[389-commits] Branch '389-ds-base-1.3.2' - ldap/ldif ldap/servers

Mark Reynolds mreynolds at fedoraproject.org
Fri Jan 3 20:29:48 UTC 2014


 ldap/ldif/template-dse.ldif.in    |    1 
 ldap/servers/plugins/acl/acllas.c |   11 ++++++----
 ldap/servers/slapd/libglobs.c     |   39 ++++++++++++++++++++++++++++++++++++++
 ldap/servers/slapd/proto-slap.h   |    2 +
 ldap/servers/slapd/slap.h         |    2 +
 5 files changed, 51 insertions(+), 4 deletions(-)

New commits:
commit 258bcb5890478c0afe3cf026ff67393cef1c430b
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Fri Jan 3 14:25:15 2014 -0500

    Ticket 47653 - Need a way to allow users to create entries assigned to themselves
    
    Bug Description:  There are cases where users need to be able to create, edit and delete
                      their own entries.  Using an ACI with the "userattr" keyword does not
                      work with ADD operations (to prevent a security hole).  This prevents IPA's
                      OTP plugin from performing some necessary operations.
    
    Fix Description:  Added a new config attribute "nsslapd-access-userattr-strict".  The default
                      is "on" or strict.  For the IPA case, it would need to be set to "off" in
                      order to allow the desired behavior.
    
    https://fedorahosted.org/389/ticket/47653
    
    Reviewed by: nhosoi(Thanks!)
    (cherry picked from commit a9cd4e78f1fd1af5de06aca46c8c10ed70bbe4e1)

diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 9a52bc5..729f2e0 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -33,6 +33,7 @@ nsslapd-validate-cert: warn
 nsslapd-allow-unauthenticated-binds: off
 nsslapd-require-secure-binds: off
 nsslapd-allow-anonymous-access: on
+nsslapd-access-userattr-strict: on
 nsslapd-localssf: 71
 nsslapd-minssf: 0
 nsslapd-port: %ds_port%
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 3646fcd..63169f2 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1170,6 +1170,7 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 	char			*attrs[2] = { LDAP_ALL_USER_ATTRS, NULL };
 	lasInfo			lasinfo;
 	int				got_undefined = 0;
+	int				userattr_strict;
 
 	if ( 0 !=  (rc = __acllas_setup (errp, attr_name, comparator, 0, /* Don't allow range comparators */
 									attr_pattern,cachable,LAS_cookie,
@@ -1265,6 +1266,8 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 
 	slapi_log_error( SLAPI_LOG_ACL, plugin_name,"Attr:%s\n" , attrName);
 	matched = ACL_FALSE;
+	userattr_strict = config_get_access_userattr_strict();
+
 	for (i=0; i < numOflevels; i++) {
 		if ( levels[i] == 0 ) {
 			Slapi_Value *sval=NULL;
@@ -1276,10 +1279,10 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 			 * must never be allowed to grant access--
 			 * This is because access would be granted based on a value
 		 	 * of an attribute in the new entry--security hole.
-			 * 
-			*/
-
-			if ( lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
+		 	 *
+		 	 * There are valid cases where we want to allow this, or be less strict.
+			 */
+			if ( userattr_strict && lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
 				slapi_log_error( SLAPI_LOG_ACL, plugin_name,
 					"ACL info: userdnAttr does not allow ADD permission at level 0.\n");
 				got_undefined = 1;
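Review bot: The new comment at line 77 says "there are valid cases where we want to allow this" but does not name the switch or restate what is being allowed, so the block now contradicts the "must never be allowed to grant access" sentence just above it; I would replace that line with `* unless nsslapd-access-userattr-strict is "off": the attribute value is then taken from the entry being added, i.e. supplied by the requester.` so the next reader understands the trade-off being made. The bypass itself is also silent: when strict is off and the operation is an ADD, evaluation just falls through, and nothing in the ACL log records that the level-0 guard was skipped, which makes later forensics of a self-created entry harder. A one-line trace before the guarded `if`, e.g. `if (!userattr_strict && lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) slapi_log_error(SLAPI_LOG_ACL, plugin_name, "ACL info: userdnAttr level 0 ADD check disabled by nsslapd-access-userattr-strict.\n");`, would mirror the existing denial message. The enclosing `if` block and DS_LASUserDnAttrEval itself continue past the hunk; `userattr_strict` is declared in the first hunk and assigned from `config_get_access_userattr_strict()` in the second before this loop.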
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 283e9a3..955b1d3 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -264,6 +264,7 @@ slapi_onoff_t init_plugin_logging;
 slapi_int_t init_connection_buffer;
 slapi_int_t init_listen_backlog_size;
 slapi_onoff_t init_ignore_time_skew;
+slapi_onoff_t init_access_userattr_strict;
 #ifdef MEMPOOL_EXPERIMENTAL
 slapi_onoff_t init_mempool_switch;
 #endif
@@ -272,6 +273,7 @@ slapi_onoff_t init_mempool_switch;
 #define DEFAULT_ALLOW_ANON_ACCESS "on"
 #define DEFAULT_VALIDATE_CERT "warn"
 #define DEFAULT_UNHASHED_PW_SWITCH "on"
+#define DEFAULT_ACCESS_USERATTR_STRICT "on"
 
 static int
 isInt(ConfigVarType type)
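Review bot: `DEFAULT_ACCESS_USERATTR_STRICT` is defined here but, as far as the visible hunks show, never referenced: the config table entry for CONFIG_ACCESS_USERATTR_STRICT later in this file passes `&init_access_userattr_strict` as its default, whereas the neighbouring anon-access entry passes `DEFAULT_ALLOW_ANON_ACCESS`. If the macro is not used elsewhere it should be dropped rather than left as a second, unused statement of the default alongside the `LDAP_ON` assignment in FrontendConfig_init. If it is meant to be the default, the table entry should use it so there is a single source of truth for the "on" default.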
@@ -953,6 +955,12 @@ static struct config_get_and_set {
 		CONFIG_SPECIAL_ANON_ACCESS_SWITCH,
 		(ConfigGetFunc)config_get_anon_access_switch,
 		DEFAULT_ALLOW_ANON_ACCESS},
+	{CONFIG_ACCESS_USERATTR_STRICT, config_set_access_userattr_strict,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.access_userattr_strict,
+		CONFIG_ON_OFF,
+		(ConfigGetFunc)config_get_access_userattr_strict,
+		&init_access_userattr_strict},
 	{CONFIG_LOCALSSF_ATTRIBUTE, config_set_localssf,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.localssf,
@@ -1518,6 +1526,7 @@ FrontendConfig_init () {
   init_plugin_logging = cfg->plugin_logging = LDAP_OFF;
   init_listen_backlog_size = cfg->listen_backlog_size = DAEMON_LISTEN_SIZE;
   init_ignore_time_skew = cfg->ignore_time_skew = LDAP_OFF;
+  init_access_userattr_strict = cfg->access_userattr_strict = LDAP_ON;
 #ifdef MEMPOOL_EXPERIMENTAL
   init_mempool_switch = cfg->mempool_switch = LDAP_ON;
   cfg->mempool_maxfreelist = 1024;
@@ -6672,6 +6681,36 @@ config_set_force_sasl_external( const char *attrname, char *value,
 }
 
 int
+config_set_access_userattr_strict( const char *attrname, char *value,
+		char *errorbuf, int apply )
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->access_userattr_strict),
+		errorbuf,
+		apply);
+
+	return retVal;
+}
+
+int
+config_get_access_userattr_strict(void)
+{
+	int retVal;
+
+
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+	CFG_ONOFF_LOCK_READ(slapdFrontendConfig);
+	retVal = (int)slapdFrontendConfig->access_userattr_strict;
+	CFG_ONOFF_UNLOCK_READ(slapdFrontendConfig);
+
+	return retVal;
+}
+
+int
 config_get_entryusn_global(void)
 {
     int retVal;
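Review bot: In `config_set_access_userattr_strict` the `retVal = LDAP_SUCCESS;` initialiser is a dead store, since the value is unconditionally overwritten by the `config_set_onoff(...)` call; the body can be `return config_set_onoff(attrname, value, &(slapdFrontendConfig->access_userattr_strict), errorbuf, apply);` after obtaining `slapdFrontendConfig`. The two consecutive blank lines at the top of `config_get_access_userattr_strict` are also out of step with the surrounding functions. Both new externally visible functions lack a header comment; given this setting relaxes an ACL guard, I would add above the getter `/* Returns the nsslapd-access-userattr-strict switch; when off, userattr ACIs may grant ADD at level 0 (ticket 47653). */` and a matching one-liner on the setter noting that locking is delegated to config_set_onoff, assuming that helper takes the on/off lock as its other callers here appear to rely on.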
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index af7b553..c6b1b8d 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -399,6 +399,7 @@ int config_set_return_orig_type_switch(const char *attrname, char *value, char *
 int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_listen_backlog_size(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_ignore_time_skew(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_access_userattr_strict( const char *attrname, char *value, char *errorbuf, int apply );
 
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -575,6 +576,7 @@ int config_get_plugin_logging();
 int config_set_connection_nocanon(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_plugin_logging(const char *attrname, char *value, char *errorbuf, int apply);
 int config_get_listen_backlog_size(void);
+int config_get_access_userattr_strict(void);
 
 PLHashNumber hashNocaseString(const void *key);
 PRIntn hashNocaseCompare(const void *v1, const void *v2);
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 5b23c69..2763408 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2009,6 +2009,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
 #define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
 #define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
+#define CONFIG_ACCESS_USERATTR_STRICT "nsslapd-access-userattr-strict"
 #define CONFIG_LOCALSSF_ATTRIBUTE "nsslapd-localssf"
 #define CONFIG_MINSSF_ATTRIBUTE "nsslapd-minssf"
 #define CONFIG_MINSSF_EXCLUDE_ROOTDSE "nsslapd-minssf-exclude-rootdse"
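Review bot: The new macro `CONFIG_ACCESS_USERATTR_STRICT` breaks the naming pattern of every neighbouring attribute-name constant in this hunk, which carry an `_ATTRIBUTE` suffix (`CONFIG_ANON_ACCESS_ATTRIBUTE`, `CONFIG_LOCALSSF_ATTRIBUTE`, `CONFIG_MINSSF_ATTRIBUTE`); `CONFIG_ACCESS_USERATTR_STRICT_ATTRIBUTE` would keep the file greppable by convention. This is a style point only; the string value is correct and matches the template-dse.ldif.in and libglobs.c hunks. The same naming applies to the struct field hunk later in this file, where the new `access_userattr_strict` member is also the only recent field without the trailing comment its siblings have — `/* "off" lets userattr ACIs grant ADD at level 0; see acllas.c */` would document why it exists.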
@@ -2389,6 +2390,7 @@ typedef struct _slapdFrontendConfig {
   slapi_onoff_t connection_nocanon; /* if "on" sets LDAP_OPT_X_SASL_NOCANON */
   slapi_onoff_t plugin_logging; /* log all internal plugin operations */
   slapi_onoff_t ignore_time_skew;
+  slapi_onoff_t access_userattr_strict;
 } slapdFrontendConfig_t;
 
 /* possible values for slapdFrontendConfig_t.schemareplace */



