Bug 853355 - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: Rich Megginson
QA Contact: Sankar Ramalingam
Reported: 2012-08-31 04:30 EDT by Ján Rusnačko
Modified: 2014-06-17 22:54 EDT
Fixed In Version: 389-ds-base-1.3.1.6-15.el7
Doc Type: Bug Fix
Doc Text:
Cause: There was no code to check whether the values of nsslapd-allowed-to-delete-attrs are valid configuration attributes.
Consequence: Invalid configuration attributes were silently accepted.
Fix: Code was added to check the validity of the configuration attribute.
Result: If the value of nsslapd-allowed-to-delete-attrs contains invalid configuration parameters, they are not stored in the configuration entry, and the error log records "nsslapd-allowed-to-delete-attrs: Unknown attribute bogus will be ignored".
Last Closed: 2014-06-13 06:36:34 EDT
Type: Bug
Description Ján Rusnačko 2012-08-31 04:30:33 EDT
Description of problem:

See Bug 602456. Adding an attribute to nsslapd-allowed-to-delete-attrs should allow the attribute to be deleted. However, it is possible to add an invalid attribute to nsslapd-allowed-to-delete-attrs.


Version-Release number of selected component (if applicable):
389-ds-base-1.2.10.2-15.el6.x86_64

How reproducible:
always


Steps to Reproduce:
1. 
ldapmodify -h localhost -p 389 -D "cn=directory manager" -w dirmanager <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-to-delete-attrs
nsslapd-allowed-to-delete-attrs: invalid-attr
EOF
modifying entry "cn=config"

[jrusnack@dhcp-31-42 /]$ echo $?
0


Actual results: Succeeds


Expected results: Should fail


Additional info: See related Bug 853106.
Comment 4 Nathan Kinder 2012-09-06 12:57:57 EDT
Upstream ticket:
https://fedorahosted.org/389/ticket/447
Comment 8 Rich Megginson 2013-10-01 19:24:42 EDT
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata).  When the errata is created, the bugs should be automatically moved back to ON_QA.
Comment 10 Amita Sharma 2014-01-07 05:05:13 EST
Hi Noriko,

Following is the execution done for testing ::
[root@dhcp201-149 ~]# rpm -qa | grep 389
389-adminutil-1.1.15-3.fc19.1.x86_64
389-admin-1.1.31-1.fc19.2.x86_64
389-admin-console-doc-1.1.8-5.fc19.noarch
389-console-1.1.7-4.fc19.noarch
389-ds-base-1.3.1.6-12.el7.x86_64
389-admin-console-1.1.8-5.fc19.noarch
389-ds-console-doc-1.2.7-2.fc19.noarch
389-dsgw-1.1.10-1.fc19.x86_64
389-ds-base-libs-1.3.1.6-12.el7.x86_64
389-ds-console-1.2.7-2.fc19.noarch
389-ds-1.2.2-4.fc19.noarch

[root@dhcp201-149 ~]# ldapmodify -h localhost -p 389 -D "cn=directory manager" -w Secret123 <<EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-allowed-to-delete-attrs
> nsslapd-allowed-to-delete-attrs: invalid-attr
> EOF
modifying entry "cn=config"

[root@dhcp201-149 ~]# systemctl restart dirsrv@dhcp201-149
[root@dhcp201-149 ~]# tail -f /var/log/dirsrv/slapd-dhcp201-149/errors
[07/Jan/2014:11:55:52 +051800] config - nsslapd-allowed-to-delete-attrs: Unknown attribute invalid-attr will be ignored
[07/Jan/2014:11:56:09 +051800] - slapd shutting down - signaling operation threads
[07/Jan/2014:11:56:09 +051800] - slapd shutting down - waiting for 17 threads to terminate
[07/Jan/2014:11:56:09 +051800] - slapd shutting down - closing down internal subsystems and plugins
[07/Jan/2014:11:56:09 +051800] - Waiting for 4 database threads to stop
[07/Jan/2014:11:56:09 +051800] - All database threads now stopped
[07/Jan/2014:11:56:09 +051800] - slapd stopped.
[07/Jan/2014:11:56:10 +051800] config - nsslapd-allowed-to-delete-attrs: Unknown attribute invalid-attr will be ignored
[07/Jan/2014:11:56:10 +051800] - 389-Directory/1.3.1.6 B2013.344.2051 starting up
[07/Jan/2014:11:56:10 +051800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
^C
[root@dhcp201-149 ~]# ldapsearch -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep -i "nsslapd-allowed-to-delete-attrs"
nsslapd-allowed-to-delete-attrs: invalid-attr

Issues ::
==========
1. Although the error message is logged in the error logs, the following search returns the invalid value assigned to the attribute nsslapd-allowed-to-delete-attrs, which is not correct.

2. The error should be given as the output of one of these operations ::
a. while setting the invalid value of the attribute using ldapmodify.
b. Restarting the server after setting the invalid value.
Comment 11 Amita Sharma 2014-01-07 05:49:19 EST
Acceptance results are also failing :: http://dhcp201-149.englab.pnq.redhat.com/qa/archive/ds/90/acceptance/output/Linux/20140107-154306/acceptance/basic.run.out.17579

Automated under -- /acceptance/basic/config.sh - test case bug602456_13
Committed revision https://engineering.redhat.com/trac/DStetframework/changeset/8268
Comment 12 Amita Sharma 2014-01-09 02:21:54 EST
[root@dhcp201-149 ~]# rpm -qa | grep 389
389-adminutil-1.1.15-3.fc19.1.x86_64
389-console-1.1.7-4.fc19.noarch
389-ds-base-libs-1.3.1.6-14.el7.x86_64
389-ds-base-1.3.1.6-14.el7.x86_64

Acceptance Results :: http://dhcp201-149.englab.pnq.redhat.com/qa/archive/ds/90/acceptance/output/Linux/20140109-122004/acceptance/basic.run.out.14411

----------------- Starting Test bug602456_13 -------------------------
Adding a new invalid attribute to nsslapd-allwed-to-delete-attrs at runtime to cn=config
Adding the nsslapd-invalidhost-attr attribute to nsslapd-allowed-to-delete-attrs
ldap_modify: DSA is unwilling to perform
modifying entry cn=config

[09/Jan/2014:12:21:45 +051800] config - nsslapd-allowed-to-delete-attrs: Unknown attribute nsslapd-invalidhost-attr will be ignored
bug602456_13: error log logged expected error.
TestCase [bug602456_13] result-> [PASS]
/usr/lib64/mozldap/ldapsearch -1 -p 24372 -h dhcp201-149.englab.pnq.redhat.com -D cn=directory manager -w Secret123 -b cn=config -s base objectclass=* | grep nsslapd-allowed-to-delete-attrs:        | grep nsslapd-invalidhost-attr
Test result for bug602456_13, Adding a new invalid attribute to nsslapd-allwed-to-delete-attrs at runtime to cn=config, Actual_Result=1, Expected_Result=1
TestCase [bug602456_13] result-> [PASS]
------------------Test bug602456_13 Completed-------------------------

Manual execution
================
[root@dhcp201-149 ~]# ldapmodify -h localhost -p 24372 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-to-delete-attrs
nsslapd-allowed-to-delete-attrs: invalid-attr
EOF
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)

[root@dhcp201-149 ~]# ldapsearch -x -h localhost -p 24372 -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep -i "nsslapd-allowed-to-delete-attrs"
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost n

Logs ::
[09/Jan/2014:12:27:38 +051800] config - nsslapd-allowed-to-delete-attrs: Unknown attribute invalid-attr will be ignored
[09/Jan/2014:12:27:39 +051800] config - nsslapd-allowed-to-delete-attrs: Given attributes are all invalid.  No effects.


Hence marking VERIFIED.
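
A small C model of the validation behaviour verified in Comment 12, added here as an example; it is not the 389-ds-base patch. The function name, the two-entry attribute table and the decision to keep the valid names from a mixed list are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS 0
#define LDAP_UNWILLING_TO_PERFORM 53 /* the (53) returned in the manual run */

/* Constructed subset of cn=config attribute names (assumption); a server
 * would check against its full configuration attribute table. */
static const char *known_attrs[] = { "nsslapd-listenhost", "nsslapd-securelistenhost" };

/* Case-insensitive match of name[0..len) against the known table. */
static int is_known(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof known_attrs / sizeof known_attrs[0]; i++) {
        const char *k = known_attrs[i];
        size_t j = 0;
        while (j < len && k[j] && tolower((unsigned char)k[j]) == tolower((unsigned char)name[j])) j++;
        if (j == len && k[j] == '\0') return 1;
    }
    return 0;
}

/* Hypothetical validator: copies the known names from the space-separated
 * `value` into `out` and returns an LDAP result code. On any non-success
 * result the caller must keep the previously stored value. */
int filter_allowed_to_delete(const char *value, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return LDAP_UNWILLING_TO_PERFORM;
    out[0] = '\0';
    for (const char *p = value + strspn(value, " "); *p; p += strspn(p, " ")) {
        size_t len = strcspn(p, " ");
        if (!is_known(p, len))
            fprintf(stderr, "nsslapd-allowed-to-delete-attrs: Unknown attribute %.*s will be ignored\n", (int)len, p);
        else if (used + len + 2 > outlen)
            return LDAP_UNWILLING_TO_PERFORM; /* refuse rather than truncate */
        else
            used += (size_t)snprintf(out + used, outlen - used, "%s%.*s", used ? " " : "", (int)len, p);
        p += len;
    }
    if (used == 0) { /* nothing valid was supplied: reject, change nothing */
        fprintf(stderr, "nsslapd-allowed-to-delete-attrs: Given attributes are all invalid.  No effects.\n");
        return LDAP_UNWILLING_TO_PERFORM;
    }
    return LDAP_SUCCESS;
}
```

Rejecting the modify when every name is unknown is what makes the failure visible to the client, instead of only in the error log as in Comment 10.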
Comment 13 Noriko Hosoi 2014-01-13 14:24:29 EST
Sorry, 2 valgrind errors were found (DS 47660).  Reopening this bug.
Comment 14 Sankar Ramalingam 2014-01-30 05:56:37 EST
############## Result  for  backend test :   Basic run
    Basic run elapse time : 00:03:04
    Basic run Tests PASS      : 100% (63/63)

All test cases in basic acceptance tests passed. Hence, marking it as verified.

Build tested - 389-ds-base-1.3.1.6-15
Comment 15 Ludek Smid 2014-06-13 06:36:34 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
