lib389 password policy DN handling is incorrect #5585

Closed
droideck opened this issue Jan 3, 2023 · 6 comments · Fixed by #5587
Labels
needs triage The issue will be triaged during scrum

Comments

@droideck
Member

droideck commented Jan 3, 2023

Issue Description
After a migration between major DS versions, it can happen that already existing password policies will have 'cn' that contains a valid DN in double quotes "". We need to strip the quotes before processing the DN with python-ldap.

@droideck droideck added the needs triage The issue will be triaged during scrum label Jan 3, 2023
@droideck
Member Author

droideck commented Jan 3, 2023

droideck added a commit that referenced this issue Jan 5, 2023
Description: After a migration between major DS versions, it can happen
that already existing password policies will have 'cn' that contains
a valid DN in double quotes "". We need to strip the quotes before
processing the DN with python-ldap.

Fixes: #5585

Reviewed by: @tbordaz, @mreynolds389 (Thanks!)
@droideck
Member Author

droideck commented Jan 5, 2023

08d57a3..ddc566d 389-ds-base-1.4.3 -> 389-ds-base-1.4.3
a294c1d..dcda92f 389-ds-base-1.4.4 -> 389-ds-base-1.4.4
fae2bf3..d9df6a9 389-ds-base-2.0 -> 389-ds-base-2.0
e278e74..17ac5d2 389-ds-base-2.1 -> 389-ds-base-2.1
3358fd5..51b0e50 389-ds-base-2.2 -> 389-ds-base-2.2

@tbordaz
Contributor

tbordaz commented Feb 14, 2023

@droideck, rereading the patch I have a doubt.
The following dn 'cn=nsPwPolicyEntry,ou="my policies",dc=com' could be the value of 'cn'. The patch strips all quotes and double quotes, not only the heading/ending ones. The result is

  • cn=nsPwPolicyEntry
  • ou=my policies
  • dc=com

Where it was

  • cn=nsPwPolicyEntry
  • ou="my policies"
  • dc=com

Do you think it could be a problem for password policy handling? (I think it is not, as 'cn' is just an informational attribute.)

@droideck
Member Author

> The following dn 'cn=nsPwPolicyEntry,ou="my policies",dc=com' could be the value of 'cn'. The patch strips all quotes and double quotes, not only the heading/ending ones.

Odd... Were you able to reproduce the issue?
I've tried this in python3 (3.10.9) and all works as expected:

>>> dn = '\'cn=nsPwPolicyEntry,ou="my policies",dc=com\''
>>> print(dn)
'cn=nsPwPolicyEntry,ou="my policies",dc=com'
>>> print(dn.strip("\'").strip("\""))
cn=nsPwPolicyEntry,ou="my policies",dc=com

>>> dn = '\"cn=nsPwPolicyEntry,ou="my policies",dc=com\"'
>>> print(dn)
"cn=nsPwPolicyEntry,ou="my policies",dc=com"
>>> print(dn.strip("\'").strip("\""))
cn=nsPwPolicyEntry,ou="my policies",dc=com

>>> dn = 'cn=nsPwPolicyEntry,ou="my policies",dc=com'
>>> print(dn)
cn=nsPwPolicyEntry,ou="my policies",dc=com
>>> print(dn.strip("\'").strip("\""))
cn=nsPwPolicyEntry,ou="my policies",dc=com

But maybe I'm missing something...

@tbordaz
Contributor

tbordaz commented Feb 14, 2023

@droideck, no, you did not miss anything. I was guessing something about python strip("'")... and I was wrong. Thanks for your answer and sorry for the noise.

@droideck
Member Author

> @droideck, no, you did not miss anything. I was guessing something about python strip("'")... and I was wrong. Thanks for your answer and sorry for the noise.

No worries! Thanks for checking anyway!
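
Added example, not part of the original thread and not lib389 code: the chained `strip` call from the Python session above, next to a variant that removes only one matched enclosing pair. It goes beyond the cases tried in the thread by including a value that ends in a quoted RDN; the function names and sample values are constructed for illustration.

```python
# Added example: names and sample values are constructed, not taken from lib389.

def chained_strip(value: str) -> str:
    """The expression from the session above: strip ' then " from both ends."""
    return value.strip("'").strip('"')


def strip_enclosing_quotes(value: str) -> str:
    """Remove at most one matched pair of quotes wrapping the whole value."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
        return value[1:-1]
    return value


def quotes_balanced(dn: str) -> bool:
    """Sanity check: the DN holds an even number of unescaped double quotes."""
    count, i = 0, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if dn[i] == '"':
            count += 1
        i += 1
    return count % 2 == 0


SAMPLES = [  # constructed 'cn' values
    '"cn=nsPwPolicyEntry,ou=people,dc=example,dc=com"',  # wrapped after migration
    '\'cn=nsPwPolicyEntry,ou="my policies",dc=com\'',    # case from the thread
    'cn=nsPwPolicyEntry,ou="my policies",dc=com',        # already clean
    'cn=nsPwPolicyEntry,ou="my policies"',               # ends in a quoted RDN
]


def compare(samples=SAMPLES):
    """Return (raw, chained result, paired result) for each sample."""
    return [(s, chained_strip(s), strip_enclosing_quotes(s)) for s in samples]


if __name__ == "__main__":
    for raw, chained, paired in compare():
        print(f"{raw!r}")
        print(f"  chained: {chained!r} balanced={quotes_balanced(chained)}")
        print(f"  paired : {paired!r} balanced={quotes_balanced(paired)}")
```

On the last sample the chained call also removes the closing quote of `ou="my policies"`, leaving an unbalanced value, while the paired variant leaves it untouched.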
