Bug 734267 - upgradednformat failed to add RDN value - subtree and user account lockout policies implemented?
Summary: upgradednformat failed to add RDN value - subtree and user account lockout po...
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 6.2
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
Depends On: 732153
Blocks: 434915 734945
TreeView+ depends on / blocked
Reported: 2011-08-29 23:22 UTC by Noriko Hosoi
Modified: 2015-01-04 23:50 UTC (History)
7 users (show)

Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
Clone Of: 732153
Last Closed: 2011-12-06 17:56:17 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2011:1711 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2011-12-06 01:02:20 UTC

Description Noriko Hosoi 2011-08-29 23:22:14 UTC
+++ This bug was initially created as a clone of Bug #732153 +++

Description of problem:

Unless I am missing something, it seem not possible to add a subtree or user account lockout policies in 8.2, is it supposed to be an implemented feature, or I am missing some steps?

Not documented in

But the directory console allows a right click context menu selection to manage subtree or user, so it seem to be available, (was it working in 8.0?)

When using the directory console, when editing a subtree or user level account lockout policy, the save button stays grey, or if there are some change to the passwords policy, then it is possible to click on the Save button, but a popup error window appears with message "Operation not allowed on RDN", 
with access log:
[19/Aug/2011:22:45:25 -0700] conn=10 op=96 MOD dn="cn=cn\5c3DnsPwPolicyEntry\5c2Cou\5c3Dpeople\5c2Cdc\5c3Dexample\5c2Cdc\5c3Dcom,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"
[19/Aug/2011:22:45:25 -0700] conn=10 op=96 RESULT err=67 tag=103 nentries=0 etime=0

The QE tests at
seem to run global policy, no account lockout on subtree or user level fine grained policies.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
Linux ca1.example.com 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:

Steps to Reproduce:
1. already have a global password policy, can have subtree and user level password policies
2. use either cli or directory console
3. with directory console, "Directory | example | people | right click | Manage Password policy | For subtree... | Account Lockout | check Accounts may be locked out | Lockout account after 10 login failures | Reset failure account after 10 minutes"
-> cannot save, button stays grey
4. select Passwords tab, change something, go back to "Account Lockout" tab, click Save
Actual results:

after step 3:
cannot save, button stays grey

after step 4:
popup window with title "Error Updating Directory" with message "Operation not allowed on RDN - OK"

Expected results:
subtree and user fine grained level for account lockout in nsPwPolicyContainer not just global in cn=config?

Additional info:

==> /var/log/dirsrv/slapd-ca1/access <==
[19/Aug/2011:22:45:25 -0700] conn=10 op=96 MOD dn="cn=cn\5c3DnsPwPolicyEntry\5c2Cou\5c3Dpeople\5c2Cdc\5c3Dexample\5c2Cdc\5c3Dcom,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"
[19/Aug/2011:22:45:25 -0700] conn=10 op=96 RESULT err=67 tag=103 nentries=0 etime=0

From an older test and notes I seem to have it working with 8.0, may have been cli only, not sure if the console was used:

# entry-id: 26
dn: cn="cn=nsPwPolicyEntry,ou=People,dc=mstest2",cn=nsPwPolicyContainer,dc=mst
passwordMaxFailure: 2
passwordUnlock: on
passwordResetFailureCount: 60
passwordLockoutDuration: 120
passwordLockout: on
passwordStorageScheme: ssha
passwordChange: off
passwordMinAge: 0
passwordHistory: off
passwordExp: off
passwordMustChange: off
modifyTimestamp: 20090825221850Z
createTimestamp: 20090825221850Z
modifiersName: cn=directory manager
creatorsName: cn=directory manager
cn: "cn=nsPwPolicyEntry,ou=People,dc=mstest2"
objectClass: ldapsubentry
objectClass: passwordpolicy
objectClass: top
nsUniqueId: 2a2ef982-91c511de-ab1fbc42-a01af143

with 8.1 and 8.2, global account lockout configured:

ldapmodify -x -D "cn=directory manager" -w password -h -p 389
dn: cn="cn=nsPwPolicyEntry,uid=guest2,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
changetype: modify
add: passwordMaxFailure 
passwordMaxFailure: 2
add: passwordUnlock 
passwordUnlock: on
add: passwordResetFailureCount    
passwordResetFailureCount: 60
add: passwordLockoutDuration     
passwordLockoutDuration: 120
add: passwordLockout    
passwordLockout: on

modifying entry "cn="cn=nsPwPolicyEntry,uid=guest2,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"
ldap_modify: Operation not allowed on RDN (67)

same for


--- Additional comment from rmeggins@redhat.com on 2011-08-23 18:38:38 EDT ---

This is an 8.1 to 8.2 upgrade issue.  The problem is that with 8.1 (or earlier) the cn value was added with quotes, but that does not match the DN value which does not have double quotes:
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPol
cn: "cn=nsPwPolicyEntry,ou=people,dc=example,dc=com"

The code in ldbm_back_modify attempts to see if a modify op has removed the RDN value.  It looks for a value of cn: cn=nsPwPolicyEntry,ou=people,dc=example,dc=com in the entry and doesn't find it because the value is actually double quoted in the entry.

The workaround is to use ldapmodify to add the value without quotes to the entry:

ldapmodify .... << EOF
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPol
changetype: modify
add: cn
cn: cn=nsPwPolicyEntry,ou=people,dc=example,dc=com

--- Additional comment from msauton@redhat.com on 2011-08-25 19:07:16 EDT ---

the simple workaround works as expected.

--- Additional comment from nhosoi@redhat.com on 2011-08-25 21:37:43 EDT ---

Created attachment 520000 [details]
git patch file (master)

Description: Upgradedbformat utility converts old dn format to
new one.  It's called at the in-place upgrade time.  The utility
failed to check if the normalized RDN value is in the entry's
attribute list.  This patch properly checks it.  If the value
does not exist, it adds the normalized value to the entry.

--- Additional comment from rmeggins@redhat.com on 2011-08-29 14:54:54 EDT ---

Comment on attachment 520000 [details]
git patch file (master)

This seems quite complex - is there some reason you can't just use slapi_entry_add_rdn_values or extend/alter that function to suit your needs?

--- Additional comment from nhosoi@redhat.com on 2011-08-29 19:15:54 EDT ---

Created attachment 520483 [details]
git patch file (master)

Thanks to Rich for his comments.  By using the API slapi_entry_add_rdn_values, the patch could get simplified.

Comment 1 Noriko Hosoi 2011-08-30 17:32:53 UTC
For the steps to verify, see the upstream bug: 732153.

Comment 6 Amita Sharma 2011-09-22 10:40:36 UTC
As clone https://bugzilla.redhat.com/show_bug.cgi?id=732153 is Verified, marking this as VERIFIED.

Comment 7 errata-xmlrpc 2011-12-06 17:56:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.