Bug 1029959 – Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1029959 - Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry

Summary:	Managed Entries betxnpreoperation - transaction not aborted upon failure to c...

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base (Show other bugs)
Sub Component:
Version:	7.0
Hardware:	Unspecified Unspecified

Priority	low Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Rich Megginson
QA Contact:	Viktor Ashirov
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2013-11-13 10:40 EST by Ján Rusnačko
Modified:	2015-03-05 04:31 EST (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	389-ds-base-1.3.3.1-1.el7
Doc Type:	Bug Fix
Doc Text:	Cause: Managed entry plugin fails to return an error, when it should return an error. Consequence: A operation rejected by the plugin should also be aborted in the backend Fix: Return the proper error code. Result: An operation rejected by the plugin will not be committed to the database.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-03-05 04:31:17 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0416	normal	SHIPPED_LIVE	Important: 389-ds-base security, bug fix, and enhancement update	2015-03-05 09:26:33 EST

Groups: None (edit)

Description Ján Rusnačko 2013-11-13 10:40:19 EST

Description of problem:
From RHEL 7 most DS plugins are converted to be betxn - if their operation fails, whole transaction should fail and not be comitted to database. In case of Managed Entries plugin, we can create a situation where plugin fails to create managed entry, e.g. due to mapped attribute missing.

Version-Release number of selected component (if applicable):
RHEL 7 389-ds-base-1.3.1.6-8.el7.x86_64

Steps to Reproduce:

# enable plugin
ldapmodify -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=Managed Entries,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF

# add template entry
ldapmodify -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=template,dc=example,dc=com
objectclass: top
objectclass: mepTemplateEntry
cn: template
mepRDNAttr: cn
mepStaticAttr: objectclass: top
mepStaticAttr: objectclass: person
mepStaticAttr: objectclass: inetOrgPerson
mepMappedAttr: cn: \$cn
mepMappedAttr: uid: \$uid
mepMappedAttr: sn: \$sn
EOF

# add definition entry
ldapmodify -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=definition,cn=Managed Entries, cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
cn: definition
originScope: ou=people,dc=example,dc=com
originFilter: objectclass=person
managedBase: ou=Groups,dc=example,dc=com
managedTemplate: cn=template,dc=example,dc=com
EOF

# Add new entry - adding managed entry should fail
ldapmodify -a -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=tuser,ou=people,dc=example,dc=com
objectclass: top
objectclass: person
cn: tuser
sn: tuser
EOF

# Returns entry
ldapsearch -D "cn=directory manager" -w Secret123 -LLL -b "cn=tuser,ou=people,dc=example,dc=com"

# Returns no such object
ldapsearch -D "cn=directory manager" -w Secret123 -LLL -b "cn=tuser,ou=groups,dc=example,dc=com"


Actual results:

[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_parse_mapped_attr:
Mapped attribute "uid" is not present in origin entry
"cn=tuser,ou=People,dc=example,dc=com".  Please correct template to only map
attributes required by the schema.
[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_create_managed_entry:
Error parsing mapped attribute in template "cn=template,dc=example,dc=com".
[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_add_managed_entry:
Unable to create a managed entry from origin entry
"cn=tuser,ou=People,dc=example,dc=com" using config "cn=definition,cn=Managed
Entries,cn=plugins,cn=config". 

and original entry is successfully added:

[root@localhost jrusnack]# ldapsearch -D "cn=directory manager" -w Secret123
-LLL -b "cn=tuser,ou=people,dc=example,dc=com" dn
dn: cn=tuser,ou=People,dc=example,dc=com 

Expected results:
If the plugins operation is part of transaction, failure to add managed entry should not commit original entry to the database.

Comment 3 Nathan Kinder 2013-12-18 13:35:45 EST

Upstream ticket:
https://fedorahosted.org/389/ticket/47644

Comment 6 mreynolds 2014-05-30 22:03:35 EDT

Fixed upstream.

Comment 8 Amita Sharma 2014-12-30 04:53:44 EST

[root@dhcp201-126 export]# ldapmodify -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=Managed Entries,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> EOF
modifying entry "cn=Managed Entries,cn=plugins,cn=config"

ldapmodify -a -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
ldapsearch -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -LLL -b "cn=tuser,ou=people,dc=example,dc=com"


[root@dhcp201-126 export]# ldapmodify -a -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=template,dc=example,dc=com
> objectclass: top
> objectclass: mepTemplateEntry
> cn: template
> mepRDNAttr: cn
> mepStaticAttr: objectclass: top
> mepStaticAttr: objectclass: person
> mepStaticAttr: objectclass: inetOrgPerson
> mepMappedAttr: cn: \$cn
> mepMappedAttr: uid: \$uid
> mepMappedAttr: sn: \$sn
> EOF
adding new entry "cn=template,dc=example,dc=com"

[root@dhcp201-126 export]# ldapmodify -a -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=definition,cn=Managed Entries, cn=plugins,cn=config
> objectclass: top
> objectclass: extensibleObject
> cn: definition
> originScope: ou=people,dc=example,dc=com
> originFilter: objectclass=person
> managedBase: ou=Groups,dc=example,dc=com
> managedTemplate: cn=template,dc=example,dc=com
> EOF
adding new entry "cn=definition,cn=Managed Entries, cn=plugins,cn=config"

[root@dhcp201-126 export]# ldapmodify -a -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=tuser,ou=people,dc=example,dc=com
> objectclass: top
> objectclass: person
> cn: tuser
> sn: tuser
> EOF
adding new entry "cn=tuser,ou=people,dc=example,dc=com"
ldap_add: Server is unwilling to perform (53)
	additional info: Managed Entry Plugin rejected add operation (see errors log).

[root@dhcp201-126 export]# ldapsearch -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -LLL -b "cn=tuser,ou=people,dc=example,dc=com"
No such object (32)
Matched DN: ou=people,dc=example,dc=com
[root@dhcp201-126 export]# ldapsearch -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -LLL -b "cn=tuser,ou=groups,dc=example,dc=com"
No such object (32)
Matched DN: ou=groups,dc=example,dc=com
[root@dhcp201-126 export]# ldapsearch -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -LLL -b "cn=tuser,ou=people,dc=example,dc=com" dn
No such object (32)
Matched DN: ou=people,dc=example,dc=com


logs::
========
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_parse_mapped_attr: Mapped attribute "uid" is not present in origin entry "cn=tuser,ou=People,dc=example,dc=com".  Please correct template to only map attributes required by the schema.
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_create_managed_entry: Error parsing mapped attribute in template "cn=template,dc=example,dc=com".
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_add_managed_entry: Unable to create a managed entry from origin entry "cn=tuser,ou=People,dc=example,dc=com" using config "cn=definition,cn=Managed Entries,cn=plugins,cn=config".
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_parse_mapped_attr: Mapped attribute "uid" is not present in origin entry "cn=tuser,ou=People,dc=example,dc=com".  Please correct template to only map attributes required by the schema.
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_create_managed_entry: Error parsing mapped attribute in template "cn=template,dc=example,dc=com".
[30/Dec/2014:15:21:23 +051800] managed-entries-plugin - mep_add_managed_entry: Unable to create a managed entry from origin entry "cn=tuser,ou=People,dc=example,dc=com" using config "cn=definition,cn=Managed Entries,cn=plugins,cn=config".

Hence VERIFIED,

Comment 10 errata-xmlrpc 2015-03-05 04:31:17 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html

Note You need to log in before you can comment on or make changes to this bug.