Re: Groupe modifications and internalModifiersName

Ludwig Krispenz <lkrispen@xxxxxxxxxx> · Tue, 11 Nov 2014 11:06:10 +0100



    On 11/11/2014 10:45 AM, Ivanov Andrey
      (M.) wrote:

    
        Hi,,

        
        i continue with my tests of 389ds v1.3.2.24. I've
          encountered another bug or strange behavior (by design?).

        
        I've activated bind dn tracking (nsslapd-plugin-binddn-tracking:
            on). There is an account that has the write to add
          the entries and to change some attributes (e.g. description).
          The corresponding ACI:

        
        dn:
          ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu

          aci: (targetattr = "objectClass || uniqueMember ||
            owner || cn || description || businessCategory" )
          (version 3.0;acl "Droits de rejouter/supprimer/modifier les
          groupes et leurs att

          ributs";allow (add, delete, read,compare,search,write)(userdn="ldap:///uid=sync-cours,ou=Comptes
          generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu");)
        

        Any attempt to modify an authorized attribute from the list
          above (for ex., description) results in 

        
        ldap_modify: Insufficient access (50)

                  additional info: Insufficient 'write' privilege to the
          'internalModifiersName' attribute of entry
'cn=mec431-2014,ou=2014,ou=cours,ou=enseignement,ou=groupes,dc=id,dc=polytechnique,dc=edu'.
        

        [11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256
          connection from 129.104.31.54 to 129.104.69.49

          [11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn=""
          method=sasl version=3 mech=GSSAPI

          [11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97
          nentries=0 etime=0.008000, SASL bind in progress

          [11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn=""
          method=sasl version=3 mech=GSSAPI

          [11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97
          nentries=0 etime=0.002000, SASL bind in progress

          [11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn=""
            method=sasl version=3 mech=GSSAPI

          [11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0
            tag=97 nentries=0 etime=0.001000
            dn="uid=sync-cours,ou=comptes
            generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"

          [11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH
          base="dc=id,dc=polytechnique,dc=edu" scope=2
          filter="(cn=MEC431-2014)" attrs=ALL

          [11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101
          nentries=1 etime=0.003000

          [11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD
dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"

          [11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50
            tag=103 nentries=0 etime=0.002000
        

        is it an expected behavior and i need to add to all the
          ACIs that allow modifications the right to
          modify internalModifiersName attribute 
      
    
    good question, not sure if thus was intentional, butI think
    internalModifiersName should be written like modifiersname without
    specific permission.

      
    so for now I suggest you add the aci and open a ticket to
    get it investigated

    
        (if i add it, everything is fine and the attribute internalModifiersName
          becomes "cn=ldbm database,cn=plugins,cn=config").
        Or is it a bug?

        
        Thank you!

        
        Regards,

        
      --
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
    
    
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users