Bug 675866
| Summary: | preventryusn gets added to entries on a failed delete | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Noriko Hosoi <nhosoi> |
| Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.1 | CC: | amsharma, benl, dpal, jgalipea, rcritten |
| Target Milestone: | rc | Keywords: | screened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.2.8-0.3.a3.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 675265 | Environment: | |
| Last Closed: | 2011-05-19 12:41:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 676871 | ||
Hi,
Tested this bug, steps are as below :
1. ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-entryusn-global
> nsslapd-entryusn-global: on
> EOF
modifying entry "cn=config"
2.ldapsearch -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep -i ENTRYUSN
nsslapd-entryusn-global: on
3. Added one entry :
ldapmodify -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=amita,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetorgperson
sn: testkrbuser
cn: kkk testkrbuser
userPassword: redhat
EOF
adding new entry "uid=amita,ou=people,dc=example,dc=com"
4. Added another entry which will be used for deletion -
dn: uid=test11,dc=example,dc=com
mail: test11
uid: test11
givenName: test11
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: ntUser
objectClass: inetuser
objectClass: organizationalPerson
sn: test11
cn: rrr test11
ntUserCreateNewAccount: true
ntUserDomainId: test11
ntUserDeleteAccount: true
userPassword:: e1NTSEF9UUdFc29jcEJ6QlZjcG5RaUFrbHgzd3l4MUl2RWZRWXJpVnVaMEE9PQ=
=
telephoneNumber: 989898191
5. ldapdelete -x -h localhost -p 1389 -D "uid=amita,ou=people,dc=example,dc=com" -w redhat uid=test11,dc=example,dc=com
ldap_delete: Insufficient access (50)
additional info: Insufficient 'delete' privilege to delete the entry 'uid=test11,dc=example,dc=com'.
6. ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "dc=example,dc=com"
# test11, example.com
dn: uid=test11,dc=example,dc=com
mail: test11
uid: test11
givenName: test11
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: ntUser
objectClass: inetuser
objectClass: organizationalPerson
sn: test11
cn: rrr test11
ntUserCreateNewAccount: true
ntUserDomainId: test11
ntUserDeleteAccount: true
userPassword:: e1NTSEF9UUdFc29jcEJ6QlZjcG5RaUFrbHgzd3l4MUl2RWZRWXJpVnVaMEE9PQ=
=
telephoneNumber: 989898191
preventryusn is not added.
Hence bug is tested OK. Marking it as VERIFIED.
-Amita Sharma
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2011-0533.html |
Description of problem: Rob Crittenden 2011-02-04 13:23:38 EST Description of problem: An entry that is attempted to be removed but fails due to lack of permissions gets the attribute preventryusn added. This causes objectclass violations later, logging: Entry "uid=mightym,cn=users,cn=accounts,dc=greyoak,dc=com" -- attribute "preventryusn" not allowed Version-Release number of selected component (if applicable): 389-ds-base-1.2.8-0.1.a1.fc14.x86_64 Steps to Reproduce: 1. Add an entry, I created a user in FreeIPA 2. Delete the entry binding as someone withouth delete permissions 3. ldapsearch will show that preventryusn was added. Created attachment 477486 [details] git patch file (master) Description: When an entry is deleted with Entry USN plugin enabled, an operational attribute preventryusn is added to handle indexes and entryusn tombstone. The attribute must have been added only when the delete was successful, but it was added regardless of the result from the operation. This patch checks the delete result in the newly added entryusn delete bepost plugin (usn_bepostop_delete). If it is not successful, the bepost plugin cleans up the attribute.