Bug 1029959 - Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry
Managed Entries betxnpreoperation - transaction not aborted upon failure to c...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
7.0
Unspecified Unspecified
low Severity unspecified
: rc
: ---
Assigned To: Rich Megginson
Viktor Ashirov
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-13 10:40 EST by Ján Rusnačko
Modified: 2015-03-05 04:31 EST (History)
5 users (show)

See Also:
Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: Managed entry plugin fails to return an error, when it should return an error. Consequence: A operation rejected by the plugin should also be aborted in the backend Fix: Return the proper error code. Result: An operation rejected by the plugin will not be committed to the database.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 04:31:17 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ján Rusnačko 2013-11-13 10:40:19 EST
Description of problem:
From RHEL 7 most DS plugins are converted to be betxn - if their operation fails, whole transaction should fail and not be comitted to database. In case of Managed Entries plugin, we can create a situation where plugin fails to create managed entry, e.g. due to mapped attribute missing.

Version-Release number of selected component (if applicable):
RHEL 7 389-ds-base-1.3.1.6-8.el7.x86_64

Steps to Reproduce:

# enable plugin
ldapmodify -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=Managed Entries,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF

# add template entry
ldapmodify -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=template,dc=example,dc=com
objectclass: top
objectclass: mepTemplateEntry
cn: template
mepRDNAttr: cn
mepStaticAttr: objectclass: top
mepStaticAttr: objectclass: person
mepStaticAttr: objectclass: inetOrgPerson
mepMappedAttr: cn: \$cn
mepMappedAttr: uid: \$uid
mepMappedAttr: sn: \$sn
EOF

# add definition entry
ldapmodify -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=definition,cn=Managed Entries, cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
cn: definition
originScope: ou=people,dc=example,dc=com
originFilter: objectclass=person
managedBase: ou=Groups,dc=example,dc=com
managedTemplate: cn=template,dc=example,dc=com
EOF

# Add new entry - adding managed entry should fail
ldapmodify -a -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=tuser,ou=people,dc=example,dc=com
objectclass: top
objectclass: person
cn: tuser
sn: tuser
EOF

# Returns entry
ldapsearch -D "cn=directory manager" -w Secret123 -LLL -b "cn=tuser,ou=people,dc=example,dc=com"

# Returns no such object
ldapsearch -D "cn=directory manager" -w Secret123 -LLL -b "cn=tuser,ou=groups,dc=example,dc=com"


Actual results:

[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_parse_mapped_attr:
Mapped attribute "uid" is not present in origin entry
"cn=tuser,ou=People,dc=example,dc=com".  Please correct template to only map
attributes required by the schema.
[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_create_managed_entry:
Error parsing mapped attribute in template "cn=template,dc=example,dc=com".
[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_add_managed_entry:
Unable to create a managed entry from origin entry
"cn=tuser,ou=People,dc=example,dc=com" using config "cn=definition,cn=Managed
Entries,cn=plugins,cn=config". 

and original entry is successfully added:

[root@localhost jrusnack]# ldapsearch -D "cn=directory manager" -w Secret123
-LLL -b "cn=tuser,ou=people,dc=example,dc=com" dn
dn: cn=tuser,ou=People,dc=example,dc=com 

Expected results:
If the plugins operation is part of transaction, failure to add managed entry should not commit original entry to the database.
Comment 3 Nathan Kinder 2013-12-18 13:35:45 EST
Upstream ticket:
https://fedorahosted.org/389/ticket/47644
Comment 6 mreynolds 2014-05-30 22:03:35 EDT
Fixed upstream.
Comment 8 Amita Sharma 2014-12-30 04:53:44 EST
[root@dhcp201-126 export]# ldapmodify -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=Managed Entries,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> EOF
modifying entry "cn=Managed Entries,cn=plugins,cn=config"

ldapmodify -a -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
ldapsearch -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -LLL -b "cn=tuser,ou=people,dc=example,dc=com"


[root@dhcp201-126 export]# ldapmodify -a -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=template,dc=example,dc=com
> objectclass: top
> objectclass: mepTemplateEntry
> cn: template
> mepRDNAttr: cn
> mepStaticAttr: objectclass: top
> mepStaticAttr: objectclass: person
> mepStaticAttr: objectclass: inetOrgPerson
> mepMappedAttr: cn: \$cn
> mepMappedAttr: uid: \$uid
> mepMappedAttr: sn: \$sn
> EOF
adding new entry "cn=template,dc=example,dc=com"

[root@dhcp201-126 export]# ldapmodify -a -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=definition,cn=Managed Entries, cn=plugins,cn=config
> objectclass: top
> objectclass: extensibleObject
> cn: definition
> originScope: ou=people,dc=example,dc=com
> originFilter: objectclass=person
> managedBase: ou=Groups,dc=example,dc=com
> managedTemplate: cn=template,dc=example,dc=com
> EOF
adding new entry "cn=definition,cn=Managed Entries, cn=plugins,cn=config"

[root@dhcp201-126 export]# ldapmodify -a -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=tuser,ou=people,dc=example,dc=com
> objectclass: top
> objectclass: person
> cn: tuser
> sn: tuser
> EOF
adding new entry "cn=tuser,ou=people,dc=example,dc=com"
ldap_add: Server is unwilling to perform (53)
	additional info: Managed Entry Plugin rejected add operation (see errors log).

[root@dhcp201-126 export]# ldapsearch -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -LLL -b "cn=tuser,ou=people,dc=example,dc=com"
No such object (32)
Matched DN: ou=people,dc=example,dc=com
[root@dhcp201-126 export]# ldapsearch -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -LLL -b "cn=tuser,ou=groups,dc=example,dc=com"
No such object (32)
Matched DN: ou=groups,dc=example,dc=com
[root@dhcp201-126 export]# ldapsearch -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -LLL -b "cn=tuser,ou=people,dc=example,dc=com" dn
No such object (32)
Matched DN: ou=people,dc=example,dc=com


logs::
========
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_parse_mapped_attr: Mapped attribute "uid" is not present in origin entry "cn=tuser,ou=People,dc=example,dc=com".  Please correct template to only map attributes required by the schema.
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_create_managed_entry: Error parsing mapped attribute in template "cn=template,dc=example,dc=com".
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_add_managed_entry: Unable to create a managed entry from origin entry "cn=tuser,ou=People,dc=example,dc=com" using config "cn=definition,cn=Managed Entries,cn=plugins,cn=config".
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_parse_mapped_attr: Mapped attribute "uid" is not present in origin entry "cn=tuser,ou=People,dc=example,dc=com".  Please correct template to only map attributes required by the schema.
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_create_managed_entry: Error parsing mapped attribute in template "cn=template,dc=example,dc=com".
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_add_managed_entry: Unable to create a managed entry from origin entry "cn=tuser,ou=People,dc=example,dc=com" using config "cn=definition,cn=Managed Entries,cn=plugins,cn=config".

Hence VERIFIED,
Comment 10 errata-xmlrpc 2015-03-05 04:31:17 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html

Note You need to log in before you can comment on or make changes to this bug.