From 9a1b6dac55d5195bba594ae7ae7f3c45e16efda9 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Jan 10 2014 20:33:59 +0000
Subject: Revert "Ticket 47653 - Need a way to allow users to create entries assigned to themselves"

This reverts commit a9cd4e78f1fd1af5de06aca46c8c10ed70bbe4e1.

Description: It turned out this patch does not satisfy the IPA's needs and has a possibility to introduce a security issue.

(cherry picked from commit c25c08f52b2877333b65c1a0d8c94b51797748ba)
---
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 729f2e0..9a52bc5 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -33,7 +33,6 @@ nsslapd-validate-cert: warn
 nsslapd-allow-unauthenticated-binds: off
 nsslapd-require-secure-binds: off
 nsslapd-allow-anonymous-access: on
-nsslapd-access-userattr-strict: on
 nsslapd-localssf: 71
 nsslapd-minssf: 0
 nsslapd-port: %ds_port%
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 63169f2..3646fcd 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1170,7 +1170,6 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 char *attrs[2] = { LDAP_ALL_USER_ATTRS, NULL };
 lasInfo lasinfo;
 int got_undefined = 0;
- int userattr_strict;
 
 if ( 0 != (rc = __acllas_setup (errp, attr_name, comparator, 0, /* Don't allow range comparators */
 attr_pattern,cachable,LAS_cookie,
@@ -1266,8 +1265,6 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 slapi_log_error( SLAPI_LOG_ACL, plugin_name,"Attr:%s\n" , attrName);
 
 matched = ACL_FALSE;
- userattr_strict = config_get_access_userattr_strict();
-
 for (i=0; i < numOflevels; i++) {
 if ( levels[i] == 0 ) {
 Slapi_Value *sval=NULL;
@@ -1279,10 +1276,10 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 * must never be allowed to grant access--
 * This is because access would be granted based on a value
 * of an attribute in the new entry--security hole.
- *
- * There are valid cases where we want to allow this, or be less strict.
- */
- if ( userattr_strict && lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
+ *
+ */
+
+ if ( lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
 slapi_log_error( SLAPI_LOG_ACL, plugin_name,
 "ACL info: userdnAttr does not allow ADD permission at level 0.\n");
 got_undefined = 1;
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 4658730..a8ad3cc 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -264,7 +264,6 @@ slapi_onoff_t init_plugin_logging;
 slapi_int_t init_connection_buffer;
 slapi_int_t init_listen_backlog_size;
 slapi_onoff_t init_ignore_time_skew;
-slapi_onoff_t init_access_userattr_strict;
 #ifdef MEMPOOL_EXPERIMENTAL
 slapi_onoff_t init_mempool_switch;
 #endif
@@ -273,7 +272,6 @@ slapi_onoff_t init_mempool_switch;
 #define DEFAULT_ALLOW_ANON_ACCESS "on"
 #define DEFAULT_VALIDATE_CERT "warn"
 #define DEFAULT_UNHASHED_PW_SWITCH "on"
-#define DEFAULT_ACCESS_USERATTR_STRICT "on"
 
 static int
 isInt(ConfigVarType type)
@@ -955,12 +953,6 @@ static struct config_get_and_set {
 CONFIG_SPECIAL_ANON_ACCESS_SWITCH,
 (ConfigGetFunc)config_get_anon_access_switch,
 DEFAULT_ALLOW_ANON_ACCESS},
- {CONFIG_ACCESS_USERATTR_STRICT, config_set_access_userattr_strict,
- NULL, 0,
- (void**)&global_slapdFrontendConfig.access_userattr_strict,
- CONFIG_ON_OFF,
- (ConfigGetFunc)config_get_access_userattr_strict,
- &init_access_userattr_strict},
 {CONFIG_LOCALSSF_ATTRIBUTE, config_set_localssf,
 NULL, 0,
 (void**)&global_slapdFrontendConfig.localssf,
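Review bot: The restored comment above the ADD check now ends with an empty ` *` line followed by ` */` and a blank line before the `if`, which reads as a leftover of the removed text rather than an intentional break, and more importantly it no longer records why the check must stay unconditional. I would replace the two trailing comment lines with ` * Keep this check unconditional: a config toggle relaxing it (ticket 47653) was reverted because it reopened this hole.` and drop the blank line before the `if`. DS_LASUserDnAttrEval starts and ends outside the hunk, so how got_undefined is consumed after this branch cannot be checked here.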
@@ -1526,7 +1518,6 @@ FrontendConfig_init () {
 init_plugin_logging = cfg->plugin_logging = LDAP_OFF;
 init_listen_backlog_size = cfg->listen_backlog_size = DAEMON_LISTEN_SIZE;
 init_ignore_time_skew = cfg->ignore_time_skew = LDAP_OFF;
- init_access_userattr_strict = cfg->access_userattr_strict = LDAP_ON;
 #ifdef MEMPOOL_EXPERIMENTAL
 init_mempool_switch = cfg->mempool_switch = LDAP_ON;
 cfg->mempool_maxfreelist = 1024;
@@ -6681,36 +6672,6 @@ config_set_force_sasl_external( const char *attrname, char *value,
 }
 
 int
-config_set_access_userattr_strict( const char *attrname, char *value,
- char *errorbuf, int apply )
-{
- int retVal = LDAP_SUCCESS;
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-
- retVal = config_set_onoff(attrname,
- value,
- &(slapdFrontendConfig->access_userattr_strict),
- errorbuf,
- apply);
-
- return retVal;
-}
-
-int
-config_get_access_userattr_strict(void)
-{
- int retVal;
-
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- CFG_ONOFF_LOCK_READ(slapdFrontendConfig);
- retVal = (int)slapdFrontendConfig->access_userattr_strict;
- CFG_ONOFF_UNLOCK_READ(slapdFrontendConfig);
-
- return retVal;
-}
-
-int
 config_get_entryusn_global(void)
 {
 int retVal;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index c6b1b8d..af7b553 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -399,7 +399,6 @@ int config_set_return_orig_type_switch(const char *attrname, char *value, char *
 int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_listen_backlog_size(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_ignore_time_skew(const char *attrname, char *value, char *errorbuf, int apply);
-int config_set_access_userattr_strict( const char *attrname, char *value, char *errorbuf, int apply );
 
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -576,7 +575,6 @@ int config_get_plugin_logging();
 int config_set_connection_nocanon(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_plugin_logging(const char *attrname, char *value, char *errorbuf, int apply);
 int config_get_listen_backlog_size(void);
-int config_get_access_userattr_strict(void);
 
 PLHashNumber hashNocaseString(const void *key);
 PRIntn hashNocaseCompare(const void *v1, const void *v2);
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 2763408..5b23c69 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2009,7 +2009,6 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
 #define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
 #define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
-#define CONFIG_ACCESS_USERATTR_STRICT "nsslapd-access-userattr-strict"
 #define CONFIG_LOCALSSF_ATTRIBUTE "nsslapd-localssf"
 #define CONFIG_MINSSF_ATTRIBUTE "nsslapd-minssf"
 #define CONFIG_MINSSF_EXCLUDE_ROOTDSE "nsslapd-minssf-exclude-rootdse"
@@ -2390,7 +2389,6 @@ typedef struct _slapdFrontendConfig {
 slapi_onoff_t connection_nocanon; /* if "on" sets LDAP_OPT_X_SASL_NOCANON */
 slapi_onoff_t plugin_logging; /* log all internal plugin operations */
 slapi_onoff_t ignore_time_skew;
- slapi_onoff_t access_userattr_strict;
 } slapdFrontendConfig_t;
 
 /* possible values for slapdFrontendConfig_t.schemareplace */