From b19dc5b453751ca63545e39537bfb87707cf867e Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" <tbordaz@redhat.com>
Date: Thu, 16 Oct 2014 17:24:15 +0200
Subject: [PATCH 77/84] Ticket 47553: Enhance ACIs to have more control over
MODRDN operations
Bug Description:
The ticket 47553 introduces a new aci right: moddn.
This rights allows/deny to do a MODDN from a part of the DIT to an other.
Before the right allow/deny to do a MODDN was granted if the subject had 'write' access to the rdn attribute.
To switch from the previous mode to the new one, there is a toggle 'nsslapd-moddn-aci'.
The getEffectiveRight control, should report the MODDN right ('n') according to
the acis and the value of this toggle
Fix Description:
test 'nsslapd-moddn-aci' in the geteffectiveright code
https://fedorahosted.org/389/ticket/47553
Reviewed by: Noriko (Thanks !)
Platforms tested: F17
Flag Day: no
Doc impact: no
(cherry picked from commit be67f8128d4a19edec95a6b1b022fd9262710e74)
---
dirsrvtests/tickets/ticket47553_ger.py | 553 ++++++++++++++++++++++++++
ldap/servers/plugins/acl/acleffectiverights.c | 67 ++--
2 files changed, 590 insertions(+), 30 deletions(-)
create mode 100644 dirsrvtests/tickets/ticket47553_ger.py
diff --git a/dirsrvtests/tickets/ticket47553_ger.py b/dirsrvtests/tickets/ticket47553_ger.py
new file mode 100644
index 0000000..d688c70
--- /dev/null
+++ b/dirsrvtests/tickets/ticket47553_ger.py
@@ -0,0 +1,553 @@
+'''
+Created on Nov 7, 2013
+
+@author: tbordaz
+'''
+import os
+import sys
+import time
+import ldap
+import logging
+import socket
+import time
+import logging
+import pytest
+import re
+from lib389 import DirSrv, Entry, tools
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from constants import *
+from lib389._constants import REPLICAROLE_MASTER
+from ldap.controls.simple import GetEffectiveRightsControl
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+#
+# important part. We can deploy Master1 and Master2 on different versions
+#
+installation1_prefix = None
+installation2_prefix = None
+
+TEST_REPL_DN = "cn=test_repl, %s" % SUFFIX
+
+STAGING_CN = "staged user"
+PRODUCTION_CN = "accounts"
+EXCEPT_CN = "excepts"
+
+STAGING_DN = "cn=%s,%s" % (STAGING_CN, SUFFIX)
+PRODUCTION_DN = "cn=%s,%s" % (PRODUCTION_CN, SUFFIX)
+PROD_EXCEPT_DN = "cn=%s,%s" % (EXCEPT_CN, PRODUCTION_DN)
+
+STAGING_PATTERN = "cn=%s*,%s" % (STAGING_CN[:2], SUFFIX)
+PRODUCTION_PATTERN = "cn=%s*,%s" % (PRODUCTION_CN[:2], SUFFIX)
+BAD_STAGING_PATTERN = "cn=bad*,%s" % (SUFFIX)
+BAD_PRODUCTION_PATTERN = "cn=bad*,%s" % (SUFFIX)
+
+BIND_CN = "bind_entry"
+BIND_DN = "cn=%s,%s" % (BIND_CN, SUFFIX)
+BIND_PW = "password"
+
+NEW_ACCOUNT = "new_account"
+MAX_ACCOUNTS = 20
+
+CONFIG_MODDN_ACI_ATTR = "nsslapd-moddn-aci"
+
+class TopologyMaster1Master2(object):
+ def __init__(self, master1, master2):
+ master1.open()
+ self.master1 = master1
+
+ master2.open()
+ self.master2 = master2
+
+
+@pytest.fixture(scope="module")
+def topology(request):
+ '''
+ This fixture is used to create a replicated topology for the 'module'.
+ The replicated topology is MASTER1 <-> Master2.
+ At the beginning, It may exists a master2 instance and/or a master2 instance.
+ It may also exists a backup for the master1 and/or the master2.
+
+ Principle:
+ If master1 instance exists:
+ restart it
+ If master2 instance exists:
+ restart it
+ If backup of master1 AND backup of master2 exists:
+ create or rebind to master1
+ create or rebind to master2
+
+ restore master1 from backup
+ restore master2 from backup
+ else:
+ Cleanup everything
+ remove instances
+ remove backups
+ Create instances
+ Initialize replication
+ Create backups
+ '''
+ global installation1_prefix
+ global installation2_prefix
+
+ # allocate master1 on a given deployement
+ master1 = DirSrv(verbose=False)
+ if installation1_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+
+ # Args for the master1 instance
+ args_instance[SER_HOST] = HOST_MASTER_1
+ args_instance[SER_PORT] = PORT_MASTER_1
+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_1
+ args_master = args_instance.copy()
+ master1.allocate(args_master)
+
+ # allocate master1 on a given deployement
+ master2 = DirSrv(verbose=False)
+ if installation2_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation2_prefix
+
+ # Args for the consumer instance
+ args_instance[SER_HOST] = HOST_MASTER_2
+ args_instance[SER_PORT] = PORT_MASTER_2
+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_2
+ args_master = args_instance.copy()
+ master2.allocate(args_master)
+
+
+ # Get the status of the backups
+ backup_master1 = master1.checkBackupFS()
+ backup_master2 = master2.checkBackupFS()
+
+ # Get the status of the instance and restart it if it exists
+ instance_master1 = master1.exists()
+ if instance_master1:
+ master1.stop(timeout=10)
+ master1.start(timeout=10)
+
+ instance_master2 = master2.exists()
+ if instance_master2:
+ master2.stop(timeout=10)
+ master2.start(timeout=10)
+
+ if backup_master1 and backup_master2:
+ # The backups exist, assuming they are correct
+ # we just re-init the instances with them
+ if not instance_master1:
+ master1.create()
+ # Used to retrieve configuration information (dbdir, confdir...)
+ master1.open()
+
+ if not instance_master2:
+ master2.create()
+ # Used to retrieve configuration information (dbdir, confdir...)
+ master2.open()
+
+ # restore master1 from backup
+ master1.stop(timeout=10)
+ master1.restoreFS(backup_master1)
+ master1.start(timeout=10)
+
+ # restore master2 from backup
+ master2.stop(timeout=10)
+ master2.restoreFS(backup_master2)
+ master2.start(timeout=10)
+ else:
+ # We should be here only in two conditions
+ # - This is the first time a test involve master-consumer
+ # so we need to create everything
+ # - Something weird happened (instance/backup destroyed)
+ # so we discard everything and recreate all
+
+ # Remove all the backups. So even if we have a specific backup file
+ # (e.g backup_master) we clear all backups that an instance my have created
+ if backup_master1:
+ master1.clearBackupFS()
+ if backup_master2:
+ master2.clearBackupFS()
+
+ # Remove all the instances
+ if instance_master1:
+ master1.delete()
+ if instance_master2:
+ master2.delete()
+
+ # Create the instances
+ master1.create()
+ master1.open()
+ master2.create()
+ master2.open()
+
+ #
+ # Now prepare the Master-Consumer topology
+ #
+ # First Enable replication
+ master1.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_1)
+ master2.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_2)
+
+ # Initialize the supplier->consumer
+
+ properties = {RA_NAME: r'meTo_$host:$port',
+ RA_BINDDN: defaultProperties[REPLICATION_BIND_DN],
+ RA_BINDPW: defaultProperties[REPLICATION_BIND_PW],
+ RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD],
+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]}
+ repl_agreement = master1.agreement.create(suffix=SUFFIX, host=master2.host, port=master2.port, properties=properties)
+
+ if not repl_agreement:
+ log.fatal("Fail to create a replica agreement")
+ sys.exit(1)
+
+ log.debug("%s created" % repl_agreement)
+
+ properties = {RA_NAME: r'meTo_$host:$port',
+ RA_BINDDN: defaultProperties[REPLICATION_BIND_DN],
+ RA_BINDPW: defaultProperties[REPLICATION_BIND_PW],
+ RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD],
+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]}
+ master2.agreement.create(suffix=SUFFIX, host=master1.host, port=master1.port, properties=properties)
+
+ master1.agreement.init(SUFFIX, HOST_MASTER_2, PORT_MASTER_2)
+ master1.waitForReplInit(repl_agreement)
+
+ # Check replication is working fine
+ master1.add_s(Entry((TEST_REPL_DN, {
+ 'objectclass': "top person".split(),
+ 'sn': 'test_repl',
+ 'cn': 'test_repl'})))
+ loop = 0
+ while loop <= 10:
+ try:
+ ent = master2.getEntry(TEST_REPL_DN, ldap.SCOPE_BASE, "(objectclass=*)")
+ break
+ except ldap.NO_SUCH_OBJECT:
+ time.sleep(1)
+ loop += 1
+
+ # Time to create the backups
+ master1.stop(timeout=10)
+ master1.backupfile = master1.backupFS()
+ master1.start(timeout=10)
+
+ master2.stop(timeout=10)
+ master2.backupfile = master2.backupFS()
+ master2.start(timeout=10)
+
+ # clear the tmp directory
+ master1.clearTmpDir(__file__)
+
+ #
+ # Here we have two instances master and consumer
+ # with replication working. Either coming from a backup recovery
+ # or from a fresh (re)init
+ # Time to return the topology
+ return TopologyMaster1Master2(master1, master2)
+
+
+
+def _bind_manager(topology):
+ topology.master1.log.info("Bind as %s " % DN_DM)
+ topology.master1.simple_bind_s(DN_DM, PASSWORD)
+
+def _bind_normal(topology):
+ # bind as bind_entry
+ topology.master1.log.info("Bind as %s" % BIND_DN)
+ topology.master1.simple_bind_s(BIND_DN, BIND_PW)
+
+def _moddn_aci_deny_tree(topology, mod_type=None, target_from=STAGING_DN, target_to=PROD_EXCEPT_DN):
+ '''
+ It denies the access moddn_to in cn=except,cn=accounts,SUFFIX
+ '''
+ assert mod_type != None
+
+ ACI_TARGET_FROM = ""
+ ACI_TARGET_TO = ""
+ if target_from:
+ ACI_TARGET_FROM = "(target_from = \"ldap:///%s\")" % (target_from)
+ if target_to:
+ ACI_TARGET_TO = "(target_to = \"ldap:///%s\")" % (target_to)
+
+ ACI_ALLOW = "(version 3.0; acl \"Deny MODDN to prod_except\"; deny (moddn)"
+ ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
+ ACI_BODY = ACI_TARGET_TO + ACI_TARGET_FROM + ACI_ALLOW + ACI_SUBJECT
+ mod = [(mod_type, 'aci', ACI_BODY)]
+ #topology.master1.modify_s(SUFFIX, mod)
+ topology.master1.log.info("Add a DENY aci under %s " % PROD_EXCEPT_DN)
+ topology.master1.modify_s(PROD_EXCEPT_DN, mod)
+
+def _moddn_aci_staging_to_production(topology, mod_type=None, target_from=STAGING_DN, target_to=PRODUCTION_DN):
+ assert mod_type != None
+
+
+ ACI_TARGET_FROM = ""
+ ACI_TARGET_TO = ""
+ if target_from:
+ ACI_TARGET_FROM = "(target_from = \"ldap:///%s\")" % (target_from)
+ if target_to:
+ ACI_TARGET_TO = "(target_to = \"ldap:///%s\")" % (target_to)
+
+ ACI_ALLOW = "(version 3.0; acl \"MODDN from staging to production\"; allow (moddn)"
+ ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
+ ACI_BODY = ACI_TARGET_FROM + ACI_TARGET_TO + ACI_ALLOW + ACI_SUBJECT
+ mod = [(mod_type, 'aci', ACI_BODY)]
+ topology.master1.modify_s(SUFFIX, mod)
+
+def _moddn_aci_from_production_to_staging(topology, mod_type=None):
+ assert mod_type != None
+
+ ACI_TARGET = "(target_from = \"ldap:///%s\") (target_to = \"ldap:///%s\")" % (PRODUCTION_DN, STAGING_DN)
+ ACI_ALLOW = "(version 3.0; acl \"MODDN from production to staging\"; allow (moddn)"
+ ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
+ ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+ mod = [(mod_type, 'aci', ACI_BODY)]
+ topology.master1.modify_s(SUFFIX, mod)
+
+
+def test_ticket47553_init(topology):
+ """
+ Creates
+ - a staging DIT
+ - a production DIT
+ - add accounts in staging DIT
+ - enable ACL logging (commented for performance reason)
+
+ """
+
+ topology.master1.log.info("\n\n######################### INITIALIZATION ######################\n")
+
+ # entry used to bind with
+ topology.master1.log.info("Add %s" % BIND_DN)
+ topology.master1.add_s(Entry((BIND_DN, {
+ 'objectclass': "top person".split(),
+ 'sn': BIND_CN,
+ 'cn': BIND_CN,
+ 'userpassword': BIND_PW})))
+
+ # DIT for staging
+ topology.master1.log.info("Add %s" % STAGING_DN)
+ topology.master1.add_s(Entry((STAGING_DN, {
+ 'objectclass': "top organizationalRole".split(),
+ 'cn': STAGING_CN,
+ 'description': "staging DIT"})))
+
+ # DIT for production
+ topology.master1.log.info("Add %s" % PRODUCTION_DN)
+ topology.master1.add_s(Entry((PRODUCTION_DN, {
+ 'objectclass': "top organizationalRole".split(),
+ 'cn': PRODUCTION_CN,
+ 'description': "production DIT"})))
+
+ # DIT for production/except
+ topology.master1.log.info("Add %s" % PROD_EXCEPT_DN)
+ topology.master1.add_s(Entry((PROD_EXCEPT_DN, {
+ 'objectclass': "top organizationalRole".split(),
+ 'cn': EXCEPT_CN,
+ 'description': "production except DIT"})))
+
+ # enable acl error logging
+ #mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')]
+ #topology.master1.modify_s(DN_CONFIG, mod)
+ #topology.master2.modify_s(DN_CONFIG, mod)
+
+
+
+
+
+ # add dummy entries in the staging DIT
+ for cpt in range(MAX_ACCOUNTS):
+ name = "%s%d" % (NEW_ACCOUNT, cpt)
+ topology.master1.add_s(Entry(("cn=%s,%s" % (name, STAGING_DN), {
+ 'objectclass': "top person".split(),
+ 'sn': name,
+ 'cn': name})))
+
+
+def test_ticket47553_mode_default_add_deny(topology):
+ '''
+ This test case checks that the ADD operation fails (no ADD aci on production)
+ '''
+
+ topology.master1.log.info("\n\n######################### mode moddn_aci : ADD (should fail) ######################\n")
+
+ _bind_normal(topology)
+
+ #
+ # First try to add an entry in production => INSUFFICIENT_ACCESS
+ #
+ try:
+ topology.master1.log.info("Try to add %s" % PRODUCTION_DN)
+ name = "%s%d" % (NEW_ACCOUNT, 0)
+ topology.master1.add_s(Entry(("cn=%s,%s" % (name, PRODUCTION_DN), {
+ 'objectclass': "top person".split(),
+ 'sn': name,
+ 'cn': name})))
+ assert 0 # this is an error, we should not be allowed to add an entry in production
+ except Exception as e:
+ topology.master1.log.info("Exception (expected): %s" % type(e).__name__)
+ assert isinstance(e, ldap.INSUFFICIENT_ACCESS)
+
+def test_ticket47553_mode_default_ger_no_moddn(topology):
+ topology.master1.log.info("\n\n######################### mode moddn_aci : GER no moddn ######################\n")
+ request_ctrl = GetEffectiveRightsControl(criticality=True,authzId="dn: " + BIND_DN)
+ msg_id = topology.master1.search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl])
+ rtype,rdata,rmsgid,response_ctrl = topology.master1.result3(msg_id)
+ ger={}
+ value=''
+ for dn, attrs in rdata:
+ topology.master1.log.info ("dn: %s" % dn)
+ value = attrs['entryLevelRights'][0]
+
+ topology.master1.log.info ("############### entryLevelRights: %r" % value)
+ assert 'n' not in value
+
+def test_ticket47553_mode_default_ger_with_moddn(topology):
+ '''
+ This test case adds the moddn aci and check ger contains 'n'
+ '''
+
+ topology.master1.log.info("\n\n######################### mode moddn_aci: GER with moddn ######################\n")
+
+ # successfull MOD with the ACI
+ _bind_manager(topology)
+ _moddn_aci_staging_to_production(topology, mod_type=ldap.MOD_ADD, target_from=STAGING_DN, target_to=PRODUCTION_DN)
+ _bind_normal(topology)
+
+ request_ctrl = GetEffectiveRightsControl(criticality=True,authzId="dn: " + BIND_DN)
+ msg_id = topology.master1.search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl])
+ rtype,rdata,rmsgid,response_ctrl = topology.master1.result3(msg_id)
+ ger={}
+ value = ''
+ for dn, attrs in rdata:
+ topology.master1.log.info ("dn: %s" % dn)
+ value = attrs['entryLevelRights'][0]
+
+ topology.master1.log.info ("############### entryLevelRights: %r" % value)
+ assert 'n' in value
+
+ # successfull MOD with the both ACI
+ _bind_manager(topology)
+ _moddn_aci_staging_to_production(topology, mod_type=ldap.MOD_DELETE, target_from=STAGING_DN, target_to=PRODUCTION_DN)
+ _bind_normal(topology)
+
+def test_ticket47553_mode_switch_default_to_legacy(topology):
+ '''
+ This test switch the server from default mode to legacy
+ '''
+ topology.master1.log.info("\n\n######################### Disable the moddn aci mod ######################\n" )
+ _bind_manager(topology)
+ mod = [(ldap.MOD_REPLACE, CONFIG_MODDN_ACI_ATTR, 'off')]
+ topology.master1.modify_s(DN_CONFIG, mod)
+
+def test_ticket47553_mode_legacy_ger_no_moddn1(topology):
+ topology.master1.log.info("\n\n######################### mode legacy 1: GER no moddn ######################\n")
+ request_ctrl = GetEffectiveRightsControl(criticality=True,authzId="dn: " + BIND_DN)
+ msg_id = topology.master1.search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl])
+ rtype,rdata,rmsgid,response_ctrl = topology.master1.result3(msg_id)
+ ger={}
+ value=''
+ for dn, attrs in rdata:
+ topology.master1.log.info ("dn: %s" % dn)
+ value = attrs['entryLevelRights'][0]
+
+ topology.master1.log.info ("############### entryLevelRights: %r" % value)
+ assert 'n' not in value
+
+def test_ticket47553_mode_legacy_ger_no_moddn2(topology):
+ topology.master1.log.info("\n\n######################### mode legacy 2: GER no moddn ######################\n")
+ # successfull MOD with the ACI
+ _bind_manager(topology)
+ _moddn_aci_staging_to_production(topology, mod_type=ldap.MOD_ADD, target_from=STAGING_DN, target_to=PRODUCTION_DN)
+ _bind_normal(topology)
+
+ request_ctrl = GetEffectiveRightsControl(criticality=True,authzId="dn: " + BIND_DN)
+ msg_id = topology.master1.search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl])
+ rtype,rdata,rmsgid,response_ctrl = topology.master1.result3(msg_id)
+ ger={}
+ value=''
+ for dn, attrs in rdata:
+ topology.master1.log.info ("dn: %s" % dn)
+ value = attrs['entryLevelRights'][0]
+
+ topology.master1.log.info ("############### entryLevelRights: %r" % value)
+ assert 'n' not in value
+
+ # successfull MOD with the both ACI
+ _bind_manager(topology)
+ _moddn_aci_staging_to_production(topology, mod_type=ldap.MOD_DELETE, target_from=STAGING_DN, target_to=PRODUCTION_DN)
+ _bind_normal(topology)
+
+def test_ticket47553_mode_legacy_ger_with_moddn(topology):
+ topology.master1.log.info("\n\n######################### mode legacy : GER with moddn ######################\n")
+
+ # being allowed to read/write the RDN attribute use to allow the RDN
+ ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"cn\")" % (PRODUCTION_DN)
+ ACI_ALLOW = "(version 3.0; acl \"MODDN production changing the RDN attribute\"; allow (read,search,write)"
+ ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
+ ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+
+ # successfull MOD with the ACI
+ _bind_manager(topology)
+ mod = [(ldap.MOD_ADD, 'aci', ACI_BODY)]
+ topology.master1.modify_s(SUFFIX, mod)
+ _bind_normal(topology)
+
+ request_ctrl = GetEffectiveRightsControl(criticality=True,authzId="dn: " + BIND_DN)
+ msg_id = topology.master1.search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl])
+ rtype,rdata,rmsgid,response_ctrl = topology.master1.result3(msg_id)
+ ger={}
+ value=''
+ for dn, attrs in rdata:
+ topology.master1.log.info ("dn: %s" % dn)
+ value = attrs['entryLevelRights'][0]
+
+ topology.master1.log.info ("############### entryLevelRights: %r" % value)
+ assert 'n' in value
+
+ # successfull MOD with the both ACI
+ _bind_manager(topology)
+ mod = [(ldap.MOD_DELETE, 'aci', ACI_BODY)]
+ topology.master1.modify_s(SUFFIX, mod)
+ _bind_normal(topology)
+
+
+def test_ticket47553_final(topology):
+ topology.master1.stop(timeout=10)
+ topology.master2.stop(timeout=10)
+
+def run_isolated():
+ '''
+ run_isolated is used to run these test cases independently of a test scheduler (xunit, py.test..)
+ To run isolated without py.test, you need to
+ - edit this file and comment '@pytest.fixture' line before 'topology' function.
+ - set the installation prefix
+ - run this program
+ '''
+ global installation1_prefix
+ global installation2_prefix
+ installation1_prefix = None
+ installation2_prefix = None
+
+ topo = topology(True)
+ topo.master1.log.info("\n\n######################### Ticket 47553 ######################\n")
+ test_ticket47553_init(topo)
+
+ # Check that without appropriate aci we are not allowed to add/delete
+ test_ticket47553_mode_default_add_deny(topo)
+ test_ticket47553_mode_default_ger_no_moddn(topo)
+ test_ticket47553_mode_default_ger_with_moddn(topo)
+ test_ticket47553_mode_switch_default_to_legacy(topo)
+ test_ticket47553_mode_legacy_ger_no_moddn1(topo)
+ test_ticket47553_mode_legacy_ger_no_moddn2(topo)
+ test_ticket47553_mode_legacy_ger_with_moddn(topo)
+
+ test_ticket47553_final(topo)
+
+
+
+
+if __name__ == '__main__':
+ run_isolated()
+
diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c
index b9e2055..3c7d635 100644
--- a/ldap/servers/plugins/acl/acleffectiverights.c
+++ b/ldap/servers/plugins/acl/acleffectiverights.c
@@ -456,38 +456,45 @@ _ger_get_entry_rights (
entryrights |= SLAPI_ACL_DELETE;
_append_gerstr(gerstr, gerstrsize, gerstrcap, "d", NULL);
}
- /*
- * Some limitation/simplification applied here:
- * - The modrdn right requires the rights to delete the old rdn and
- * the new one. However we have no knowledge of what the new rdn
- * is going to be.
- * - In multi-valued RDN case, we check the right on
- * the first rdn type only for now.
- */
- rdn = slapi_rdn_new_dn ( slapi_entry_get_ndn (e) );
- slapi_rdn_get_first(rdn, &rdntype, &rdnvalue);
- if ( NULL != rdntype ) {
- slapi_log_error (SLAPI_LOG_ACL, plugin_name,
- "_ger_get_entry_rights: SLAPI_ACL_WRITE_DEL & _ADD %s\n", rdntype );
- if (acl_access_allowed(gerpb, e, rdntype, NULL,
- ACLPB_SLAPI_ACL_WRITE_DEL) == LDAP_SUCCESS &&
- acl_access_allowed(gerpb, e, rdntype, NULL,
- ACLPB_SLAPI_ACL_WRITE_ADD) == LDAP_SUCCESS)
- {
- /* n - rename e */
- entryrights |= SLAPI_ACL_WRITE;
- _append_gerstr(gerstr, gerstrsize, gerstrcap, "n", NULL);
- }
- }
- slapi_rdn_free ( &rdn );
-
- if (acl_access_allowed(gerpb, e, NULL, NULL, SLAPI_ACL_MODDN) == LDAP_SUCCESS) {
- slapi_log_error (SLAPI_LOG_ACL, plugin_name,
- "_ger_get_entry_rights: SLAPI_ACL_MODDN %s\n", slapi_entry_get_ndn (e) );
+
+ if (config_get_moddn_aci()) {
+ /* The server enforces the new MODDN aci right.
+ * So the status 'n' is set if this right is granted.
+ * Opposed to the legacy mode where this flag is set if
+ * WRITE was granted on rdn attrbibute
+ */
+ if (acl_access_allowed(gerpb, e, NULL, NULL, SLAPI_ACL_MODDN) == LDAP_SUCCESS) {
+ slapi_log_error(SLAPI_LOG_ACL, plugin_name,
+ "_ger_get_entry_rights: SLAPI_ACL_MODDN %s\n", slapi_entry_get_ndn(e));
+ /* n - rename e */
+ entryrights |= SLAPI_ACL_MODDN;
+ _append_gerstr(gerstr, gerstrsize, gerstrcap, "n", NULL);
+ }
+ } else {
+ /*
+ * Some limitation/simplification applied here:
+ * - The modrdn right requires the rights to delete the old rdn and
+ * the new one. However we have no knowledge of what the new rdn
+ * is going to be.
+ * - In multi-valued RDN case, we check the right on
+ * the first rdn type only for now.
+ */
+ rdn = slapi_rdn_new_dn(slapi_entry_get_ndn(e));
+ slapi_rdn_get_first(rdn, &rdntype, &rdnvalue);
+ if (NULL != rdntype) {
+ slapi_log_error(SLAPI_LOG_ACL, plugin_name,
+ "_ger_get_entry_rights: SLAPI_ACL_WRITE_DEL & _ADD %s\n", rdntype);
+ if (acl_access_allowed(gerpb, e, rdntype, NULL,
+ ACLPB_SLAPI_ACL_WRITE_DEL) == LDAP_SUCCESS &&
+ acl_access_allowed(gerpb, e, rdntype, NULL,
+ ACLPB_SLAPI_ACL_WRITE_ADD) == LDAP_SUCCESS) {
/* n - rename e */
- entryrights |= SLAPI_ACL_MODDN;
- _append_gerstr(gerstr, gerstrsize, gerstrcap, "n", NULL);
+ entryrights |= SLAPI_ACL_WRITE;
+ _append_gerstr(gerstr, gerstrsize, gerstrcap, "n", NULL);
+ }
}
+ slapi_rdn_free(&rdn);
+ }
if ( entryrights == 0 )
{
_append_gerstr(gerstr, gerstrsize, gerstrcap, "none", NULL);
--
1.9.3