#5037 ipa aci plugin is not parsing aci's correctly.
Closed: Fixed. Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1222999

Description of problem:

In some cases, some ACIs with correct syntax are being parsed wrongly by the IPA
ACI plugin.

Version-Release number of selected component (if applicable):

I am testing this in RHEL6: ipa-server-3.0.0-42.el6.x86_64


Steps to Reproduce:

1. Add these custom ACIs:

aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow (read,compare,search)(userdn = "ldap:///anyone");)
aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow (read,compare,search,proxy)(userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)

2. Try changing self service permission:

ipa selfservice-mod "Self can write own password" --permission=read
ipa: ERROR: an internal error has occurred
[root@ipa ~]#

tail -f /var/log/httpd/error_log
[Tue May 19 15:50:11 2015] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
[Tue May 19 15:50:11 2015] [error]     return self.execute(*args, **options)
[Tue May 19 15:50:11 2015] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 582, in execute
[Tue May 19 15:50:11 2015] [error]     candidate = ACI(a)
[Tue May 19 15:50:11 2015] [error]   File "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 56, in __init__
[Tue May 19 15:50:11 2015] [error]     self._parse_acistr(acistr)
[Tue May 19 15:50:11 2015] [error]   File "/usr/lib/python2.6/site-packages/ipalib/aci.py", line 144, in _parse_acistr
[Tue May 19 15:50:11 2015] [error]     raise SyntaxError, "malformed ACI, permissions match failed %s" % acistr
[Tue May 19 15:50:11 2015] [error] SyntaxError: malformed ACI, permissions match failed (targetattr = "*") (version 3.0;acl "proxyagent";allow (read,compare,search,proxy)(userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)
[Tue May 19 15:50:11 2015] [error] ipa: INFO: admin@EXAMPLE.ORG: selfservice_mod(u'Self can write own password', permissions=(u'read',), all=False, raw=False, version=u'2.49'): SyntaxError


Additional info:


The workaround is to replace the ACIs with ones that do not use parentheses around the bind
rule:

ldapmodify -D "cn=directory manager" -W
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow (read,compare,search)(userdn = "ldap:///anyone");)
aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow (read,compare,search,proxy)(userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)


And re-add them with a slightly different syntax:

ldapmodify -D "cn=directory manager" -W
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "memberOf") (version 3.0;acl "memberOf3";allow (read,compare,search) userdn = "ldap:///anyone";)
aci: (targetattr = "*") (version 3.0;acl "proxyagent";allow (read,compare,search,proxy) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)


Then the selfservice-mod command will work fine.

Thanks to Petr Viktorin for suggesting the workaround.

This issue was seen on RHEL 6.6 (IPA 3.?) and also on master (IPA 4.2).
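As an added illustration of the parsing difference this ticket describes (this is example code, not ipalib's own parser), a small ACI parser that accepts the bind rule both with and without the enclosing parentheses; the sample strings are the ticket's two ACIs in both spellings, constructed inline:

```python
import re

# Constructed samples: the two ACIs from the ticket, each in the parenthesised
# bind-rule form that tripped ipalib and in the workaround form without parentheses.
SAMPLE_ACIS = {
    "memberOf3_paren": '(targetattr = "memberOf") (version 3.0;acl "memberOf3";allow '
                       '(read,compare,search)(userdn = "ldap:///anyone");)',
    "memberOf3_plain": '(targetattr = "memberOf") (version 3.0;acl "memberOf3";allow '
                       '(read,compare,search) userdn = "ldap:///anyone";)',
    "proxyagent_paren": '(targetattr = "*") (version 3.0;acl "proxyagent";allow '
                        '(read,compare,search,proxy)(userdn = '
                        '"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)',
    "proxyagent_plain": '(targetattr = "*") (version 3.0;acl "proxyagent";allow '
                        '(read,compare,search,proxy) userdn = '
                        '"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)',
}

# One or more '(keyword = "value")' target clauses precede the version block.
TARGET_RE = re.compile(r'\s*\(\s*(targetattr|target|targetfilter)\s*(!?=)\s*"([^"]*)"\s*\)')
# version / acl name / allow|deny / (permissions), then the bind rule up to the ";)" terminator.
BODY_RE = re.compile(
    r'\s*\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
    r'\(([^()]*)\)\s*(.*?)\s*;\s*\)\s*$')
# The bare bind rule: 'keyword = "value"' (parentheses are stripped before this runs).
BIND_RE = re.compile(r'^(\w+)\s*(!?=)\s*"([^"]*)"$')

def parse_aci(acistr):
    """Parse a 389-ds style ACI string into a dict; raises SyntaxError if malformed."""
    targets, pos = {}, 0
    while True:
        m = TARGET_RE.match(acistr, pos)
        if m is None:
            break
        targets[m.group(1)] = (m.group(2), m.group(3))
        pos = m.end()
    m = BODY_RE.match(acistr, pos)
    if m is None:
        raise SyntaxError("malformed ACI, permissions match failed: %s" % acistr)
    name, action, perms, bind = m.groups()
    bind = bind.strip()
    # The point of the fix: a bind rule may be wrapped in one pair of parentheses.
    if bind.startswith("(") and bind.endswith(")"):
        bind = bind[1:-1].strip()
    b = BIND_RE.match(bind)
    if b is None:
        raise SyntaxError("malformed ACI, bind rule match failed: %s" % acistr)
    return {"targets": targets, "name": name, "action": action,
            "permissions": [p.strip() for p in perms.split(",")],
            "bind": {"keyword": b.group(1), "op": b.group(2), "value": b.group(3)}}
```

Both spellings of each ACI parse to the same result, which is the behaviour the workaround relies on and the fix restores.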

master:

  • a2ba937 ACI plugin: correctly parse bind rules enclosed in parentheses

ipa-4-2:

  • d85f92c ACI plugin: correctly parse bind rules enclosed in parentheses

Metadata Update from @pvoborni:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago

