Should not check aci syntax when deleting an aci #1284

Closed
389-ds-bot opened this issue Sep 12, 2020 · 8 comments

@389-ds-bot
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47953


Attempting to delete a specific aci will have the aci value's syntax checked. So it makes it impossible to delete an aci if its syntax is invalid. We should not check the syntax of an aci if we are deleting it.

@389-ds-bot 389-ds-bot added the closed: fixed Migration flag - Issue label Sep 12, 2020
@389-ds-bot 389-ds-bot added this to the 1.2.11.33 milestone Sep 12, 2020
@389-ds-bot

Comment from nhosoi (@nhosoi) at 2014-11-13 00:17:29

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1163461

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2014-11-13 02:19:11

To ssh://git.fedorahosted.org/git/389/ds.git
47868d3..6b4ade8 master -> master

commit 6b4ade8
Author: Mark Reynolds mreynolds389@redhat.com
Date: Wed Nov 12 11:07:52 2014 -0500

cb4f0cb..6a435f1 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 6a435f1

9678956..eb6a235 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit eb6a235

b721da8..234f118 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit 234f118efe7867cbbe36ca5c8b13ea7195114a38

75a6c74..67a084d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 67a084d

@389-ds-bot

Comment from gparente (@germanparente) at 2015-04-21 18:58:03

Hi,

I am re-opening this bug because there is a condition where it could fail.

In fact, the fix consists of checking the syntax by adding/removing the aci under "cn=ACL Plugin,cn=plugins,cn=config". In most cases, this works fine.

But if the aci has a "target" clause, even if the syntax is right, the check could fail since when we add an aci we check that target has to be in the scope of the aci.

For instance, if I add aci under "o=redhat" it will work fine:

aci: (targetattr = "dn")(target = "ldap:///o=redhat") (version 3.0; acl "Escrita do atributo destinationIndicator para o Expresso"; allow (read,compare,search,write) (userdn = "ldap:///o=redhat??sub?(&(cn=admin)(ou:dn:=expressolivre))");)

But if I add it under "cn=ACL Plugin,cn=plugins,cn=config" it will fail with this error:

[21/Apr/2015:14:32:50 +0200] NSACLPlugin - ACL Invalid Target Error(-8): Target is beyond the scope of the ACL(SCOPE:cn=ACL Plugin,cn=plugins,cn=config) (targetattr = \22dn\22)(target=\22ldap:///o=redhat\22) (version 3.0; acl \22Escrita do atributo destinationIndicator para o Expresso\22; allow (read,compare,search,write) (userdn = \22ldap:///o=redhat??sub?(&(cn=admin)(ou:dn:=expressolivre))\22);)

regards,

German.

@389-ds-bot

Comment from gparente (@germanparente) at 2015-04-21 19:19:21

A possible fix would be:

if the dn of entry is ACL_PLUGIN_CONFIG_ENTRY_DN and rv == ACL_INVALID_TARGET

where rv = acl_verify_syntax(e_sdn, mod->mod_bvalues[i], errbuf)

then consider syntax as valid. Since ACL_INVALID_TARGET is checking only that the target clause is a suffix of the dn and not syntax itself:

if (!slapi_dn_issuffix( avaValue->bv_val, dn))
    return ACL_INVALID_TARGET;
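
The condition proposed in the comment above, as an added sketch that is not 389-ds-base code. `dn_issuffix`, `verify_target_scope` and `check_aci_syntax` are hypothetical stand-ins that model only the target-scope part of the check, DNs are assumed to be already normalized, and `ACL_INVALID_TARGET` is given the -8 shown in the log line:

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define ACL_OK 0
#define ACL_INVALID_TARGET (-8) /* value taken from the log line in the thread */
#define ACL_PLUGIN_CONFIG_ENTRY_DN "cn=ACL Plugin,cn=plugins,cn=config"

/* Hypothetical stand-in for slapi_dn_issuffix(dn, suffix): true when `suffix`
 * is the trailing RDN sequence of `dn`. Assumes both DNs are normalized. */
static int dn_issuffix(const char *dn, const char *suffix)
{
    size_t dl = strlen(dn), sl = strlen(suffix);
    if (sl > dl || strcasecmp(dn + dl - sl, suffix) != 0)
        return 0;
    /* The match must start on an RDN boundary, not in the middle of one. */
    return sl == dl || dn[dl - sl - 1] == ',';
}

/* Models only the scope rule: the aci's target must sit at or below the
 * entry that holds the aci. */
static int verify_target_scope(const char *entry_dn, const char *target_dn)
{
    return dn_issuffix(target_dn, entry_dn) ? ACL_OK : ACL_INVALID_TARGET;
}

/* The proposal: when the aci is test-added under the plugin config entry,
 * a scope failure says nothing about syntax, so treat it as valid. */
static int check_aci_syntax(const char *entry_dn, const char *target_dn)
{
    int rv = verify_target_scope(entry_dn, target_dn);
    if (rv == ACL_INVALID_TARGET &&
        strcasecmp(entry_dn, ACL_PLUGIN_CONFIG_ENTRY_DN) == 0)
        return ACL_OK;
    return rv;
}

int main(void)
{
    const char *target = "o=redhat"; /* target clause from the aci in the thread */
    printf("held under o=redhat:       %d\n", verify_target_scope("o=redhat", target));
    printf("held under config, raw:    %d\n",
           verify_target_scope(ACL_PLUGIN_CONFIG_ENTRY_DN, target));
    printf("held under config, exempt: %d\n",
           check_aci_syntax(ACL_PLUGIN_CONFIG_ENTRY_DN, target));
    /* Constructed DN: a real entry outside the target's tree is still rejected. */
    printf("held under o=example:      %d\n", check_aci_syntax("o=example", target));
    return 0;
}
```

The exemption is limited to the plugin config entry, so an aci stored on a real entry still has its target checked against that entry's scope.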

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2015-04-28 20:39:05

This problem should be tracked in ticket https://fedorahosted.org/389/ticket/47946

The DS fix is working fine, it's the console that needed to be revised

@389-ds-bot

Comment from gparente (@germanparente) at 2017-02-11 23:09:03

Metadata Update from @germanparente:

  • Issue assigned to mreynolds389
  • Issue set to the milestone: 1.2.11.33
