Bug 742163 - Overlay constraint with count option work bad with modify operation
Summary: Overlay constraint with count option work bad with modify operation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Jan Synacek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 795766
Reported: 2011-09-29 09:34 UTC by David Spurek
Modified: 2015-03-02 05:26 UTC (History)

Fixed In Version: openldap-2.4.23-21.el6
Doc Type: Bug Fix
Doc Text:
- openldap server is running with 'constraint' overlay enabled and 'count' restriction configured. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
- openldap server doesn't react with a count violation error
- applied a patch that fixes the count overlay
- 'count' restriction in 'constraint' overlay now works properly
Clone Of:
: 795766 (view as bug list)
Environment:
Last Closed: 2012-06-20 07:29:02 UTC
Target Upstream Version:
Embargoed:


Attachments
- Slapd configuration file (1.27 KB, application/octet-stream), 2011-09-29 09:34 UTC, David Spurek
- data.ldif (415 bytes, application/octet-stream), 2011-09-29 09:34 UTC, David Spurek
- Fixes constraint (count) problem (3.24 KB, patch), 2012-02-08 13:35 UTC, Jan Synacek
- Constraint count patch (3.91 KB, patch), 2012-02-09 08:05 UTC, Jan Synacek (jvcelak: review-)
- simple test cases (2.42 KB, application/x-gzip), 2012-02-09 13:19 UTC, Jan Vcelak
- Constraint count patch (4.14 KB, patch), 2012-02-13 13:09 UTC, Jan Synacek
- Constraint count patch (4.15 KB, patch), 2012-02-13 14:00 UTC, Jan Synacek
- Constraint count patch (3.91 KB, patch), 2012-02-15 14:39 UTC, Jan Synacek (jvcelak: review+)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0899 0 normal SHIPPED_LIVE Low: openldap security and bug fix update 2012-06-19 19:28:37 UTC

Description David Spurek 2011-09-29 09:34:20 UTC
Created attachment 525495 [details]
Slapd configuration file

Description of problem:
The constraint overlay with the count option works badly with the modify operation. When I add more than the permitted number of attribute values with ldapmodify, the operation succeeds. With ldapadd it works well.

Version-Release number of selected component (if applicable):
openldap-servers-2.4.23-19.el6

How reproducible:
always

Steps to Reproduce:
1. slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
(slapd.conf is in the attachment)

2. slapadd -l data.ldif
(data.ldif is in the attachment)

3. Test modify operation
Content of count_modify.ldif:
dn: cn=usr2, dc=my-domain,dc=com
add: description
description: check
-
add: description
description: constraint count
-
add: description
description: with modify

Run:
ldapmodify -D cn=Manager,dc=my-domain,dc=com -w x -f count_modify.ldif

Actual results:
Operation succeeds.

Expected results:
Operation fails with Constraint violation (19).

Additional info:
With ldapadd it works well. Example:
count.ldif

dn: cn=usr1, dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: usr1
sn: usr1
mail: usr
uid: usr1
description: usr1
description: check
description: constraint count

ldapadd -D cn=Manager,dc=my-domain,dc=com -w x -f count.ldif

Comment 1 David Spurek 2011-09-29 09:34:43 UTC
Created attachment 525496 [details]
data.ldif

Comment 2 Ondrej Moriš 2011-10-17 13:59:55 UTC
Jan, do you think that this bug could have an important impact in 6.2.0? Maybe we should consider proposing an exception for this and include it in 6.2.0. However, I am not sure if it might cause anything serious.

Comment 5 Jan Vcelak 2012-01-12 14:04:04 UTC
Found the problem.

The constraint validator verifies operations one by one, therefore this violation is caught:

dn: cn=usr2, dc=my-domain,dc=com
add: description
description: check
description: constraint count
description: with modify

And this is not:

dn: cn=usr2, dc=my-domain,dc=com
add: description
description: check
-
add: description
description: constraint count
-
add: description
description: with modify
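
A simplified model of the behaviour described in comment 5, added here as an example (it is not OpenLDAP's code and not the attached patch): a count check applied to each modification separately accepts the split request, while a check that replays the whole request against the stored entry rejects it. The types and function names are hypothetical, and the limit of 2 and the single pre-existing value are assumptions, since the attached slapd.conf and data.ldif are not shown on the page.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of an LDAP modify request: a list of modifications.
 * Hypothetical types; not OpenLDAP's own structures. */
enum mod_op { MOD_ADD, MOD_DELETE, MOD_REPLACE };
struct mod { enum mod_op op; const char *attr; int nvals; };

#define CONSTRAINT_VIOLATION 19   /* LDAP result code quoted in the report */

/* Flawed check: each modification is judged on its own values only. */
int check_per_mod(const struct mod *m, int n, const char *attr, int limit) {
    for (int i = 0; i < n; i++)
        if (strcmp(m[i].attr, attr) == 0 && m[i].op != MOD_DELETE
            && m[i].nvals > limit)
            return CONSTRAINT_VIOLATION;
    return 0;
}

/* Cumulative check: replay the whole request against the stored value
 * count and compare only the final count with the limit. */
int check_cumulative(const struct mod *m, int n, const char *attr,
                     int existing, int limit) {
    int count = existing;
    for (int i = 0; i < n; i++) {
        if (strcmp(m[i].attr, attr) != 0) continue;
        if (m[i].op == MOD_ADD) count += m[i].nvals;
        else if (m[i].op == MOD_REPLACE) count = m[i].nvals;
        else count = m[i].nvals == 0 ? 0 : count - m[i].nvals; /* 0 = delete all */
        if (count < 0) count = 0;
    }
    return count > limit ? CONSTRAINT_VIOLATION : 0;
}

/* The two requests from comment 5, constructed here as value counts. */
static const struct mod single_add[] = { { MOD_ADD, "description", 3 } };
static const struct mod split_add[]  = { { MOD_ADD, "description", 1 },
                                         { MOD_ADD, "description", 1 },
                                         { MOD_ADD, "description", 1 } };

int main(void) {
    int limit = 2, existing = 1;   /* assumed: not given on the page */
    printf("single: per-mod=%d cumulative=%d\n",
           check_per_mod(single_add, 1, "description", limit),
           check_cumulative(single_add, 1, "description", existing, limit));
    printf("split:  per-mod=%d cumulative=%d\n",
           check_per_mod(split_add, 3, "description", limit),
           check_cumulative(split_add, 3, "description", existing, limit));
    return 0;
}
```

Because only the final count is compared, a request that exceeds the limit midway but ends within it (an add followed by a delete) is still accepted.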

Comment 6 Jan Synacek 2012-02-08 13:35:47 UTC
Created attachment 560260 [details]
Fixes constraint (count) problem

Comment 7 Jan Synacek 2012-02-08 13:38:02 UTC
I attached a patch that should fix the problems mentioned above.

Comment 8 Jan Synacek 2012-02-09 08:05:28 UTC
Created attachment 560469 [details]
Constraint count patch

Revised and fixed the last patch, which has been causing slapd to loop forever.

Comment 9 Jan Vcelak 2012-02-09 13:15:17 UTC
Comment on attachment 560469 [details]
Constraint count patch

patch looks good, but there are still some problems (I will attach some tests)

Comment 10 Jan Vcelak 2012-02-09 13:19:38 UTC
Created attachment 560577 [details]
simple test cases

run with ./run_test.sh
(optionally set SLAPD and SLAPADD environmental variables before)

== results with old version ==

Operations with expected success.
[t_ok_01.ldif] OK
[t_ok_02.ldif] OK
[t_ok_03.ldif] OK
[t_ok_04.ldif] OK
[t_ok_05.ldif] OK
[t_ok_06.ldif] OK
[t_ok_07.ldif] FAIL
[t_ok_08.ldif] FAIL
[t_ok_09.ldif] FAIL
[t_ok_10.ldif] FAIL

Operations with expected failure.
[t_fail_01.ldif] FAIL
[t_fail_02.ldif] FAIL
[t_fail_03.ldif] OK
[t_fail_04.ldif] OK
[t_fail_05.ldif] OK
[t_fail_06.ldif] FAIL
[t_fail_07.ldif] FAIL

== results with patched version ==

Operations with expected success.
[t_ok_01.ldif] OK
[t_ok_02.ldif] OK
[t_ok_03.ldif] OK
[t_ok_04.ldif] OK
[t_ok_05.ldif] OK
[t_ok_06.ldif] FAIL
[t_ok_07.ldif] FAIL
[t_ok_08.ldif] FAIL
[t_ok_09.ldif] OK
[t_ok_10.ldif] OK

Operations with expected failure.
[t_fail_01.ldif] FAIL
[t_fail_02.ldif] FAIL
[t_fail_03.ldif] FAIL
[t_fail_04.ldif] FAIL
[t_fail_05.ldif] FAIL
[t_fail_06.ldif] OK
[t_fail_07.ldif] FAIL

Comment 11 Jan Synacek 2012-02-13 13:09:14 UTC
Created attachment 561537 [details]
Constraint count patch

Comment 12 Jan Synacek 2012-02-13 13:11:01 UTC
Fixed the previous patch. It should work as intended now.

Comment 13 Jan Synacek 2012-02-13 14:00:43 UTC
Created attachment 561553 [details]
Constraint count patch

Additional tweaks.

Comment 14 Jan Synacek 2012-02-15 14:39:23 UTC
Created attachment 562235 [details]
Constraint count patch

Some more patch tweaking.

Comment 15 Jan Vcelak 2012-02-15 14:43:28 UTC
Comment on attachment 562235 [details]
Constraint count patch

looks good, works fine (my tests are passing)

Comment 16 Jan Synacek 2012-02-16 14:15:01 UTC
Patch proposed upstream:
http://www.openldap.org/its/index.cgi?findid=7168

Comment 20 Jan Synacek 2012-03-01 10:55:52 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
- openldap server doesn't react with a count violation error
- applied a patch that fixes the count overlay
- count overlay now works properly

Comment 21 Jan Synacek 2012-03-01 11:00:23 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1,4 @@
-- 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
+- openldap server is running with count constraint overlay enabled. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
 - openldap server doesn't react with a count violation error
 - applied a patch that fixes the count overlay
 - count overlay now works properly
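
Review bot: the added first line calls it the "count constraint overlay" while the unchanged lines below it say "count overlay", so the note uses two names for the same thing. The bug title describes the 'constraint' overlay with a 'count' option; use that wording in all four lines.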

Comment 22 Jan Vcelak 2012-03-01 16:00:43 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1,4 @@
-- openldap server is running with count constraint overlay enabled. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
+- openldap server is running with 'constraint' overlay enabled and 'count' restriction configured. 'modify' operation is expressed as series of multiple smaller (every one of them doesn't break count on its own) modifications
 - openldap server doesn't react with a count violation error
 - applied a patch that fixes the count overlay
-- count overlay now works properly+- 'count' restriction in 'constraint' overlay now works properly
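
Review bot: the unchanged third line still reads "applied a patch that fixes the count overlay", which no longer matches the reworded first and last lines. Change it to refer to the 'count' restriction in the 'constraint' overlay so the note uses one term throughout.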

Comment 24 errata-xmlrpc 2012-06-20 07:29:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0899.html

