The deref plugin tries to check permissions before doing a search on the deref entries. It creates a dummy entry based on the DN of the deref attribute values and does slapi_access_allowed(). But this entry does not have all the attributes of the real entry, so if there are ACIs using targetfilters or bind rules depending on the entry, e.g. USERATTR#, it fails.
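The failure described above, as an added illustration that is not taken from the ticket, the patch or the 389-ds code base: a simplified model in which an allow rule with a single equality targetfilter is evaluated against a DN-only stub and against the full entry. The struct layout, the `access_allowed` helper, the sample DN and the filter are all assumptions made for the example; no SLAPI calls are used.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT the 389-ds SLAPI: an entry is a DN plus attribute/value pairs. */
struct attr  { const char *type, *value; };
struct entry { const char *dn; const struct attr *attrs; size_t nattrs; };

/* Hypothetical allow-ACI whose targetfilter is one equality test, e.g. (objectclass=person). */
struct aci { const char *filter_type, *filter_value; };

/* The ACI applies only when the entry under evaluation matches the targetfilter. */
static int targetfilter_matches(const struct entry *e, const struct aci *a) {
    for (size_t i = 0; i < e->nattrs; i++)
        if (strcmp(e->attrs[i].type, a->filter_type) == 0 &&
            strcmp(e->attrs[i].value, a->filter_value) == 0)
            return 1;
    return 0;
}

/* Default deny: read access is granted only if the allow-ACI applies to this entry. */
int access_allowed(const struct entry *e, const struct aci *a) {
    return targetfilter_matches(e, a);
}

/* Constructed sample data. */
static const struct attr real_attrs[] = {
    { "objectclass", "person" }, { "uid", "alice" },
};
const struct entry real_entry =
    { "uid=alice,ou=people,dc=example,dc=com", real_attrs, 2 };
/* A DN-only stub: same DN, but no attributes for the filter to match against. */
const struct entry dummy_entry =
    { "uid=alice,ou=people,dc=example,dc=com", NULL, 0 };
const struct aci person_aci = { "objectclass", "person" };

int main(void) {
    /* Same DN, same ACI, different verdicts: only the real entry satisfies the filter. */
    printf("dummy entry: %d\n", access_allowed(&dummy_entry, &person_aci));
    printf("real entry:  %d\n", access_allowed(&real_entry, &person_aci));
    return 0;
}
```

The access decision for the same DN changes depending on whether the evaluated entry carries its real attributes, which is why a check made on the stub cannot stand in for one made on the entry itself.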
This issue affects older versions. Bug 1112702 - Broken dereference control with the FreeIPA 4.0 ACIs. Thus, set target version to 1.2.11.
attachment 0001-Ticket-47821-deref-plugin-cannot-handle-complex-acis.patch
$ git merge ticket47821
Updating fba1db1..e4b4419
Fast-forward
 ldap/servers/plugins/deref/deref.c | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------------------------------------
 1 file changed, 58 insertions(+), 55 deletions(-)
$ git push origin master
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.29 KiB, done.
Total 7 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
 fba1db1..e4b4419 master -> master

$ git push origin 389-ds-base-1.2.11
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.32 KiB, done.
Total 7 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
 4bccd2b..ed48761 389-ds-base-1.2.11 -> 389-ds-base-1.2.11

$ git cherry-pick e4b4419
[389-ds-base-1.3.2 7d19149] Ticket 47821 - deref plugin cannot handle complex acis
 1 file changed, 58 insertions(+), 55 deletions(-)
$ git push origin 389-ds-base-1.3.2
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.29 KiB, done.
Total 7 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
 111e11a..7d19149 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
Ludwig, is it okay to close this ticket?
Metadata Update from @lkrispen: - Issue assigned to lkrispen - Issue set to the milestone: 1.2.11.30
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1152
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)