deref plugin cannot handle complex acis

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47821

• Created at 2014-06-20 19:50:30 by lkrispen (@elkris)
• Closed as Fixed
• Assigned to lkrispen (@elkris)
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1112702
  • https://bugzilla.redhat.com/show_bug.cgi?id=1112824

---

The deref plugin tries to check permissions before doing a search on the deref entries. It creates a dummy entry based on the dn of the deref attribute values and does slpi_access_allowed(). But this entry does not have all the attributes of the real entry, so if there are acis using targetfilters or bind rules depending on the entry eg USERATTR# it fails

[389-ds-bot]

Comment from nhosoi (@nhosoi) at 2014-06-25 00:18:58

This issue affects older versions. Bug 1112702 - Broken dereference control with the FreeIPA 4.0 ACIs Thus, set target version to 1.2.11.

[389-ds-bot]

Comment from lkrispen (@elkris) at 2014-06-27 18:47:44

attachment 0001-Ticket-47821-deref-plugin-cannot-handle-complex-acis.patch

[389-ds-bot]

Comment from lkrispen (@elkris) at 2014-06-27 21:51:25

$ git merge ticket47821 Updating fba1db1..e4b4419 Fast-forward ldap/servers/plugins/deref/deref.c | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------- 1 file changed, 58 insertions(+), 55 deletions(-) $ git push origin master Counting objects: 13, done. Delta compression using up to 4 threads. Compressing objects: 100% (7/7), done. Writing objects: 100% (7/7), 1.29 KiB, done. Total 7 (delta 4), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git fba1db1..e4b4419 master -> master

$ git push origin 389-ds-base-1.2.11 Counting objects: 13, done. Delta compression using up to 4 threads. Compressing objects: 100% (7/7), done. Writing objects: 100% (7/7), 1.32 KiB, done. Total 7 (delta 4), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 4bccd2b..ed48761 389-ds-base-1.2.11 -> 389-ds-base-1.2.11

$ git cherry-pick e4b441962abc10eafd7c4eec52274f84b13feb9c [389-ds-base-1.3.2 7d19149] Ticket 47821 - deref plugin cannot handle complex acis 1 file changed, 58 insertions(+), 55 deletions(-) $ git push origin 389-ds-base-1.3.2 Counting objects: 13, done. Delta compression using up to 4 threads. Compressing objects: 100% (7/7), done. Writing objects: 100% (7/7), 1.29 KiB, done. Total 7 (delta 4), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 111e11a..7d19149 389-ds-base-1.3.2 -> 389-ds-base-1.3.2

[389-ds-bot]

Comment from nhosoi (@nhosoi) at 2014-06-30 22:33:10

Ludwig, is it okay to close this ticket?

[389-ds-bot]

Comment from lkrispen (@elkris) at 2017-02-11 23:07:54

Metadata Update from @elkris:

• Issue assigned to elkris
• Issue set to the milestone: 1.2.11.30