From a4c4daaa54d1ba94e342fcbf9af13a547886f0e3 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Mar 27 2013 21:25:39 +0000 Subject: Ticket 620 - Better logging of error messages for 389-ds-base Bug Description: In a replication environment, if you have one master set with passwordIsGlobalpolicy to on, and another master does not, then the password policy updates are rejected. However, there is no clear logging to tell you why the operatoin was rejected. Fix Description: Write a clear message in the error log stating what was the cause of the failure. https://fedorahosted.org/389/ticket/620 Reviewed by: nhosoi & nkinder (Thanks!!) --- diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c index d42ef2c..cc1621b 100644 --- a/ldap/servers/slapd/modify.c +++ b/ldap/servers/slapd/modify.c @@ -128,22 +128,22 @@ static struct attr_value_check { void do_modify( Slapi_PBlock *pb ) { - Slapi_Operation *operation; - BerElement *ber; - char *last, *type = NULL; - ber_tag_t tag; - ber_len_t len; - LDAPMod *mod; - LDAPMod **mods; - Slapi_Mods smods; - int err; - int pw_change = 0; /* 0= no password change */ - int ignored_some_mods = 0; - int has_password_mod = 0; /* number of password mods */ - char *old_pw = NULL; /* remember the old password */ - char *rawdn = NULL; - int minssf_exclude_rootdse = 0; - LDAPMod **normalized_mods = NULL; + Slapi_Operation *operation; + Slapi_Mods smods; + BerElement *ber; + ber_tag_t tag; + ber_len_t len; + LDAPMod **normalized_mods = NULL; + LDAPMod *mod; + LDAPMod **mods; + char *last, *type = NULL; + char *old_pw = NULL; /* remember the old password */ + char *rawdn = NULL; + int minssf_exclude_rootdse = 0; + int ignored_some_mods = 0; + int has_password_mod = 0; /* number of password mods */ + int pw_change = 0; /* 0 = no password change */ + int err; LDAPDebug( LDAP_DEBUG_TRACE, "do_modify\n", 0, 0, 0 ); 
@@ -291,8 +291,10 @@ do_modify( Slapi_PBlock *pb ) /* check if user is allowed to modify the specified attribute */ if (!op_shared_is_allowed_attr (mod->mod_type, pb->pb_conn->c_isreplication_session)) { - /* for now we just ignore attributes that client is not allowed - to modify so not to break existing clients */ + /* + * For now we just ignore attributes that client is not allowed + * to modify so not to break existing clients + */ ++ignored_some_mods; ber_bvecfree(mod->mod_bvalues); slapi_ch_free((void **)&(mod->mod_type)); @@ -310,6 +312,14 @@ do_modify( Slapi_PBlock *pb ) } if (ignored_some_mods && (0 == smods.num_elements)) { + if(pb->pb_conn->c_isreplication_session){ + int connid, opid; + slapi_pblock_get(pb, SLAPI_CONN_ID, &connid); + slapi_pblock_get(pb, SLAPI_OPERATION_ID, &opid); + LDAPDebug( LDAP_DEBUG_ANY,"Rejecting replicated password policy operation(conn=%d op=%d) for " + "entry %s. To allow these changes to be accepted, set passwordIsGlobalPolicy to 'on' in " + "cn=config.\n", connid, opid, rawdn); + } send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL ); goto free_and_return; }
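Review bot: In the new `c_isreplication_session` branch, `connid` and `opid` are uninitialised `int`s and the return values of both `slapi_pblock_get()` calls are ignored, so a failed lookup would put stack garbage into the error log. If SLAPI_CONN_ID writes a 64-bit connection id (I believe it does in this tree, but the getter is not visible in this hunk, so please confirm), storing it through `&connid` also overruns the `int`. Something like `PRUint64 connid = 0; int opid = 0;` with a matching format specifier would cover both. Separately, `rawdn` goes to `%s` exactly as it arrived from the peer, and the hunk does not show whether it can still be NULL here or contain control characters, so logging an escaped or normalised DN would keep the error log unambiguous. The message also names password policy as the cause, which holds only if that is the sole reason `op_shared_is_allowed_attr()` drops mods on a replication session; that function is outside the hunk.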