#47644 Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry
Closed: Fixed None Opened 5 years ago by nkinder.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1029959

Description of problem:
From RHEL 7 most DS plugins are converted to be betxn - if their operation
fails, whole transaction should fail and not be comitted to database. In case
of Managed Entries plugin, we can create a situation where plugin fails to
create managed entry, e.g. due to mapped attribute missing.

Version-Release number of selected component (if applicable):
RHEL 7 389-ds-base-1.3.1.6-8.el7.x86_64

Steps to Reproduce:

# enable plugin
ldapmodify -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=Managed Entries,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF

# add template entry
ldapmodify -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=template,dc=example,dc=com
objectclass: top
objectclass: mepTemplateEntry
cn: template
mepRDNAttr: cn
mepStaticAttr: objectclass: top
mepStaticAttr: objectclass: person
mepStaticAttr: objectclass: inetOrgPerson
mepMappedAttr: cn: \$cn
mepMappedAttr: uid: \$uid
mepMappedAttr: sn: \$sn
EOF

# add definition entry
ldapmodify -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=definition,cn=Managed Entries, cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
cn: definition
originScope: ou=people,dc=example,dc=com
originFilter: objectclass=person
managedBase: ou=Groups,dc=example,dc=com
managedTemplate: cn=template,dc=example,dc=com
EOF

# Add new entry - adding managed entry should fail
ldapmodify -a -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=tuser,ou=people,dc=example,dc=com
objectclass: top
objectclass: person
cn: tuser
sn: tuser
EOF

# Returns entry
ldapsearch -D "cn=directory manager" -w Secret123 -LLL -b
"cn=tuser,ou=people,dc=example,dc=com"

# Returns no such object
ldapsearch -D "cn=directory manager" -w Secret123 -LLL -b
"cn=tuser,ou=groups,dc=example,dc=com"


Actual results:

[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_parse_mapped_attr:
Mapped attribute "uid" is not present in origin entry
"cn=tuser,ou=People,dc=example,dc=com".  Please correct template to only map
attributes required by the schema.
[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_create_managed_entry:
Error parsing mapped attribute in template "cn=template,dc=example,dc=com".
[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_add_managed_entry:
Unable to create a managed entry from origin entry
"cn=tuser,ou=People,dc=example,dc=com" using config "cn=definition,cn=Managed
Entries,cn=plugins,cn=config".

and original entry is successfully added:

[root@localhost jrusnack]# ldapsearch -D "cn=directory manager" -w Secret123
-LLL -b "cn=tuser,ou=people,dc=example,dc=com" dn
dn: cn=tuser,ou=People,dc=example,dc=com

Expected results:
If the plugins operation is part of transaction, failure to add managed entry
should not commit original entry to the database.

ack

Note that this may be a general problem with many post-op plugins - before they were betxn post-op, it didn't matter what value they returned, because the return value could not change the outcome of the original operation, nor could the error be returned to clients, so many post-op plugins may have just returned any value.

Replying to [comment:6 rmeggins]:

ack

Note that this may be a general problem with many post-op plugins - before they were betxn post-op, it didn't matter what value they returned, because the return value could not change the outcome of the original operation, nor could the error be returned to clients, so many post-op plugins may have just returned any value.

That's a good point. I'll open a new ticket to investigate the other plugins.

git merge ticket47644
Updating 43cd7db..ea6ac91
Fast-forward
ldap/servers/plugins/mep/mep.c | 44 +++++++++++++++++++++++++++++++++++---------
1 file changed, 35 insertions(+), 9 deletions(-)

git push origin master
43cd7db..ea6ac91 master -> master

commit ea6ac91
Author: Mark Reynolds mreynolds@redhat.com
Date: Fri May 30 14:57:15 2014 -0400

Coverity fix:

ea6ac91..fa31627 master -> master
commit fa31627

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.3 backlog

2 years ago

Login to comment on this ticket.

Metadata