#47644 Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry
Closed: wontfix None Opened 7 years ago by nkinder.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1029959

Description of problem:
From RHEL 7 most DS plugins are converted to be betxn - if their operation
fails, whole transaction should fail and not be comitted to database. In case
of Managed Entries plugin, we can create a situation where plugin fails to
create managed entry, e.g. due to mapped attribute missing.

Version-Release number of selected component (if applicable):
RHEL 7 389-ds-base-1.3.1.6-8.el7.x86_64

Steps to Reproduce:

# enable plugin
ldapmodify -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=Managed Entries,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF

# add template entry
ldapmodify -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=template,dc=example,dc=com
objectclass: top
objectclass: mepTemplateEntry
cn: template
mepRDNAttr: cn
mepStaticAttr: objectclass: top
mepStaticAttr: objectclass: person
mepStaticAttr: objectclass: inetOrgPerson
mepMappedAttr: cn: \$cn
mepMappedAttr: uid: \$uid
mepMappedAttr: sn: \$sn
EOF

# add definition entry
ldapmodify -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=definition,cn=Managed Entries, cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
cn: definition
originScope: ou=people,dc=example,dc=com
originFilter: objectclass=person
managedBase: ou=Groups,dc=example,dc=com
managedTemplate: cn=template,dc=example,dc=com
EOF

# Add new entry - adding managed entry should fail
ldapmodify -a -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=tuser,ou=people,dc=example,dc=com
objectclass: top
objectclass: person
cn: tuser
sn: tuser
EOF

# Returns entry
ldapsearch -D "cn=directory manager" -w Secret123 -LLL -b
"cn=tuser,ou=people,dc=example,dc=com"

# Returns no such object
ldapsearch -D "cn=directory manager" -w Secret123 -LLL -b
"cn=tuser,ou=groups,dc=example,dc=com"


Actual results:

[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_parse_mapped_attr:
Mapped attribute "uid" is not present in origin entry
"cn=tuser,ou=People,dc=example,dc=com".  Please correct template to only map
attributes required by the schema.
[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_create_managed_entry:
Error parsing mapped attribute in template "cn=template,dc=example,dc=com".
[13/Nov/2013:01:47:02 -0700] managed-entries-plugin - mep_add_managed_entry:
Unable to create a managed entry from origin entry
"cn=tuser,ou=People,dc=example,dc=com" using config "cn=definition,cn=Managed
Entries,cn=plugins,cn=config".

and original entry is successfully added:

[root@localhost jrusnack]# ldapsearch -D "cn=directory manager" -w Secret123
-LLL -b "cn=tuser,ou=people,dc=example,dc=com" dn
dn: cn=tuser,ou=People,dc=example,dc=com

Expected results:
If the plugins operation is part of transaction, failure to add managed entry
should not commit original entry to the database.

ack

Note that this may be a general problem with many post-op plugins - before they were betxn post-op, it didn't matter what value they returned, because the return value could not change the outcome of the original operation, nor could the error be returned to clients, so many post-op plugins may have just returned any value.

Replying to [comment:6 rmeggins]:

ack

Note that this may be a general problem with many post-op plugins - before they were betxn post-op, it didn't matter what value they returned, because the return value could not change the outcome of the original operation, nor could the error be returned to clients, so many post-op plugins may have just returned any value.

That's a good point. I'll open a new ticket to investigate the other plugins.

git merge ticket47644
Updating 43cd7db..ea6ac91
Fast-forward
ldap/servers/plugins/mep/mep.c | 44 +++++++++++++++++++++++++++++++++++---------
1 file changed, 35 insertions(+), 9 deletions(-)

git push origin master
43cd7db..ea6ac91 master -> master

commit ea6ac91
Author: Mark Reynolds mreynolds@redhat.com
Date: Fri May 30 14:57:15 2014 -0400

Coverity fix:

ea6ac91..fa31627 master -> master
commit fa31627

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.3 backlog

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/981

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

a year ago

Login to comment on this ticket.

Metadata