Bug 742163
| Summary: | Overlay constraint with count option work bad with modify operation | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | David Spurek <dspurek> | ||||||||||||||||||
| Component: | openldap | Assignee: | Jan Synacek <jsynacek> | ||||||||||||||||||
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||||||||||||||||
| Severity: | high | Docs Contact: | |||||||||||||||||||
| Priority: | high | ||||||||||||||||||||
| Version: | 6.2 | CC: | dspurek, ebenes, jplans, jvcelak, omoris, ovasik | ||||||||||||||||||
| Target Milestone: | rc | Keywords: | Patch | ||||||||||||||||||
| Target Release: | --- | ||||||||||||||||||||
| Hardware: | Unspecified | ||||||||||||||||||||
| OS: | Unspecified | ||||||||||||||||||||
| Whiteboard: | |||||||||||||||||||||
| Fixed In Version: | openldap-2.4.23-21.el6 | Doc Type: | Bug Fix | ||||||||||||||||||
| Doc Text: |
- openldap server is running with 'constraint' overlay enabled and 'count' restriction configured. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
- openldap server doesn't react with a count violation error
- applied a patch that fixes the count overlay
- 'count' restriction in 'constraint' overlay now works properly
|
Story Points: | --- | ||||||||||||||||||
| Clone Of: | |||||||||||||||||||||
| : | 795766 (view as bug list) | Environment: | |||||||||||||||||||
| Last Closed: | 2012-06-20 07:29:02 UTC | Type: | --- | ||||||||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||||||||
| Documentation: | --- | CRM: | |||||||||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||||||||
| Embargoed: | |||||||||||||||||||||
| Bug Depends On: | |||||||||||||||||||||
| Bug Blocks: | 795766 | ||||||||||||||||||||
| Attachments: |
|
||||||||||||||||||||
Created attachment 525496 [details]
data.ldif
Jan, do you think that this bug could have an important impact in 6.2.0? May be we should consider proposing an exception for this and include it in 6.2.0. However, I am not sure if it might cause anything serious. Found the problem. The constraint validator verifies operations one by one, therefore this violation is catched: dn: cn=usr2, dc=my-domain,dc=com add: description description: check description: constraint count description: with modify And this is not: dn: cn=usr2, dc=my-domain,dc=com add: description description: check - add: description description: constraint count - add: description description: with modify Created attachment 560260 [details]
Fixes constraint (count) problem
I attached a patch that should fix the problems mentioned above. Created attachment 560469 [details]
Constraint count patch
Revised and fixed the last patch, which has been causing slapd to loop forever.
Comment on attachment 560469 [details]
Constraint count patch
patch looks good, but there are still some problems (I will attach some tests)
Created attachment 560577 [details]
simple test cases
run with ./run_test.sh
(optionally set SLAPD and SLAPADD environmental variables before)
== results with old version ==
Operations with expected success.
[t_ok_01.ldif] OK
[t_ok_02.ldif] OK
[t_ok_03.ldif] OK
[t_ok_04.ldif] OK
[t_ok_05.ldif] OK
[t_ok_06.ldif] OK
[t_ok_07.ldif] FAIL
[t_ok_08.ldif] FAIL
[t_ok_09.ldif] FAIL
[t_ok_10.ldif] FAIL
Operations with expected failure.
[t_fail_01.ldif] FAIL
[t_fail_02.ldif] FAIL
[t_fail_03.ldif] OK
[t_fail_04.ldif] OK
[t_fail_05.ldif] OK
[t_fail_06.ldif] FAIL
[t_fail_07.ldif] FAIL
== results with patched version ==
Operations with expected success.
[t_ok_01.ldif] OK
[t_ok_02.ldif] OK
[t_ok_03.ldif] OK
[t_ok_04.ldif] OK
[t_ok_05.ldif] OK
[t_ok_06.ldif] FAIL
[t_ok_07.ldif] FAIL
[t_ok_08.ldif] FAIL
[t_ok_09.ldif] OK
[t_ok_10.ldif] OK
Operations with expected failure.
[t_fail_01.ldif] FAIL
[t_fail_02.ldif] FAIL
[t_fail_03.ldif] FAIL
[t_fail_04.ldif] FAIL
[t_fail_05.ldif] FAIL
[t_fail_06.ldif] OK
[t_fail_07.ldif] FAIL
Created attachment 561537 [details]
Constraint count patch
Fixed the previous patch. It should work as intended now. Created attachment 561553 [details]
Constraint count patch
Additional tweaks.
Created attachment 562235 [details]
Constraint count patch
Some more patch tweaking.
Comment on attachment 562235 [details]
Constraint count patch
looks good, works fine (my tests are passning)
Patch proposed upstream: http://www.openldap.org/its/index.cgi?findid=7168
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
- 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
- openldap server doesn't react with a count violation error
- applied a patch that fixes the count overlay
- count overlay now works properly
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1,4 +1,4 @@
-- 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
+- openldap server is running with count constraint overlay enabled. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
- openldap server doesn't react with a count violation error
- applied a patch that fixes the count overlay
- count overlay now works properly
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1,4 +1,4 @@
-- openldap server is running with count constraint overlay enabled. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
+- openldap server is running with 'constraint' overlay enabled and 'count' restriction configured. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
- openldap server doesn't react with a count violation error
- applied a patch that fixes the count overlay
-- count overlay now works properly+- 'count' restriction in 'constraint' overlay now works properly
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0899.html |
Created attachment 525495 [details] Slapd configuration file Description of problem: Overlay constraint with count option work bad with modify operation. When I add more then permitted attribute values with ldapmodify, the operation is success. With ldapadd works well. Version-Release number of selected component (if applicable): openldap-servers-2.4.23-19.el6 How reproducible: always Steps to Reproduce: 1.slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ (slapd.conf is in attachement) 2.slapadd -l data.ldif (data.ldif is in attachement) 3.Test modify operation Content of count_modify.ldif: dn: cn=usr2, dc=my-domain,dc=com add: description description: check - add: description description: constraint count - add: description description: with modify Run: ldapmodify -D cn=Manager,dc=my-domain,dc=com -w x -f count_modify.ldif Actual results: Operation success. Expected results: Operation fail with Constraint violation (19). Additional info: With ldapadd wors well. Example: count.ldif dn: cn=usr1, dc=my-domain,dc=com objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top cn: usr1 sn: usr1 mail: usr uid: usr1 description: usr1 description: check description: constraint count ldapadd -D cn=Manager,dc=my-domain,dc=com -w x -f count.ldif