_free((void **)&aci_item->aci_macro);
+ return -1;
+ }
+ aci_item->aci_macro->macro_ptr = PL_strcasestr(aci_item->aci_macro->match_this, ACL_TARGET_MACRO_DN_KEY);
+ return(1);
 }
 return(0);
diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c
index e865a95..0720dae 100644
--- a/ldap/servers/plugins/acl/aclutil.c
+++ b/ldap/servers/plugins/acl/aclutil.c
@@ -785,7 +785,7 @@ acl_match_macro_in_target( const char *ndn, char * match_this,
 macro_prefix = slapi_ch_strdup(match_this);
 /* we know it's got a $(dn) */
- tmp_ptr = strstr(macro_prefix, ACL_TARGET_MACRO_DN_KEY);
+ tmp_ptr = PL_strcasestr(macro_prefix, ACL_TARGET_MACRO_DN_KEY);
 if (!tmp_ptr) {
 LDAPDebug(LDAP_DEBUG_ACL,"acl_match_macro_in_target: "
 "Target macro DN key \"%s\" not found in \"%s\".\n",
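Review bot: The new failure branch in acl_check_for_target_macro returns -1, while the other exits visible in this hunk return 1 and 0, so a caller that tests the result for truthiness would treat an invalid macro DN as "macro found" after `aci_item->aci_macro` has been freed. The caller is not part of this diff and should be checked to compare against `== 1` and to reject the ACI on a negative result. The same branch clears `ACI_TARGET_MACRO_DN` but does not restore the `ACI_TARGET_DN` bit removed a few lines earlier, which leaves the item with neither target flag set if parsing were to continue. The `PL_strcasestr` result stored in `macro_ptr` is also unchecked, so a NULL there (should normalization ever alter the key) would surface only at a later use. A header comment such as `/* returns 1: macro target set, 0: no macro, -1: invalid macro target dn */` would make the contract explicit; the function begins and ends outside this hunk.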