Bug 795766

Summary:	count constraint broken when using multiple modifications
Product:	[Fedora] Fedora	Reporter:	Jan Vcelak <jvcelak>
Component:	openldap	Assignee:	Jan Vcelak <jvcelak>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	high
Version:	rawhide	CC:	jsynacek, jvcelak, rmeggins, tsmetana
Target Milestone:	---	Keywords:	Patch
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	openldap-2.4.29-3.fc17	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:	742163	Environment:
Last Closed:	2012-02-28 10:39:08 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	742163
Bug Blocks:

Description Jan Vcelak 2012-02-21 13:45:18 UTC

+++ This bug was initially created as a clone of Bug #742163 +++

Created attachment 525495 [details]
Slapd configuration file

Description of problem:
Overlay constraint with count option work bad with modify operation. When I add more then permitted attribute values with ldapmodify, the operation is success. With ldapadd works well.

Version-Release number of selected component (if applicable):
openldap-servers-2.4.23-19.el6

How reproducible:
always

Steps to Reproduce:
1.slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
(slapd.conf is in attachement)

2.slapadd -l data.ldif
(data.ldif is in attachement)

3.Test modify operation
Content of count_modify.ldif:
dn: cn=usr2, dc=my-domain,dc=com
add: description
description: check
-
add: description
description: constraint count
-
add: description
description: with modify

Run:
ldapmodify -D cn=Manager,dc=my-domain,dc=com -w x -f count_modify.ldif

Actual results:
Operation success.

Expected results:
Operation fail with Constraint violation (19).

Additional info:
With ldapadd wors well. Example:
count.ldif

dn: cn=usr1, dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: usr1
sn: usr1
mail: usr
uid: usr1
description: usr1
description: check
description: constraint count

ldapadd -D cn=Manager,dc=my-domain,dc=com -w x -f count.ldif

--- Additional comment from dspurek on 2011-09-29 11:34:43 CEST ---

Created attachment 525496 [details]
data.ldif

--- Additional comment from omoris on 2011-10-17 15:59:55 CEST ---

Jan, do you think that this bug could have an important impact in 6.2.0? May be we should consider proposing an exception for this and include it in 6.2.0. However, I am not sure if it might cause anything serious.

--- Additional comment from jvcelak on 2012-01-12 15:04:04 CET ---

Found the problem.

The constraint validator verifies operations one by one, therefore this violation is catched:

dn: cn=usr2, dc=my-domain,dc=com
add: description
description: check
description: constraint count
description: with modify

And this is not:

dn: cn=usr2, dc=my-domain,dc=com
add: description
description: check
-
add: description
description: constraint count
-
add: description
description: with modify

--- Additional comment from jsynacek on 2012-02-08 14:35:47 CET ---

Created attachment 560260 [details]
Fixes constraint (count) problem

--- Additional comment from jsynacek on 2012-02-08 14:38:02 CET ---

I attached a patch that should fix the problems mentioned above.

--- Additional comment from jsynacek on 2012-02-09 09:05:28 CET ---

Created attachment 560469 [details]
Constraint count patch

Revised and fixed the last patch, which has been causing slapd to loop forever.

--- Additional comment from jvcelak on 2012-02-09 14:15:17 CET ---

Comment on attachment 560469 [details]
Constraint count patch

patch looks good, but there are still some problems (I will attach some tests)

--- Additional comment from jvcelak on 2012-02-09 14:19:38 CET ---

Created attachment 560577 [details]
simple test cases

run with ./run_test.sh
(optionally set SLAPD and SLAPADD environmental variables before)

== results with old version ==

Operations with expected success.
[t_ok_01.ldif] OK
[t_ok_02.ldif] OK
[t_ok_03.ldif] OK
[t_ok_04.ldif] OK
[t_ok_05.ldif] OK
[t_ok_06.ldif] OK
[t_ok_07.ldif] FAIL
[t_ok_08.ldif] FAIL
[t_ok_09.ldif] FAIL
[t_ok_10.ldif] FAIL

Operations with expected failure.
[t_fail_01.ldif] FAIL
[t_fail_02.ldif] FAIL
[t_fail_03.ldif] OK
[t_fail_04.ldif] OK
[t_fail_05.ldif] OK
[t_fail_06.ldif] FAIL
[t_fail_07.ldif] FAIL

== results with patched version ==

Operations with expected success.
[t_ok_01.ldif] OK
[t_ok_02.ldif] OK
[t_ok_03.ldif] OK
[t_ok_04.ldif] OK
[t_ok_05.ldif] OK
[t_ok_06.ldif] FAIL
[t_ok_07.ldif] FAIL
[t_ok_08.ldif] FAIL
[t_ok_09.ldif] OK
[t_ok_10.ldif] OK

Operations with expected failure.
[t_fail_01.ldif] FAIL
[t_fail_02.ldif] FAIL
[t_fail_03.ldif] FAIL
[t_fail_04.ldif] FAIL
[t_fail_05.ldif] FAIL
[t_fail_06.ldif] OK
[t_fail_07.ldif] FAIL

--- Additional comment from jsynacek on 2012-02-13 14:09:14 CET ---

Created attachment 561537 [details]
Constraint count patch

--- Additional comment from jsynacek on 2012-02-13 14:11:01 CET ---

Fixed the previous patch. It should work as intended now.

--- Additional comment from jsynacek on 2012-02-13 15:00:43 CET ---

Created attachment 561553 [details]
Constraint count patch

Additional tweaks.

--- Additional comment from jsynacek on 2012-02-15 15:39:23 CET ---

Created attachment 562235 [details]
Constraint count patch

Some more patch tweaking.

--- Additional comment from jvcelak on 2012-02-15 15:43:28 CET ---

Comment on attachment 562235 [details]
Constraint count patch

looks good, works fine (my tests are passning)

--- Additional comment from jsynacek on 2012-02-16 15:15:01 CET ---

Patch proposed upstream:
http://www.openldap.org/its/index.cgi?findid=7168

Comment 1 Jan Vcelak 2012-02-21 15:18:25 UTC

Resolved in:
openldap-2.4.29-3.fc17
openldap-2.4.29-3.fc18

Comment 2 Fedora Update System 2012-02-21 15:19:56 UTC

openldap-2.4.29-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openldap-2.4.29-3.fc17

Comment 3 Fedora Update System 2012-02-21 17:44:12 UTC

Package openldap-2.4.29-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openldap-2.4.29-3.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2113/openldap-2.4.29-3.fc17
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2012-02-28 10:39:08 UTC

openldap-2.4.29-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.