Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1448074
[+] Description of problem:
- When searching for non-existent objects, 389-ds is returning 'err=0' instead of 'err=32'

[+] Version-Release number of selected component (if applicable):
- 389-ds-base-1.2.11.15-85.el6_8.x86_64

[+] How reproducible:
- Always

[+] Steps to Reproduce:
1. Install and configure 389-ds.
2. Search for a non-existent object.

[+] Actual results:
[01/May/2017:20:59:36 +0000] conn=76754 op=2 SRCH base="uid=bp0029350,ou=buspartner,ou=test,o=ray" scope=0 filter="(objectClass=*)" attrs="1.1" authzid="uid=active46978,o=active"
[01/May/2017:20:59:36 +0000] conn=76754 op=2 RESULT err=0 tag=101 nentries=0 etime=0.096000

[+] Expected results:
- "err=0" should be "err=32"
Metadata Update from @mreynolds: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1448074
Metadata Update from @mreynolds: - Issue assigned to mreynolds
With the proper ACIs in place it appears to work correctly:
[12/May/2017:15:20:43.408000918 -0400] conn=20 op=0 BIND dn="uid=mark,dc=example,dc=com" method=128 version=3
[12/May/2017:15:20:43.408458352 -0400] conn=20 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mark,dc=example,dc=com"
[12/May/2017:15:20:43.408753024 -0400] conn=20 op=1 SRCH base="ou=not,dc=example,dc=com" scope=2 filter="(uid=*)" attrs="userPassword" authzid="uid=dave,dc=example,dc=com"
[12/May/2017:15:20:43.414888208 -0400] conn=20 op=1 RESULT err=32 tag=101 nentries=0 etime=0
If I remove the proxy auth ACI, or I change it to not apply to "uid=mark,dc=example,dc=com" then I don't see the error 32:
[12/May/2017:15:21:50.201092411 -0400] conn=21 op=0 BIND dn="uid=mark,dc=example,dc=com" method=128 version=3
[12/May/2017:15:21:50.201436303 -0400] conn=21 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mark,dc=example,dc=com"
[12/May/2017:15:21:50.201626032 -0400] conn=21 op=1 SRCH base="ou=not,dc=example,dc=com" scope=2 filter="(uid=*)" attrs="userPassword" authzid="uid=dave,dc=example,dc=com"
[12/May/2017:15:21:50.201848204 -0400] conn=21 op=1 RESULT err=0 tag=101 nentries=0 etime=0
Access control logging
[12/May/2017:15:24:22.905982049 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=22 op=1 (main): Deny proxy on entry(dc=example,dc=com).attr(NULL) to uid=mark,dc=example,dc=com: no aci matched the subject by aci(103): aciname= "dave", acidn="dc=example,dc=com"
[12/May/2017:15:24:22.907935828 -0400] - DEBUG - NSACLPlugin - print_access_control_summary - conn=22 op=1 (main): Deny read on entry(dc=example,dc=com).attr(NULL) to proxy (uid=dave,dc=example,dc=com): error occurred
Metadata Update from @mreynolds: - Custom field type adjusted to defect
Not a bug
Metadata Update from @mreynolds: - Custom field version adjusted to 1.3.6 - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)
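The excerpts in this ticket show the same proxied search ending in err=32 or err=0 depending on whether the proxy ACI applies to the bound DN. The following is an added example, not code from the ticket or from 389-ds: it pairs each SRCH that carries authzid= with its RESULT by conn/op and lists the proxied searches that returned err=0 with nentries=0, which are the ones worth checking against the ACL debug log. Function names are hypothetical; the sample lines are copied from the logs quoted above.

```python
import re

# Sample input: access-log lines copied from the excerpts quoted in this ticket.
SAMPLE_LOG = """\
[12/May/2017:15:20:43.408000918 -0400] conn=20 op=0 BIND dn="uid=mark,dc=example,dc=com" method=128 version=3
[12/May/2017:15:20:43.408458352 -0400] conn=20 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mark,dc=example,dc=com"
[12/May/2017:15:20:43.408753024 -0400] conn=20 op=1 SRCH base="ou=not,dc=example,dc=com" scope=2 filter="(uid=*)" attrs="userPassword" authzid="uid=dave,dc=example,dc=com"
[12/May/2017:15:20:43.414888208 -0400] conn=20 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[12/May/2017:15:21:50.201626032 -0400] conn=21 op=1 SRCH base="ou=not,dc=example,dc=com" scope=2 filter="(uid=*)" attrs="userPassword" authzid="uid=dave,dc=example,dc=com"
[12/May/2017:15:21:50.201848204 -0400] conn=21 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[01/May/2017:20:59:36 +0000] conn=76754 op=2 SRCH base="uid=bp0029350,ou=buspartner,ou=test,o=ray" scope=0 filter="(objectClass=*)" attrs="1.1" authzid="uid=active46978,o=active"
[01/May/2017:20:59:36 +0000] conn=76754 op=2 RESULT err=0 tag=101 nentries=0 etime=0.096000
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<verb>[A-Z]+)(?: (?P<rest>.*))?$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(rest):
    """Split key=value / key="quoted value" pairs; quoted DNs stay in one piece."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest or "")}

def proxied_searches(log_text):
    """Pair every SRCH that carries authzid= with the RESULT on the same conn/op."""
    pending, out = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an operation line (e.g. ACL debug output)
        key = (m["conn"], m["op"])
        fields = parse_fields(m["rest"])
        if m["verb"] == "SRCH" and "authzid" in fields:
            pending[key] = fields
        elif m["verb"] == "RESULT" and key in pending:
            srch = pending.pop(key)
            out.append({"conn": int(m["conn"]), "op": int(m["op"]),
                        "base": srch["base"], "authzid": srch["authzid"],
                        "err": int(fields["err"]), "nentries": int(fields["nentries"])})
    return out

def ambiguous(results):
    """Proxied searches that ended err=0 with no entries, as in the second excerpt."""
    return [r for r in results if r["err"] == 0 and r["nentries"] == 0]

if __name__ == "__main__":
    for r in ambiguous(proxied_searches(SAMPLE_LOG)):
        print(r)
```
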
389-ds-base is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in 389-ds-base's GitHub repository.
This issue has been cloned to GitHub and is available here:
- https://github.com/389ds/389-ds-base/issues/2311
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: invalid)