#47953 Should not check aci syntax when deleting an aci
Closed: Fixed None Opened 4 years ago by mreynolds.

Attempting to delete a specific aci will have the aci value's syntax checked. So it makes it impossible to delete an aci if its syntax is invalid. We should not check the syntax of an aci if we are deleting it.


To ssh://git.fedorahosted.org/git/389/ds.git
47868d3..6b4ade8 master -> master

commit 6b4ade8
Author: Mark Reynolds mreynolds@redhat.com
Date: Wed Nov 12 11:07:52 2014 -0500

cb4f0cb..6a435f1 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 6a435f1

9678956..eb6a235 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit eb6a235

b721da8..234f118 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit 234f118efe7867cbbe36ca5c8b13ea7195114a38

75a6c74..67a084d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 67a084d

Hi,

I am re-opening this bug because there is a condition where it could fail.

In fact, the fix consists of checking the syntax by adding/removing the aci under "cn=ACL Plugin,cn=plugins,cn=config". In most cases, this works fine.

But if the aci has a "target" clause, even if the syntax is right, the check could fail since when we add an aci we check that target has to be in the scope of the aci.

For instance, if I add aci under "o=redhat" it will work fine:

aci: (targetattr = "dn")(target = "ldap:///o=redhat") (version 3.0; acl "Escrita do atributo destinationIndicator para o Expresso"; allow (read,compare,search,write) (userdn = "ldap:///o=redhat??sub?(&(cn=admin)(ou:dn:=expressolivre))");)

But if I add it under "cn=ACL Plugin,cn=plugins,cn=config" it will fail with this error:

[21/Apr/2015:14:32:50 +0200] NSACLPlugin - ACL Invalid Target Error(-8): Target is beyond the scope of the ACL(SCOPE:cn=ACL Plugin,cn=plugins,cn=config) (targetattr = \22dn\22)(target=\22ldap:///o=redhat\22) (version 3.0; acl \22Escrita do atributo destinationIndicator para o Expresso\22; allow (read,compare,search,write) (userdn = \22ldap:///o=redhat??sub?(&(cn=admin)(ou:dn:=expressolivre))\22);)

regards,

German.

A possible fix would be:

if the dn of entry is ACL_PLUGIN_CONFIG_ENTRY_DN and rv == ACL_INVALID_TARGET

where rv = acl_verify_syntax(e_sdn, mod->mod_bvalues[i], errbuf)

then consider syntax as valid. Since ACL_INVALID_TARGET is checking only that the target clause is a suffix of the dn and not syntax itself:

    if (!slapi_dn_issuffix(avaValue->bv_val, dn))
        return ACL_INVALID_TARGET;
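
The tolerance proposed above, as a stand-alone C model (an added example, not part of the ticket or the 389-ds source). dn_issuffix() is a hypothetical, simplified stand-in for slapi_dn_issuffix(); the function names, SYNTAX_OK and OTHER_ERR are assumptions, and the -8 value is taken from the error log line quoted earlier.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define SYNTAX_OK 0                 /* assumed success value */
#define ACL_INVALID_TARGET (-8)     /* value shown in the ticket's error log line */
#define OTHER_ERR (-1)              /* constructed stand-in for any other failure */
#define ACL_PLUGIN_CONFIG_ENTRY_DN "cn=ACL Plugin,cn=plugins,cn=config"

/* Hypothetical stand-in for slapi_dn_issuffix(): true when `suffix` is `dn`
 * itself or an ancestor of it. Assumes both DNs are already normalized. */
static int dn_issuffix(const char *dn, const char *suffix)
{
    size_t dl = strlen(dn), sl = strlen(suffix);
    if (sl > dl || strcasecmp(dn + (dl - sl), suffix) != 0)
        return 0;
    return sl == dl || dn[dl - sl - 1] == ',';   /* must break on an RDN boundary */
}

/* Models only the scope test quoted in the ticket: the target must sit at or
 * below the entry that holds the aci. It says nothing about aci syntax. */
int check_target_scope(const char *entry_dn, const char *target_dn)
{
    return dn_issuffix(target_dn, entry_dn) ? SYNTAX_OK : ACL_INVALID_TARGET;
}

/* Proposed tolerance: only when the aci is probed under the ACL plugin config
 * entry is an out-of-scope target treated as valid syntax. The scope check
 * stays enforced for every real entry, and other error codes still reject. */
int syntax_result_for_config_probe(const char *entry_dn, int rv)
{
    if (rv == ACL_INVALID_TARGET &&
        strcasecmp(entry_dn, ACL_PLUGIN_CONFIG_ENTRY_DN) == 0)
        return SYNTAX_OK;
    return rv;
}

int main(void)
{
    const char *target = "o=redhat";   /* target DN from the aci in the ticket */
    int rv = check_target_scope(ACL_PLUGIN_CONFIG_ENTRY_DN, target);
    printf("scope check under plugin config entry: %d\n", rv);
    printf("after tolerance: %d\n",
           syntax_result_for_config_probe(ACL_PLUGIN_CONFIG_ENTRY_DN, rv));
    printf("same aci held under o=redhat: %d\n", check_target_scope("o=redhat", target));
    return 0;
}
```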


This problem should be tracked in ticket https://fedorahosted.org/389/ticket/47946

The DS fix is working fine, it's the console that needed to be revised

Metadata Update from @gparente:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.2.11.33

2 years ago
