From a9cd4e78f1fd1af5de06aca46c8c10ed70bbe4e1 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Jan 03 2014 20:26:52 +0000
Subject: Ticket 47653 - Need a way to allow users to create entries assigned to themselves
Bug Description: There are cases where users need to be able to create, edit and delete their own entries. Using an ACI with the "userattr" keyword does not work with ADD operations(to prevent a security hole). This prevents IPA's OTP plugin from performing some necessary operations.
Fix Description: Added a new config attribute "nsslapd-access-userattr-strict". The default is "on" or strict. For the IPA case, it would need to be set to "off" in order to allow the desired behavior.
https://fedorahosted.org/389/ticket/47653
Reviewed by: nhosoi(Thanks!)
---
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index af176e9..bca7076 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -33,6 +33,7 @@ nsslapd-validate-cert: warn
 nsslapd-allow-unauthenticated-binds: off
 nsslapd-require-secure-binds: off
 nsslapd-allow-anonymous-access: on
+nsslapd-access-userattr-strict: on
 nsslapd-localssf: 71
 nsslapd-minssf: 0
 nsslapd-port: %ds_port%
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 3646fcd..63169f2 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1170,6 +1170,7 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 char *attrs[2] = { LDAP_ALL_USER_ATTRS, NULL };
 lasInfo lasinfo;
 int got_undefined = 0;
+ int userattr_strict;
 if ( 0 != (rc = __acllas_setup (errp, attr_name, comparator,
 0, /* Don't allow range comparators */
 attr_pattern,cachable,LAS_cookie,
@@ -1265,6 +1266,8 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 slapi_log_error( SLAPI_LOG_ACL, plugin_name,"Attr:%s\n" , attrName);
 matched = ACL_FALSE;
+ userattr_strict = config_get_access_userattr_strict();
+
 for (i=0; i < numOflevels; i++) {
 if ( levels[i] == 0 ) {
 Slapi_Value *sval=NULL;
@@ -1276,10 +1279,10 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 * must never be allowed to grant access--
 * This is because access would be granted based on a value
 * of an attribute in the new entry--security hole.
- *
- */
-
- if ( lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
+ *
+ * There are valid cases where we want to allow this, or be less strict.
+ */
+ if ( userattr_strict && lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
 slapi_log_error( SLAPI_LOG_ACL, plugin_name,
 "ACL info: userdnAttr does not allow ADD permission at level 0.\n");
 got_undefined = 1;
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 9165e08..d0bcbb9 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -265,6 +265,7 @@ slapi_onoff_t init_plugin_logging;
 slapi_int_t init_connection_buffer;
 slapi_int_t init_listen_backlog_size;
 slapi_onoff_t init_ignore_time_skew;
+slapi_onoff_t init_access_userattr_strict;
 #ifdef MEMPOOL_EXPERIMENTAL
 slapi_onoff_t init_mempool_switch;
 #endif
@@ -273,6 +274,7 @@ slapi_onoff_t init_mempool_switch;
 #define DEFAULT_ALLOW_ANON_ACCESS "on"
 #define DEFAULT_VALIDATE_CERT "warn"
 #define DEFAULT_UNHASHED_PW_SWITCH "on"
+#define DEFAULT_ACCESS_USERATTR_STRICT "on"
 static int isInt(ConfigVarType type)
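Review bot: Once `userattr_strict` is off, the rewritten condition no longer refuses a level-0 ADD, so a userattr/userdnattr bind rule at level 0 is satisfied by whatever value the requester put in the attribute of the entry being added — the exact condition the three unchanged comment lines above it call a security hole — and the switch is server-wide, not scoped to one ACI or subtree. The replacement comment ("There are valid cases where we want to allow this, or be less strict.") should state that consequence rather than leave it to be inferred; suggested wording: `* With nsslapd-access-userattr-strict=off this refusal is skipped for every ACI that uses userattr at level 0: the attribute value in the NEW entry then decides access, so such ACIs must constrain the ADD target by other means (targetfilter / targattrfilters).` The relaxed path is also silent, whereas the strict path logs at SLAPI_LOG_ACL; a matching "strict mode off, allowing level 0 ADD" log line would make a misconfiguration visible in the access-control log. DS_LASUserDnAttrEval begins and ends outside these hunks.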
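Review bot: `DEFAULT_ACCESS_USERATTR_STRICT` is defined in the @@ -273 hunk but nothing else in this patch references it: the config table entry for CONFIG_ACCESS_USERATTR_STRICT (libglobs.c @@ -954) passes `&init_access_userattr_strict` as its default and FrontendConfig_init assigns LDAP_ON directly, so the "on" default now lives in two places and the macro is dead. Either drop the `#define` or use it where the neighbouring CONFIG_SPECIAL_ANON_ACCESS_SWITCH entry uses DEFAULT_ALLOW_ANON_ACCESS, if the table accepts a string default for CONFIG_ON_OFF entries; the convention the other CONFIG_ON_OFF entries follow is outside this diff, so confirm before choosing.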
@@ -954,6 +956,12 @@ static struct config_get_and_set {
 CONFIG_SPECIAL_ANON_ACCESS_SWITCH,
 (ConfigGetFunc)config_get_anon_access_switch, DEFAULT_ALLOW_ANON_ACCESS},
+ {CONFIG_ACCESS_USERATTR_STRICT, config_set_access_userattr_strict,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.access_userattr_strict,
+ CONFIG_ON_OFF,
+ (ConfigGetFunc)config_get_access_userattr_strict,
+ &init_access_userattr_strict},
 {CONFIG_LOCALSSF_ATTRIBUTE, config_set_localssf,
 NULL, 0,
 (void**)&global_slapdFrontendConfig.localssf,
@@ -1519,6 +1527,7 @@ FrontendConfig_init () {
 init_plugin_logging = cfg->plugin_logging = LDAP_OFF;
 init_listen_backlog_size = cfg->listen_backlog_size = DAEMON_LISTEN_SIZE;
 init_ignore_time_skew = cfg->ignore_time_skew = LDAP_OFF;
+ init_access_userattr_strict = cfg->access_userattr_strict = LDAP_ON;
 #ifdef MEMPOOL_EXPERIMENTAL
 init_mempool_switch = cfg->mempool_switch = LDAP_ON;
 cfg->mempool_maxfreelist = 1024;
@@ -6673,6 +6682,36 @@ config_set_force_sasl_external( const char *attrname, char *value,
 }
 int
+config_set_access_userattr_strict( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ retVal = config_set_onoff(attrname,
+ value,
+ &(slapdFrontendConfig->access_userattr_strict),
+ errorbuf,
+ apply);
+
+ return retVal;
+}
+
+int
+config_get_access_userattr_strict(void)
+{
+ int retVal;
+
+
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_ONOFF_LOCK_READ(slapdFrontendConfig);
+ retVal = (int)slapdFrontendConfig->access_userattr_strict;
+ CFG_ONOFF_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+int
 config_get_entryusn_global(void)
 {
 int retVal;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 358e103..120f20d 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
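Review bot: In the @@ -6673 hunk `config_get_access_userattr_strict` leaves two blank lines between `int retVal;` and the `slapdFrontendConfig` declaration, and `config_set_access_userattr_strict` initialises `retVal` to LDAP_SUCCESS only to overwrite it with the very next statement — `return config_set_onoff(attrname, value, &(slapdFrontendConfig->access_userattr_strict), errorbuf, apply);` says the same thing without the dead store. Neither function says what the switch guards; suggested header comment above the setter: `/* nsslapd-access-userattr-strict: when "on" (the default) a userattr/userdnattr ACI never grants ADD at level 0 (see DS_LASUserDnAttrEval in acllas.c); "off" relaxes that check server-wide. */`. Taking CFG_ONOFF_LOCK_READ in the getter is fine here because acllas.c reads the value once per evaluation rather than once per level.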
@@ -401,6 +401,7 @@ int config_set_return_orig_type_switch(const char *attrname, char *value, char *
 int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_listen_backlog_size(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_ignore_time_skew(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_access_userattr_strict( const char *attrname, char *value, char *errorbuf, int apply );
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -577,6 +578,7 @@ int config_get_plugin_logging();
 int config_set_connection_nocanon(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_plugin_logging(const char *attrname, char *value, char *errorbuf, int apply);
 int config_get_listen_backlog_size(void);
+int config_get_access_userattr_strict(void);
 PLHashNumber hashNocaseString(const void *key);
 PRIntn hashNocaseCompare(const void *v1, const void *v2);
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 710da22..c5b5242 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2012,6 +2012,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
 #define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
 #define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
+#define CONFIG_ACCESS_USERATTR_STRICT "nsslapd-access-userattr-strict"
 #define CONFIG_LOCALSSF_ATTRIBUTE "nsslapd-localssf"
 #define CONFIG_MINSSF_ATTRIBUTE "nsslapd-minssf"
 #define CONFIG_MINSSF_EXCLUDE_ROOTDSE "nsslapd-minssf-exclude-rootdse"
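Review bot: The new prototype in the @@ -401 hunk writes `config_set_access_userattr_strict( const char *attrname, ... int apply )` with spaces inside the parentheses, while the three declarations immediately above it do not. The definition in libglobs.c uses the same padded form, so the new code is at least self-consistent, but in this header the adjacent lines are the better guide: `int config_set_access_userattr_strict(const char *attrname, char *value, char *errorbuf, int apply);`.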
@@ -2392,6 +2393,7 @@ typedef struct _slapdFrontendConfig {
 slapi_onoff_t connection_nocanon; /* if "on" sets LDAP_OPT_X_SASL_NOCANON */
 slapi_onoff_t plugin_logging; /* log all internal plugin operations */
 slapi_onoff_t ignore_time_skew;
+ slapi_onoff_t access_userattr_strict;
 } slapdFrontendConfig_t;
 /* possible values for slapdFrontendConfig_t.schemareplace */
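Review bot: `access_userattr_strict` is added to slapdFrontendConfig_t without the trailing comment the neighbouring fields carry, and the name alone does not say which setting is the safe one. Suggest `slapi_onoff_t access_userattr_strict; /* "on" (default): userattr/userdnattr ACIs never grant ADD at level 0 */`. The typedef closes inside this hunk but the struct's opening and most of its members are outside it.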