Bug 1271054 - RFE: LDAP command verification
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
x86_64 Linux
unspecified Severity low
: pre-dev-freeze
: ---
Assigned To: Noriko Hosoi
Viktor Ashirov
: FutureFeature
Depends On:
Reported: 2015-10-13 00:31 EDT by Glen Babiano
Modified: 2016-12-04 21:44 EST

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-12-04 21:44:33 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Glen Babiano 2015-10-13 00:31:05 EDT
Description of problem:

1. Proposed title of this feature request  

Checking command parameters are correct before committing changes into the LDAP database
2. Who is the customer behind the request?  
    Account: Fonterra Co-Operative Group 
    TAM customer: NO
    SRM customer: YES  
    Strategic: YES 
3. What is the nature and description of the request?  

Customer is requesting that a sanity check will be performed before committing changes in the database. For example the customer commits a typo in the update command below:  
ldapmodify -D "cn=Directory Manager" -w ******** <<EOF
dn: cn=${server}Role,dc=zeus,dc=ghsewn,dc=com
changetype: modify
add: nsroledn
nsroledn: cn=sapCorpRole,dc=zeus,dc=ghsewn,dc=com
-
add: nsroledn
nsroledn: cn=sapANZRole,ou=people,dc=zeus,dc=ghsewn,dc=com
EOF

The system should be able to detect the mistake in the command and show an error/suggestion to the user such as below:
This one is incorrect "nsroledn: cn=sapCorpRole,dc=zeus,dc=ghsewn,dc=com"
This role is correct "nsroledn: cn=sapANZRole,ou=people,dc=zeus,dc=ghsewn,dc=com"

The customer suggested that the following parameters be checked:

- does role exist
- does policy exist
- group exist

4. Why does the customer need this? (List the business requirements here)  
   A typo in the command makes host/s unusable especially if you are using a script to run the command on multiple servers
5. How would the customer like to achieve this? (List the functional requirements here)

   The customer wants a script that will check the syntax of the ldap command before it makes any changes in the database.
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

   The customer can test this functionality in their test environment.
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  

   I don't think there is one already.
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  

9. Is the sales team involved in this request and do they have any additional input?  

10. List any affected packages or components.  

11. Would the customer be able to assist in testing this functionality if implemented?

Comment 1 Rich Megginson 2015-10-13 09:27:54 EDT
Instead of an argument checker, what if there were a way to do a "dry-run" of the ldapmodify command, that would show you what the command would do?  Would that satisfy the customer's requirement?
Comment 4 Glen Babiano 2015-10-13 19:29:10 EDT
Hi all,

Not sure if this is relevant but the customer is running their Directory server on RHEL 6.6.


Comment 7 Glen Babiano 2015-10-13 22:17:23 EDT
(In reply to Rich Megginson from comment #1)
> Instead of an argument checker, what if there were a way to do a "dry-run"
> of the ldapmodify command, that would show you what the command would do? 
> Would that satisfy the customer's requirement?

Reply from Customer:

if the dry-run was to say:

warning: attribute /policy / role doesn't exist
Comment 8 Noriko Hosoi 2015-12-23 17:21:06 EST
Upstream ticket:
Comment 10 Nathan Kinder 2016-12-04 21:44:33 EST
This functionality would really require a new LDAP standard, as LDAP clients (like ldapmodify) would need the ability to ask the server to perform a dry-run option via a control or extended operation.  This would be a very time-consuming process to go through, and it's unclear that a new standard would be accepted.  In addition, the change would be very complex to implement on the server side.  Unless there is a really strong request to do this, I do not believe it is worth the investment.  Closing as WONTFIX.
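
A client-side pre-check of the kind requested in item 5 of the description, as an added example that is not part of this bug report or of 389-ds-base. The `entry_exists` callback, the `web01Role` target and the directory contents are assumptions made up for the example; in a real script the callback would be a base-scope search for the DN. Base64 (`::`) values and escaped commas in DNs are not handled.

```python
import re

# Attributes whose values must be DNs of existing entries. Assumption: only the
# role check from the request; add policy or group attributes as needed.
DN_VALUED = {"nsroledn"}

def normalize_dn(dn):
    """Lower-case and trim each RDN (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_modify_ldif(text):
    """Yield (target_dn, op, attr, value) for each value in LDIF modify records."""
    for record in re.split(r"\n\s*\n", text.strip()):
        target, op, attr = "", None, None
        for line in record.splitlines():
            if line.startswith("#"):
                continue                  # LDIF comment
            key, sep, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if not sep:
                op = attr = None          # "-" ends the current modification
            elif key == "dn":
                target = value
            elif key in ("add", "replace", "delete"):
                op, attr = key, value.lower()
            elif key == attr:             # a value line for the current modification
                yield target, op, attr, value

def preflight(ldif_text, entry_exists):
    """Return warnings for added or replaced DN values that do not exist."""
    warnings = []
    for target, op, attr, value in parse_modify_ldif(ldif_text):
        if op != "delete" and attr in DN_VALUED and not entry_exists(normalize_dn(value)):
            warnings.append(f"{attr}: {value} does not exist (in change to {target})")
    return warnings

# Constructed sample: the directory contents are made up for the example.
EXISTING = {normalize_dn(d) for d in (
    "cn=web01Role,dc=zeus,dc=ghsewn,dc=com",
    "cn=sapANZRole,ou=people,dc=zeus,dc=ghsewn,dc=com")}
SAMPLE = """dn: cn=web01Role,dc=zeus,dc=ghsewn,dc=com
changetype: modify
add: nsroledn
nsroledn: cn=sapCorpRole,dc=zeus,dc=ghsewn,dc=com
-
add: nsroledn
nsroledn: cn=sapANZRole,ou=people,dc=zeus,dc=ghsewn,dc=com
"""
```

Calling `preflight(SAMPLE, EXISTING.__contains__)` flags only the `sapCorpRole` value. The check runs on the client before ldapmodify, so it is advisory: the directory can change between the check and the commit.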
