author | Rich Megginson <rmeggins@redhat.com> | 2005-03-22 04:31:46 +0000 |
---|---|---|
committer | Rich Megginson <rmeggins@redhat.com> | 2005-03-22 04:31:46 +0000 |
commit | f76d077e475a8467bef8825d37967c2e50cad0a8 (patch) | |
tree | ed8909067ca2858f15cef68e0029f006875e4bdd /ldap | |
parent | 79a8cdc70ff7a36b50f676551f0e2fcdc73b5607 (diff) | |
Bug(s) fixed: 145179
Bug Description: 1) The full Admin DN was being put into the RDN 2) It was creating ACIs for the directory manager
Reviewed by: Noriko (Thanks!)
Fix Description: Always check to see if the given Admin ID is the full DN. Check if the DN is the root DN before creating an ACI.
Platforms tested: RHEL3
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly install and manual console testing
New Tests integrated into TET: none
Diffstat (limited to 'ldap')
-rw-r--r-- | ldap/admin/src/cfg_sspt.c | 51 |
1 files changed, 31 insertions, 20 deletions
diff --git a/ldap/admin/src/cfg_sspt.c b/ldap/admin/src/cfg_sspt.c
index 8487c45f..0875b973 100644
--- a/ldap/admin/src/cfg_sspt.c
+++ b/ldap/admin/src/cfg_sspt.c
@@ -187,6 +187,15 @@ getEntryAndAccess(int index, const char **entry, const char **access)
 return 1; }
+static int
+is_root_user(const char *name, QUERY_VARS* query)
+{
+ if (!name || !query->rootDN) {
+ return 0;
+ }
+ return !PL_strcasecmp(name, query->rootDN);
+}
+
 /* ** --------------------------------------------------------------------------- **
@@ -1356,6 +1365,7 @@ config_suitespot(SLAPD_CONFIG* slapd, QUERY_VARS* query)
 char *adminGroupDN = 0; char *parentDN = 0; char *localDAGroupDN = 0;
+ char realuid[1024] = {0};
 if (!query->rootDN || *query->rootDN == '\0') { usageErrorMsg = "You must enter the distinguished name of a user with "
@@ -1379,14 +1389,30 @@ config_suitespot(SLAPD_CONFIG* slapd, QUERY_VARS* query)
 name_topologyRDN, query->netscaperoot, 0); }
+ if (query->config_admin_uid) {
+ getUIDFromDN(query->config_admin_uid, realuid);
+ if (realuid[0]) {
+ /* admid is already a DN */
+ configAdminDN = strdup(query->config_admin_uid);
+ } else if (parentDN) {
+ /* create a DN for admid */
+ configAdminDN = make_dn(DN_formatUID, query->config_admin_uid, parentDN, 0);
+ } else {
+ /* create one from scratch */
+ configAdminDN = make_dn("%s=%s, %s, %s, %s", name_uid, query->config_admin_uid,
+ name_administratorsRDN, name_topologyRDN,
+ name_netscaperootDN, 0);
+ }
+ }
+
 if (query->suffix) { status = create_base(connection, query->suffix); if (!status) {
- if (parentDN && query->config_admin_uid) {
- add_aci_v(connection, query->suffix, ACI_user_allow_1,
- "all", query->config_admin_uid, parentDN, 0);
+ if (configAdminDN && !is_root_user(configAdminDN, query)) {
+ add_aci_v(connection, query->suffix, ACI_user_allow_2,
+ "all", configAdminDN, 0);
 } status = create_group(connection, query->suffix, name_localDAGroup);
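Review bot: `is_root_user` matches the two DNs as raw strings with `PL_strcasecmp`, so a DN that names the root user but is spelled differently from `query->rootDN` (extra spaces after a comma or around `=`, for instance) is not recognised, and the ACI this commit means to suppress is still created. Comparing normalized copies of both DNs would close that gap; the guards added in the hunks at -1379, -1442 and -1527 all depend on this one helper. `query` is also dereferenced without a NULL check, which looks safe only because the visible callers have already used it. At minimum the helper should carry a comment such as `/* Case-insensitive string match against query->rootDN; the DNs are not normalized first. */`.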
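Review bot: In the hunk at -1379, `getUIDFromDN(query->config_admin_uid, realuid)` is handed the 1024-byte stack buffer `realuid` with no length argument, and only `realuid[0]` is read afterwards. getUIDFromDN is not shown in this diff, so whether it bounds the copy cannot be confirmed here; if it does not, an Admin ID longer than the buffer is written past its end. Guarding the call with `if (strlen(query->config_admin_uid) < sizeof(realuid))` would keep the copy inside the buffer, assuming the extracted UID is never longer than the input DN. The results of `strdup` and `make_dn` are also unchecked, so an allocation failure leaves `configAdminDN` NULL and the ACI is skipped without any error. The body of config_suitespot starts and ends outside the hunk.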
@@ -1400,21 +1426,6 @@ config_suitespot(SLAPD_CONFIG* slapd, QUERY_VARS* query)
 if (!status) {
- char realuid[1024] = {0};
-
- if (query->config_admin_uid) {
- getUIDFromDN(query->config_admin_uid, realuid);
- }
-
- if (realuid[0])
- {
- /* admid is already a DN */
- configAdminDN = strdup(query->config_admin_uid);
- } else if (query->config_admin_uid) {
- /* create a DN for admid */
- configAdminDN = make_dn(DN_formatUID, query->config_admin_uid, parentDN, 0);
- }
-
 /* Give the Configuration Admin group access to the root DSE entries */
@@ -1442,7 +1453,7 @@ config_suitespot(SLAPD_CONFIG* slapd, QUERY_VARS* query)
 entryAndAccessList[ii].access, adminGroupDN, 0); }
- if (configAdminDN) {
+ if (configAdminDN && !is_root_user(configAdminDN, query)) {
 add_aci_v(connection, entryAndAccessList[ii].entryDN, ACI_user_allow_2, entryAndAccessList[ii].access,
@@ -1527,7 +1538,7 @@ config_suitespot(SLAPD_CONFIG* slapd, QUERY_VARS* query)
 } /* create the ss admin user */
- if (!status)
+ if (!status && !is_root_user(query->ssAdmID, query))
 { /* group to add the uid to */ char *groupdn = make_dn("%s, %s=%s, %s, %s", value_configAdminGroupRDN, |