Fedora directory users - Aug 2009 - [389-users] can't modify userPassword with proxy user: after code debugging...

Following http://www.mail-archive.com/fedora-directory-
users@redhat.com/msg09799.html

As of now, no solution but give to proxy user write access on entries..
if you succeeded in another way you''re welcome to post.


I looked+gdb the code of modify.c: when I try to change userPassword another 
flow is done.

modify.c:
...
if (has_password_mod):
	PasswordFlow
	return

StandardFlow
return



in PasswordFlow, the function
 op_shared_allow_pw_change() 
change the password ignoring controls and evaluating proxy user access 
permissions as a local user

in StandardFlow, all the controls are evaluated and the proxy_dn is set

To make a specific request using only the interesting controls, avoiding 
evaluation of unneeded ones (), I used the following options to ldapmodify|
passwd
* -g  -R -J 2.16.840.1.113730.3.4.18 


Peace,
R.

-- 

Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"Il seguente messaggio contiene informazioni riservate. Qualora questo 
messaggio fosse da Voi ricevuto per errore, Vogliate cortesemente darcene 
notizia a mezzo e-mail. Vi sollecitiamo altresì a distruggere il messaggio 
erroneamente ricevuto. Quanto precede Vi viene chiesto ai fini del rispetto 
della legge in materia di protezione dei dati personali."

Roberto Polli wrote:
> Following http://www.mail-archive.com/fedora-directory-
> users@redhat.com/msg09799.html
>
> As of now, no solution but give to proxy user write access on entries..
> if you succeeded in another way you''re welcome to post.
>
>
> I looked+gdb the code of modify.c: when I try to change userPassword
another
> flow is done.
>
> modify.c:
> ...
> if (has_password_mod):
> 	PasswordFlow
> 	return
>
> StandardFlow
> return
>
>
>
> in PasswordFlow, the function
>  op_shared_allow_pw_change() 
> change the password ignoring controls and evaluating proxy user access 
> permissions as a local user
>   
Thanks for debugging this.  So the problem is that 
slapi_acl_check_mods() at line 945 is failing?
> in StandardFlow, all the controls are evaluated and the proxy_dn is set
>
> To make a specific request using only the interesting controls, avoiding 
> evaluation of unneeded ones (), I used the following options to ldapmodify|
> passwd
> * -g  -R -J 2.16.840.1.113730.3.4.18 
>
>
> Peace,
> R.
>
>

On Monday 10 August 2009 19:55:39 Rich Megginson wrote:
> > in PasswordFlow, the function
> >  op_shared_allow_pw_change()
> > change the password ignoring controls and evaluating proxy user access
> > permissions as a local user
>
> Thanks for debugging this.  So the problem is that
> slapi_acl_check_mods() at line 945 is failing?
I got slapi_acl_check_mods()   on line 934
fds release is fedora-ds-base-1.1.2

the difference is that 
> > in StandardFlow, all the controls are evaluated and the proxy_dn is
set
in PasswordFlow the controls are not evaluated

Peace, 
R.
-- 

Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"Il seguente messaggio contiene informazioni riservate. Qualora questo 
messaggio fosse da Voi ricevuto per errore, Vogliate cortesemente darcene 
notizia a mezzo e-mail. Vi sollecitiamo altresì a distruggere il messaggio 
erroneamente ricevuto. Quanto precede Vi viene chiesto ai fini del rispetto 
della legge in materia di protezione dei dati personali."

Roberto Polli wrote:
> On Monday 10 August 2009 19:55:39 Rich Megginson wrote:
>   
>>> in PasswordFlow, the function
>>>  op_shared_allow_pw_change()
>>> change the password ignoring controls and evaluating proxy user
access
>>> permissions as a local user
>>>       
>> Thanks for debugging this.  So the problem is that
>> slapi_acl_check_mods() at line 945 is failing?
>>     
> I got slapi_acl_check_mods()   on line 934
> fds release is fedora-ds-base-1.1.2
>
> the difference is that 
>   
>>> in StandardFlow, all the controls are evaluated and the proxy_dn is
set
>>>       
> in PasswordFlow the controls are not evaluated
>
> Peace, 
> R.
>   
Thanks - I think this is a bug - please file a bug about this issue.