Bug 1109336 - Parent numsubordinate count can be incorrectly updated if an error occurs
Summary: Parent numsubordinate count can be incorrectly updated if an error occurs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.1
Hardware: Unspecified
OS: Unspecified
low
unspecified
Target Milestone: rc
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On: 1109335
Blocks:
Reported: 2014-06-13 17:18 UTC by Noriko Hosoi
Modified: 2015-03-05 09:35 UTC (History)

Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1109335
Environment:
Last Closed: 2015-03-05 09:35:19 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0416 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Noriko Hosoi 2014-06-13 17:18:38 UTC
+++ This bug was initially created as a clone of Bug #1109335 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47782

When adding or deleting an entry it is possible the parent entry has its numsubordinate count adjusted and applied to the entry cache - even if the operation fails.

Comment 2 Jenny Severance 2014-10-23 11:49:18 UTC
Verification Steps:

None.

(This is not systematic, and may be very hard to verify.  The issue was spotted in the source code as a possible problem while investigating a different bug.  This was simply a proactive fix with no testcase).

This issue can only be seen if an add or delete operation fails in a backend transaction plugin.

Possible verification steps (for 1.3.1 - not sure if these steps will work on 1.2.11, as we aren't using backend transaction plugins in that version):

[1] Enable memberOf plugin (default settings)
[2] Enable automember plugin
[3] Enable retro changelog plugin
[4] Add automember config entry:

dn: cn=group cfg,cn=Auto Membership Plugin,cn=plugins,cn=config
objectClass: autoMemberDefinition
objectClass: top
autoMemberScope: dc=example,dc=com
autoMemberFilter: cn=user
autoMemberDefaultGroup: cn=group,dc=example,dc=com
autoMemberGroupingAttr: member:dn
cn: group cfg

[5] Restart the server
[6] Add automember group:

dn: cn=group,dc=example,dc=com
objectclass: top
objectclass: groupOfNames
cn: group

[7] Add a user that will trigger the automember plugin

dn: cn=user,dc=example,dc=com
objectclass: person
objectclass: top
cn: user
sn: user

[8] This add operation should fail on 1.3.1
[9] Verify the numsubordinate count on "dc=example,dc=com" is correct.

Comment 3 Viktor Ashirov 2014-12-27 19:19:10 UTC
Build tested:
$ rpm -qa | grep 389
389-ds-base-libs-1.3.3.1-10.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-10.el7.x86_64
389-ds-base-1.3.3.1-10.el7.x86_64

[1-4] Configure plugins: 
$ ldapmodify -D 'cn=Directory Manager' -w Secret123  -H ldap://localhost:389  << EOF 
dn: cn=Auto Membership Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-

dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-

dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-

dn: cn=group cfg,cn=Auto Membership Plugin,cn=plugins,cn=config
changetype: add
objectClass: autoMemberDefinition
objectClass: top
autoMemberScope: dc=example,dc=com
autoMemberFilter: cn=user
autoMemberDefaultGroup: cn=group,dc=example,dc=com
autoMemberGroupingAttr: member:dn
cn: group cfg
EOF
modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config"

modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"

modifying entry "cn=Retro Changelog Plugin,cn=plugins,cn=config"

adding new entry "cn=group cfg,cn=Auto Membership Plugin,cn=plugins,cn=config"

[5] Restart server:
$ sudo systemctl restart dirsrv.target

[6] Add automember group:
$ ldapadd -D 'cn=Directory Manager' -w Secret123  -H ldap://localhost:389 << EOF
dn: cn=group,dc=example,dc=com
changetype: add
objectclass: top
objectclass: groupOfNames
cn: group
EOF
adding new entry "cn=group,dc=example,dc=com"

$ ldapsearch -LLL -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -s base 'numsubordinates'
dn: dc=example,dc=com
numsubordinates: 5

[7] Add a user that will trigger the automember plugin
$ ldapadd -D 'cn=Directory Manager' -w Secret123  -H ldap://localhost:389 << EOF
dn: cn=user,dc=example,dc=com
objectclass: person
objectclass: top
cn: user
sn: user
EOF
adding new entry "cn=user,dc=example,dc=com"
ldap_add: Server is unwilling to perform (53)
	additional info: Automember Plugin update unexpectedly failed.

[8] Operation fails with exit code 53:
$ echo $?
53

In the error log: 
[27/Dec/2014:20:14:53 +0100] - Entry "cn=user,dc=example,dc=com" -- attribute "memberOf" not allowed
[27/Dec/2014:20:14:54 +0100] memberof-plugin - memberof_postop_modify: failed to add dn (cn=group,dc=example,dc=com) to target.  Error (65)
[27/Dec/2014:20:14:54 +0100] auto-membership-plugin - automember_add_member_value: Unable to add "cn=user,dc=example,dc=com" as a "member" value to group "cn=group,dc=example,dc=com" (Object class violation).
[27/Dec/2014:20:14:54 +0100] - Entry "cn=user,dc=example,dc=com" -- attribute "memberOf" not allowed
[27/Dec/2014:20:14:54 +0100] memberof-plugin - memberof_postop_modify: failed to add dn (cn=group,dc=example,dc=com) to target.  Error (65)
[27/Dec/2014:20:14:54 +0100] auto-membership-plugin - automember_add_member_value: Unable to add "cn=user,dc=example,dc=com" as a "member" value to group "cn=group,dc=example,dc=com" (Object class violation).

[9] Verify the numsubordinate count on "dc=example,dc=com" is correct:
$ ldapsearch -LLL -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -s base 'numsubordinates'
dn: dc=example,dc=com
numsubordinates: 5

Number of subordinates is correct. Marking as VERIFIED.
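
A scripted form of the step [9] check, added here as an example and not taken from the bug report or from 389-ds-base: it compares the parent's numsubordinates value with the number of entries a one-level search returns. The function names, the password-file argument and the sample LDIF are assumptions constructed for illustration.

```shell
# Added example (not from the bug report): compare a parent's numsubordinates
# attribute with the number of entries a one-level search actually returns.

# Read base-scope LDIF on stdin, print the first numsubordinates value.
numsub_attr() {
    awk -F': *' 'tolower($1) == "numsubordinates" && !seen++ { print $2 }'
}

# Read one-level LDIF on stdin, print the entry count ("dn:" or "dn::" lines).
count_children() {
    awk 'tolower($0) ~ /^dn::? / { n++ } END { print n + 0 }'
}

# $1 = base-scope LDIF, $2 = one-level LDIF. Returns 0 on match, 1 on drift.
check_numsub() {
    cn_attr=$(printf '%s\n' "$1" | numsub_attr)
    cn_real=$(printf '%s\n' "$2" | count_children)
    # Assumption: an absent attribute means the server reports no children.
    [ -n "$cn_attr" ] || cn_attr=0
    if [ "$cn_attr" -eq "$cn_real" ]; then
        echo "OK numsubordinates=$cn_attr children=$cn_real"
    else
        echo "DRIFT numsubordinates=$cn_attr children=$cn_real"
        return 1
    fi
}

# Live variant: $1 = LDAP URI, $2 = bind DN, $3 = password file, $4 = parent DN.
# ldapsearch -y uses the file contents verbatim, so it must not end in a newline.
lc_search() {   # $5 = scope, $6 = attribute to request ("1.1" means none)
    ldapsearch -LLL -o ldif-wrap=no -H "$1" -D "$2" -y "$3" -b "$4" \
        -s "$5" '(objectClass=*)' "$6"
}
live_check() {
    lc_base=$(lc_search "$1" "$2" "$3" "$4" base numsubordinates) || return 2
    lc_kids=$(lc_search "$1" "$2" "$3" "$4" one 1.1) || return 2
    check_numsub "$lc_base" "$lc_kids"
}

# Constructed sample data: a parent reporting 5 children, the same parent
# reporting 6 (a stale count), and a one-level listing of five entries.
BASE_LDIF=$(printf 'dn: dc=example,dc=com\nnumsubordinates: 5\n')
DRIFT_LDIF=$(printf 'dn: dc=example,dc=com\nnumsubordinates: 6\n')
ONE_LDIF=$(printf 'dn: %s,dc=example,dc=com\n\n' 'cn=Directory Administrators' \
    'ou=Groups' 'ou=People' 'ou=Special Users' 'cn=group')

check_numsub "$BASE_LDIF" "$ONE_LDIF"
check_numsub "$DRIFT_LDIF" "$ONE_LDIF" || true
```

Against a live server, `live_check ldap://localhost:389 'cn=Directory Manager' /path/to/pwfile dc=example,dc=com` runs the same comparison; the password file path is a placeholder.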

Comment 5 errata-xmlrpc 2015-03-05 09:35:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html

