Unfortunately, the problem still exists, but it is more clearly understood. The problem is caused by CR 4622166, which points to an issue with parsing LDAP entries. The entries in exec_attr corresponding to CDE actions are not being parsed correctly. The exec_attr(4) man page states:

    If the Trusted Extensions feature is configured and the profile entry type is act, the id is either the fully qualified name of a CDE action, or an asterisk (*) representing a wildcard. A fully qualified CDE action is specified using the action name and four additional semicolon-separated fields. For example:

        All Actions:solaris:act:::*;*;*;*;*:

The semicolon is a special character to LDAP and must be escaped with a backslash. The ldapaddent command currently does not handle this correctly. If you are not using CDE, you can simply remove all the CDE actions from exec_attr. If you are willing to do the work, you can get around the problem by hand-editing the LDIF and escaping the semicolons with a backslash:

    % ldaplist -l prof_attr 'Test Profile'
    dn: cn=Test Profile,ou=SolarisProfAttr,dc=sun,dc=com
    objectClass: SolarisProfAttr
    objectClass: top
    cn: Test Profile
    SolarisAttrKeyValue: help=TestProfile.html
    SolarisAttrLongDesc: Special profile for testing

    dn: cn=Test Profile+SolarisKernelSecurityPolicy=solaris+SolarisProfileType=act+SolarisProfileId=TestAction\;*\;*\;*\;*,ou=SolarisProfAttr,dc=sun,dc=com
    objectClass: top
    objectClass: SolarisProfAttr
    objectClass: SolarisExecAttr
    cn: Test Profile
    SolarisKernelSecurityPolicy: solaris
    SolarisProfileType: act
    SolarisProfileId: TestAction;*;*;*;*
    SolarisAttrReserved1:
    SolarisAttrReserved2:
    SolarisAttrKeyValue: privs=zone

This message posted from opensolaris.org
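
The hand edit described above can be scripted. The following is an added example, not part of the original post or of any Solaris tool: the function name escape_dn_semicolons is hypothetical, and the sample LDIF is constructed from the listing in the post with the DN semicolons left unescaped. It rewrites only dn: lines, so the SolarisProfileId attribute value keeps its plain semicolons, as in the listing.

```python
import re

# Constructed sample: an exec_attr entry for a CDE action as LDIF with the
# semicolons in the DN left unescaped (the form the post says needs fixing).
SAMPLE_LDIF = """\
dn: cn=Test Profile+SolarisKernelSecurityPolicy=solaris+SolarisProfileType=act+SolarisProfileId=TestAction;*;*;*;*,ou=SolarisProfAttr,dc=sun,dc=com
objectClass: top
objectClass: SolarisProfAttr
objectClass: SolarisExecAttr
cn: Test Profile
SolarisKernelSecurityPolicy: solaris
SolarisProfileType: act
SolarisProfileId: TestAction;*;*;*;*
SolarisAttrKeyValue: privs=zone
"""

# A run of backslashes followed by a semicolon. An even-length run means the
# semicolon itself has not been escaped yet.
_SEMI = re.compile(r"(\\*);")


def _escape(match):
    slashes = match.group(1)
    if len(slashes) % 2 == 0:
        return slashes + "\\;"
    return match.group(0)  # already escaped, leave as is


def escape_dn_semicolons(ldif_text):
    """Escape bare semicolons in 'dn:' lines only; attribute values are untouched."""
    # Unfold LDIF continuation lines (newline followed by one space) first so
    # a wrapped DN is handled as a single value.
    unfolded = re.sub(r"\n ", "", ldif_text)
    out = []
    for line in unfolded.splitlines():
        # 'dn::' introduces a base64-encoded DN, which must not be edited as text.
        if line.startswith("dn:") and not line.startswith("dn::"):
            line = "dn:" + _SEMI.sub(_escape, line[3:])
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(escape_dn_semicolons(SAMPLE_LDIF), end="")
```

Running the function a second time on its own output changes nothing, so it is safe to apply to LDIF that has already been partly hand-edited.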