[389-commits] ldap/ldif ldap/servers

Noriko Hosoi nhosoi at fedoraproject.org
Fri Jan 10 20:32:44 UTC 2014


 ldap/ldif/template-dse.ldif.in    |    1 
 ldap/servers/plugins/acl/acllas.c |   11 +++-------
 ldap/servers/slapd/libglobs.c     |   39 --------------------------------------
 ldap/servers/slapd/proto-slap.h   |    2 -
 ldap/servers/slapd/slap.h         |    2 -
 5 files changed, 4 insertions(+), 51 deletions(-)

New commits:
commit c25c08f52b2877333b65c1a0d8c94b51797748ba
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Fri Jan 10 12:29:54 2014 -0800

    Revert "Ticket 47653 - Need a way to allow users to create entries assigned to themselves"
    
    This reverts commit a9cd4e78f1fd1af5de06aca46c8c10ed70bbe4e1.
    
    Description: It turned out that this patch does not satisfy IPA's needs
    and may introduce a security issue.

diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index bca7076..af176e9 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -33,7 +33,6 @@ nsslapd-validate-cert: warn
 nsslapd-allow-unauthenticated-binds: off
 nsslapd-require-secure-binds: off
 nsslapd-allow-anonymous-access: on
-nsslapd-access-userattr-strict: on
 nsslapd-localssf: 71
 nsslapd-minssf: 0
 nsslapd-port: %ds_port%
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 63169f2..3646fcd 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1170,7 +1170,6 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 	char			*attrs[2] = { LDAP_ALL_USER_ATTRS, NULL };
 	lasInfo			lasinfo;
 	int				got_undefined = 0;
-	int				userattr_strict;
 
 	if ( 0 !=  (rc = __acllas_setup (errp, attr_name, comparator, 0, /* Don't allow range comparators */
 									attr_pattern,cachable,LAS_cookie,
@@ -1266,8 +1265,6 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 
 	slapi_log_error( SLAPI_LOG_ACL, plugin_name,"Attr:%s\n" , attrName);
 	matched = ACL_FALSE;
-	userattr_strict = config_get_access_userattr_strict();
-
 	for (i=0; i < numOflevels; i++) {
 		if ( levels[i] == 0 ) {
 			Slapi_Value *sval=NULL;
@@ -1279,10 +1276,10 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 			 * must never be allowed to grant access--
 			 * This is because access would be granted based on a value
 		 	 * of an attribute in the new entry--security hole.
-		 	 *
-		 	 * There are valid cases where we want to allow this, or be less strict.
-			 */
-			if ( userattr_strict && lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
+			 * 
+			*/
+
+			if ( lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
 				slapi_log_error( SLAPI_LOG_ACL, plugin_name,
 					"ACL info: userdnAttr does not allow ADD permission at level 0.\n");
 				got_undefined = 1;
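Review bot: The restored comment block in this hunk ends with a trailing-space line `			 * ` and a closing `			*/` that is one space short of the surrounding `			 *` lines, so the block no longer lines up; those two lines should read `			 *` and `			 */`. Now that the ADD check is unconditional, the empty `*` line could carry the rationale that the removed sentence used to occupy, e.g. `* For ADD the rule therefore evaluates as undefined (got_undefined) rather than as a match.`, which is what the branch below does. The blank line inserted between `*/` and the `if` is presumably unintentional and could be dropped. DS_LASUserDnAttrEval begins and continues outside the hunk.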
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 603c7ce..5f65a17 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -265,7 +265,6 @@ slapi_onoff_t init_plugin_logging;
 slapi_int_t init_connection_buffer;
 slapi_int_t init_listen_backlog_size;
 slapi_onoff_t init_ignore_time_skew;
-slapi_onoff_t init_access_userattr_strict;
 #ifdef MEMPOOL_EXPERIMENTAL
 slapi_onoff_t init_mempool_switch;
 #endif
@@ -274,7 +273,6 @@ slapi_onoff_t init_mempool_switch;
 #define DEFAULT_ALLOW_ANON_ACCESS "on"
 #define DEFAULT_VALIDATE_CERT "warn"
 #define DEFAULT_UNHASHED_PW_SWITCH "on"
-#define DEFAULT_ACCESS_USERATTR_STRICT "on"
 
 static int
 isInt(ConfigVarType type)
@@ -956,12 +954,6 @@ static struct config_get_and_set {
 		CONFIG_SPECIAL_ANON_ACCESS_SWITCH,
 		(ConfigGetFunc)config_get_anon_access_switch,
 		DEFAULT_ALLOW_ANON_ACCESS},
-	{CONFIG_ACCESS_USERATTR_STRICT, config_set_access_userattr_strict,
-		NULL, 0,
-		(void**)&global_slapdFrontendConfig.access_userattr_strict,
-		CONFIG_ON_OFF,
-		(ConfigGetFunc)config_get_access_userattr_strict,
-		&init_access_userattr_strict},
 	{CONFIG_LOCALSSF_ATTRIBUTE, config_set_localssf,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.localssf,
@@ -1527,7 +1519,6 @@ FrontendConfig_init () {
   init_plugin_logging = cfg->plugin_logging = LDAP_OFF;
   init_listen_backlog_size = cfg->listen_backlog_size = DAEMON_LISTEN_SIZE;
   init_ignore_time_skew = cfg->ignore_time_skew = LDAP_OFF;
-  init_access_userattr_strict = cfg->access_userattr_strict = LDAP_ON;
 #ifdef MEMPOOL_EXPERIMENTAL
   init_mempool_switch = cfg->mempool_switch = LDAP_ON;
   cfg->mempool_maxfreelist = 1024;
@@ -6682,36 +6673,6 @@ config_set_force_sasl_external( const char *attrname, char *value,
 }
 
 int
-config_set_access_userattr_strict( const char *attrname, char *value,
-		char *errorbuf, int apply )
-{
-	int retVal = LDAP_SUCCESS;
-	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-
-	retVal = config_set_onoff(attrname,
-		value,
-		&(slapdFrontendConfig->access_userattr_strict),
-		errorbuf,
-		apply);
-
-	return retVal;
-}
-
-int
-config_get_access_userattr_strict(void)
-{
-	int retVal;
-
-
-	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-	CFG_ONOFF_LOCK_READ(slapdFrontendConfig);
-	retVal = (int)slapdFrontendConfig->access_userattr_strict;
-	CFG_ONOFF_UNLOCK_READ(slapdFrontendConfig);
-
-	return retVal;
-}
-
-int
 config_get_entryusn_global(void)
 {
     int retVal;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 120f20d..358e103 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -401,7 +401,6 @@ int config_set_return_orig_type_switch(const char *attrname, char *value, char *
 int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_listen_backlog_size(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_ignore_time_skew(const char *attrname, char *value, char *errorbuf, int apply);
-int config_set_access_userattr_strict( const char *attrname, char *value, char *errorbuf, int apply );
 
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -578,7 +577,6 @@ int config_get_plugin_logging();
 int config_set_connection_nocanon(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_plugin_logging(const char *attrname, char *value, char *errorbuf, int apply);
 int config_get_listen_backlog_size(void);
-int config_get_access_userattr_strict(void);
 
 PLHashNumber hashNocaseString(const void *key);
 PRIntn hashNocaseCompare(const void *v1, const void *v2);
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index c5b5242..710da22 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2012,7 +2012,6 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
 #define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
 #define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
-#define CONFIG_ACCESS_USERATTR_STRICT "nsslapd-access-userattr-strict"
 #define CONFIG_LOCALSSF_ATTRIBUTE "nsslapd-localssf"
 #define CONFIG_MINSSF_ATTRIBUTE "nsslapd-minssf"
 #define CONFIG_MINSSF_EXCLUDE_ROOTDSE "nsslapd-minssf-exclude-rootdse"
@@ -2393,7 +2392,6 @@ typedef struct _slapdFrontendConfig {
   slapi_onoff_t connection_nocanon; /* if "on" sets LDAP_OPT_X_SASL_NOCANON */
   slapi_onoff_t plugin_logging; /* log all internal plugin operations */
   slapi_onoff_t ignore_time_skew;
-  slapi_onoff_t access_userattr_strict;
 } slapdFrontendConfig_t;
 
 /* possible values for slapdFrontendConfig_t.schemareplace */



