From 41aee2425e9d90d733dd41c9a3b346b40d709893 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 16 2023 09:17:30 +0000 Subject: import slapi-nis-0.60.0-3.module+el8.8.0+18715+930e9ba0 --- diff --git a/SOURCES/slapi-nis-bz2183953.patch b/SOURCES/slapi-nis-bz2183953.patch new file mode 100644 index 0000000..7f8db7f --- /dev/null +++ b/SOURCES/slapi-nis-bz2183953.patch @@ -0,0 +1,78 @@ +From 24eeccd408d9627299231d7843ca9e65e71af3de Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 21 Mar 2023 17:32:47 +0200 +Subject: [PATCH 1/2] Test the case when container is a child of the target DN + +We can have target DN both inside or outside of a container. +Previously, the code did not look into the latter one. When container is +a child of the target DN (like using IPA's base DN instead of +cn=compat,$BASE_DN) and a search was done with a subtree scope, the +check failed. + +With this change a subtree scope search which starts with a base DN +that includes a compat tree's container would be considered for the +search. + +Fixes: rhbz#2168893 + +Signed-off-by: Alexander Bokovoy +--- + src/back-sch.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/back-sch.c b/src/back-sch.c +index 93746b1..e447bda 100644 +--- a/src/back-sch.c ++++ b/src/back-sch.c +@@ -1340,11 +1340,12 @@ backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_ + + if (slapi_sdn_scope_test(cbdata->target_dn, + set_data->container_sdn, +- cbdata->scope) == 1) { ++ cbdata->scope) != 0) { + cbdata->answer = TRUE; +- } +- +- if (slapi_sdn_issuffix(cbdata->target_dn, set_data->container_sdn) == 1) { ++ } else if ((cbdata->scope == LDAP_SCOPE_SUBTREE) && ++ slapi_sdn_scope_test(set_data->container_sdn, ++ cbdata->target_dn, ++ cbdata->scope) != 0) { + cbdata->answer = TRUE; + } + +-- +2.40.0 + + +From 73058645eac86b40913deec01807854e0a8bda0d Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mon, 24 Apr 2023 12:19:10 +0300 +Subject: [PATCH 2/2] Identify the container without search base check + +Ignore the actual search base when identifying whether a target DN is +within a known data container. The reason is that we need to know +whether a search would have to descent into a particular container. The +scope validation will happen later. + +Signed-off-by: Alexander Bokovoy +--- + src/back-sch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/back-sch.c b/src/back-sch.c +index e447bda..a79f61b 100644 +--- a/src/back-sch.c ++++ b/src/back-sch.c +@@ -1340,7 +1340,7 @@ backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_ + + if (slapi_sdn_scope_test(cbdata->target_dn, + set_data->container_sdn, +- cbdata->scope) != 0) { ++ LDAP_SCOPE_SUBTREE) != 0) { + cbdata->answer = TRUE; + } else if ((cbdata->scope == LDAP_SCOPE_SUBTREE) && + slapi_sdn_scope_test(set_data->container_sdn, +-- +2.40.0 + diff --git a/SPECS/slapi-nis.spec b/SPECS/slapi-nis.spec index 83d60cd..4d09a9d 100644 --- a/SPECS/slapi-nis.spec +++ b/SPECS/slapi-nis.spec @@ -11,14 +11,16 @@ Name: slapi-nis Version: 0.60.0 -Release: 1%{?dist} +Release: 3%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server Group: System Environment/Daemons License: GPLv3 URL: http://pagure.io/slapi-nis/ Source0: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz Source1: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc +Patch0: slapi-nis-bz2183953.patch +BuildRequires: make BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -56,6 +58,7 @@ for attributes from multiple entries in the tree. %prep %setup -q +%patch0 -p1 %build autoconf --force @@ -84,6 +87,14 @@ make check %{_sbindir}/nisserver-plugin-defs %changelog +* Mon Apr 24 2023 Alexander Bokovoy - 0.60.0-3 +- Also handle base searches within the compat tree +- Related: rhbz#2183469 + +* Wed Apr 12 2023 Alexander Bokovoy - 0.60.0-2 +- Fix base DN searches outside the compat tree +- Resolves: rhbz#2183953 + * Sat Aug 20 2022 Alexander Bokovoy - 0.60.0-1 - upstream release 0.60.0 - Change license from GPLv2 to GPLv3+ to follow 389-ds licensing