Bug 674430 - Any error in uid uniqueness always returns the same error message (value already exists).
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Server - Plugins
Version: 1.2.8
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 639035 389_1.2.8
 
Reported: 2011-02-01 20:57 UTC by Simo Sorce
Modified: 2015-12-07 16:43 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:43:15 UTC
Embargoed:


Attachments
Patch (3.08 KB, patch)
2011-02-03 22:33 UTC, Nathan Kinder
nhosoi: review+
Revised Patch (3.12 KB, patch)
2011-02-03 23:04 UTC, Nathan Kinder
no flags
Re-revised patch (3.12 KB, patch)
2011-02-03 23:24 UTC, Nathan Kinder
nkinder: review?
rmeggins: review+

Description Simo Sorce 2011-02-01 20:57:53 UTC
The uniqueness plugin should return the right text for the error (or be silent).

Otherwise the error can be extremely confusing. For example see freeipa ticket 558: https://fedorahosted.org/freeipa/ticket/558

Comment 1 Nathan Kinder 2011-02-03 19:21:59 UTC
An interesting find in testing is that a modify operation on a non-existent entry will only return the constraint violation if the modify would indeed result in a uniqueness conflict (if the target existed).  For example:

========================================================================
[nkinder@localhost ~]$ ldapmodify -x -D "cn=directory manager" -w -
dn: cn=test user2,dc=example,dc=com
changetype: add
objectclass: posixAccount
uid: tuser2
homeDirectory: /home/tuser
uidnumber: 500
gidnumber: 500

adding new entry "cn=test user2,dc=example,dc=com"

[nkinder@localhost ~]$ ldapmodify -x -D "cn=directory manager" -w -
dn: cn=test user3,dc=example,dc=com
changetype: modify
replace: uid
uid: tuser2

modifying entry "cn=test user3,dc=example,dc=com"
ldap_modify: Constraint violation (19)
	additional info: Another entry with the same attribute value already exists (attribute: "uid")

[nkinder@localhost ~]$ ldapmodify -x -D "cn=directory manager" -w -
dn: cn=test user3,dc=example,dc=com
changetype: modify
replace: uid
uid: tuser3

modifying entry "cn=test user3,dc=example,dc=com"
ldap_modify: No such object (32)
	matched DN: dc=example,dc=com
========================================================================

Now for a MODRDN operation, a constraint violation is returned when you attempt to rename a non-existent entry even if the operation would not result in a uniqueness conflict:

========================================================================
[nkinder@localhost ~]$ ldapmodify -x -D "cn=directory manager" -w -
dn: cn=test user3,dc=example,dc=com
changetype: modrdn
newrdn: uid=tuser2
deleteoldrdn: 1

modifying rdn of entry "cn=test user3,dc=example,dc=com"
ldap_rename: Operations error (1)
	additional info: Another entry with the same attribute value already exists (attribute: "uid")

[nkinder@localhost ~]$ ldapmodify -x -D "cn=directory manager" -w -
dn: cn=test user3,dc=example,dc=com
changetype: modrdn
newrdn: uid=tuser3
deleteoldrdn: 1

modifying rdn of entry "cn=test user3,dc=example,dc=com"
ldap_rename: Operations error (1)
	additional info: Another entry with the same attribute value already exists (attribute: "uid")
========================================================================

I feel that the MODRDN should return an error 32 if the change would not result in a conflict.  I'm not so sure about changing the result code to 32 if the changes would result in a conflict.  It's true that the target does not exist at the time of checking for uniqueness (preop), but there is a slight window where the target entry could be created between the check for uniqueness and the actual processing of the operation by the server.  This would result in a duplicate value for an attribute that is supposed to be unique.

Comment 2 Nathan Kinder 2011-02-03 19:56:12 UTC
If you look at the error in my previous examples closely, the result code differs when there is really a uniqueness collision vs. some other error (LDAP_CONSTRAINT_VIOLATION vs. LDAP_OPERATIONS_ERROR).  I think the right thing to do is to only return the "Another entry with the same attribute value already exists" error text when there is a constraint violation and to return something more generic for other errors, such as "Error checking for attribute uniqueness."  In addition, the attribute uniqueness plug-in should return LDAP_NO_SUCH_OBJECT when a target does not exist instead of LDAP_OPERATIONS_ERROR.

Comment 3 Rich Megginson 2011-02-03 20:53:39 UTC
I agree.  Note that the way the attribute uniqueness plugin is designed, there is a window for race conditions for any operation.
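
The behaviour discussed in comments 1 to 3 can be modelled without a running server. The block below is an added example, not code from the 389 attribute uniqueness plug-in: it keeps a constructed in-memory directory (the entries from comments 1 and 13), implements the pre-op check with the result-code mapping Nathan proposes in comment 2 (a real collision returns LDAP_CONSTRAINT_VIOLATION with the "already exists" text, a missing target returns LDAP_NO_SUCH_OBJECT, any other failure returns LDAP_OPERATIONS_ERROR with a generic text), and then shows the check-then-apply race window from comments 1 and 3 with two interleaved adds, followed by an audit function that finds the duplicate after the fact. The `preop_check` operation dictionaries, `SUBTREE`, and the helper names are all assumptions of this example.

```python
"""Model of the attribute-uniqueness pre-op check and its result-code mapping.
Added example, not code from the 389 plug-in; the directory is a constructed
in-memory dict, not a real LDAP backend."""
from typing import Dict, Optional, Set, Tuple

# Standard LDAP result codes (RFC 4511), matching the numbers in the ldapmodify output.
LDAP_SUCCESS = 0
LDAP_OPERATIONS_ERROR = 1
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_NO_SUCH_OBJECT = 32

DUPLICATE_MSG = 'Another entry with the same attribute value already exists (attribute: "{attr}")'
GENERIC_MSG = "Error checking for attribute uniqueness"   # generic text proposed in comment 2

Entry = Dict[str, Set[str]]      # attribute -> values
Directory = Dict[str, Entry]     # normalised DN -> entry
SUBTREE = "dc=example,dc=com"    # assumed value of nsslapd-pluginarg1


def norm_dn(dn: str) -> str:
    """Minimal DN normalisation: case-fold and strip whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_subtree(dn: str, subtree: str) -> bool:
    dn, subtree = norm_dn(dn), norm_dn(subtree)
    return dn == subtree or dn.endswith("," + subtree)


def find_conflict(directory: Directory, attr: str, value: str, subtree: str,
                  exclude_dn: Optional[str] = None) -> Optional[str]:
    """DN of another entry under `subtree` that already holds attr=value, or None."""
    skip = norm_dn(exclude_dn) if exclude_dn else None
    for dn, entry in directory.items():
        if dn != skip and in_subtree(dn, subtree) and value in entry.get(attr, set()):
            return dn
    return None


def preop_check(directory: Directory, op: dict, attr: str, subtree: str) -> Tuple[int, str]:
    """(result code, additional info) the plug-in hands back before the backend runs.
    `op` is {"type": "add"|"modify"|"modrdn", "dn": ...} plus "entry" (add),
    "mods" as (modtype, attr, values) tuples (modify), or "newrdn" (modrdn)."""
    try:
        kind, dn = op["type"], op["dn"]
        if not in_subtree(dn, subtree):
            return LDAP_SUCCESS, ""            # outside the enforced subtree: nothing to check
        if kind == "add":
            candidates = set(op["entry"].get(attr, ()))
        elif kind in ("modify", "modrdn"):
            if norm_dn(dn) not in directory:   # missing target: say so, do not call it a collision
                return LDAP_NO_SUCH_OBJECT, ""
            if kind == "modify":
                candidates = {v for mtype, a, vals in op["mods"]
                              if a.lower() == attr and mtype in ("add", "replace") for v in vals}
            else:
                rdn_attr, _, rdn_val = op["newrdn"].partition("=")
                candidates = {rdn_val.strip()} if rdn_attr.strip().lower() == attr else set()
        else:
            raise ValueError(f"unsupported operation {kind!r}")
        for value in candidates:
            if find_conflict(directory, attr, value, subtree, exclude_dn=dn):
                return LDAP_CONSTRAINT_VIOLATION, DUPLICATE_MSG.format(attr=attr)
        return LDAP_SUCCESS, ""
    except (KeyError, ValueError, AttributeError):
        # Any other failure gets the generic text, never the misleading "already exists" one.
        return LDAP_OPERATIONS_ERROR, GENERIC_MSG


def apply_add(directory: Directory, op: dict) -> None:
    """What the backend does once the pre-op plug-in said yes: write, without re-checking."""
    directory[norm_dn(op["dn"])] = {a: set(v) for a, v in op["entry"].items()}


def audit_duplicates(directory: Directory, attr: str, subtree: str) -> Dict[str, Set[str]]:
    """Defender's check: value -> DNs for every unique-attribute value held by 2+ entries."""
    holders: Dict[str, Set[str]] = {}
    for dn, entry in directory.items():
        if in_subtree(dn, subtree):
            for v in entry.get(attr, set()):
                holders.setdefault(v, set()).add(dn)
    return {v: dns for v, dns in holders.items() if len(dns) > 1}


def sample_directory() -> Directory:
    """Constructed entries mirroring the ones created in comments 1 and 13."""
    return {
        norm_dn("cn=test user2,dc=example,dc=com"): {"uid": {"tuser2"}, "uidnumber": {"500"}},
        norm_dn("cn=test111,dc=example,dc=com"): {"uid": {"ripsi"}},
        norm_dn("cn=test112,dc=example,dc=com"): {"uid": {"ripsi1"}},
    }


def race_window_demo() -> Dict[str, Set[str]]:
    """Two adds of uid=racer interleaved as check, check, apply, apply: both pass the
    pre-op check because neither entry exists yet, so the directory ends up with a
    duplicate that only an after-the-fact audit will find."""
    d = sample_directory()
    first = {"type": "add", "dn": "cn=racer1,dc=example,dc=com", "entry": {"uid": {"racer"}}}
    second = {"type": "add", "dn": "cn=racer2,dc=example,dc=com", "entry": {"uid": {"racer"}}}
    codes = [preop_check(d, first, "uid", SUBTREE)[0], preop_check(d, second, "uid", SUBTREE)[0]]
    if codes != [LDAP_SUCCESS, LDAP_SUCCESS]:
        raise RuntimeError("model error: both checks should pass before either write")
    apply_add(d, first)
    apply_add(d, second)
    return audit_duplicates(d, "uid", SUBTREE)


if __name__ == "__main__":
    missing = {"type": "modify", "dn": "cn=test user3,dc=example,dc=com",
               "mods": [("replace", "uid", ["tuser2"])]}
    print(preop_check(sample_directory(), missing, "uid", SUBTREE))
    print(race_window_demo())
```

`preop_check` checks target existence before looking for collisions, which is the behaviour Amita observes after the fix in comment 9 (both the conflicting and the non-conflicting modify of a missing entry come back as 32). `race_window_demo` shows why Nathan hesitates about that ordering in comment 1: the pre-op check alone cannot close the window between check and write, so a periodic `audit_duplicates` pass over the enforced subtree is a useful complement to the plug-in.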

Comment 4 Nathan Kinder 2011-02-03 22:33:54 UTC
Created attachment 476902 [details]
Patch

Comment 5 Rich Megginson 2011-02-03 22:39:14 UTC
Comment on attachment 476902 [details]
Patch

+        result = uid_op_error(35);
+        /* We want to return a no such object error if the target doesn't exist. */
+        result = LDAP_NO_SUCH_OBJECT;
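Review bot: the first line is a dead store: `result = uid_op_error(35);` is overwritten two lines later by `result = LDAP_NO_SUCH_OBJECT;`, so if uid_op_error() is being called for its side effect only, drop the assignment and let `result` be set once. The literal `35` passed to uid_op_error() also carries no comment saying what it selects; a named constant or a one-line comment next to the call would make the mapping reviewable.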

try (void)uid_op_error(35);
instead of assigning to result.

Also, if err != LDAP_SUCCESS, does that always mean NO_SUCH_OBJECT?  Or is it possible that there could be some other LDAP error?

Comment 6 Nathan Kinder 2011-02-03 23:04:21 UTC
Created attachment 476905 [details]
Revised Patch

This addresses the issues pointed out in Rich's review.

Comment 7 Nathan Kinder 2011-02-03 23:24:56 UTC
Created attachment 476911 [details]
Re-revised patch

Comment 8 Nathan Kinder 2011-02-03 23:34:35 UTC
Pushed to master.  Thanks to Rich and Noriko for their reviews!

Counting objects: 13, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.07 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   be92452..da53383  master -> master

Comment 9 Amita Sharma 2011-05-16 14:11:32 UTC
[nkinder@localhost ~]$ ldapmodify -x -D "cn=directory manager" -w -
dn: cn=test user2,dc=example,dc=com
changetype: add
objectclass: posixAccount
uid: tuser2
homeDirectory: /home/tuser
uidnumber: 500
gidnumber: 500

adding new entry "cn=test user2,dc=example,dc=com"

[nkinder@localhost ~]$ ldapmodify -x -D "cn=directory manager" -w -
dn: cn=test user3,dc=example,dc=com
changetype: modify
replace: uid
uid: tuser2

<<modifying entry "cn=test user3,dc=example,dc=com"
ldap_modify: No such object (32)
	matched DN: dc=example,dc=com
>>

[nkinder@localhost ~]$ ldapmodify -x -D "cn=directory manager" -w -
dn: cn=test user3,dc=example,dc=com
changetype: modify
replace: uid
uid: tuser3

<<modifying entry "cn=test user3,dc=example,dc=com"
ldap_modify: No such object (32)
	matched DN: dc=example,dc=com
>>

[nkinder@localhost ~]$ ldapmodify -x -D "cn=directory manager" -w -
dn: cn=test user3,dc=example,dc=com
changetype: modrdn
newrdn: uid=tuser2
deleteoldrdn: 1

<<modifying rdn of entry "cn=test user3,dc=example,dc=com"
ldap_rename: No such object (32)
	matched DN: dc=example,dc=com
>>

[nkinder@localhost ~]$ ldapmodify -x -D "cn=directory manager" -w -
dn: cn=test user3,dc=example,dc=com
changetype: modrdn
newrdn: uid=tuser3
deleteoldrdn: 1

<<
modifying rdn of entry "cn=test user3,dc=example,dc=com"
ldap_rename: No such object (32)
	matched DN: dc=example,dc=com

>>

Till here all is well, but then... I guess the one below should return some error like "ldap_modify: Constraint violation (19)
 additional info: Another entry with the same attribute value already exists
(attribute: "uid")", but it just passed:

[root@testvm /]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=test11,dc=example,dc=com
> changetype: add
> objectclass: posixAccount
> uid: rosy
> homeDirectory: /home/tuser
> uidnumber: 500
> gidnumber: 500
> EOF
adding new entry "cn=test11,dc=example,dc=com"

[root@testvm /]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=test12,dc=example,dc=com
> changetype: add
> objectclass: posixAccount
> uid: rosy1
> homeDirectory: /home/tuser
> uidnumber: 500
> gidnumber: 500
> EOF
adding new entry "cn=test12,dc=example,dc=com"

[root@testvm /]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=test12,dc=example,dc=com
> changetype: modify
> replace: uid
> uid: rosy
> EOF
modifying entry "cn=test12,dc=example,dc=com"

Comment 10 Nathan Kinder 2011-05-17 16:17:27 UTC
Amita - What does your attribute uniqueness config entry look like?  It's the "cn=attribute uniqueness,cn=plugins,cn=config" entry.

Comment 11 Amita Sharma 2011-05-18 10:44:39 UTC
It has the uid included...

dn: cn=attribute uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: attribute uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: off
nsslapd-pluginarg0: uid
nsslapd-pluginarg1: dc=example,dc=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.8.3
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values

Comment 12 Nathan Kinder 2011-05-18 14:26:44 UTC
(In reply to comment #11)
> It has the uid included...
> 
> dn: cn=attribute uniqueness,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: attribute uniqueness
> nsslapd-pluginPath: libattr-unique-plugin
> nsslapd-pluginInitfunc: NSUniqueAttr_Init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: off
> nsslapd-pluginarg0: uid
> nsslapd-pluginarg1: dc=example,dc=com
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginId: NSUniqueAttr
> nsslapd-pluginVersion: 1.2.8.3
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: Enforce unique attribute values

It does have uid included, but the plug-in is disabled.  You need to set nsslapd-pluginEnabled to "on" and re-run all of your verification tests.

Comment 13 Amita Sharma 2011-05-19 07:17:07 UTC
Oops, I just missed that..
> dn: cn=attribute uniqueness,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> EOF
modifying entry "cn=attribute uniqueness,cn=plugins,cn=config"

Now----

dn: cn=attribute uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: attribute uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: uid
nsslapd-pluginarg1: dc=example,dc=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.8.3
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values
modifiersName: cn=directory manager
modifyTimestamp: 20110519070110Z

testing ---

[root@testvm ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w xxx << EOF
> dn: cn=test111,dc=example,dc=com
> changetype: add
> objectclass: posixAccount
> uid: ripsi
> homeDirectory: /home/tuser
> uidnumber: 500
> gidnumber: 500
> EOF
adding new entry "cn=test111,dc=example,dc=com"

[root@testvm ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w xxx << EOF
> dn: cn=test112,dc=example,dc=com
> changetype: add
> objectclass: posixAccount
> uid: ripsi
> homeDirectory: /home/tuser
> uidnumber: 500
> gidnumber: 500
> EOF
adding new entry "cn=test112,dc=example,dc=com"
ldap_add: Constraint violation (19)
	additional info: Another entry with the same attribute value already exists (attribute: "uid")


[root@testvm ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=test112,dc=example,dc=com
> changetype: add
> objectclass: posixAccount
> uid: ripsi1
> homeDirectory: /home/tuser
> uidnumber: 500
> gidnumber: 500
> EOF
adding new entry "cn=test112,dc=example,dc=com"

[root@testvm ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=test112,dc=example,dc=com
> changetype: modify
> replace: uid
> uid: ripsi
> EOF
modifying entry "cn=test112,dc=example,dc=com"
ldap_modify: Constraint violation (19)
	additional info: Another entry with the same attribute value already exists (attribute: "uid")
[root@testvm ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=test111,dc=example,dc=com
> changetype: modify
> replace: uid
> uid: ripsi11
> EOF
modifying entry "cn=test111,dc=example,dc=com"

[root@testvm ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=test112,dc=example,dc=com
changetype: modify
replace: uid
uid: ripsi  
EOF
modifying entry "cn=test112,dc=example,dc=com"

now, we are good to mark it VERIFIED.

