Should not check aci syntax when deleting an aci #1284
Comments
Comment from mreynolds (@mreynolds389) at 2014-11-12 21:18:10 attachment |
Comment from mreynolds (@mreynolds389) at 2014-11-12 22:09:48 lib389 testcase |
Comment from nhosoi (@nhosoi) at 2014-11-13 00:17:29 Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1163461 |
Comment from mreynolds (@mreynolds389) at 2014-11-13 02:19:11 To ssh://git.fedorahosted.org/git/389/ds.git commit 6b4ade8 cb4f0cb..6a435f1 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 9678956..eb6a235 389-ds-base-1.3.2 -> 389-ds-base-1.3.2 b721da8..234f118 389-ds-base-1.3.1 -> 389-ds-base-1.3.1 75a6c74..67a084d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 |
Comment from gparente (@germanparente) at 2015-04-21 18:58:03 Hi, I am re-opening this bug because there is a condition where it could fail. In fact, the fix consists of checking the syntax by adding/removing the aci under "cn=ACL Plugin,cn=plugins,cn=config". In most cases, this works fine. But if the aci has a "target" clause, even if the syntax is right, the check could fail, since when we add an aci we check that the target has to be in the scope of the aci.

For instance, if I add the aci under "o=redhat" it will work fine:

aci: (targetattr = "dn")(target = "ldap:///o=redhat") (version 3.0; acl "Escrita do atributo destinationIndicator para o Expresso"; allow (read,compare,search,write) (userdn = "ldap:///o=redhat??sub?(&(cn=admin)(ou:dn:=expressolivre))");)

But if I add it under "cn=ACL Plugin,cn=plugins,cn=config" it will fail with this error:

[21/Apr/2015:14:32:50 +0200] NSACLPlugin - ACL Invalid Target Error(-8): Target is beyond the scope of the ACL(SCOPE:cn=ACL Plugin,cn=plugins,cn=config) (targetattr = \22dn\22)(target=\22ldap:///o=redhat\22) (version 3.0; acl \22Escrita do atributo destinationIndicator para o Expresso\22; allow (read,compare,search,write) (userdn = \22ldap:///o=redhat??sub?(&(cn=admin)(ou:dn:=expressolivre))\22);)

Regards, German. |
Comment from gparente (@germanparente) at 2015-04-21 19:19:21 A possible fix would be: if the dn of the entry is ACL_PLUGIN_CONFIG_ENTRY_DN and rv == ACL_INVALID_TARGET, where rv = acl_verify_syntax(e_sdn, mod->mod_bvalues[i], errbuf), then consider the syntax as valid, since ACL_INVALID_TARGET is checking only that the target clause is a suffix of the dn and not the syntax itself: if (!slapi_dn_issuffix(avaValue->bv_val, dn))
|
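A self-contained model of the behaviour this issue asks for, plus the exception proposed in the comment above, added here as an example and not taken from 389-ds-base. `model_verify_syntax`, `dn_in_scope`, `check_aci_mod`, `MODEL_SYNTAX_ERR` and the `mod_op` names are hypothetical stand-ins, the sample aci is constructed, and only the -8 value and the config entry DN come from the thread.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define ACL_INVALID_TARGET (-8) /* value shown in the error log in the thread */
#define MODEL_SYNTAX_ERR   (-1) /* hypothetical code for a malformed aci */
#define ACL_PLUGIN_CONFIG_ENTRY_DN "cn=ACL Plugin,cn=plugins,cn=config"
/* Constructed sample aci, shaped like the one quoted in the thread. */
#define SAMPLE_ACI "(targetattr = \"dn\")(target = \"ldap:///o=redhat\")" \
    "(version 3.0; acl \"sample\"; allow (read) (userdn = \"ldap:///anyone\");)"
enum mod_op { MOD_ADD, MOD_DELETE }; /* hypothetical names */

/* 1 if the target DN is at or below scope_dn (simplified: no DN normalization). */
static int dn_in_scope(const char *target, size_t tlen, const char *scope_dn) {
    size_t slen = strlen(scope_dn);
    if (tlen < slen) return 0;
    if (strncasecmp(target + tlen - slen, scope_dn, slen) != 0) return 0;
    return tlen == slen || target[tlen - slen - 1] == ',';
}

/* Stand-in for acl_verify_syntax(): balanced parentheses, then target scope. */
static int model_verify_syntax(const char *scope_dn, const char *aci) {
    int depth = 0;
    for (const char *p = aci; *p; p++) {
        if (*p == '(') depth++;
        else if (*p == ')' && --depth < 0) return MODEL_SYNTAX_ERR;
    }
    if (depth != 0) return MODEL_SYNTAX_ERR;
    const char *t = aci; /* find "(target", skipping "(targetattr" */
    while ((t = strstr(t, "(target")) != NULL && t[7] != ' ' && t[7] != '=') t += 7;
    if (t == NULL) return 0; /* no target clause, so nothing to scope */
    const char *dn = strstr(t, "ldap:///");
    if (dn == NULL) return MODEL_SYNTAX_ERR;
    dn += 8; /* skip the "ldap:///" prefix */
    return dn_in_scope(dn, strcspn(dn, "\""), scope_dn) ? 0 : ACL_INVALID_TARGET;
}

/* Returns 0 when the modify may proceed, otherwise the verification error. */
static int check_aci_mod(enum mod_op op, const char *entry_dn, const char *aci) {
    if (op == MOD_DELETE) return 0; /* a value being deleted is never validated */
    int rv = model_verify_syntax(entry_dn, aci);
    if (rv == ACL_INVALID_TARGET && strcasecmp(entry_dn, ACL_PLUGIN_CONFIG_ENTRY_DN) == 0)
        return 0; /* scope-only failure under the check entry: syntax is fine */
    return rv;
}

int main(void) {
    printf("%d\n", check_aci_mod(MOD_ADD, ACL_PLUGIN_CONFIG_ENTRY_DN, SAMPLE_ACI));
    return 0;
}
```

A genuinely malformed value is still rejected on add under either entry; only the out-of-scope result is tolerated, and only for the config entry.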
Comment from mreynolds (@mreynolds389) at 2015-04-28 20:39:05 This problem should be tracked in ticket https://fedorahosted.org/389/ticket/47946 The DS fix is working fine, it's the console that needed to be revised |
Comment from gparente (@germanparente) at 2017-02-11 23:09:03 Metadata Update from @germanparente:
|
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47953
Attempting to delete a specific aci will have the aci value's syntax checked. So it makes it impossible to delete an aci if its syntax is invalid. We should not check the syntax of an aci if we are deleting it.