An LDAP modify attempt on a non-existing object produces a misleading "Range Check error". This may indicate a problem in the Range Check plugin and is confusing for the end user.
Here is an example which modifies a non-existing object:
    $ ldapmodify -Y GSSAPI
    SASL/GSSAPI authentication started
    SASL username: admin@IPA.EXAMPLE
    SASL SSF: 56
    SASL data security layer installed.
    dn: idnsname=test,idnsname=ipa.example.,cn=dns,dc=ipa,dc=example
    changetype: modify
    add: idnsZoneActive
    idnsZoneActive: TRUE
    -
    modifying entry "idnsname=test,idnsname=ipa.example.,cn=dns,dc=ipa,dc=example"
    ldap_modify: No such object (32)
            additional info: Range Check error
Sumit, shouldn't ipa_range_check_pre_op only react to confirmed changes to actual ID ranges objects?
The message is triggered by
    case LDAP_CHANGETYPE_MODIFY:
        ret = slapi_search_internal_get_entry(dn, NULL, &entry, ctx->plugin_id);
        if (ret != 0 || entry == NULL) {
            LOG_FATAL("Missing entry to modify.\n");
            ret = LDAP_NO_SUCH_OBJECT;
            goto done;
        }
In the done: block the 'Range Check error' message is added unconditionally on errors.
Instead of returning LDAP_NO_SUCH_OBJECT we should simply return 0 and do nothing, as in other cases where we find that no range object is handled.
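A simplified, self-contained model of the control flow discussed in the comment above, added here as an example; it is not FreeIPA's plugin code. The function and struct names, the DN of the ID range entry and the stand-in rule that a range size of 0 is invalid are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define LDAP_SUCCESS              0
#define LDAP_CONSTRAINT_VIOLATION 19
#define LDAP_NO_SUCH_OBJECT       32

/* Constructed sample directory: one ID range entry and one DNS zone. */
struct entry { const char *dn; int is_id_range; };
static const struct entry directory[] = {
    { "cn=IPA.EXAMPLE_id_range,cn=ranges,cn=etc,dc=ipa,dc=example", 1 },
    { "idnsname=ipa.example.,cn=dns,dc=ipa,dc=example", 0 },
};

/* errmsg == NULL means the plugin attaches no additional info. */
struct preop_result { int rc; const char *errmsg; };

static const struct entry *find_entry(const char *dn) {
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i].dn, dn) == 0) return &directory[i];
    return NULL;
}

/* Hypothetical model of the MODIFY branch. skip_missing = 0 is the
 * reported behaviour, 1 the proposed one. new_size == 0 is a stand-in
 * for "the modified range is invalid". */
struct preop_result model_modify_preop(const char *dn, int skip_missing, unsigned new_size) {
    struct preop_result res = { LDAP_SUCCESS, NULL };
    const struct entry *e = find_entry(dn);
    if (e == NULL) {
        /* Proposed: stay out of the way; the server core still rejects
         * the modify with its own "No such object". */
        res.rc = skip_missing ? LDAP_SUCCESS : LDAP_NO_SUCH_OBJECT;
        goto done;
    }
    if (!e->is_id_range) goto done;      /* not a range object: no check */
    if (new_size == 0) res.rc = LDAP_CONSTRAINT_VIOLATION;
done:
    if (res.rc != LDAP_SUCCESS)
        res.errmsg = "Range Check error"; /* attached on every error path */
    return res;
}

int main(void) {
    const char *dn = "idnsname=test,idnsname=ipa.example.,cn=dns,dc=ipa,dc=example";
    struct preop_result a = model_modify_preop(dn, 0, 1), b = model_modify_preop(dn, 1, 1);
    printf("reported: rc=%d info=%s\n", a.rc, a.errmsg ? a.errmsg : "(none)");
    printf("proposed: rc=%d info=%s\n", b.rc, b.errmsg ? b.errmsg : "(none)");
    return 0;
}
```

In the model, only a genuine range validation failure still carries the "Range Check error" text once missing entries are skipped.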
master:
ipa-4-1:
Duplicate: #3387.
Metadata Update from @pspacek: - Issue assigned to sbose - Issue set to the milestone: FreeIPA 4.1.4