From ce5449b330eb2096b861d887d369080f11dddee0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 12 Apr 2023 12:10:36 +0300
Subject: [PATCH] Fix base DN searches outside the compat tree

Resolves: rhbz#2183469
Signed-off-by: Alexander Bokovoy
---
slapi-nis-bz2183469.patch | 46 +++++++++++++++++++++++++++++++++++++++
slapi-nis.spec | 9 +++++++-
2 files changed, 54 insertions(+), 1 deletion(-)
create mode 100644 slapi-nis-bz2183469.patch
diff --git a/slapi-nis-bz2183469.patch b/slapi-nis-bz2183469.patch
new file mode 100644
index 0000000..5b0c9b3
--- /dev/null
+++ b/slapi-nis-bz2183469.patch
@@ -0,0 +1,46 @@
+From 24eeccd408d9627299231d7843ca9e65e71af3de Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 21 Mar 2023 17:32:47 +0200
+Subject: [PATCH] Test the case when container is a child of the target DN
+
+We can have target DN both inside or outside of a container.
+Previously, the code did not look into the latter one. When container is
+a child of the target DN (like using IPA's base DN instead of
+cn=compat,$BASE_DN) and a search was done with a subtree scope, the
+check failed.
+
+With this change a subtree scope search which starts with a base DN
+that includes a compat tree's container would be considered for the
+search.
+
+Fixes: rhbz#2168893
+
+Signed-off-by: Alexander Bokovoy
+---
+ src/back-sch.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index 93746b1..e447bda 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1340,11 +1340,12 @@ backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_
+
+ if (slapi_sdn_scope_test(cbdata->target_dn,
+ set_data->container_sdn,
+- cbdata->scope) == 1) {
++ cbdata->scope) != 0) {
+ cbdata->answer = TRUE;
+- }
+-
+- if (slapi_sdn_issuffix(cbdata->target_dn, set_data->container_sdn) == 1) {
++ } else if ((cbdata->scope == LDAP_SCOPE_SUBTREE) &&
++ slapi_sdn_scope_test(set_data->container_sdn,
++ cbdata->target_dn,
++ cbdata->scope) != 0) {
+ cbdata->answer = TRUE;
+ }
+
+--
+2.39.2
+
diff --git a/slapi-nis.spec b/slapi-nis.spec
index 83d60cd..8310f8f 100644
--- a/slapi-nis.spec
+++ b/slapi-nis.spec
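Review bot: In the nested src/back-sch.c hunk, dropping the unconditional `slapi_sdn_issuffix(cbdata->target_dn, set_data->container_sdn)` test means a target DN below the container is now matched only as far as `cbdata->scope` allows, so a base- or one-level request aimed at an entry deeper inside the container appears to leave `cbdata->answer` unset where the old code set it. If that narrowing is not intended, keep the old test as a further `else if` branch; either way a regression test for base-scope lookups under the container would settle it. The new branch also lets every subtree search rooted at an ancestor of the container reach the compat data, so it is worth confirming that access control on those entries does not assume clients address cn=compat directly. A short comment on the swapped argument order, e.g. `/* container lies below the search base: a subtree search from an ancestor must include this set */`, would help the next reader; the function body starts and ends outside the hunk.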
@@ -11,14 +11,16 @@ Name: slapi-nis
 Version: 0.60.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: NIS Server and Schema Compatibility plugins for Directory Server
 Group: System Environment/Daemons
 License: GPLv3
 URL: http://pagure.io/slapi-nis/
 Source0: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
 Source1: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
+Patch0: slapi-nis-bz2183469.patch
+BuildRequires: make
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
@@ -56,6 +58,7 @@ for attributes from multiple entries in the tree.
 %prep
 %setup -q
+%patch0 -p1
 %build
 autoconf --force
@@ -84,6 +87,10 @@ make check
 %{_sbindir}/nisserver-plugin-defs
 %changelog
+* Wed Apr 13 2023 Alexander Bokovoy - 0.60.0-2
+- Fix base DN searches outside the compat tree
+- Resolves: rhbz#2183469
+
 * Sat Aug 20 2022 Alexander Bokovoy - 0.60.0-1
 - upstream release 0.60.0
 - Change license from GPLv2 to GPLv3+ to follow 389-ds licensing
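Review bot: `%prep` now applies `Patch0` on top of a tarball whose detached signature is shipped as `Source1` but, as far as this hunk shows, is never checked: the section consists of `%setup -q` and the new `%patch0 -p1` only. Consider adding the upstream keyring as a further source (say `Source2`) and running `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` before `%setup`, together with `BuildRequires: gnupg2`. Separately, newer rpm releases deprecate the `%patchN` spelling; `%patch -P0 -p1` is the forward-compatible form.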