#406 Impossible to rename entry (modrdn) with Attribute Uniqueness plugin enabled
Closed: Fixed None Opened 7 years ago by pj101.

I'm testing 389 v1.2.10.12 on CentOS 5.8 x86_64. With the Attribute Uniqueness plugin enabled for one of the attributes of the entry (not the naming attribute), the modrdn operation for this entry fails with:

{{{
ldap_rename: Constraint violation (19)
additional info: Another entry with the same attribute value already exists (attribute: "X-UniqueId")
}}}

In our case we need the uniqueness of the X-UniqueId attribute. The modrdn was changing the uid attribute. In the latest version of 1.2.9.x this problem did not exist.

It's a blocking issue for the upgrade 1.2.9.x->1.2.10x on our production servers.

Typical log trace:
{{{
[11/Jul/2012:16:20:40 +0200] conn=5 op=6 MODRDN dn="uid=somelogin,ou=Personnel,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu" newrdn="uid=somelogin.test" newsuperior="ou=Personnel,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu"
[11/Jul/2012:16:20:41 +0200] conn=5 op=6 RESULT err=19 tag=109 nentries=0 etime=0.012000
}}}


Can you provide your attribute uniqueness configuration?

Here it is (the same conf works ok in version 1.2.9.10)

cn=attribute uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: attribute uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: uid
nsslapd-pluginarg1: dc=id,dc=polytechnique,dc=edu
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.10.12
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values

cn=X-UniqueId uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: X-UniqueId uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: X-UniqueId
nsslapd-pluginarg1: dc=id,dc=polytechnique,dc=edu
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.10.12
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values

Wiki puts an additional question mark in the name of the attribute, don't know how to get rid of it.

OK, I've found how to get rid of the question mark:
{{{

cn=attribute uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: attribute uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: uid
nsslapd-pluginarg1: dc=id,dc=polytechnique,dc=edu
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.10.12
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values

cn=X-UniqueId uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: X-UniqueId uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: X-UniqueId
nsslapd-pluginarg1: dc=id,dc=polytechnique,dc=edu
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.10.12
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values
}}}

I have not been able to reproduce so far. This is what I've done:
Set up a plain directory server with 3 attribute uniqueness plugins - the default (for uid), one for nsuniqueid, and one for uidNumber. I'm adding a user entry like this:
{{{
dn: uid=testuser1,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: posixaccount
uidNumber: 999
gidNumber: 999
gecos: Test User1
sn: User1
homeDirectory: /home/testuser1
givenName: Test
cn: Test User1
uid: testuser1
}}}

Then I do a modrdn operation like this:
{{{
[11/Jul/2012:15:09:54 -0600] conn=1 op=4 MODRDN dn="uid=testuser1,ou=people,dc=example,dc=com" newrdn="uid=testuser1changed" newsuperior="ou=people,dc=example,dc=com"
[11/Jul/2012:15:09:54 -0600] conn=1 op=4 RESULT err=0 tag=109 nentries=0 etime=0
}}}

I've tried this with the latest 1.2.11 branch and the latest 1.2.10 branch (on EL6 - have not tried on EL5).

Are you using any other plugins?

Hi Rich,

I've tested it only on EL5(.8) x86_64.

There is also an additional index on {{{ X-UniqueId }}} for presence and equality:
{{{
207 cn=x-uniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
cn: x-uniqueid
nsIndexType: pres
nsIndexType: eq
}}}

And here are some of the other used plugins and non-default config attributes:

entryusn plugin
pam passthrough plugin
memberOf plugin

{{{
dn: cn=config
nsslapd-ldapilisten: on
nsslapd-ldapiautobind: on

dn: cn=Account Policy Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
alwaysrecordlogin: yes

dn: cn=referential integrity postoperation,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: 600
nsslapd-pluginarg1: $DS_BASE_DIR/var/lib/dirsrv/slapd-$LDAP_SERVER_IDENTIFIER/db/refer_integrity_log
nsslapd-pluginarg2: 0
nsslapd-pluginarg3: ou
nsslapd-pluginarg4: member
nsslapd-pluginarg5: uniquemember
nsslapd-pluginarg6: owner
nsslapd-pluginarg7: seeAlso
}}}

I'll try to narrow down the problem tomorrow by disabling plugins one by one.

I've tried it with enabling many plugins at once - still works fine.

I have a CentOS 5 x86_64 machine I can use. It's possible it is related to EL5 and/or mozldap.

Tried with CentOS 5 x86_64 with 389-ds-base 1.2.10.11 from epel-testing - cannot reproduce

Hi Rich, here are the exact steps to reproduce it on CentOS 5.8 x86_64 with the latest epel testing rpm:

{{{
cat /etc/redhat-release
CentOS release 5.8 (Final)

cat /proc/version
Linux version 2.6.18-308.11.1.el5 (mockbuild@builder10.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-52)) #1 SMP Tue Jul 10 08:48:43 EDT 2012

yum --enablerepo=epel-testing install 389-ds-base.x86_64 389-admin.x86_64

rpm -qi 389-ds-base
Name : 389-ds-base Relocations: (not relocatable)
Version : 1.2.10.11 Vendor: Fedora Project
Release : 1.el5 Build Date: Wed 27 Jun 2012 02:55:21 AM CEST
Install Date: Thu 12 Jul 2012 12:37:22 PM CEST Build Host: x86-14.phx2.fedoraproject.org
Group : System Environment/Daemons Source RPM: 389-ds-base-1.2.10.11-1.el5.src.rpm
Size : 4995092 License: GPLv2 with exceptions
Signature : DSA/SHA1, Thu 28 Jun 2012 04:09:37 PM CEST, Key ID 119cc036217521f6
Packager : Fedora Project
URL : http://port389.org/
Summary : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration.

./setup-ds-admin.pl
...
"2. Typical" installation with dc=example,dc=com
...

ldapmodify -x -h localhost -D "cn= Directory Manager" -w 'mypassword' <<EOF
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.123803.0.7 NAME 'X-UniqueId' DESC 'Identifiant uni
 que de la personne' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGI
 N 'user defined' )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.123803.1.1 NAME 'X-Misc' DESC 'Additional attribu
 tes for Ecole Polytechnique' SUP top STRUCTURAL MAY ( X-UniqueId ) X-ORIGIN '
 user defined' )
EOF

ldapadd -x -h localhost -D "cn= Directory Manager" -w 'mypassword' <<EOF
dn: uid=my.account, ou=People,dc=example,dc=com
uid: my.account
objectClass: X-Misc
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Test Account
givenName: Test
sn: Account
X-UniqueId: some-id
EOF

ldapadd -x -h localhost -D "cn= Directory Manager" -w 'mypassword' <<EOF
dn: cn=X-UniqueId uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: attribute uniqueness
cn: X-UniqueId uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: X-UniqueId
nsslapd-pluginarg1: dc=example,dc=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.10.12
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values
EOF

/etc/init.d/dirsrv restart

ldapmodify -a -x -h localhost -D "cn= Directory Manager" -w 'mypassword' <<EOF
dn: uid=my.account,ou=People,dc=example,dc=com
changetype: modrdn
newrdn: uid=my.account.test
deleteoldrdn: 1
newsuperior: ou=People,dc=example,dc=com
EOF

modifying rdn of entry "uid=my.account,ou=People,dc=example,dc=com"
rename completed
ldapmodify: Constraint violation (19)
additional info: Another entry with the same attribute value already exists (attribute: "X-UniqueId")

}}}

The logs:

{{{
==> /var/log/dirsrv/slapd-example/errors <==
[12/Jul/2012:12:47:03 +0200] - slapd shutting down - signaling operation threads
[12/Jul/2012:12:47:03 +0200] - slapd shutting down - closing down internal subsystems and plugins
[12/Jul/2012:12:47:03 +0200] - Waiting for 4 database threads to stop
[12/Jul/2012:12:47:03 +0200] - All database threads now stopped
[12/Jul/2012:12:47:03 +0200] - slapd stopped.
[12/Jul/2012:12:47:05 +0200] - 389-Directory/1.2.10.11 B2012.179.054 starting up
[12/Jul/2012:12:47:05 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests

==> /var/log/dirsrv/slapd-example/access <==
[12/Jul/2012:12:47:44 +0200] conn=2 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[12/Jul/2012:12:47:44 +0200] conn=2 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[12/Jul/2012:12:47:44 +0200] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[12/Jul/2012:12:47:44 +0200] conn=2 op=1 MODRDN dn="uid=my.account,ou=People,dc=example,dc=com" newrdn="uid=my.account.test" newsuperior="ou=People,dc=example,dc=com"
[12/Jul/2012:12:47:44 +0200] conn=2 op=1 RESULT err=19 tag=109 nentries=0 etime=0
[12/Jul/2012:12:47:44 +0200] conn=2 op=2 UNBIND
[12/Jul/2012:12:47:44 +0200] conn=2 op=2 fd=64 closed - U1
}}}

0001-Ticket-406-Impossible-to-rename-entry-modrdn-with-At.patch

69ce800..832a52d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit changeset:832a52d/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Thu Jul 12 19:56:55 2012 -0600
c0151f7..d7876a2 master -> master
commit changeset:d7876a2/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Thu Jul 12 19:56:55 2012 -0600

branch 389-ds-base-1.2.10
commit changeset:93011a3/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Thu Jul 12 19:56:55 2012 -0600

fixed in 1.2.10.13
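
A way to check an access log for the failure signature reported in this ticket (a MODRDN whose RESULT is err=19), as an added example that is not part of the original ticket or the 389 project's code. The function name and record fields are assumptions; the sample lines are copied from the access logs quoted above.

```python
import re

# Access-log prefix as shown in the ticket: [timestamp] conn=N op=N <operation text>
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+(?P<rest>.*)$')
MODRDN_RE = re.compile(r'^MODRDN\s+dn="(?P<dn>[^"]*)"\s+newrdn="(?P<newrdn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT\s+err=(?P<err>\d+)\b')
CONSTRAINT_VIOLATION = 19  # LDAP result code seen in the ticket


def failed_renames(lines):
    """Pair each MODRDN with its RESULT by (conn, op); return those with err=19."""
    pending = {}  # (conn, op) -> rename details awaiting a RESULT line
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # connection lines, banners and blanks carry no op=
        key = (int(m["conn"]), int(m["op"]))
        rename = MODRDN_RE.match(m["rest"])
        if rename:
            pending[key] = {"time": m["ts"], "conn": key[0], "op": key[1],
                            "dn": rename["dn"], "newrdn": rename["newrdn"],
                            # attribute type of the new RDN, to compare with nsslapd-pluginarg0
                            "rdn_attr": rename["newrdn"].split("=", 1)[0].lower()}
            continue
        result = RESULT_RE.match(m["rest"])
        if result and key in pending:
            op = pending.pop(key)
            if int(result["err"]) == CONSTRAINT_VIOLATION:
                hits.append(op)
    return hits


# Sample input: lines copied from the ticket (one failing rename, one succeeding).
SAMPLE = """\
[12/Jul/2012:12:47:44 +0200] conn=2 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[12/Jul/2012:12:47:44 +0200] conn=2 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[12/Jul/2012:12:47:44 +0200] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[12/Jul/2012:12:47:44 +0200] conn=2 op=1 MODRDN dn="uid=my.account,ou=People,dc=example,dc=com" newrdn="uid=my.account.test" newsuperior="ou=People,dc=example,dc=com"
[12/Jul/2012:12:47:44 +0200] conn=2 op=1 RESULT err=19 tag=109 nentries=0 etime=0
[11/Jul/2012:15:09:54 -0600] conn=1 op=4 MODRDN dn="uid=testuser1,ou=people,dc=example,dc=com" newrdn="uid=testuser1changed" newsuperior="ou=people,dc=example,dc=com"
[11/Jul/2012:15:09:54 -0600] conn=1 op=4 RESULT err=0 tag=109 nentries=0 etime=0
"""

if __name__ == "__main__":
    for hit in failed_renames(SAMPLE.splitlines()):
        print(hit)
```

A hit whose `rdn_attr` is not one of the attributes configured for uniqueness matches the pattern described in this ticket; a hit on a configured attribute may be a genuine duplicate.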

Added initial screened field value.

Metadata Update from @pj101:
- Issue assigned to rmeggins
- Issue set to the milestone: 1.2.11.8

3 years ago
