Bug 1109336 - Parent numsubordinate count can be incorrectly updated if an error occurs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Noriko Hosoi
QA Contact: Viktor Ashirov
Depends On: 1109335
Reported: 2014-06-13 13:18 EDT by Noriko Hosoi
Modified: 2015-03-05 04:35 EST
Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Clone Of: 1109335
Last Closed: 2015-03-05 04:35:19 EST
External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2015:0416
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: 389-ds-base security, bug fix, and enhancement update
Last Updated: 2015-03-05 09:26:33 EST

Description Noriko Hosoi 2014-06-13 13:18:38 EDT
+++ This bug was initially created as a clone of Bug #1109335 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47782

When adding or deleting an entry it is possible the parent entry has its numsubordinate count adjusted and applied to the entry cache - even if the operation fails.
Comment 2 Jenny Galipeau 2014-10-23 07:49:18 EDT
Verification Steps:

None.

(This is not systematic, and may be very hard to verify.  The issue was spotted in the source code as a possible problem while investigating a different bug.  This was simply a proactive fix with no testcase).

This issue can only be seen if an add or delete operation fails in a backend transaction plugin.

Possible verification steps (for 1.3.1 - not sure if these steps will work on 1.2.11 as we aren't using backend transaction plugins in that version):

[1] Enable memberOf plugin (default settings)
[2] Enable automember plugin
[3] Enable retro changelog plugin
[4] Add automember config entry:

dn: cn=group cfg,cn=Auto Membership Plugin,cn=plugins,cn=config
objectClass: autoMemberDefinition
objectClass: top
autoMemberScope: dc=example,dc=com
autoMemberFilter: cn=user
autoMemberDefaultGroup: cn=group,dc=example,dc=com
autoMemberGroupingAttr: member:dn
cn: group cfg

[5] Restart the server
[6] Add automember group:

dn: cn=group,dc=example,dc=com
objectclass: top
objectclass: groupOfNames
cn: group

[7] Add a user that will trigger the automember plugin

dn: cn=user,dc=example,dc=com
objectclass: person
objectclass: top
cn: user
sn: user

[8] This add operation should fail on 1.3.1
[9] Verify the numsubordinate count on "dc=example,dc=com" is correct.
Comment 3 Viktor Ashirov 2014-12-27 14:19:10 EST
Build tested:
$ rpm -qa | grep 389
389-ds-base-libs-1.3.3.1-10.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-10.el7.x86_64
389-ds-base-1.3.3.1-10.el7.x86_64

[1-4] Configure plugins: 
$ ldapmodify -D 'cn=Directory Manager' -w Secret123  -H ldap://localhost:389  << EOF 
dn: cn=Auto Membership Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-

dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-

dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-

dn: cn=group cfg,cn=Auto Membership Plugin,cn=plugins,cn=config
changetype: add
objectClass: autoMemberDefinition
objectClass: top
autoMemberScope: dc=example,dc=com
autoMemberFilter: cn=user
autoMemberDefaultGroup: cn=group,dc=example,dc=com
autoMemberGroupingAttr: member:dn
cn: group cfg
EOF
modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config"

modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"

modifying entry "cn=Retro Changelog Plugin,cn=plugins,cn=config"

adding new entry "cn=group cfg,cn=Auto Membership Plugin,cn=plugins,cn=config"

[5] Restart server:
$ sudo systemctl restart dirsrv.target

[6] Add automember group:
$ ldapadd -D 'cn=Directory Manager' -w Secret123  -H ldap://localhost:389 << EOF
dn: cn=group,dc=example,dc=com
changetype: add
objectclass: top
objectclass: groupOfNames
cn: group
EOF
adding new entry "cn=group,dc=example,dc=com"

$ ldapsearch -LLL -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -s base 'numsubordinates'
dn: dc=example,dc=com
numsubordinates: 5

[7] Add a user that will trigger the automember plugin
$ ldapadd -D 'cn=Directory Manager' -w Secret123  -H ldap://localhost:389 << EOF
dn: cn=user,dc=example,dc=com
objectclass: person
objectclass: top
cn: user
sn: user
EOF
adding new entry "cn=user,dc=example,dc=com"
ldap_add: Server is unwilling to perform (53)
	additional info: Automember Plugin update unexpectedly failed.

[8] Operation fails with exit code 53:
$ echo $?
53

In the error log: 
[27/Dec/2014:20:14:53 +0100] - Entry "cn=user,dc=example,dc=com" -- attribute "memberOf" not allowed
[27/Dec/2014:20:14:54 +0100] memberof-plugin - memberof_postop_modify: failed to add dn (cn=group,dc=example,dc=com) to target.  Error (65)
[27/Dec/2014:20:14:54 +0100] auto-membership-plugin - automember_add_member_value: Unable to add "cn=user,dc=example,dc=com" as a "member" value to group "cn=group,dc=example,dc=com" (Object class violation).
[27/Dec/2014:20:14:54 +0100] - Entry "cn=user,dc=example,dc=com" -- attribute "memberOf" not allowed
[27/Dec/2014:20:14:54 +0100] memberof-plugin - memberof_postop_modify: failed to add dn (cn=group,dc=example,dc=com) to target.  Error (65)
[27/Dec/2014:20:14:54 +0100] auto-membership-plugin - automember_add_member_value: Unable to add "cn=user,dc=example,dc=com" as a "member" value to group "cn=group,dc=example,dc=com" (Object class violation).

[9] Verify the numsubordinate count on "dc=example,dc=com" is correct:
$ ldapsearch -LLL -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -s base 'numsubordinates'
dn: dc=example,dc=com
numsubordinates: 5

Number of subordinates is correct. Marking as VERIFIED.
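
An added example, not part of the bug report and not 389-ds-base source: a minimal C model of the ordering problem this bug describes, where a parent's cached numsubordinates is updated although a backend transaction plugin fails the add. All struct and function names are hypothetical, and the starting count of 5 is a constructed value mirroring the verification output above.

```c
#include <stdio.h>

/* Simplified model; all names are hypothetical, not 389-ds-base identifiers. */
typedef struct { int numsubordinates; } entry;
typedef struct { entry db; entry cache; } parent;   /* database copy + entry cache copy */
typedef int (*betxn_plugin)(const char *child_dn);  /* 0 = success, else LDAP result code */

int plugin_ok(const char *dn)   { (void)dn; return 0; }
int plugin_fail(const char *dn) { (void)dn; return 53; }  /* unwilling to perform */

/* Flawed ordering: the cache is updated before the transaction outcome is known. */
int add_child_flawed(parent *p, const char *dn, betxn_plugin plugin)
{
    entry txn = p->db;          /* working copy inside the transaction */
    txn.numsubordinates++;
    p->cache = txn;             /* applied to the cache too early */
    int rc = plugin(dn);
    if (rc != 0)
        return rc;              /* abort: db untouched, cache already changed */
    p->db = txn;                /* commit */
    return 0;
}

/* Corrected ordering: the cache only changes after a successful commit. */
int add_child_fixed(parent *p, const char *dn, betxn_plugin plugin)
{
    entry txn = p->db;
    txn.numsubordinates++;
    int rc = plugin(dn);
    if (rc != 0)
        return rc;              /* abort: neither copy was modified */
    p->db = txn;                /* commit */
    p->cache = txn;             /* publish to the cache after commit */
    return 0;
}

int cache_matches_db(const parent *p)
{
    return p->cache.numsubordinates == p->db.numsubordinates;
}

int main(void)
{
    parent a = {{5}, {5}}, b = {{5}, {5}};   /* constructed starting state */
    const char *dn = "cn=user,dc=example,dc=com";
    int rc_a = add_child_flawed(&a, dn, plugin_fail);
    int rc_b = add_child_fixed(&b, dn, plugin_fail);
    printf("flawed: rc=%d cache=%d db=%d\n", rc_a, a.cache.numsubordinates, a.db.numsubordinates);
    printf("fixed:  rc=%d cache=%d db=%d\n", rc_b, b.cache.numsubordinates, b.db.numsubordinates);
    return plugin_ok(dn);
}
```
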
Comment 5 errata-xmlrpc 2015-03-05 04:35:19 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html
