Re: [Freeipa-devel] [PATCH] 1056 sudorule cn uniqueness

2012-10-09 Thread Rob Crittenden

Martin Kosek wrote:

On 09/14/2012 05:13 PM, Rob Crittenden wrote:

Rob Crittenden wrote:

A sudorule dn uses ipaUniqueId as the cn so we have to do a search to
ensure uniqueness. This leaves us vulnerable to a race. Configure the
uniqueness plugin to ensure no dups.

rob


Add missing attribute to the fresh install ldif. I had already fixed this in
the update, missed it on fresh install.

rob



Works fine. Reproduced the issue with a simple ldapadd.

ACK if you change the whitespace error below:

# git apply /home/mkosek/freeipa-rcrit-1056-2-sudorule-uniqueness.patch
/home/mkosek/freeipa-rcrit-1056-2-sudorule-uniqueness.patch:70: new blank line at EOF.
+
warning: 1 line adds whitespace errors.

Martin



Fixed and pushed to master and ipa-3-0

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
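The race Rob describes above (two adds that each search first, find no entry with the name, and then both succeed) can be reproduced without a directory server. The following is an added illustration, not code from this thread, from FreeIPA or from 389-ds: a toy in-memory directory whose add serialises the uniqueness check with the insert, which is the property the preoperation uniqueness plugin gives, run beside the framework-style search-then-add. The `Directory` class, the `SUFFIX` value, the `ipaUniqueID=` RDN form and the barrier used to force the interleaving are all assumptions made for the example.

```python
import threading
import uuid

SUFFIX = "dc=example,dc=com"                   # assumed suffix for the example
SUDORULES = "cn=sudorules,cn=sudo," + SUFFIX   # the subtree named in the patch


class DuplicateEntry(Exception):
    """What the framework raises when its pre-add search finds the name."""


class ConstraintViolation(Exception):
    """Stand-in for LDAP result 19, which the uniqueness plugin returns."""


class Directory:
    """Toy in-memory directory (assumption, not a real LDAP backend).
    unique_attrs lists (attribute, subtree) pairs, modelling
    nsslapd-pluginarg0 / nsslapd-pluginarg1 from the plugin entry."""

    def __init__(self, unique_attrs=()):
        self._entries = {}
        self._lock = threading.Lock()
        self._unique = list(unique_attrs)

    def _under(self, dn, base):
        return dn.lower().endswith("," + base.lower())

    def search(self, base, attr, value):
        with self._lock:
            return [dn for dn, e in self._entries.items()
                    if self._under(dn, base) and e.get(attr) == value]

    def add(self, dn, entry):
        # The check and the insert run under one lock, so no second add
        # can slip in between them; that is what the plugin enforces
        # server-side and what a client-side search cannot.
        with self._lock:
            if dn in self._entries:
                raise ValueError("entryAlreadyExists")
            for attr, subtree in self._unique:
                if self._under(dn, subtree) and any(
                        self._under(d, subtree) and e.get(attr) == entry.get(attr)
                        for d, e in self._entries.items()):
                    raise ConstraintViolation(
                        "%s=%s already exists under %s" % (attr, entry.get(attr), subtree))
            self._entries[dn] = dict(entry)


def add_sudorule(directory, name, barrier=None):
    """Framework-style check-then-add. The optional barrier is a test aid
    that makes both callers finish their search before either adds."""
    if directory.search(SUDORULES, "cn", name):
        raise DuplicateEntry(name)
    if barrier is not None:
        barrier.wait()
    dn = "ipaUniqueID=%s,%s" % (uuid.uuid4(), SUDORULES)   # assumed RDN form
    directory.add(dn, {"cn": name, "objectClass": ["ipasudorule"]})
    return dn


def race(directory, name="test-rule"):
    """Add the same rule name from two threads at once. Returns the number
    of entries with that cn afterwards and the sorted exception names."""
    barrier = threading.Barrier(2)
    errors = []

    def worker():
        try:
            add_sudorule(directory, name, barrier)
        except Exception as exc:
            errors.append(type(exc).__name__)

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(directory.search(SUDORULES, "cn", name)), sorted(errors)


def demo():
    """Search-only check vs. server-enforced uniqueness on the same race."""
    search_only = race(Directory())
    with_plugin = race(Directory(unique_attrs=[("cn", SUDORULES)]))
    return search_only, with_plugin


if __name__ == "__main__":
    print(demo())   # ((2, []), (1, ['ConstraintViolation']))
```

With the search-only check both threads pass the search and two entries with the same cn end up under the container; with the uniqueness constraint enforced inside the add, exactly one succeeds and the other gets the constraint violation, which is the error the framework then has to turn into a readable duplicate-entry message.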


Re: [Freeipa-devel] [PATCH] 1056 sudorule cn uniqueness

2012-10-09 Thread Martin Kosek
On 09/14/2012 05:13 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> A sudorule dn uses ipaUniqueId as the cn so we have to do a search to
>> ensure uniqueness. This leaves us vulnerable to a race. Configure the
>> uniqueness plugin to ensure no dups.
>>
>> rob
> 
> Add missing attribute to the fresh install ldif. I had already fixed this in
> the update, missed it on fresh install.
> 
> rob
> 

Works fine. Reproduced the issue with a simple ldapadd.

ACK if you change the whitespace error below:

# git apply /home/mkosek/freeipa-rcrit-1056-2-sudorule-uniqueness.patch
/home/mkosek/freeipa-rcrit-1056-2-sudorule-uniqueness.patch:70: new blank line at EOF.
+
warning: 1 line adds whitespace errors.

Martin



Re: [Freeipa-devel] [PATCH] 1056 sudorule cn uniqueness

2012-09-14 Thread Rob Crittenden

Rob Crittenden wrote:

A sudorule dn uses ipaUniqueId as the cn so we have to do a search to
ensure uniqueness. This leaves us vulnerable to a race. Configure the
uniqueness plugin to ensure no dups.

rob


Add missing attribute to the fresh install ldif. I had already fixed 
this in the update, missed it on fresh install.


rob

From 2783dc65b80d1de1e69873f4b6efef45b470f3fd Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 13 Sep 2012 15:11:57 -0400
Subject: [PATCH] Add uniqueness plugin configuration for sudorule cn

We do a search looking for duplicate values but this leaves open the
possibility that two adds are happening at the same time so both
searches return NotFound therefore we get two entries with the same
cn value.

https://fedorahosted.org/freeipa/ticket/3017
---
 install/share/unique-attributes.ldif | 18 ++
 install/updates/10-uniqueness.update | 17 +
 install/updates/Makefile.am  |  1 +
 3 files changed, 36 insertions(+)
 create mode 100644 install/updates/10-uniqueness.update

diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 4537e7468ad69891565ccd51f7b67e9db8889857..0e680a0e45b455469f9be9555aed1e63f1d97faf 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -70,6 +70,24 @@ nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
 
+dn: cn=sudorule name uniqueness,cn=plugins,cn=config
+changetype: add
+objectClass: top
+objectClass: nsSlapdPlugin
+objectClass: extensibleObject
+cn: sudorule name uniqueness
+nsslapd-pluginDescription: Enforce unique attribute values
+nsslapd-pluginPath: libattr-unique-plugin
+nsslapd-pluginInitfunc: NSUniqueAttr_Init
+nsslapd-pluginType: preoperation
+nsslapd-pluginEnabled: on
+nsslapd-pluginarg0: cn
+nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
+nsslapd-plugin-depends-on-type: database
+nsslapd-pluginId: NSUniqueAttr
+nsslapd-pluginVersion: 1.1.0
+nsslapd-pluginVendor: Fedora Project
+
 #dn: cn=uid uniqueness,cn=plugins,cn=config
 #objectClass: top
 #objectClass: nsSlapdPlugin
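Review bot: the new `cn=sudorule name uniqueness` entry carries a `changetype: add` line, while the commented-out `cn=uid uniqueness` entry directly below it in the same file has none; confirm that the loader applying unique-attributes.ldif at fresh-install time accepts the changetype form, or drop the line so the entry matches the file's existing convention. Also, since the diffstat touches no framework code, the plugin's constraintViolation only surfaces in the race window where the search-based check has already passed; check that the framework maps that result to a readable duplicate-entry error rather than a generic LDAP failure.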
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
new file mode 100644
index ..33bd2fc09e12f52200de83b245b89e26ebf8af8e
--- /dev/null
+++ b/install/updates/10-uniqueness.update
@@ -0,0 +1,17 @@
+dn: cn=sudorule name uniqueness,cn=plugins,cn=config
+default:objectClass: top
+default:objectClass: nsSlapdPlugin
+default:objectClass: extensibleObject
+default:cn: sudorule name uniqueness
+default:nsslapd-pluginDescription: Enforce unique attribute values
+default:nsslapd-pluginPath: libattr-unique-plugin
+default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
+default:nsslapd-pluginType: preoperation
+default:nsslapd-pluginEnabled: on
+default:nsslapd-pluginarg0: cn
+default:nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
+default:nsslapd-plugin-depends-on-type: database
+default:nsslapd-pluginId: NSUniqueAttr
+default:nsslapd-pluginVersion: 1.1.0
+default:nsslapd-pluginVendor: Fedora Project
+
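Review bot: the trailing empty `+` line at the end of the new 10-uniqueness.update adds a blank line at EOF, which is the whitespace error `git apply` reported in the ACK; drop it. The `default:` prefix on every attribute is the right choice here, as it only supplies values the entry does not already carry and so leaves later local changes to the plugin entry alone on upgrade.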
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 9e068966530d897fe18802c9dfa13406aeb3b010..54e57ef3e441e5f2f4ce0a6af97d6856506df8f8 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -11,6 +11,7 @@ app_DATA =\
 	10-sudo.update			\
 	10-ssh.update			\
 	10-bind-schema.update		\
+	10-uniqueness.update		\
 	19-managed-entries.update	\
 	20-aci.update			\
 	20-dna.update			\
-- 
1.7.11.4
