If memberof plugin is enabled and the client adds an entry with a membership attr it hangs if the memberof_postop_add rejects the operation
This seems to be a regression introduced by fix 47810.
Steps to reproduce:
1] enable memberof plugin (use memberof and uniquemember)
2] add a group A
    dn: cn=group_sub_A,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com
    objectClass: groupofuniquenames
    objectClass: top
    uniqueMember: uid=user.5010,ou=people,ou=suffix_active,dc=example,dc=com
3] add a group B with group A as member, note that objectclass groupofuniquenames does not allow memberof
    dn: cn=group_sub_X,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com
    changetype: add
    objectClass: groupofuniquenames
    uniqueMember: cn=group_sub_A,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com
Result:
    [11/Jul/2014:09:38:39 +0200] - Entry "cn=xx_01,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
    [11/Jul/2014:09:38:39 +0200] memberof-plugin - memberof_postop_add: failed to add dn(cn=group_sub_X,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com), error (-1)
    [11/Jul/2014:09:38:39 +0200] conn=30 op=1 ADD dn="cn=group_sub_X,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com"
    [11/Jul/2014:09:38:39 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
Looks like DS does finish/abort the operation due to the error in memberof, but does not send a result to the client
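An added example, not part of the original ticket or of the 389-ds-base code: a Python check over access-log lines in the format quoted above that lists client write operations with no matching RESULT line, which is how the missing response described here appears in the log. The sample lines are constructed, and the function name unanswered_ops is an assumption.

```python
import re

# Constructed access-log excerpt in the format quoted in this ticket:
# conn=30 op=1 is an ADD that never receives a RESULT line.
SAMPLE_LOG = """\
[11/Jul/2014:09:38:39 +0200] conn=30 op=0 BIND dn="cn=directory manager" method=128 version=3
[11/Jul/2014:09:38:39 +0200] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[11/Jul/2014:09:38:39 +0200] conn=30 op=1 ADD dn="cn=group_sub_X,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com"
[11/Jul/2014:09:38:39 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
[11/Jul/2014:09:38:40 +0200] conn=31 op=1 ADD dn="cn=group,dc=example,dc=com"
[11/Jul/2014:09:38:40 +0200] conn=31 op=1 RESULT err=65 tag=105 nentries=0 etime=0
"""

LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\S+)\s+op=(?P<op>-?\d+)\s+'
    r'(?P<kind>[A-Z]+)\b\s*(?P<rest>.*)$'
)
WRITE_OPS = {"ADD", "MOD", "DEL", "MODRDN"}


def unanswered_ops(log_text, kinds=WRITE_OPS):
    """Return write operations from client connections that have no RESULT."""
    pending = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue  # not an operation line (e.g. connection open/close)
        key = (m["conn"], m["op"])
        if m["kind"] == "RESULT":
            # A RESULT only clears the operation with the same conn and op;
            # conn=Internal op=-1 never matches a client operation.
            pending.pop(key, None)
        elif m["kind"] in kinds and m["conn"].isdigit():
            pending[key] = {"conn": m["conn"], "op": m["op"], "time": m["ts"],
                            "kind": m["kind"], "detail": m["rest"]}
    return list(pending.values())


if __name__ == "__main__":
    for entry in unanswered_ops(SAMPLE_LOG):
        print("no RESULT: conn={conn} op={op} {kind} {detail} at {time}".format(**entry))
```

An operation that was still in progress when the excerpt ends is reported as well, so compare its timestamp with the end of the log before treating it as a hang.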
Since it's a regression introduced by #47810, setting the priority to 1.3.3 (August).
I can not reproduce the problem on master branch:
I tried this:
ldapmodify:
    dn: cn=group,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: groupofuniquenames
    cn: group
    uniquemember: cn=directory administrators, dc=example,dc=com
Output:
    adding new entry "cn=group,dc=example,dc=com"
    ldap_add: Object class violation (65)
Error log:
    [14/Jul/2014:15:18:42 -0400] - Entry "cn=Directory Administrators,dc=example,dc=com" -- attribute "memberOf" not allowed
    [14/Jul/2014:15:18:42 -0400] memberof-plugin - memberof_postop_add: failed to add dn(cn=group,dc=example,dc=com), error (65)
Then I tried (after creating cn=group):
ldapmodify...
    dn: cn=directory administrators, dc=example,dc=com
    changetype: modify
    add: uniquemember
    uniquemember: cn=group,dc=example,dc=com
Output:
    modifying entry "cn=directory administrators, dc=example,dc=com"
    ldap_modify: Object class violation (65)
Error log:
    [14/Jul/2014:15:11:12 -0400] - Entry "cn=group,dc=example,dc=com" -- attribute "memberOf" not allowed
    [14/Jul/2014:15:11:13 -0400] memberof-plugin - memberof_postop_modify: failed to add dn (cn=directory administrators,dc=example,dc=com) to target. Error (65)
ldapmodify does not hang in either case, and everything looks correct.
You get an error -1, while I get an error 65. Are there other steps missing to reproduce this, other plugins that need to be configured/enabled?
attachment memberof.ldif
You're right, if I try with new groups I always get err=65, in my testcase I had some entries existing before enabling memberof. I can still reproduce with the following steps:
import attached memberof.ldif
try to add a new group
    dn: cn=Z,ou=groups,dc=example,dc=com
    changetype: add
    objectClass: top
    objectClass: groupofuniquenames
    uniquemember: cn=Y,ou=groups,dc=example,dc=com
then I get err=-1 and the hang:
    - Entry "cn=X,ou=groups,dc=example,dc=com" -- attribute "memberOf" not allowed
    [15/Jul/2014:09:28:15 +0200] memberof-plugin - memberof_postop_add: failed to add dn(cn=Z,ou=groups,dc=example,dc=com), error (-1)
attachment 0001-Ticket-47853-client-hangs-in-add-if-memberof-fails.patch
I was able to reproduce the hang with the ldif provided. Issue was an invalid error code being set in the pblock, patch attached.
git merge ticket47853
    Updating 238d8fe..41f984c
    Fast-forward
    ldap/servers/plugins/memberof/memberof.c | 5 ++---
git push origin master
    238d8fe..41f984c master -> master
commit 41f984c
Author: Mark Reynolds mreynolds@redhat.com
Date: Tue Jul 15 10:46:09 2014 -0400
Added missing newline characters
    41f984c..068ee18 master -> master
commit 068ee18
Metadata Update from @nhosoi:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.3 - 8/14 (August)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1184
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)