Hide Forgot
Description of problem: Rob Crittenden 2011-02-04 13:23:38 EST Description of problem: An entry that is attempted to be removed but fails due to lack of permissions gets the attribute preventryusn added. This causes objectclass violations later, logging: Entry "uid=mightym,cn=users,cn=accounts,dc=greyoak,dc=com" -- attribute "preventryusn" not allowed Version-Release number of selected component (if applicable): 389-ds-base-1.2.8-0.1.a1.fc14.x86_64 Steps to Reproduce: 1. Add an entry, I created a user in FreeIPA 2. Delete the entry binding as someone withouth delete permissions 3. ldapsearch will show that preventryusn was added. Created attachment 477486 [details] git patch file (master) Description: When an entry is deleted with Entry USN plugin enabled, an operational attribute preventryusn is added to handle indexes and entryusn tombstone. The attribute must have been added only when the delete was successful, but it was added regardless of the result from the operation. This patch checks the delete result in the newly added entryusn delete bepost plugin (usn_bepostop_delete). If it is not successful, the bepost plugin cleans up the attribute.
Hi, Tested this bug, steps are as below : 1. ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF > dn: cn=config > changetype: modify > replace: nsslapd-entryusn-global > nsslapd-entryusn-global: on > EOF modifying entry "cn=config" 2.ldapsearch -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep -i ENTRYUSN nsslapd-entryusn-global: on 3. Added one entry : ldapmodify -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 << EOF dn: uid=amita,ou=people,dc=example,dc=com changetype: add objectClass: top objectClass: person objectClass: inetorgperson sn: testkrbuser cn: kkk testkrbuser userPassword: redhat EOF adding new entry "uid=amita,ou=people,dc=example,dc=com" 4. Added another entry which will be used for deletion - dn: uid=test11,dc=example,dc=com mail: test11 uid: test11 givenName: test11 objectClass: top objectClass: person objectClass: inetorgperson objectClass: ntUser objectClass: inetuser objectClass: organizationalPerson sn: test11 cn: rrr test11 ntUserCreateNewAccount: true ntUserDomainId: test11 ntUserDeleteAccount: true userPassword:: e1NTSEF9UUdFc29jcEJ6QlZjcG5RaUFrbHgzd3l4MUl2RWZRWXJpVnVaMEE9PQ= = telephoneNumber: 989898191 5. ldapdelete -x -h localhost -p 1389 -D "uid=amita,ou=people,dc=example,dc=com" -w redhat uid=test11,dc=example,dc=com ldap_delete: Insufficient access (50) additional info: Insufficient 'delete' privilege to delete the entry 'uid=test11,dc=example,dc=com'. 6. ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "dc=example,dc=com" # test11, example.com dn: uid=test11,dc=example,dc=com mail: test11 uid: test11 givenName: test11 objectClass: top objectClass: person objectClass: inetorgperson objectClass: ntUser objectClass: inetuser objectClass: organizationalPerson sn: test11 cn: rrr test11 ntUserCreateNewAccount: true ntUserDomainId: test11 ntUserDeleteAccount: true userPassword:: e1NTSEF9UUdFc29jcEJ6QlZjcG5RaUFrbHgzd3l4MUl2RWZRWXJpVnVaMEE9PQ= = telephoneNumber: 989898191 preventryusn is not added. Hence bug is tested OK. Marking it as VERIFIED. -Amita Sharma
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2011-0533.html