diff --git a/SOURCES/slapi-nis-bz2183950.patch b/SOURCES/slapi-nis-bz2183950.patch new file mode 100644 index 0000000..7f8db7f --- /dev/null +++ b/SOURCES/slapi-nis-bz2183950.patch @@ -0,0 +1,78 @@ +From 24eeccd408d9627299231d7843ca9e65e71af3de Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 21 Mar 2023 17:32:47 +0200 +Subject: [PATCH 1/2] Test the case when container is a child of the target DN + +We can have target DN both inside or outside of a container. +Previously, the code did not look into the latter one. When container is +a child of the target DN (like using IPA's base DN instead of +cn=compat,$BASE_DN) and a search was done with a subtree scope, the +check failed. + +With this change a subtree scope search which starts with a base DN +that includes a compat tree's container would be considered for the +search. + +Fixes: rhbz#2168893 + +Signed-off-by: Alexander Bokovoy +--- + src/back-sch.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/back-sch.c b/src/back-sch.c +index 93746b1..e447bda 100644 +--- a/src/back-sch.c ++++ b/src/back-sch.c +@@ -1340,11 +1340,12 @@ backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_ + + if (slapi_sdn_scope_test(cbdata->target_dn, + set_data->container_sdn, +- cbdata->scope) == 1) { ++ cbdata->scope) != 0) { + cbdata->answer = TRUE; +- } +- +- if (slapi_sdn_issuffix(cbdata->target_dn, set_data->container_sdn) == 1) { ++ } else if ((cbdata->scope == LDAP_SCOPE_SUBTREE) && ++ slapi_sdn_scope_test(set_data->container_sdn, ++ cbdata->target_dn, ++ cbdata->scope) != 0) { + cbdata->answer = TRUE; + } + +-- +2.40.0 + + +From 73058645eac86b40913deec01807854e0a8bda0d Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mon, 24 Apr 2023 12:19:10 +0300 +Subject: [PATCH 2/2] Identify the container without search base check + +Ignore the actual search base when identifying whether a target DN is +within a known data container. The reason is that we need to know +whether a search would have to descent into a particular container. The +scope validation will happen later. + +Signed-off-by: Alexander Bokovoy +--- + src/back-sch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/back-sch.c b/src/back-sch.c +index e447bda..a79f61b 100644 +--- a/src/back-sch.c ++++ b/src/back-sch.c +@@ -1340,7 +1340,7 @@ backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_ + + if (slapi_sdn_scope_test(cbdata->target_dn, + set_data->container_sdn, +- cbdata->scope) != 0) { ++ LDAP_SCOPE_SUBTREE) != 0) { + cbdata->answer = TRUE; + } else if ((cbdata->scope == LDAP_SCOPE_SUBTREE) && + slapi_sdn_scope_test(set_data->container_sdn, +-- +2.40.0 + diff --git a/SPECS/slapi-nis.spec b/SPECS/slapi-nis.spec index 0982d22..fceb828 100644 --- a/SPECS/slapi-nis.spec +++ b/SPECS/slapi-nis.spec @@ -11,12 +11,13 @@ Name: slapi-nis Version: 0.60.0 -Release: 2%{?dist} +Release: 4%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server License: GPLv3 URL: http://pagure.io/slapi-nis/ Source0: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz Source1: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc +Patch0: slapi-nis-bz2183950.patch BuildRequires: make BuildRequires: autoconf @@ -56,6 +57,7 @@ for attributes from multiple entries in the tree. %prep %setup -q +%patch0 -p1 %build autoconf --force @@ -83,6 +85,14 @@ make check %{_sbindir}/nisserver-plugin-defs %changelog +* Mon Apr 24 2023 Alexander Bokovoy - 0.60.0-4 +- Also handle base searches within the compat tree +- Related: rhbz#2183950 + +* Wed Apr 12 2023 Alexander Bokovoy - 0.60.0-3 +- Fix base DN searches outside the compat tree +- Resolves: rhbz#2183950 + * Sun Aug 21 2022 Alexander Bokovoy - 0.60.0-2 - Rebuild to fix changelog - Related: rhbz#2117299