Bug 742163 - Overlay constraint with count option work bad with modify operation
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
: rc
: ---
Assigned To: Jan Synacek
BaseOS QE Security Team
: Patch
Depends On:
Blocks: 795766
Reported: 2011-09-29 05:34 EDT by David Spurek
Modified: 2015-03-02 00:26 EST

See Also:
Fixed In Version: openldap-2.4.23-21.el6
Doc Type: Bug Fix
Doc Text:
- openldap server is running with 'constraint' overlay enabled and 'count' restriction configured. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
- openldap server doesn't react with a count violation error
- applied a patch that fixes the count overlay
- 'count' restriction in 'constraint' overlay now works properly
Story Points: ---
Clone Of:
: 795766 (view as bug list)
Environment:
Last Closed: 2012-06-20 03:29:02 EDT

Attachments
- Slapd configuration file (1.27 KB, application/octet-stream), 2011-09-29 05:34 EDT, David Spurek
- data.ldif (415 bytes, application/octet-stream), 2011-09-29 05:34 EDT, David Spurek
- Fixes constraint (count) problem (3.24 KB, patch), 2012-02-08 08:35 EST, Jan Synacek
- Constraint count patch (3.91 KB, patch), 2012-02-09 03:05 EST, Jan Synacek (jvcelak: review-)
- simple test cases (2.42 KB, application/x-gzip), 2012-02-09 08:19 EST, Jan Vcelak
- Constraint count patch (4.14 KB, patch), 2012-02-13 08:09 EST, Jan Synacek
- Constraint count patch (4.15 KB, patch), 2012-02-13 09:00 EST, Jan Synacek
- Constraint count patch (3.91 KB, patch), 2012-02-15 09:39 EST, Jan Synacek (jvcelak: review+)

Description David Spurek 2011-09-29 05:34:20 EDT
Created attachment 525495 [details]
Slapd configuration file

Description of problem:
The constraint overlay with the count option works badly with the modify operation. When I add more than the permitted number of attribute values with ldapmodify, the operation succeeds. With ldapadd it works well.

Version-Release number of selected component (if applicable):
openldap-servers-2.4.23-19.el6

How reproducible:
always

Steps to Reproduce:
1. slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
(slapd.conf is in the attachment)

2. slapadd -l data.ldif
(data.ldif is in the attachment)

3. Test modify operation
Content of count_modify.ldif:
dn: cn=usr2, dc=my-domain,dc=com
add: description
description: check
-
add: description
description: constraint count
-
add: description
description: with modify

Run:
ldapmodify -D cn=Manager,dc=my-domain,dc=com -w x -f count_modify.ldif

Actual results:
Operation succeeds.

Expected results:
Operation fails with Constraint violation (19).

Additional info:
With ldapadd it works well. Example:
count.ldif

dn: cn=usr1, dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: usr1
sn: usr1
mail: usr@example.com
uid: usr1
description: usr1
description: check
description: constraint count

ldapadd -D cn=Manager,dc=my-domain,dc=com -w x -f count.ldif
Comment 1 David Spurek 2011-09-29 05:34:43 EDT
Created attachment 525496 [details]
data.ldif
Comment 2 Ondrej Moriš 2011-10-17 09:59:55 EDT
Jan, do you think that this bug could have an important impact in 6.2.0? Maybe we should consider proposing an exception for this and include it in 6.2.0. However, I am not sure if it might cause anything serious.
Comment 5 Jan Vcelak 2012-01-12 09:04:04 EST
Found the problem.

The constraint validator verifies operations one by one, therefore this violation is caught:

dn: cn=usr2, dc=my-domain,dc=com
add: description
description: check
description: constraint count
description: with modify

And this is not:

dn: cn=usr2, dc=my-domain,dc=com
add: description
description: check
-
add: description
description: constraint count
-
add: description
description: with modify
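
A minimal model of the behaviour described in comment 5, added here as an illustration; it is not OpenLDAP code and not the attached patch. The limit of 2 and the existing value are assumptions, because the attached slapd.conf and data.ldif are not shown on this page, and all function names are hypothetical.

```python
# Simplified model of a 'count' restriction; not OpenLDAP code, not the attached patch.
# Assumed: limit of 2 and one existing value (slapd.conf and data.ldif are not shown).
LIMIT, EXISTING = 2, ["usr2"]

SPLIT = """dn: cn=usr2, dc=my-domain,dc=com
add: description
description: check
-
add: description
description: constraint count
-
add: description
description: with modify"""
# The same three values sent as one modification (first record in comment 5).
SINGLE = SPLIT.replace("\n-\nadd: description", "")

def parse_modify(ldif):
    """Return (dn, [(op, attr, [values]), ...]) for one ldapmodify record."""
    dn, mods, cur = None, [], None
    for line in ldif.strip().splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "-":                      # separator between modifications
            cur = None
        elif key == "dn":
            dn = value
        elif key in ("add", "delete", "replace"):
            cur = (key, value.lower(), [])
            mods.append(cur)
        elif cur and key.lower() == cur[1]:
            cur[2].append(value)
    return dn, mods

def per_modification_ok(mods, attr, limit):
    """Behaviour described in comment 5: each modification is judged alone."""
    return all(len(v) <= limit for op, a, v in mods if a == attr and op != "delete")

def whole_request_ok(existing, mods, attr, limit):
    """Apply every modification in order, then count the values that remain."""
    values = list(existing)
    for op, _, vals in (m for m in mods if m[1] == attr):
        if op == "replace":
            values = list(vals)
        elif op == "add":
            values += [v for v in vals if v not in values]
        else:  # delete: the listed values, or the whole attribute if none listed
            values = [v for v in values if v not in vals] if vals else []
    return len(values) <= limit
```

With these assumptions the per-modification check rejects the single record but accepts the split one, while the whole-request check rejects both.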
Comment 6 Jan Synacek 2012-02-08 08:35:47 EST
Created attachment 560260 [details]
Fixes constraint (count) problem
Comment 7 Jan Synacek 2012-02-08 08:38:02 EST
I attached a patch that should fix the problems mentioned above.
Comment 8 Jan Synacek 2012-02-09 03:05:28 EST
Created attachment 560469 [details]
Constraint count patch

Revised and fixed the last patch, which has been causing slapd to loop forever.
Comment 9 Jan Vcelak 2012-02-09 08:15:17 EST
Comment on attachment 560469 [details]
Constraint count patch

patch looks good, but there are still some problems (I will attach some tests)
Comment 10 Jan Vcelak 2012-02-09 08:19:38 EST
Created attachment 560577 [details]
simple test cases

run with ./run_test.sh
(optionally set SLAPD and SLAPADD environmental variables before)

== results with old version ==

Operations with expected success.
[t_ok_01.ldif] OK
[t_ok_02.ldif] OK
[t_ok_03.ldif] OK
[t_ok_04.ldif] OK
[t_ok_05.ldif] OK
[t_ok_06.ldif] OK
[t_ok_07.ldif] FAIL
[t_ok_08.ldif] FAIL
[t_ok_09.ldif] FAIL
[t_ok_10.ldif] FAIL

Operations with expected failure.
[t_fail_01.ldif] FAIL
[t_fail_02.ldif] FAIL
[t_fail_03.ldif] OK
[t_fail_04.ldif] OK
[t_fail_05.ldif] OK
[t_fail_06.ldif] FAIL
[t_fail_07.ldif] FAIL

== results with patched version ==

Operations with expected success.
[t_ok_01.ldif] OK
[t_ok_02.ldif] OK
[t_ok_03.ldif] OK
[t_ok_04.ldif] OK
[t_ok_05.ldif] OK
[t_ok_06.ldif] FAIL
[t_ok_07.ldif] FAIL
[t_ok_08.ldif] FAIL
[t_ok_09.ldif] OK
[t_ok_10.ldif] OK

Operations with expected failure.
[t_fail_01.ldif] FAIL
[t_fail_02.ldif] FAIL
[t_fail_03.ldif] FAIL
[t_fail_04.ldif] FAIL
[t_fail_05.ldif] FAIL
[t_fail_06.ldif] OK
[t_fail_07.ldif] FAIL
Comment 11 Jan Synacek 2012-02-13 08:09:14 EST
Created attachment 561537 [details]
Constraint count patch
Comment 12 Jan Synacek 2012-02-13 08:11:01 EST
Fixed the previous patch. It should work as intended now.
Comment 13 Jan Synacek 2012-02-13 09:00:43 EST
Created attachment 561553 [details]
Constraint count patch

Additional tweaks.
Comment 14 Jan Synacek 2012-02-15 09:39:23 EST
Created attachment 562235 [details]
Constraint count patch

Some more patch tweaking.
Comment 15 Jan Vcelak 2012-02-15 09:43:28 EST
Comment on attachment 562235 [details]
Constraint count patch

looks good, works fine (my tests are passing)
Comment 16 Jan Synacek 2012-02-16 09:15:01 EST
Patch proposed upstream:
http://www.openldap.org/its/index.cgi?findid=7168
Comment 20 Jan Synacek 2012-03-01 05:55:52 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
- openldap server doesn't react with a count violation error
- applied a patch that fixes the count overlay
- count overlay now works properly
Comment 21 Jan Synacek 2012-03-01 06:00:23 EST
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1,4 @@
-- 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
+- openldap server is running with count constraint overlay enabled. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
 - openldap server doesn't react with a count violation error
 - applied a patch that fixes the count overlay
 - count overlay now works properly
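Review bot: The added first line names a "count constraint overlay" while the unchanged third and fourth lines still say "count overlay", so the note uses two names for the same component; pick one term and use it on all four lines. The added line would also read more clearly with the precondition (server configuration) and the trigger (the split 'modify' request) kept as two separate statements.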
Comment 22 Jan Vcelak 2012-03-01 11:00:43 EST
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1,4 @@
-- openldap server is running with count constraint overlay enabled. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
+- openldap server is running with 'constraint' overlay enabled and 'count' restriction configured. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
 - openldap server doesn't react with a count violation error
 - applied a patch that fixes the count overlay
-- count overlay now works properly+- 'count' restriction in 'constraint' overlay now works properly
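Review bot: The unchanged third line, "applied a patch that fixes the count overlay", still uses the term that the first and last lines of this hunk replace with "'count' restriction in 'constraint' overlay"; reword it to match, for example "applied a patch that fixes the 'count' restriction in the 'constraint' overlay", so the note is consistent from cause to result.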
Comment 24 errata-xmlrpc 2012-06-20 03:29:02 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0899.html
