Bug 39878 - ldap/acl/read/ips does not work
ldap/acl/read/ips does not work
Status: CLOSED FIXED
Product: UCS Test
Classification: Unclassified
Component: LDAP
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Philipp Hahn
Depends on: 39877
Blocks:
Reported: 2015-11-11 15:13 CET by Stefan Gohmann
Modified: 2023-03-25 06:51 CET (History)

What kind of report is it?: Development Internal
Description Stefan Gohmann univentionstaff 2015-11-11 15:13:26 CET
We should add some test cases.

+++ This bug was initially created as a clone of Bug #39877 +++

The fix for Bug #29482 seems to break the anonymous read via IP, for example:
 ucr set ldap/acl/read/ips="127.0.0.1"

On my test setup this results in:
-------------------------------------------------------------------
access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
   by anonymous auth
   by * +0 break
access to *
   by set="user & [cn=Domain Admins,cn=groups,dc=deadlock44,dc=intranet]/uniqueMember*" write
   by users read
   by peername.ip=127.0.0.1 read
-------------------------------------------------------------------

An anonymous search via 127.0.0.1 is not possible. After removing the lines
-------------------------------------------------------------------
access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
   by anonymous auth
   by * +0 break
-------------------------------------------------------------------
it works again.


+++ This bug was initially created as a clone of Bug #29482 +++

With a Kerberos ticket as Administrator I cannot perform LDAP operations as Administrator on a 3.0 / 3.1 system:

Administrator@master411:~$ kinit Administrator
Administrator@DEADLOCK41.LOCAL's Password: 
Administrator@master411:~$ ldapadd -Y GSSAPI -f x
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=users2,dc=deadlock41,dc=local"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

Administrator@master411:~$ ldapsearch -Y GSSAPI uid=Administrator -LLL uid userPassword
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn: uid=Administrator,cn=users,dc=deadlock41,dc=local
uid: Administrator

Administrator@master411:~$
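The generated ACL quoted in the description fails because of slapd's first-match rule for `by` clauses: an unbound connection, even one from 127.0.0.1, matches `by anonymous auth` first, is granted only `auth` on the `entry` and `uid` attributes, and evaluation stops there (the default control), so the `by peername.ip=127.0.0.1 read` clause of the later `access to *` directive is never reached; `by * +0 break` only carries non-anonymous requesters over to the next directive. The following is an added example, not code from ucs-test, Univention or OpenLDAP: a toy model of the slapd.access(5) evaluation order, fed with the two ACL variants from the report. The suffix, group DN and peer address come from the report; `Requester`, `GROUP_MEMBERS`, `anonymous_search_from_localhost` and the constructed group membership are assumptions of this model.

```python
"""Toy model of OpenLDAP access-control evaluation (added illustration, not
OpenLDAP or Univention code).  It covers only what this bug needs: privilege
levels, the `stop`/`continue`/`break` controls, `dn.subtree=`/`attrs=`
scoping, and the `anonymous`, `users`, `*`, `peername.ip=` and (simplified)
`set=` who-selectors."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Privilege levels in increasing order; each level implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

BASE = "dc=deadlock44,dc=intranet"                    # suffix from the report
ADMIN_GROUP = "cn=Domain Admins,cn=groups," + BASE    # group from the report
USER_DN = "uid=Administrator,cn=users," + BASE
# Constructed membership standing in for the `uniqueMember` set lookup (assumption).
GROUP_MEMBERS = {ADMIN_GROUP: {USER_DN}}


@dataclass
class Requester:
    peer_ip: str
    bound_dn: Optional[str] = None   # None models an anonymous (unbound) connection


@dataclass
class By:
    who: Callable[[Requester], bool]
    level: str                        # a LEVELS entry, or "+0" (incremental no-op)
    control: str = "stop"             # "stop" (default), "continue" or "break"


@dataclass
class Access:
    applies: Callable[[str, str], bool]   # (target dn, attribute) -> directive matches?
    clauses: List[By]


def granted_level(acl: List[Access], req: Requester, dn: str, attr: str) -> str:
    """Walk directives in order; inside a directive the first matching `by`
    clause decides unless its control says otherwise.  A directive whose
    clauses all fail ends with an implicit `by * none`, and the whole list
    with an implicit `access to * by * none`, as the OpenLDAP admin guide states."""
    level = "none"
    for directive in acl:
        if not directive.applies(dn, attr):
            continue
        for clause in directive.clauses:
            if not clause.who(req):
                continue
            if clause.level != "+0":       # an absolute level replaces what was accumulated
                level = clause.level
            if clause.control == "stop":
                return level
            if clause.control == "break":
                break                      # leave this directive, consult the next one
            # "continue": try the next by clause of the same directive
        else:
            return level                   # no clause matched: implicit `by * none`
    return level


def allows(acl: List[Access], req: Requester, dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(granted_level(acl, req, dn, attr)) >= LEVELS.index(needed)


# --- who-selectors used by the ACL from the report ---
def anonymous(r: Requester) -> bool: return r.bound_dn is None
def users(r: Requester) -> bool: return r.bound_dn is not None
def anyone(r: Requester) -> bool: return True
def peer_localhost(r: Requester) -> bool: return r.peer_ip == "127.0.0.1"
def domain_admin(r: Requester) -> bool: return r.bound_dn in GROUP_MEMBERS[ADMIN_GROUP]


# access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
#    by anonymous auth
#    by * +0 break
entry_uid_in_base = Access(
    applies=lambda dn, attr: dn.endswith(BASE) and attr in ("entry", "uid"),
    clauses=[By(anonymous, "auth"), By(anyone, "+0", "break")],
)
# access to *
#    by set="user & [cn=Domain Admins,...]/uniqueMember*" write
#    by users read
#    by peername.ip=127.0.0.1 read
everything = Access(
    applies=lambda dn, attr: True,
    clauses=[By(domain_admin, "write"), By(users, "read"), By(peer_localhost, "read")],
)

BROKEN_ACL = [entry_uid_in_base, everything]
WORKING_ACL = [everything]   # the report: dropping the first directive makes it work


def anonymous_search_from_localhost(acl: List[Access]) -> bool:
    """A search can return an entry only if the requester may read its `entry`
    pseudo-attribute and the attributes it asks for (here: uid)."""
    req = Requester(peer_ip="127.0.0.1")
    return all(allows(acl, req, USER_DN, a, "read") for a in ("entry", "uid"))


if __name__ == "__main__":
    print("broken ACL, anonymous from 127.0.0.1:", anonymous_search_from_localhost(BROKEN_ACL))
    print("working ACL, anonymous from 127.0.0.1:", anonymous_search_from_localhost(WORKING_ACL))
```

When checking this against a real UCS system, query OpenLDAP on its own port: comment 3 fixes the test by adding the explicit TCP port 7389, and the `00002020: Operation unavailable without authentication` answer in comment 2 indicates the test had been talking to the Samba 4 AD DC on port 389 instead of OpenLDAP.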
Comment 1 Philipp Hahn univentionstaff 2015-12-14 13:32:47 CET
r66314 | Bug #39878 test: Test LDAP anonymous read
 tests/10_ldap/11anonymous

Package: ucs-test
Version: 6.0.28-4.1359.201512141330
Branch: ucs_4.1-0
Scope: errata4.1-0
Comment 2 Stefan Gohmann univentionstaff 2015-12-21 05:51:32 CET
The test case failed:
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s4,Systemrolle=slave/151/testReport/junit/10_ldap/11anonymous/test/

Is it still or again broken?

*** BEGIN *** ['/bin/bash', '11anonymous'] ***
*** 10_ldap/11anonymous *** Test that LDAP anonymous read works ***
*** START TIME: 2015-12-20 20:29:18 ***
Testing ldap/acl/read/anonymous=no ldap/acl/read/ips= ...
Setting ldap/acl/read/anonymous
Create ldap/acl/read/ips
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
Operations error (1)
Additional information: 00002020: Operation unavailable without authentication
Testing ldap/acl/read/anonymous=no ldap/acl/read/ips=127.0.0.1 ...
Setting ldap/acl/read/anonymous
Setting ldap/acl/read/ips
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
Operations error (1)
Additional information: 00002020: Operation unavailable without authentication
error 2015-12-20 20:29:20	 Failed anonymous read by IP
Testing ldap/acl/read/anonymous=yes ldap/acl/read/ips= ...
error 2015-12-20 20:29:20	 **************** Test failed above this line (110) ****************
Setting ldap/acl/read/anonymous
Setting ldap/acl/read/ips
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
Operations error (1)
Additional information: 00002020: Operation unavailable without authentication
error 2015-12-20 20:29:21	 *** Check failed (110), but this might be caused by the error above ***
Unsetting ldap/acl/read/ips
Unsetting ldap/acl/read/ips
Unsetting ldap/acl/read/ips
Multifile: /etc/ldap/slapd.conf
Setting ldap/acl/read/anonymous
Setting ldap/acl/read/anonymous
Setting ldap/acl/read/anonymous
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...done.
*** END TIME: 2015-12-20 20:29:23 ***
*** TEST DURATION (H:MM:SS.ms): 0:00:04.687187 ***
*** END *** 110 ***
Comment 3 Philipp Hahn univentionstaff 2015-12-21 15:44:48 CET
r66510 | Bug #39878 test: Fix LDAP anonymous read
 Added explicit TCP port 7389 for OpenLDAP

Package: ucs-test
Version: 6.0.30-2.1370.201512211543
Branch: ucs_4.1-0
Scope: errata4.1-0
Comment 4 Stefan Gohmann univentionstaff 2016-10-12 07:48:06 CEST
No separate QA is needed for this bug.