With directory server Console, attribute "aci" appears as "passwordAllowChangeTime"
Environment
- Red Hat Enterprise Linux 5/6
- Red Hat Directory Server 8/9
- redhat-ds-8.2.0-2.el5dsrv (RHDS 8)
- 389-ds-base-1.2.11 or earlier (RHDS 9/ IdM)
Issue
- I have Console Framework 1.1.5 last release on Windows7 Enterprise SP1 64bit and I notice that on every LDAP entry with "aci" attribute, the attribute name appears as "passwordallowchangetime". ldapsearch returns proper results, and dumping the db to an ldif also shows correct values.
- When performing a search that requests the unhashed#user#password attribute, the attribute names for the returned values are incorrect. If this attribute is requested as part of the attribute list, every attribute name after it in the list is shifted off by one.
- This bug can be reproduced by installing 389-ds-base-1.2.11 or earlier, creating a DS instance with a suffix of "dc=example,dc=com", then performing this search:
    ldapsearch -x -D "cn=directory manager" -w <password> -b "dc=example,dc=com" -s base "objectclass=*" unhashed#user#password nsrole aci nsuniqueid
- The results will show the values of the "aci" attribute as the "nsrole" attribute. Similarly, "nsuniqueid" values will be shown as the "aci" attribute:
Resolution
The issue has been addressed in Red Hat Directory Server 8. Update the redhat-ds-base package to redhat-ds-base-8.2.11-13.el5 to fix the issue.
For RHDS 9/IdM, a fix is expected to be included in the RHEL 6.5 release.
Root Cause
The attribute list given by a client to ldapsearch is first copied to op->o_searchattrs to respect the client input. Then the attribute types are normalized, and if the list contains any forbidden attributes, they are removed from the list. When the search result is returned, the internal normalized attribute types are replaced, position by position, with the original input from op->o_searchattrs. Since forbidden attributes are in op->o_searchattrs but not in the internal attribute list, the wrong type from the copy is associated with the value and returned to the client.
Fix Description: This patch removes the forbidden attribute before copying the original attribute list to op->o_searchattrs.
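The following is an added illustration, not code from 389-ds-base or from the patch: a simplified C model of the ordering problem described under Root Cause, using the attribute list from the reproducer search. The function names, the fixed-size arrays and the `fixed` switch are assumptions made for the example; only op->o_searchattrs and the attribute names come from this article.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ATTRS 16

/* Forbidden attribute named in this article (hypothetical helper). */
static int is_forbidden(const char *attr) {
    return strcasecmp(attr, "unhashed#user#password") == 0;
}

/* Copy a NULL-terminated list into dst, optionally dropping forbidden names. */
static int copy_attrs(const char **src, const char **dst, int drop_forbidden) {
    int n = 0;
    for (int i = 0; src[i] != NULL && n < MAX_ATTRS - 1; i++) {
        if (drop_forbidden && is_forbidden(src[i]))
            continue;
        dst[n++] = src[i];
    }
    dst[n] = NULL;
    return n;
}

/* Name the client sees for the values of internal attribute `attr`.
 * fixed == 0: client list saved before filtering (order described in Root Cause).
 * fixed == 1: forbidden names removed first, then the list is saved. */
const char *returned_name(const char **requested, const char *attr, int fixed) {
    static const char *saved[MAX_ATTRS];    /* stands in for op->o_searchattrs */
    static const char *internal[MAX_ATTRS]; /* filtered list used for the search */
    copy_attrs(requested, saved, fixed);
    copy_attrs(requested, internal, 1);
    for (int i = 0; internal[i] != NULL; i++)
        if (strcasecmp(internal[i], attr) == 0)
            return saved[i];                /* names restored by position */
    return NULL;                            /* attribute is not returned */
}

int main(void) {
    /* Attribute list from the reproducer search in this article. */
    const char *req[] = {"unhashed#user#password", "nsrole", "aci", "nsuniqueid", NULL};
    const char *shown[] = {"aci", "nsuniqueid"};
    for (int fixed = 0; fixed <= 1; fixed++)
        for (int i = 0; i < 2; i++)
            printf("%s values of %s are returned as %s\n", fixed ? "fixed:" : "buggy:",
                   shown[i], returned_name(req, shown[i], fixed));
    return 0;
}
```

In the model, a mismatch between the saved and internal list lengths is the condition that produces the shifted names; with the filtering done first, both lists have the same length and every index lines up.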