From 0fa9e46da9f56221b579a7729deebaed73364c27 Mon Sep 17 00:00:00 2001

From: Noriko Hosoi <nhosoi@redhat.com>

Date: Tue, 10 Nov 2015 15:35:41 -0800

Subject: [PATCH 74/75] Ticket #48344 - acl - regression - trailing ', (comma)'

 in macro matched value is not removed.

Description: acl_match_macro_in_target in acl plug-in returns matched value

with a trailing comma, e.g., "o=kaki.com,". It's used to create a group DN,

e.g., "cn=Domain Administrators,ou=Groups,o=kaki.como=ace industry,c=us".

Due to the duplicated commas, the bind unexpectedly fails with 50 (insufficient

access).

In getting the matched value from target DN, it checks if a character at the

end position is a comma or not.  If it is, '\0' is set there.  The position

was one byte ahead.  It was introduced by #48141 - aci with wildcard and macro

not correctly evaluated.

https://fedorahosted.org/389/ticket/48344

Reviewed by mreynolds@redhat.com (Thank you, Mark!!)

(cherry picked from commit 8e421fb9af2752144cc93e62090fd873524c5633)

(cherry picked from commit 1a6390d6ffa743f38be206f7ed7bb0ac3bcfe26b)

---

 ldap/servers/plugins/acl/aclutil.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c

index 2f37107..308cf8b 100644

--- a/ldap/servers/plugins/acl/aclutil.c

+++ b/ldap/servers/plugins/acl/aclutil.c

@@ -935,7 +935,7 @@ acl_match_macro_in_target( const char *ndn, char * match_this,

 					matched_val_len = ndn_len-macro_suffix_len-

 										ndn_prefix_end;

-					if (ndn[ndn_len - macro_suffix_len] == ',')

+					if (ndn[ndn_len - macro_suffix_len - 1] == ',')

 						matched_val_len -= 1;

 					matched_val = (char *)slapi_ch_malloc(matched_val_len + 1);

-- 

2.4.3