https://bugs.openldap.org/show_bug.cgi?id=9972
Issue ID: 9972
Summary: SSS needs READ instead of SEARCH access
Product: OpenLDAP
Version: 2.6.3
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: dpa-openldap@aegee.org
Target Milestone: ---
I have configured an OpenLDAP 2.6 server with
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcAccess: to dn="cn=bodies,dc=aegee,dc=org" by * search   # no problem if this is READ
olcAccess: to dn.sub="dc=aegee,dc=org" by * read
…

dn: olcOverlay=sssvlv,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
The content of the tree is available anonymously by calling
ldapsearch -ZZxH ldap://ldap.aegee.org -b "dc=aegee,dc=org" -s sub .
When I modify the call to use SSS:
ldapsearch -ZxH ldap://ldap.aegee.org -b "dc=aegee,dc=org" -s sub -E sss=ou:2.5.13.15
it also returns results, but ends with

# search result
search: 93
result: 50 Insufficient access

# numResponses: 3
# numEntries: 2
When I modify above:
olcAccess: to dn="cn=bodies,dc=aegee,dc=org" by * read
then the access is sufficient.
There is no entry called "dn:cn=bodies,dc=aegee,dc=org", or rather the entry shall not be returned on searches and `ldapsearch -ZxH ldap://ldap.aegee.org -b "dc=aegee,dc=org" -s sub` does not return it.
These work without a problem:
ldapsearch -ZxH ldap://ldap.aegee.org -b "cn=bodies,dc=aegee,dc=org" -s one -E sss=ou:2.5.13.15
ldapsearch -ZxH ldap://ldap.aegee.org -b "cn=bodies,dc=aegee,dc=org" -s sub
ldapsearch -ZxH ldap://ldap.aegee.org -b "cn=bodies,dc=aegee,dc=org" -s one
This produces Insufficient access:
ldapsearch -ZxH ldap://ldap.aegee.org -b "cn=bodies,dc=aegee,dc=org" -s sub -E sss=ou:2.5.13.15
That said client-side-sorting does work without a problem, but server-side sorting requires not only SEARCH, but also READ privileges on dn="cn=bodies,dc=aegee,dc=org".
I find this is a bug: SSS requires read access to data which is not supposed to be returned to the client (dn:cn=bodies,dc=aegee,dc=org). For the additional server-side sorting no additional privileges shall be required, compared to returning the results without server-side sorting.
--- Comment #1 from dpa-openldap@aegee.org dpa-openldap@aegee.org --- Do you have an idea why this works without an error:
ldapsearch -ZZxH ldap://ldap.aegee.org -b "cn=bodies,dc=aegee,dc=org" -s one -E sss=ou:2.5.13.15
but this:
ldapsearch -ZZxH ldap://ldap.aegee.org -b "cn=bodies,dc=aegee,dc=org" -s one -E sss=ou:2.5.13.15 -E vlv="1/190/4/0"
ends with
# search result
search: 4
result: 76 Virtual List View error
control: 2.16.840.1.113730.3.4.10 false MBQCAQQCAgC0CgFNBAgg+xB02X8AAA==
vlvResult: pos=4 count=180 context=IPsQdNl/AAA= (77) Unknown error
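The control values in the commands above and in the VLV result can be checked by hand. What follows is an added example, not code from the OpenLDAP project or from anyone in this thread: a small BER encoder/decoder that builds the SortKeyList value for `-E sss=ou:2.5.13.15` and the byOffset VirtualListViewRequest for `-E vlv=1/190/4/0`, and decodes the base64 response value that ldapsearch printed above. The function names, and the `/`-separated multi-key syntax accepted by encode_sort_key_list, are this example's own assumptions; the OIDs and structures are the ones from RFC 2891 and the VLV draft.

```python
import base64

# Control OIDs (RFC 2891 for Server Side Sort, draft-ietf-ldapext-ldapv3-vlv-09 for VLV)
SSS_REQUEST_OID = "1.2.840.113556.1.4.473"
SSS_RESPONSE_OID = "1.2.840.113556.1.4.474"
VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"
VLV_RESPONSE_OID = "2.16.840.1.113730.3.4.10"   # the OID in the ldapsearch output above


def _ber_len(n: int) -> bytes:
    """Definite-form BER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _ber_len(len(content)) + content


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Two's-complement INTEGER, minimal for the non-negative values these controls carry.
    The tag can be overridden for implicitly tagged fields."""
    size = value.bit_length() // 8 + 1
    return tlv(tag, value.to_bytes(size, "big", signed=True))


def encode_sort_key_list(spec: str) -> bytes:
    """SortKeyList (RFC 2891) from a '[-]<attr>[:<orderingRule OID>]' spec.
    Several keys may be given separated by '/' (this helper's own convention).
    SortKey ::= SEQUENCE { attributeType OCTET STRING,
                           orderingRule [0] OCTET STRING OPTIONAL,
                           reverseOrder [1] BOOLEAN DEFAULT FALSE }"""
    keys = []
    for item in spec.split("/"):
        reverse = item.startswith("-")
        attr, _, rule = item.lstrip("-").partition(":")
        key = tlv(0x04, attr.encode("ascii"))
        if rule:                                    # e.g. 2.5.13.15, integerOrderingMatch
            key += tlv(0x80, rule.encode("ascii"))  # [0] IMPLICIT orderingRule
        if reverse:
            key += tlv(0x81, b"\xff")               # [1] IMPLICIT reverseOrder TRUE
        keys.append(tlv(0x30, key))
    return tlv(0x30, b"".join(keys))


def encode_vlv_request(before: int, after: int, offset: int, count: int,
                       context: bytes = b"") -> bytes:
    """VirtualListViewRequest with a byOffset target, i.e. ldapsearch's
    -E vlv=<before>/<after>/<offset>/<count>."""
    target = tlv(0xA0, ber_int(offset) + ber_int(count))   # [0] byOffset SEQUENCE
    body = ber_int(before) + ber_int(after) + target
    if context:
        body += tlv(0x04, context)                          # contextID OPTIONAL
    return tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Parse one element at buf[pos]; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_vlv_response(value_b64: str) -> dict:
    """Decode the VirtualListViewResponse value ldapsearch prints after 'false':
    SEQUENCE { targetPosition INTEGER, contentCount INTEGER,
               virtualListViewResult ENUMERATED, contextID OCTET STRING OPTIONAL }"""
    tag, seq, _ = _read_tlv(base64.b64decode(value_b64), 0)
    if tag != 0x30:
        raise ValueError("VLV response value is not a SEQUENCE")
    fields, pos = [], 0
    while pos < len(seq):
        t, content, pos = _read_tlv(seq, pos)
        fields.append((t, content))
    if len(fields) < 3 or [t for t, _ in fields[:3]] != [0x02, 0x02, 0x0A]:
        raise ValueError("unexpected VLV response layout")
    return {
        "pos": int.from_bytes(fields[0][1], "big", signed=True),
        "count": int.from_bytes(fields[1][1], "big", signed=True),
        "result": int.from_bytes(fields[2][1], "big", signed=True),
        "context": base64.b64encode(fields[3][1]).decode() if len(fields) > 3 else "",
    }


if __name__ == "__main__":
    # Values from the commands and output quoted in this thread
    print("sss value:", encode_sort_key_list("ou:2.5.13.15").hex())
    print("vlv value:", encode_vlv_request(1, 190, 4, 0).hex())
    print("vlvResult:", decode_vlv_response("MBQCAQQCAgC0CgFNBAgg+xB02X8AAA=="))
```

Decoding the response value from comment #1 gives targetPosition 4, contentCount 180 and virtualListViewResult 77, which is exactly the `pos=4 count=180 ... (77)` line ldapsearch printed, so the numbers in that line come from the server's control, not from anything the client computed.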
Quanah Gibson-Mount quanah@openldap.org changed:
            What   | Removed      | Added
  ---------------------------------------------------------------------------
          Status   | UNCONFIRMED  | RESOLVED
      Resolution   | ---          | INVALID
        Keywords   | needs_review |
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- Server Side Sort requires read privileges to be able to do the sort.
Quanah Gibson-Mount quanah@openldap.org changed:
            What   | Removed      | Added
  ---------------------------------------------------------------------------
          Status   | RESOLVED     | VERIFIED
--- Comment #3 from dpa-openldap@aegee.org dpa-openldap@aegee.org --- It would be better if entries, which are anyway not returned in the request, are skipped by the SSS overlay, when sorting.
That is, SSS on SEARCH shall consider only entries which will be returned by SEARCH when no SSS is used.
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to dpa-openldap@aegee.org from comment #3)
> It would be better if entries, which are anyway not returned in the request, are skipped by the SSS overlay, when sorting.
> That is, SSS on SEARCH shall consider only entries which will be returned by SEARCH when no SSS is used.
The SSS overlay should only be evaluating entries that match the original search parameters including scope. If you are seeing different behavior please provide a script that demonstrates the issue.
dpa-openldap@aegee.org dpa-openldap@aegee.org changed:
            What   | Removed      | Added
  ---------------------------------------------------------------------------
              CC   |              | dpa-openldap@aegee.org
--- Comment #5 from dpa-openldap@aegee.org dpa-openldap@aegee.org ---
Created attachment 947 --> https://bugs.openldap.org/attachment.cgi?id=947&action=edit
sample configuration
I have created an OCI (~ Docker) image. Run with
$ wget https://mail.aegee.org/dpa/bug9972/openldap-2023-01-23.tar
$ skopeo copy oci-archive:openldap-2023-01-23.tar containers-storage:localhost/openldap:2023-01-23
$ podman images
REPOSITORY            TAG          IMAGE ID      CREATED        SIZE
localhost/openldap    2023-01-23   52a9cee2069f  5 minutes ago  7.11 MB
$ podman run -d --security-opt=no-new-privileges -p 3890:3890 localhost/openldap:2023-01-23
d5c6f8c3dc1915f375a6e459a19af2c72f8a4348f4c60eb3d891291b3c2a44e1
$ ldapsearch -xH ldap://127.0.0.0:3890 -b "dc=aegee,dc=org" -s sub -E sss=ou:2.5.13.15
…
# aegee.org
dn: dc=aegee,dc=org
objectClass: dcObject
objectClass: organization
o: AEGEE
dc: aegee

# search result
search: 2
result: 50 Insufficient access

# numResponses: 182
# numEntries: 181
The content of the config directory is attached here.
--- Comment #6 from dpa-openldap@aegee.org dpa-openldap@aegee.org --- This can be run as rootless podman (no root privileges required). The query
ldapsearch -xH ldap://127.0.0.0:3890 -b "dc=aegee,dc=org" -s sub
that is the same, but without -E sss=ou:2.5.13.15, does not return
# search result search: 2 result: 50 Insufficient access
That is: adding -E sss introduces Insufficient access error, but there are no errors if the same results are obtained without Server-side sort.
Ondřej Kuzník ondra@mistotebe.net changed:
            What   | Removed      | Added
  ---------------------------------------------------------------------------
  Ever confirmed   | 0            | 1
          Status   | VERIFIED     | CONFIRMED
      Resolution   | INVALID      | ---
--- Comment #7 from Ondřej Kuzník ondra@mistotebe.net --- Thanks for the information, it seems sssvlv has considerable issues with regards to ACL processing, not just the ones you've noticed.
Just to pick a couple:
- send_search_entry returning Insufficient access on the last entry will get copied to rs->sr_err
- select_value doesn't seem to honour value-based ACLs for sorting
Also there is no test script for this overlay, despite it being a part of core overlays. Would you be interested to write (a start of) a new one?
Thanks
Quanah Gibson-Mount quanah@openldap.org changed:
            What   | Removed      | Added
  ---------------------------------------------------------------------------
        Keywords   |              | needs_review
--- Comment #8 from dpa-openldap@aegee.org dpa-openldap@aegee.org ---
> Also there is no test script for this overlay, despite it being a part of core overlays. Would you be interested to write (a start of) a new one?
Unfortunately I am not going to do this.
Quanah Gibson-Mount quanah@openldap.org changed:
            What   | Removed      | Added
  ---------------------------------------------------------------------------
Target Milestone   | ---          | 2.7.0
        Keywords   | needs_review |