Closed 389-ds-bot closed 4 years ago
Comment from lkrispen (@elkris) at 2015-12-04 20:46:55
I think this is a misunderstanding, ds does support this control:
ldapsearch -LLL -x -h localhost -p 389 -b "" -s base | grep 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.18
but it improperly handles it for operations where the original bin dn is directory manager. So, this is a bug in handling the control and should be fixed. This is handled in ticket 48366.
is it ok to close this one ?
Comment from pspacek at 2015-12-04 21:12:40
I think that this is a separate issue. DS does not return an error if the user is not authorized to use the control but the control is marked as critical. In that case I would expect LDAP_UNAVAILABLE_CRITICAL_EXTENSION error but currently DS just continues.
This applies to non-DM cases, too.
Comment from lkrispen (@elkris) at 2015-12-04 21:45:01
yes and no.
you are right that there is no entry in cn=features,cn=config defining access to the control and adding such an entry has no effect. But on the other hand, aci code does a fine grained handling who is allowed to use the proxy contols on which attributes or entries. This is done by defining acis with "proxy" rights. So in the same search some netries could be returned, some not - it is not an all or nothing mechanism.
Comment from lkrispen (@elkris) at 2015-12-04 22:22:50
From RFC4511:
If the server does not recognize the control type, determines that
it is not appropriate for the operation, or is otherwise unwilling
to perform the operation with the control, and if the criticality
field is TRUE, the server MUST NOT perform the operation, and for
operations that have a response message, it MUST return with the
resultCode set to unavailableCriticalExtension.
so, we do recognize the control, it is seen appropriate for the operation, the condition to send the unavailableCriticalExtension response would be:
is otherwise unwilling to perform the operation with the control
But we do perform the operation, only the result is determined by the aci - so I don't see that we MUST return the unavailable response
Comment from pspacek at 2015-12-08 14:10:03
Okay, I can see your point. In that case it would be good to somehow log information that proxy control was not used for particular operation because current log seems misleading to me.
Comment from firstyear (@Firstyear) at 2016-01-13 10:46:44
Looking at the implementation [0]
The criticality MUST be present and MUST be TRUE. This requirement
protects clients from submitting a request that is executed with an
unintended authorization identity.
Clients MUST include the criticality flag and MUST set it to TRUE.
Servers MUST reject any request containing a Proxy Authorization
Control without a criticality flag or with the flag set to FALSE with
a protocolError error. These requirements protect clients from
submitting a request that is executed with an unintended
authorization identity.
and
If the requested authorization identity is recognized by the server,
and the client is authorized to adopt the requested authorization
identity, the request will be executed as if submitted by the proxy
authorization identity; otherwise, the result code 123 is returned.
So I think the real issue here is that the result code is being set to LDAP_SUCCESS rather than 123 as per the RFC when the access is denied. This is defined as LDAP_X_PROXY_AUTHZ_FAILURE in openldap/ldap.h, and does not appear to be used in the 389-ds code.
Comment from pspacek at 2016-01-13 15:28:35
Ah, good, I missed that one in the RFC. Feel free to rename this ticket :-)
Comment from firstyear (@Firstyear) at 2016-02-08 10:55:09
To keep you updated, we have been discussing this issue, and will come back with a plan of action soon. Hope that helps.
Comment from firstyear (@Firstyear) at 2016-02-15 04:19:20
We have decided that given the current structure of the proxy aci rules, and their interactions with the code that we cannot easily make ds compliant with the RFC given the current structure.
We will develop a new aci type (authz) that is able to be RFC conformant within the DS code base. There are a number of reasons for this.
First, proxy rules don't control who you can proxy to: They allow you to proxy to anyone, but only if the target of the operation is to a specific target. These rules are not very secure or good.
Second, because of this design, the aci code cannot evaluate the proxy aci in isolation from the search operation. As a result, the search needs to already by complete by the time we need to return the error. We also may only have a partial search denial with the proxy rule structure, so it would not be "easy" to determine the correct result to send.
Given this, we have decided it's better to create a new right type that:
This change has a huge number of benefits to ds, and would allow us to use authz rules as an rfc compliant proxy mechanism.
Comment from firstyear (@Firstyear) at 2016-05-20 06:40:34
48847
We can't fix this (discovered issue) easily, and this ticket has taken a tangent from the original issue.
This new ticket will track the addition of the new right type.
Comment from firstyear (@Firstyear) at 2017-02-11 23:06:35
Metadata Update from @Firstyear:
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/48367
$ ldapsearch -w testtest -D 'uid=test,cn=users,cn=accounts,dc=dom-058-103,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' -e !authzid=dn:uid=admin,cn=users,cn=accounts,dc=dom-058-103,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com -b uid=admin,cn=users,cn=accounts,dc=dom-058-103,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com userPassword
does not fail with LDAP_UNAVAILABLE_CRITICAL_EXTENSION even though OID
2.16.840.1.113730.3.4.18
is not listed incn=features,cn=config
at all.Access log looks like if authzid was used: