ldap/ldif/template-dse.ldif.in | 1
ldap/servers/plugins/acl/acllas.c | 11 +++-------
ldap/servers/slapd/libglobs.c | 39 --------------------------------------
ldap/servers/slapd/proto-slap.h | 2 -
ldap/servers/slapd/slap.h | 2 -
5 files changed, 4 insertions(+), 51 deletions(-)
New commits:
commit c25c08f52b2877333b65c1a0d8c94b51797748ba
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Jan 10 12:29:54 2014 -0800
Revert "Ticket 47653 - Need a way to allow users to create entries assigned to
themselves"
This reverts commit a9cd4e78f1fd1af5de06aca46c8c10ed70bbe4e1.
Description: It turned out that this patch does not satisfy IPA's needs
and could introduce a security issue.
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index bca7076..af176e9 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -33,7 +33,6 @@ nsslapd-validate-cert: warn
nsslapd-allow-unauthenticated-binds: off
nsslapd-require-secure-binds: off
nsslapd-allow-anonymous-access: on
-nsslapd-access-userattr-strict: on
nsslapd-localssf: 71
nsslapd-minssf: 0
nsslapd-port: %ds_port%
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 63169f2..3646fcd 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1170,7 +1170,6 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t
comparator,
char *attrs[2] = { LDAP_ALL_USER_ATTRS, NULL };
lasInfo lasinfo;
int got_undefined = 0;
- int userattr_strict;
if ( 0 != (rc = __acllas_setup (errp, attr_name, comparator, 0, /* Don't allow
range comparators */
attr_pattern,cachable,LAS_cookie,
@@ -1266,8 +1265,6 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t
comparator,
slapi_log_error( SLAPI_LOG_ACL, plugin_name,"Attr:%s\n" , attrName);
matched = ACL_FALSE;
- userattr_strict = config_get_access_userattr_strict();
-
for (i=0; i < numOflevels; i++) {
if ( levels[i] == 0 ) {
Slapi_Value *sval=NULL;
@@ -1279,10 +1276,10 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t
comparator,
* must never be allowed to grant access--
* This is because access would be granted based on a value
* of an attribute in the new entry--security hole.
- *
- * There are valid cases where we want to allow this, or be less strict.
- */
- if ( userattr_strict && lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD)
{
+ *
+ */
+
+ if ( lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
slapi_log_error( SLAPI_LOG_ACL, plugin_name,
"ACL info: userdnAttr does not allow ADD permission at level 0.\n");
got_undefined = 1;
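Review bot: The revert leaves the block comment above the restored check malformed: it now ends with a bare ` *` line followed by ` */` and then an empty line before the `if`, so the security rationale trails off mid-thought. Ending the comment right after the rationale keeps it readable: ` * of an attribute in the new entry--security hole.` / ` */` / `if ( lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {`. Since this unconditional deny is the whole point of the revert, I would also add one sentence to that comment recording that it is deliberately not configurable (the `nsslapd-access-userattr-strict` toggle was removed because relaxing it could be abused), so a future change does not reintroduce an opt-out. DS_LASUserDnAttrEval starts and ends outside this hunk, so how `got_undefined` is folded into the final ACL_TRUE/ACL_FALSE result is not visible here and is worth confirming still yields a deny for the ADD case.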
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 603c7ce..5f65a17 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -265,7 +265,6 @@ slapi_onoff_t init_plugin_logging;
slapi_int_t init_connection_buffer;
slapi_int_t init_listen_backlog_size;
slapi_onoff_t init_ignore_time_skew;
-slapi_onoff_t init_access_userattr_strict;
#ifdef MEMPOOL_EXPERIMENTAL
slapi_onoff_t init_mempool_switch;
#endif
@@ -274,7 +273,6 @@ slapi_onoff_t init_mempool_switch;
#define DEFAULT_ALLOW_ANON_ACCESS "on"
#define DEFAULT_VALIDATE_CERT "warn"
#define DEFAULT_UNHASHED_PW_SWITCH "on"
-#define DEFAULT_ACCESS_USERATTR_STRICT "on"
static int
isInt(ConfigVarType type)
@@ -956,12 +954,6 @@ static struct config_get_and_set {
CONFIG_SPECIAL_ANON_ACCESS_SWITCH,
(ConfigGetFunc)config_get_anon_access_switch,
DEFAULT_ALLOW_ANON_ACCESS},
- {CONFIG_ACCESS_USERATTR_STRICT, config_set_access_userattr_strict,
- NULL, 0,
- (void**)&global_slapdFrontendConfig.access_userattr_strict,
- CONFIG_ON_OFF,
- (ConfigGetFunc)config_get_access_userattr_strict,
- &init_access_userattr_strict},
{CONFIG_LOCALSSF_ATTRIBUTE, config_set_localssf,
NULL, 0,
(void**)&global_slapdFrontendConfig.localssf,
@@ -1527,7 +1519,6 @@ FrontendConfig_init () {
init_plugin_logging = cfg->plugin_logging = LDAP_OFF;
init_listen_backlog_size = cfg->listen_backlog_size = DAEMON_LISTEN_SIZE;
init_ignore_time_skew = cfg->ignore_time_skew = LDAP_OFF;
- init_access_userattr_strict = cfg->access_userattr_strict = LDAP_ON;
#ifdef MEMPOOL_EXPERIMENTAL
init_mempool_switch = cfg->mempool_switch = LDAP_ON;
cfg->mempool_maxfreelist = 1024;
@@ -6682,36 +6673,6 @@ config_set_force_sasl_external( const char *attrname, char *value,
}
int
-config_set_access_userattr_strict( const char *attrname, char *value,
- char *errorbuf, int apply )
-{
- int retVal = LDAP_SUCCESS;
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-
- retVal = config_set_onoff(attrname,
- value,
- &(slapdFrontendConfig->access_userattr_strict),
- errorbuf,
- apply);
-
- return retVal;
-}
-
-int
-config_get_access_userattr_strict(void)
-{
- int retVal;
-
-
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- CFG_ONOFF_LOCK_READ(slapdFrontendConfig);
- retVal = (int)slapdFrontendConfig->access_userattr_strict;
- CFG_ONOFF_UNLOCK_READ(slapdFrontendConfig);
-
- return retVal;
-}
-
-int
config_get_entryusn_global(void)
{
int retVal;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 120f20d..358e103 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -401,7 +401,6 @@ int config_set_return_orig_type_switch(const char *attrname, char
*value, char *
int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int
apply );
int config_set_listen_backlog_size(const char *attrname, char *value, char *errorbuf, int
apply);
int config_set_ignore_time_skew(const char *attrname, char *value, char *errorbuf, int
apply);
-int config_set_access_userattr_strict( const char *attrname, char *value, char *errorbuf,
int apply );
#if !defined(_WIN32) && !defined(AIX)
int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int
apply );
@@ -578,7 +577,6 @@ int config_get_plugin_logging();
int config_set_connection_nocanon(const char *attrname, char *value, char *errorbuf, int
apply);
int config_set_plugin_logging(const char *attrname, char *value, char *errorbuf, int
apply);
int config_get_listen_backlog_size(void);
-int config_get_access_userattr_strict(void);
PLHashNumber hashNocaseString(const void *key);
PRIntn hashNocaseCompare(const void *v1, const void *v2);
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index c5b5242..710da22 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2012,7 +2012,6 @@ typedef struct _slapdEntryPoints {
#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
#define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
#define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
-#define CONFIG_ACCESS_USERATTR_STRICT "nsslapd-access-userattr-strict"
#define CONFIG_LOCALSSF_ATTRIBUTE "nsslapd-localssf"
#define CONFIG_MINSSF_ATTRIBUTE "nsslapd-minssf"
#define CONFIG_MINSSF_EXCLUDE_ROOTDSE "nsslapd-minssf-exclude-rootdse"
@@ -2393,7 +2392,6 @@ typedef struct _slapdFrontendConfig {
slapi_onoff_t connection_nocanon; /* if "on" sets LDAP_OPT_X_SASL_NOCANON */
slapi_onoff_t plugin_logging; /* log all internal plugin operations */
slapi_onoff_t ignore_time_skew;
- slapi_onoff_t access_userattr_strict;
} slapdFrontendConfig_t;
/* possible values for slapdFrontendConfig_t.schemareplace */