Bug 675265

Summary: preventryusn gets added to entries on a failed delete
Product: [Retired] 389
Component: Directory Server
Version: 1.2.8
Status: CLOSED CURRENTRELEASE
Priority: high
Severity: unspecified
Reporter: Rob Crittenden <rcritten>
Assignee: Noriko Hosoi <nhosoi>
QA Contact: Viktor Ashirov <vashirov>
CC: amsharma, nhosoi, rmeggins
Doc Type: Bug Fix
Clones: 675866, 677467
Bug Blocks: 639035, 656390, 677467
Last Closed: 2015-12-07 16:35:35 UTC

Attachments:
git patch file (master) -- nkinder: review+

Description Rob Crittenden 2011-02-04 18:23:38 UTC
Description of problem:

An entry that is attempted to be removed but fails due to lack of permissions gets the attribute preventryusn added. This causes objectclass violations later, logging:

Entry "uid=mightym,cn=users,cn=accounts,dc=greyoak,dc=com" -- attribute "preventryusn" not allowed

Version-Release number of selected component (if applicable):

389-ds-base-1.2.8-0.1.a1.fc14.x86_64

Steps to Reproduce:
1. Add an entry, I created a user in FreeIPA
2. Delete the entry binding as someone without delete permissions
3. ldapsearch will show that preventryusn was added.

Comment 1 Noriko Hosoi 2011-02-07 19:28:09 UTC
Created attachment 477486 [details]
git patch file (master)

Description: When an entry is deleted with Entry USN plugin enabled,
an operational attribute preventryusn is added to handle indexes and
entryusn tombstone.  The attribute must have been added only when
the delete was successful, but it was added regardless of the result
from the operation.  This patch checks the delete result in the
newly added entryusn delete bepost plugin (usn_bepostop_delete).
If it is not successful, the bepost plugin cleans up the attribute.

Comment 2 Noriko Hosoi 2011-02-07 19:52:08 UTC
Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge usn
Updating e259dce..10f6c0e
Fast-forward
 ldap/servers/plugins/usn/usn.c             |   44 +++++++++++++++++++++++++++-
 ldap/servers/slapd/back-ldbm/ldbm_delete.c |   37 +++++++++++++++++++----
 ldap/servers/slapd/slapi-plugin.h          |    1 +
 3 files changed, 74 insertions(+), 8 deletions(-)

$ git push
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 1.82 KiB, done.
Total 11 (delta 8), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   e259dce..10f6c0e  master -> master

Comment 3 Noriko Hosoi 2011-02-08 01:26:40 UTC
Pushed to 389-ds-base-1.2.8, as well.

$ git cherry-pick 10f6c0e14b52db8e5eaa73016456f41ede9702e6
Finished one cherry-pick.
[ds128-local e87f581] Bug 675265 - preventryusn gets added to entries on a failed delete
 3 files changed, 74 insertions(+), 8 deletions(-)

$ git push origin ds128-local:389-ds-base-1.2.8
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 1.83 KiB, done.
Total 11 (delta 8), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   e259dce..e87f581  ds128-local -> 389-ds-base-1.2.8

Comment 5 Amita Sharma 2011-06-07 13:00:04 UTC
[root@rhel61 slapd-rhel61]# ldapdelete -x -h localhost -p 389 -D "uid=vlebaron1,ou=people,dc=example,dc=com" -w test "uid=joshinski2,ou=people,dc=example,dc=com"
ldap_delete: Insufficient access (50)
	additional info: Insufficient 'delete' privilege to delete the entry 'uid=JOshinski2,ou=people,dc=example,dc=com'.

[root@rhel61 slapd-rhel61]# ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "uid=joshinski2,ou=people,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=joshinski2,ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# JOshinski2, people, example.com
dn: uid=JOshinski2,ou=people,dc=example,dc=com
roomNumber: 2059
employeeType: Peon
homePhone: +1 804 272-4415
givenName: Joon
mobile: +1 415 498-9138
userCertificate;binary:: MIIBvjCCASegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAnMQ8wDQYDV
 QQDEwZjb25maWcxFDASBgNVBAMTC01NUiBDQSBDZXJ0MB4XDTAxMDQwNTE1NTEwNloXDTExMDcwNT
 E1NTEwNlowIzELMAkGA1UEChMCZnIxFDASBgNVBAMTC01NUiBTMSBDZXJ0MIGfMA0GCSqGSIb3DQE
 BAQUAA4GNADCBiQKBgQDNlmsKEaPD+o3mAUwmW4E40MPs7aiui1YhorST3KzVngMqe5PbObUHMeJN
 7CLbq9SjXvdB3y2AoVl/s5UkgGz8krmJ8ELfUCU95AQls321RwBdLRjioiQ3MGJiFjxwYRIVj1CUT
 uX1y8dC7BWvZ1/EB0yv0QDtp2oVMUeoK9/9sQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBADevhxY6Qy
 DMK3Mnr7vLGe/HWEZCObF+qEo2zWScGH0Q+dAmhkCCkNeHJoqGN4NWjTdnBcGaAr5Y85k1o/vOAMB
 sZePbYx4SrywL0b/OkOmQX+mQwieC2IQzvaBRyaNMh309vrF4w5kExReKfjR/gXpHiWQzGSxC5LeQ
 G4k3IP34
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
facsimileTelephoneNumber: +1 804 613-9414
ou: Payroll
departmentNumber: 7460
mail: Joon_Oshinski
uid: JOshinski2
cn: Joon Oshinski
initials: J. O.
telephoneNumber: +1 818 460-3369
carLicense: C7J7LM7
pager: +1 303 344-3697
manager: cn=Ken Anderson
l: San Francisco
postalAddress: 658,  Dept #922, Room#Payroll
description: 2;3569;CN=Red Hat CS 71GA Demo,O=Red Hat CS 71GA Demo,C=US;CN=RHC
 S Agent - admin01,UID=admin01,O=redhat,C=US [1] This is Joon Oshinski's descr
 iption.
sn: Oshinski
secretary: cn=Aime Huhn
title: Junior Payroll Guru
userPassword:: e1NTSEF9TEtydjB5YXpFT1VmaUkvMmo5OFROQVNvd3FpQ3V5YlJ1eDZSQnc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[root@rhel61 slapd-rhel61]# ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "uid=joshinski2,ou=people,dc=example,dc=com" | grep preventryusn
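The verification in the last comment pipes the raw ldapsearch output through grep. As an added example (not code from this bug report or from 389-ds-base), the following Python script performs the same check on a parsed LDIF record instead: it unfolds continuation lines, decodes `::` base64 values and matches the attribute name case-insensitively, so a folded or differently cased `preventryusn` cannot slip past it. The two LDIF dumps embedded in the script are constructed from the entry shown above; the second one is a constructed copy with a placeholder `prevEntryUSN` value to show what the pre-fix state described in the report looks like to the checker.

```python
"""Check an ldapsearch LDIF dump for a leftover preventryusn attribute.

Added example; not code from the bug report or from 389-ds-base. It parses
LDIF the way ldapsearch prints it (folded continuation lines, '::' base64
values, '#' comments, attribute options such as ';binary') so the check is
not fooled by line folding or attribute-name case, which a plain grep is.
"""
import base64

# Constructed sample: the entry from the verification above, abbreviated and
# folded as ldapsearch prints it. This is the post-fix state: no preventryusn.
LDIF_AFTER_FIX = """\
# extended LDIF
#
# LDAPv3
# base <uid=joshinski2,ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# JOshinski2, people, example.com
dn: uid=JOshinski2,ou=people,dc=example,dc=com
givenName: Joon
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: JOshinski2
cn: Joon Oshinski
sn: Oshinski
userPassword:: e1NTSEF9TEtydjB5YXpFT1VmaUkvMmo5OFROQVNvd3FpQ3V5YlJ1eDZSQnc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed sample of the pre-fix state described in the report: the same
# entry with the operational attribute left behind by a denied delete.
# Mixed-case name on purpose (LDAP attribute names are case-insensitive);
# the USN value is a constructed placeholder.
LDIF_BEFORE_FIX = LDIF_AFTER_FIX.replace(
    "sn: Oshinski\n", "sn: Oshinski\nprevEntryUSN: 12\n")


def unfold(text):
    """Join LDIF continuation lines: a line beginning with one space
    continues the previous line (RFC 2849)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return the entries of an ldapsearch dump as a list of dicts.

    Keys are lower-cased attribute descriptions (options like ';binary'
    are kept), values are lists. '::' values are base64-decoded and
    returned as str when they are valid UTF-8, as bytes otherwise.
    Records without a dn (the trailing 'search:'/'result:' block) are dropped.
    """
    entries, record = [], {}
    for line in unfold(text) + [""]:        # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in record:
                entries.append(record)
            record = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            raw = base64.b64decode(value[1:].strip())
            try:
                value = raw.decode("utf-8")
            except UnicodeDecodeError:
                value = raw
        else:
            value = value.strip()
        record.setdefault(name.strip().lower(), []).append(value)
    return entries


def entries_with_attribute(entries, attr):
    """DNs of entries carrying attr, matched case-insensitively on the
    attribute's base name (options such as ';binary' are ignored)."""
    wanted = attr.lower()
    return [e["dn"][0] for e in entries
            if any(k.split(";")[0] == wanted for k in e)]


if __name__ == "__main__":
    for label, dump in (("after fix", LDIF_AFTER_FIX),
                        ("before fix", LDIF_BEFORE_FIX)):
        hits = entries_with_attribute(parse_ldif(dump), "preventryusn")
        print("%s: %s" % (label, hits or "no entry carries preventryusn"))
```

Run against a real dump, the script would read the output of the `ldapsearch` command shown above (bound as Directory Manager so operational attributes are returned) from a file or stdin in place of the embedded samples; an empty result for the post-fix server is the expected outcome, and any DN listed points at an entry that will later trip the "attribute preventryusn not allowed" objectclass violation from the original report.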