
Ticket 47653 - Need a way to allow users to create entries assigned to themselves

Bug Description:  There are cases where users need to be able to create, edit and delete
                  their own entries.  Using an ACI with the "userattr" keyword does not
                  work with ADD operations (to prevent a security hole).  This prevents IPA's
                  OTP plugin from performing some necessary operations.

Fix Description:  Added a new config attribute "nsslapd-access-userattr-strict".  The default
                  is "on" or strict.  For the IPA case, it would need to be set to "off" in
                  order to allow the desired behavior.

https://fedorahosted.org/389/ticket/47653

Reviewed by: nhosoi(Thanks!)
Mark Reynolds 12 жил өмнө
parent
commit
a9cd4e78f1

+ 1 - 0
ldap/ldif/template-dse.ldif.in

@@ -33,6 +33,7 @@ nsslapd-validate-cert: warn
 nsslapd-allow-unauthenticated-binds: off
 nsslapd-require-secure-binds: off
 nsslapd-allow-anonymous-access: on
+nsslapd-access-userattr-strict: on
 nsslapd-localssf: 71
 nsslapd-minssf: 0
 nsslapd-port: %ds_port%

+ 7 - 4
ldap/servers/plugins/acl/acllas.c

@@ -1170,6 +1170,7 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 	char			*attrs[2] = { LDAP_ALL_USER_ATTRS, NULL };
 	lasInfo			lasinfo;
 	int				got_undefined = 0;
+	int				userattr_strict;
 
 	if ( 0 !=  (rc = __acllas_setup (errp, attr_name, comparator, 0, /* Don't allow range comparators */
 									attr_pattern,cachable,LAS_cookie,
@@ -1265,6 +1266,8 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 
 	slapi_log_error( SLAPI_LOG_ACL, plugin_name,"Attr:%s\n" , attrName);
 	matched = ACL_FALSE;
+	userattr_strict = config_get_access_userattr_strict();
+
 	for (i=0; i < numOflevels; i++) {
 		if ( levels[i] == 0 ) {
 			Slapi_Value *sval=NULL;
@@ -1276,10 +1279,10 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 			 * must never be allowed to grant access--
 			 * This is because access would be granted based on a value
 		 	 * of an attribute in the new entry--security hole.
-			 * 
-			*/
-
-			if ( lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
+		 	 *
+		 	 * There are valid cases where we want to allow this, or be less strict.
+			 */
+			if ( userattr_strict && lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
 				slapi_log_error( SLAPI_LOG_ACL, plugin_name,
 					"ACL info: userdnAttr does not allow ADD permission at level 0.\n");
 				got_undefined = 1;
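Review bot: With `userattr_strict` off, the new condition `if ( userattr_strict && lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD)` lets an ADD at level 0 be granted on a value of an attribute in the entry being added — the very case the comment above calls a security hole — and nothing is logged on that path, so the ACL log gives an administrator no trace that the relaxed rule was applied. Consider an else branch for `SLAPI_OPERATION_ADD` that logs at `SLAPI_LOG_ACL`, e.g. `"ACL info: userdnAttr ADD permission at level 0 allowed because nsslapd-access-userattr-strict is off.\n"`. The value comes from the global frontend config, so switching it off relaxes every ACI evaluated through this function server-wide, not only the entries IPA needs; the comment should say so: `* Turning nsslapd-access-userattr-strict off relaxes this for every ACI evaluated here, server-wide.`. The if body and DS_LASUserDnAttrEval continue outside the hunk.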

+ 39 - 0
ldap/servers/slapd/libglobs.c

@@ -265,6 +265,7 @@ slapi_onoff_t init_plugin_logging;
 slapi_int_t init_connection_buffer;
 slapi_int_t init_listen_backlog_size;
 slapi_onoff_t init_ignore_time_skew;
+slapi_onoff_t init_access_userattr_strict;
 #ifdef MEMPOOL_EXPERIMENTAL
 slapi_onoff_t init_mempool_switch;
 #endif
@@ -273,6 +274,7 @@ slapi_onoff_t init_mempool_switch;
 #define DEFAULT_ALLOW_ANON_ACCESS "on"
 #define DEFAULT_VALIDATE_CERT "warn"
 #define DEFAULT_UNHASHED_PW_SWITCH "on"
+#define DEFAULT_ACCESS_USERATTR_STRICT "on"
 
 static int
 isInt(ConfigVarType type)
@@ -954,6 +956,12 @@ static struct config_get_and_set {
 		CONFIG_SPECIAL_ANON_ACCESS_SWITCH,
 		(ConfigGetFunc)config_get_anon_access_switch,
 		DEFAULT_ALLOW_ANON_ACCESS},
+	{CONFIG_ACCESS_USERATTR_STRICT, config_set_access_userattr_strict,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.access_userattr_strict,
+		CONFIG_ON_OFF,
+		(ConfigGetFunc)config_get_access_userattr_strict,
+		&init_access_userattr_strict},
 	{CONFIG_LOCALSSF_ATTRIBUTE, config_set_localssf,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.localssf,
@@ -1519,6 +1527,7 @@ FrontendConfig_init () {
   init_plugin_logging = cfg->plugin_logging = LDAP_OFF;
   init_listen_backlog_size = cfg->listen_backlog_size = DAEMON_LISTEN_SIZE;
   init_ignore_time_skew = cfg->ignore_time_skew = LDAP_OFF;
+  init_access_userattr_strict = cfg->access_userattr_strict = LDAP_ON;
 #ifdef MEMPOOL_EXPERIMENTAL
   init_mempool_switch = cfg->mempool_switch = LDAP_ON;
   cfg->mempool_maxfreelist = 1024;
@@ -6672,6 +6681,36 @@ config_set_force_sasl_external( const char *attrname, char *value,
 	return retVal;
 }
 
+int
+config_set_access_userattr_strict( const char *attrname, char *value,
+		char *errorbuf, int apply )
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->access_userattr_strict),
+		errorbuf,
+		apply);
+
+	return retVal;
+}
+
+int
+config_get_access_userattr_strict(void)
+{
+	int retVal;
+
+
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+	CFG_ONOFF_LOCK_READ(slapdFrontendConfig);
+	retVal = (int)slapdFrontendConfig->access_userattr_strict;
+	CFG_ONOFF_UNLOCK_READ(slapdFrontendConfig);
+
+	return retVal;
+}
+
 int
 config_get_entryusn_global(void)
 {
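Review bot: `config_set_access_userattr_strict` and `config_get_access_userattr_strict` carry no comment saying what the switch controls, and since turning it off relaxes an ACL check the setter deserves one: `/* nsslapd-access-userattr-strict: "on" (default) stops a userattr ACI from granting ADD at level 0; "off" allows it server-wide */`. The macro `DEFAULT_ACCESS_USERATTR_STRICT` added in the earlier hunk is referenced neither by the table entry, which passes `&init_access_userattr_strict` as its default, nor by `FrontendConfig_init`, which assigns `LDAP_ON` directly — unless it is used elsewhere it is dead. Minor style: in the getter `int retVal;` is followed by two blank lines, and in the setter `retVal` is initialised to `LDAP_SUCCESS` only to be overwritten; `return config_set_onoff(attrname, value, &(slapdFrontendConfig->access_userattr_strict), errorbuf, apply);` would do.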

+ 2 - 0
ldap/servers/slapd/proto-slap.h

@@ -401,6 +401,7 @@ int config_set_return_orig_type_switch(const char *attrname, char *value, char *
 int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_listen_backlog_size(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_ignore_time_skew(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_access_userattr_strict( const char *attrname, char *value, char *errorbuf, int apply );
 
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
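Review bot: The new prototype `int config_set_access_userattr_strict( const char *attrname, char *value, char *errorbuf, int apply );` puts spaces inside the parentheses, while the two declarations directly above it (`config_set_listen_backlog_size`, `config_set_ignore_time_skew`) write `(const char *attrname, ..., int apply)`; a new declaration should follow its neighbours. The same applies to the definition in libglobs.c.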
@@ -577,6 +578,7 @@ int config_get_plugin_logging();
 int config_set_connection_nocanon(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_plugin_logging(const char *attrname, char *value, char *errorbuf, int apply);
 int config_get_listen_backlog_size(void);
+int config_get_access_userattr_strict(void);
 
 PLHashNumber hashNocaseString(const void *key);
 PRIntn hashNocaseCompare(const void *v1, const void *v2);

+ 2 - 0
ldap/servers/slapd/slap.h

@@ -2012,6 +2012,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
 #define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
 #define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
+#define CONFIG_ACCESS_USERATTR_STRICT "nsslapd-access-userattr-strict"
 #define CONFIG_LOCALSSF_ATTRIBUTE "nsslapd-localssf"
 #define CONFIG_MINSSF_ATTRIBUTE "nsslapd-minssf"
 #define CONFIG_MINSSF_EXCLUDE_ROOTDSE "nsslapd-minssf-exclude-rootdse"
@@ -2392,6 +2393,7 @@ typedef struct _slapdFrontendConfig {
   slapi_onoff_t connection_nocanon; /* if "on" sets LDAP_OPT_X_SASL_NOCANON */
   slapi_onoff_t plugin_logging; /* log all internal plugin operations */
   slapi_onoff_t ignore_time_skew;
+  slapi_onoff_t access_userattr_strict;
 } slapdFrontendConfig_t;
 
 /* possible values for slapdFrontendConfig_t.schemareplace */
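Review bot: The new member `access_userattr_strict` has no trailing comment, unlike `connection_nocanon` and `plugin_logging` beside it, so a reader of slap.h cannot tell that it gates an ACL decision; suggest `slapi_onoff_t access_userattr_strict; /* "off" lets a userattr ACI grant ADD at level 0; see acllas.c */`. In the first hunk the attribute-name macro is `CONFIG_ACCESS_USERATTR_STRICT` while its neighbours end in `_ATTRIBUTE` (`CONFIG_ANON_ACCESS_ATTRIBUTE`, `CONFIG_LOCALSSF_ATTRIBUTE`); `CONFIG_ACCESS_USERATTR_STRICT_ATTRIBUTE` would follow the convention, with the use in the libglobs.c table renamed to match.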