Bug 675866

Summary: preventryusn gets added to entries on a failed delete
Product: Red Hat Enterprise Linux 6 Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-baseAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.1CC: amsharma, benl, dpal, jgalipea, rcritten
Target Milestone: rcKeywords: screened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.2.8-0.3.a3.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 675265 Environment:
Last Closed: 2011-05-19 08:41:18 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 676871    

Description Noriko Hosoi 2011-02-07 20:32:31 EST
Description of problem:
Rob Crittenden 2011-02-04 13:23:38 EST

Description of problem:

An entry that is attempted to be removed but fails due to lack of permissions
gets the attribute preventryusn added. This causes objectclass violations
later, logging:

Entry "uid=mightym,cn=users,cn=accounts,dc=greyoak,dc=com" -- attribute
"preventryusn" not allowed

Version-Release number of selected component (if applicable):

389-ds-base-1.2.8-0.1.a1.fc14.x86_64

Steps to Reproduce:
1. Add an entry, I created a user in FreeIPA
2. Delete the entry binding as someone withouth delete permissions
3. ldapsearch will show that preventryusn was added.

Created attachment 477486 [details]
git patch file (master)

Description: When an entry is deleted with Entry USN plugin enabled,
an operational attribute preventryusn is added to handle indexes and
entryusn tombstone.  The attribute must have been added only when
the delete was successful, but it was added regardless of the result
from the operation.  This patch checks the delete result in the
newly added entryusn delete bepost plugin (usn_bepostop_delete).
If it is not successful, the bepost plugin cleans up the attribute.
Comment 3 Amita Sharma 2011-04-14 10:00:45 EDT
Hi,

Tested this bug, steps are as below :
1. ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-entryusn-global
> nsslapd-entryusn-global: on
> EOF
modifying entry "cn=config"

2.ldapsearch -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep -i ENTRYUSN
nsslapd-entryusn-global: on

3. Added one entry :
ldapmodify -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=amita,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetorgperson
sn: testkrbuser
cn: kkk testkrbuser
userPassword: redhat
EOF

adding new entry "uid=amita,ou=people,dc=example,dc=com"

4. Added another entry which will be used for deletion -
dn: uid=test11,dc=example,dc=com
mail: test11@redhat.com
uid: test11
givenName: test11
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: ntUser
objectClass: inetuser
objectClass: organizationalPerson
sn: test11
cn: rrr test11
ntUserCreateNewAccount: true
ntUserDomainId: test11
ntUserDeleteAccount: true
userPassword:: e1NTSEF9UUdFc29jcEJ6QlZjcG5RaUFrbHgzd3l4MUl2RWZRWXJpVnVaMEE9PQ=
 =
telephoneNumber: 989898191

5. ldapdelete -x -h localhost -p 1389 -D "uid=amita,ou=people,dc=example,dc=com" -w redhat uid=test11,dc=example,dc=com
ldap_delete: Insufficient access (50)
	additional info: Insufficient 'delete' privilege to delete the entry 'uid=test11,dc=example,dc=com'.

6. ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "dc=example,dc=com"
# test11, example.com
dn: uid=test11,dc=example,dc=com
mail: test11@redhat.com
uid: test11
givenName: test11
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: ntUser
objectClass: inetuser
objectClass: organizationalPerson
sn: test11
cn: rrr test11
ntUserCreateNewAccount: true
ntUserDomainId: test11
ntUserDeleteAccount: true
userPassword:: e1NTSEF9UUdFc29jcEJ6QlZjcG5RaUFrbHgzd3l4MUl2RWZRWXJpVnVaMEE9PQ=
 =
telephoneNumber: 989898191

preventryusn is not added.
Hence bug is tested OK. Marking it as VERIFIED.

-Amita Sharma
Comment 4 errata-xmlrpc 2011-05-19 08:41:18 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0533.html