Hi,

I continue with my tests of 389ds v1.3.2.24. I've encountered another bug or strange behavior (by design?). I've activated bind DN tracking (nsslapd-plugin-binddn-tracking: on). There is an account that has the right to add entries and to change some attributes (e.g. description). The corresponding ACI:

dn: ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu
aci: (targetattr = "objectClass || uniqueMember || owner || cn || description || businessCategory") (version 3.0;acl "Droits de rejouter/supprimer/modifier les groupes et leurs attributs";allow (add, delete, read,compare,search,write)(userdn="ldap:///uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu");)

Any attempt to modify an authorized attribute from the list above (for example, description) results in:

ldap_modify: Insufficient access (50)
additional info: Insufficient 'write' privilege to the 'internalModifiersName' attribute of entry 'cn=mec431-2014,ou=2014,ou=cours,ou=enseignement,ou=groupes,dc=id,dc=polytechnique,dc=edu'.

[11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256 connection from 129.104.31.54 to 129.104.69.49
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97 nentries=0 etime=0.008000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97 nentries=0 etime=0.002000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=sync-cours,ou=comptes generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH base="dc=id,dc=polytechnique,dc=edu" scope=2 filter="(cn=MEC431-2014)" attrs=ALL
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0.003000
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50 tag=103 nentries=0 etime=0.002000

Is it expected behavior, and do I need to add to all the ACIs that allow modifications the right to modify the internalModifiersName attribute? (If I add it, everything is fine and the internalModifiersName attribute becomes "cn=ldbm database,cn=plugins,cn=config".) Or is it a bug?
Thank you!
Regards,
On 11/11/2014 10:45 AM, Ivanov Andrey (M.) wrote:
Is it expected behavior, and do I need to add to all the ACIs that allow modifications the right to modify the internalModifiersName attribute?

Good question, not sure if this was intentional, but I think internalModifiersName should be written like modifiersname without specific permission.

So for now I suggest you add the ACI and open a ticket to get it investigated.

(If I add it, everything is fine and the internalModifiersName attribute becomes "cn=ldbm database,cn=plugins,cn=config".) Or is it a bug?
Thank you!
Regards,
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
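As an added example (not code from the thread or from 389 DS itself): a small Python audit that parses ACIs of the equality-targetattr form shown above, flags those that grant write on an explicit attribute list omitting internalModifiersName, and emits the rewritten ACI with that attribute appended, which is the workaround Ludwig suggests while the ticket is open. The first ACI is the one posted in the thread; the second ACI and its container DN are constructed for the example. ACIs without a targetattr clause, or with a negated (!=) one, are reported as skipped rather than guessed at.

```python
import re

# Constructed sample input for this example: the ACI posted in the thread
# (first tuple) and a second, hypothetical ACI that already lists
# internalModifiersName so the audit has a passing case as well.
SAMPLE_ACIS = [
    (
        "ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu",
        '(targetattr = "objectClass || uniqueMember || owner || cn || description || businessCategory")'
        '(version 3.0;acl "Droits de rejouter/supprimer/modifier les groupes et leurs attributs";'
        'allow (add, delete, read,compare,search,write)'
        '(userdn="ldap:///uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu");)',
    ),
    (
        "ou=Example,dc=id,dc=polytechnique,dc=edu",  # hypothetical container
        '(targetattr = "description || internalModifiersName")'
        '(version 3.0;acl "hypothetical aci";allow (write)'
        '(userdn="ldap:///uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu");)',
    ),
]

# Only the equality form of targetattr ("attr1 || attr2") seen on this page
# is handled; the operator is captured so a "!=" clause can be rejected.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
ALLOW_RE = re.compile(r'\ballow\s*\(([^)]*)\)', re.IGNORECASE)

TRACKING_ATTR = "internalModifiersName"


def parse_aci(aci):
    """Split an ACI into its targetattr set and allowed rights.

    Returns lowercase attribute names and rights; raises ValueError for
    ACIs this check does not evaluate (no targetattr clause, or a negated
    targetattr), so they are reported instead of silently guessed.
    """
    m = TARGETATTR_RE.search(aci)
    if m is None:
        raise ValueError("no targetattr clause")
    if m.group(1) == "!=":
        raise ValueError("negated targetattr not evaluated")
    attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    rights = set()
    for clause in ALLOW_RE.findall(aci):
        rights.update(r.strip().lower() for r in clause.split(",") if r.strip())
    return {"attrs": attrs, "rights": rights}


def needs_tracking_attr(aci):
    """True if the ACI grants write on an explicit attribute list that
    omits internalModifiersName: with bind DN tracking on, a MOD that
    relies on this ACI fails with err=50 as shown in the thread."""
    parsed = parse_aci(aci)
    if not ({"write", "all"} & parsed["rights"]):
        return False
    if "*" in parsed["attrs"]:
        return False  # a wildcard targetattr already covers the attribute
    return TRACKING_ATTR.lower() not in parsed["attrs"]


def add_tracking_attr(aci):
    """Return the ACI with internalModifiersName appended to targetattr,
    i.e. the stop-gap suggested in the thread."""
    m = TARGETATTR_RE.search(aci)
    if m is None or m.group(1) == "!=":
        raise ValueError("cannot rewrite this targetattr clause")
    start, end = m.span(2)
    return aci[:start] + m.group(2).strip() + " || " + TRACKING_ATTR + aci[end:]


def audit(acis):
    """Map each dn to 'ok', 'skipped: <reason>' or the rewritten ACI."""
    report = {}
    for dn, aci in acis:
        try:
            report[dn] = add_tracking_attr(aci) if needs_tracking_attr(aci) else "ok"
        except ValueError as exc:
            report[dn] = "skipped: " + str(exc)
    return report


if __name__ == "__main__":
    for dn, verdict in audit(SAMPLE_ACIS).items():
        print(dn, "->", verdict)
```

Run it over the aci values exported with ldapsearch, then apply each rewritten value with ldapmodify by deleting the old aci value and adding the new one. The rewrite grants the same bind DN write on internalModifiersName, so keep it as a stop-gap until the ticket is resolved rather than a permanent widening of every write ACI.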
Thank you Ludwig, I think the attribute behavior should be as you describe it, so I've made a ticket - https://fedorahosted.org/389/ticket/47950
----- Original message -----
From: "Ludwig Krispenz" lkrispen@redhat.com
To: 389-users@lists.fedoraproject.org
Sent: Tuesday, 11 November 2014 11:06:10
Subject: Re: [389-users] Groupe modifications and internalModifiersName