Re: (ITS#7423) [PATCH] Update slapo-constraint tests
by michael@stroeder.com
jsynacek(a)redhat.com wrote:
> This patch updates the slapo-constraint test suite. It adds additional tests for
> any constraints using 'uri'. Furthermore, it improves testing of the 'restrict'
> parameter.
In my RE24 working tree:
git apply --stat jsynacek-20121025-constraint-tests-update.patch
Then I expected
./run -b hdb test064 to fail (without the patch in ITS#7418) but it returned
"Test succeeded".
Ciao, Michael.
(ITS#7423) [PATCH] Update slapo-constraint tests
by jsynacek@redhat.com
Full_Name: Jan Synacek
Version: master
OS: linux-fedora17
URL: ftp://ftp.openldap.org/incoming/jsynacek-20121025-constraint-tests-update...
Submission from: (NULL) (209.132.186.34)
This patch updates the slapo-constraint test suite. It adds additional tests for
any constraints using 'uri'. Furthermore, it improves testing of the 'restrict'
parameter.
The attached file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch(es) were developed by Red
Hat. Red Hat has not assigned rights and/or interest in this work to any party.
I, Jan Synacek am authorized by Red Hat, my employer, to release this work
under the following terms.
Red Hat hereby place the following modifications to OpenLDAP Software (and only
these modifications) into the public domain. Hence, these modifications may be
freely used and/or redistributed for any purpose with or without attribution
and/or other notice.
Re: AW: AW: (ITS#7418) slapo-constraint are broken
by jsynacek@redhat.com
On 10/25/2012 01:41 PM, Sascha.Kuehndel(a)deka.de wrote:
> Hi,
>
> it looks better.
> make test and my own tests were successful.
Great.
URL:
ftp://ftp.openldap.org/incoming/jsynacek-20121025-slapo-constraint-uri-re...
The attached file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch(es) were developed by Red
Hat. Red Hat has not assigned rights and/or interest in this work to any party.
I, Jan Synacek am authorized by Red Hat, my employer, to release this work
under the following terms.
Red Hat hereby place the following modifications to OpenLDAP Software (and only
these modifications) into the public domain. Hence, these modifications may be
freely used and/or redistributed for any purpose with or without attribution
and/or other notice.
--
Jan Synacek
Software Engineer, BaseOS team Brno, Red Hat
AW: AW: (ITS#7418) slapo-constraint are broken
by Sascha.Kuehndel@deka.de
Hi,
it looks better.
make test and my own tests were successful.
Thanks,
Sascha
---------------------------------------------------------------------------------------
#!RESULT OK
dn: dc=1,ou=user,ou=deka,dc=example,dc=com
changetype: modify
replace: description
description: ab
-
#!RESULT ERROR
#!ERROR [LDAP: error code 19 - modify breaks constraint on associatedName]
dn: dc=1,ou=user,ou=deka,dc=example,dc=com
changetype: modify
replace: associatedName
associatedName: uid=15,ou=group,ou=deka,dc=example,dc=com
-
#!RESULT OK
dn: uid=14,ou=group,ou=deka,dc=example,dc=com
changetype: delete
#!RESULT OK
dn: dc=1,ou=user,ou=deka,dc=example,dc=com
changetype: modify
replace: description
description: abc
-
#!RESULT ERROR
#!ERROR [LDAP: error code 19 - modify breaks constraint on associatedName]
dn: dc=1,ou=user,ou=deka,dc=example,dc=com
changetype: modify
replace: associatedName
associatedName: uid=14,ou=group,ou=deka,dc=example,dc=com
-
Re: AW: (ITS#7418) slapo-constraint are broken
by jsynacek@redhat.com
On 10/22/2012 09:14 PM, Sascha.Kuehndel(a)deka.de wrote:
> Hello,
>
> i have reduced the configuration and the DIT to a minimum.
> So i can now send the slapd.conf, the initial dit and the test-change.
>
> I hope you can reproduce the error, with it.
>
> The used software:
> OpenLDAP: 2.4.33
> BDB: 5.3.21
> OpenSSL: 1.0.1c
>
> Thanks,
> Sascha Kuehndel
>
Could you please try the attached patch?
Thank you,
--
Jan Synacek
Software Engineer, BaseOS team Brno, Red Hat
Attachment: constraint2.patch
diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
index 2d943a2..e7b5689 100644
--- a/servers/slapd/overlays/constraint.c
+++ b/servers/slapd/overlays/constraint.c
@@ -845,9 +845,6 @@ constraint_check_count_violation( Modifications *m, Entry *target_entry, constra
unsigned ca;
int j;
- if ( cp->set )
- return 0;
-
for ( j = 0; cp->ap[j]; j++ ) {
/* Get this attribute count */
if ( target_entry )
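Review bot: dropping `if ( cp->set ) return 0;` changes behaviour for a constraint that has both `set` and `count` configured: before, such a constraint skipped the count check entirely; after, it is counted like any other. If that is the intent, state it in the commit message and cover it with a test064 case; if `set` and `count` are meant to be mutually exclusive, keeping the guard costs nothing and documents that.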
@@ -905,7 +902,6 @@ constraint_update( Operation *op, SlapReply *rs )
int rc;
char *msg = NULL;
int is_v;
- int first = 1;
if (get_relax(op)) {
return SLAP_CB_CONTINUE;
@@ -933,15 +929,17 @@ constraint_update( Operation *op, SlapReply *rs )
return(rs->sr_err);
}
+ op->o_bd = on->on_info->oi_origdb;
+ rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
+ op->o_bd = be;
+
/* Do we need to count attributes? */
for(cp = c; cp; cp = cp->ap_next) {
- if (cp->count != 0 || cp->set || cp->restrict_lud != 0) {
- if (first) {
- op->o_bd = on->on_info->oi_origdb;
- rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
- op->o_bd = be;
- first = 0;
- }
+ if (cp->restrict_lud && constraint_check_restrict(op, cp, target_entry) == 0) {
+ continue;
+ }
+
+ if (cp->count != 0) {
if (rc != 0 || target_entry == NULL) {
Debug(LDAP_DEBUG_TRACE,
"==> constraint_update rc = %d DN=\"%s\"%s\n",
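Review bot: `constraint_check_restrict(op, cp, target_entry)` now runs before `rc` and `target_entry` are validated; the `rc != 0 || target_entry == NULL` check only guards the `cp->count != 0` branch below it, so a failed `be_entry_get_rw` hands a NULL `target_entry` to the restrict check. Either confirm that function tolerates NULL, or move the missing-entry handling ahead of the loop so it is done once for both branches. Separately, the entry is now fetched on every update rather than only when a count, set or restrict constraint is configured (which is what the removed `first` logic arranged); that is one extra backend read per modify for configurations that use only regex or size constraints, so consider fetching lazily on first need.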
@@ -964,6 +962,7 @@ constraint_update( Operation *op, SlapReply *rs )
}
}
+
rc = LDAP_CONSTRAINT_VIOLATION;
for(;m; m = m->sml_next) {
unsigned ce = 0;
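Review bot: whitespace-only hunk (a blank line before `rc = LDAP_CONSTRAINT_VIOLATION;`); drop it so the patch carries only the functional change.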
(ITS#7422) olcExtraAttrs doesn't work
by k3kk0n3n@gmail.com
Full_Name:
Version: 2.4.32
OS: Ubuntu 10, Debian Squeeze
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (130.233.152.136)
olcExtraAttrs does not seem to work with the rwm overlay (like in ITS#6513).
With the rwm overlay present, ACIs are not evaluated when requesting a specific
attribute, regardless of whether olcExtraAttrs is specified or not. In order to
apply the ACI, you can pass the ACI attribute name in the search. I'm providing
a configuration file that can be used to reproduce the problem as well as some
search examples to demonstrate the issue.
----Configuration file----
dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /usr/local/var/run/slapd.pid
olcArgsFile: /usr/local/var/run/slapd.args
#olcLogLevel: -1
olcToolThreads: 1
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcRequires: authc
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///usr/local/etc/openldap/schema/core.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleload: back_hdb
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: pass
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcExtraAttrs: OpenLDAPaci
olcAccess: to attrs=userpassword by anonymous auth
olcAccess: to dn.base="dc=example,dc=com" by * search
olcAccess: to * by self manage by dynacl/aci=OpenLDAPaci manage
----Note----
To disable the rwm overlay, comment the following 4 lines in the config:
dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
----Test data----
dn: dc=example,dc=com
objectClass: dcObject
objectClass: top
objectClass: organization
dc: example
o: example
dn: cn=a,dc=example,dc=com
objectClass: top
objectClass: person
cn: a
sn: a
userPassword: pass
dn: cn=b,dc=example,dc=com
objectClass: top
objectClass: person
cn: b
sn: b
userPassword: pass
OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com
----Search examples----
Without rwm, requesting the whole object (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com
# b, example.com
dn: cn=b,dc=example,dc=com
objectClass: top
objectClass: person
cn: b
sn: b
# numResponses: 2
# numEntries: 1
Without rwm, requesting an attribute (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn
# b, example.com
dn: cn=b,dc=example,dc=com
sn: b
# numResponses: 2
# numEntries: 1
With rwm, requesting the whole object (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com
# b, example.com
dn: cn=b,dc=example,dc=com
objectClass: top
objectClass: person
cn: b
sn: b
# numResponses: 2
# numEntries: 1
With rwm, requesting an attribute (notice the object is not returned here):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn
# numResponses: 1
With rwm, requesting an attribute and openldapaci (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn openldapaci
# b, example.com
dn: cn=b,dc=example,dc=com
sn: b
OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com
# numResponses: 2
# numEntries: 1
( Taken from my post on the openldap-technical mailing list:
http://www.openldap.org/lists/openldap-technical/201210/msg00104.html )
Re: AW: (ITS#7418) slapo-constraint are broken
by quanah@zimbra.com
--On Tuesday, October 23, 2012 5:26 AM +0000 jsynacek(a)redhat.com wrote:
> On 10/22/2012 09:19 PM, quanah(a)zimbra.com wrote:
>> --On Monday, October 22, 2012 7:14 PM +0000 Sascha.Kuehndel(a)deka.de
>> wrote:
>>
>>> Hello,
>>>
>>> i have reduced the configuration and the DIT to a minimum.
>>> So i can now send the slapd.conf, the initial dit and the test-change.
>>>
>>> I hope you can reproduce the error, with it.
>>
>> Hi Jan,
>>
>> It appears your changes to slapo-constraint broke at least one
>> configuration option. Can you please review the information in this ITS
>> and update your changes. Thanks.
>>
>
> Hi,
>
> those changes were made by me (different Jan).
> I will look into it and update the testcases.
Thanks. Sorry for the mixup, I picked the first Jan that came up in my
mailbox search.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: (ITS#7420) Way to bypass overlay unique and constraint
by hyc@symas.com
kmenshikov(a)hostcomm.ru wrote:
> Full_Name: Konstantin Menshikov
> Version: 2.4.33
> OS: FreeBSD 8.2-RELEASE-p4
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (212.116.101.94)
>
>
> Overlay unique and constraint use list attributes for check.
> If we use restriction by rdn (attribute cn for example), and don't add attribute
> cn in ldif-file, we can bypass restriction.
>
> Overlay unique look list attributes in op->ora_e->e_attrs,
> if this list not contain attribute cn, checks isn't running.
>
> IMHO: problem not in overlays, but in slapd code, that allow add object without
> explicit set rdn.
The slapd behavior was discussed long ago, in ITS#2243. The current slapd
behavior is consistent with RFC4511 (though this differs from older releases
and the now obsoleted RFC2251). It seems that because of this behavior, the
fix will have to be made to each overlay accordingly. It would be nice if we
had a more centralized approach though.
>
> Example configuration:
> [root(a)rdn.problem openldap]# cat slapd.conf
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/corba.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/dyngroup.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/java.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/openldap.schema
> include /usr/local/etc/openldap/schema/ppolicy.schema
> include /usr/local/etc/openldap/schema/sudo.schema
> include /usr/local/etc/openldap/schema/samba.schema
> include /usr/local/etc/openldap/schema/spamassassin.schema
> include /usr/local/etc/openldap/schema/openssh-lpk.schema
> include /usr/local/etc/openldap/schema/vega-base.schema
> include /usr/local/etc/openldap/schema/vega-corp.schema
> include /usr/local/etc/openldap/schema/vega-net.schema
> include /usr/local/etc/openldap/schema/oversun-base.schema
> include /usr/local/etc/openldap/schema/oversun-corp.schema
> include /usr/local/etc/openldap/schema/oversun-mail.schema
> include /usr/local/etc/openldap/schema/oversun-net.schema
> include /usr/local/etc/openldap/schema/asterisk.schema
>
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> loglevel config stats sync trace
>
> # Load dynamic backend modules:
> modulepath /usr/local/libexec/openldap
> moduleload back_hdb
>
> database hdb
> suffix "o=company"
> rootdn "cn=ldapadm,o=company"
> rootpw password
> directory /var/db/openldap-data/o=company
>
> overlay unique
> unique_uri ldap:///ou=groups,o=company?cn?sub
>
> How to repeat:
>
> [root(a)rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H
> ldap://127.0.0.5:389 -f /root/add.ldif.false
> adding new entry "cn=test,ou=system,ou=groups,o=company"
> ldap_add: Constraint violation (19)
> additional info: some attributes not unique
>
> [root(a)rdn.problem openldap]# cat /root/add.ldif.false
> dn: cn=test,ou=system,ou=groups,o=company
> changetype: add
> objectClass: posixGroup
> description: test
> cn: test
> gidNumber: 1000
> [root(a)rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H
> ldap://127.0.0.5:389 -f /root/add.ldif.true
> adding new entry "cn=test,ou=system,ou=groups,o=company"
>
> [root(a)rdn.problem openldap]# cat /root/add.ldif.true
> dn: cn=test,ou=system,ou=groups,o=company
> changetype: add
> objectClass: posixGroup
> description: test
> gidNumber: 1000
> [root(a)rdn.problem openldap]# diff -U 3 /root/add.ldif.false /root/add.ldif.true
>
> --- /root/add.ldif.false 2012-10-23 06:22:16.000000000 +0000
> +++ /root/add.ldif.true 2012-10-23 06:22:25.000000000 +0000
> @@ -2,5 +2,4 @@
> changetype: add
> objectClass: posixGroup
> description: test
> -cn: test
> gidNumber: 1000
>
>
> Log file records:
>
> Oct 23 06:23:21 rdn slapd[44326]: slap_listener_activate(6):
> Oct 23 06:23:21 rdn slapd[44326]: >>> slap_listener(ldap://)
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 ACCEPT from IP=127.0.0.5:17098
> (IP=0.0.0.0:389)
> Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
> Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on
> id=1006
> Oct 23 06:23:21 rdn slapd[44326]: op tag 0x60, time 1350973401
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 do_bind
> Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>,
> <cn=ldapadm,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company"
> method=128
> Oct 23 06:23:21 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company"
> method=128
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company"
> mech=SIMPLE ssf=0
> Oct 23 06:23:21 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to
> "cn=ldapadm,o=company"
> Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=0 p=3
> Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 RESULT tag=97 err=0 text=
> Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
> Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on
> id=1006
> Oct 23 06:23:21 rdn slapd[44326]: op tag 0x68, time 1350973401
> Oct 23 06:23:21 rdn slapd[44326]: connection_input: conn=1006 deferring
> operation: binding
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 do_add
> Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal:
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal:
> <cn=test,ou=system,ou=groups,o=company>,
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 ADD
> dn="cn=test,ou=system,ou=groups,o=company"
> Oct 23 06:23:21 rdn slapd[44326]:
> bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:21 rdn slapd[44326]: =>
> hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:21 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No
> matching key/data pair found (-30989)
> Oct 23 06:23:21 rdn slapd[44326]: hdb_referrals: tag=104
> target="cn=test,ou=system,ou=groups,o=company"
> matched="ou=system,ou=groups,o=company"
> Oct 23 06:23:21 rdn slapd[44326]: ==> unique_add
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: ==> unique_search (|(cn=test))
> Oct 23 06:23:21 rdn slapd[44326]: => hdb_search
> Oct 23 06:23:21 rdn slapd[44326]: bdb_dn2entry("ou=groups,o=company")
> Oct 23 06:23:21 rdn slapd[44326]: search_candidates: base="ou=groups,o=company"
> (0x00000002) scope=2
> Oct 23 06:23:21 rdn slapd[44326]: => hdb_dn2idl("ou=groups,o=company")
> Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (objectClass)
> Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (objectClass) not
> indexed
> Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (cn)
> Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (cn) not indexed
> Oct 23 06:23:21 rdn slapd[44326]: bdb_search_candidates: id=-1 first=2 last=5
> Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 2 does not match filter
> Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 3 does not match filter
> Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 4 does not match filter
> Oct 23 06:23:21 rdn slapd[44326]: ==> count_attr_cb
> <cn=test,ou=personal,ou=groups,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3
> Oct 23 06:23:21 rdn slapd[44326]: => unique_search found 1 records
> Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3
> Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=19
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 RESULT tag=105 err=19 text=some
> attributes not unique
> Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
> Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on
> id=1006
> Oct 23 06:23:21 rdn slapd[44326]: op tag 0x42, time 1350973401
> Oct 23 06:23:21 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0
> (Undefined error: 0)
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 do_unbind
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 UNBIND
> Oct 23 06:23:21 rdn slapd[44326]: connection_close: conn=1006 sd=10
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 closed
>
> Oct 23 06:23:52 rdn slapd[44326]: slap_listener_activate(6):
> Oct 23 06:23:52 rdn slapd[44326]: >>> slap_listener(ldap://)
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 ACCEPT from IP=127.0.0.5:20738
> (IP=0.0.0.0:389)
> Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
> Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on
> id=1007
> Oct 23 06:23:52 rdn slapd[44326]: op tag 0x60, time 1350973432
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 do_bind
> Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company>
> Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>,
> <cn=ldapadm,o=company>
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company"
> method=128
> Oct 23 06:23:52 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company"
> method=128
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company"
> mech=SIMPLE ssf=0
> Oct 23 06:23:52 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to
> "cn=ldapadm,o=company"
> Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=0 p=3
> Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 RESULT tag=97 err=0 text=
> Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
> Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on
> id=1007
> Oct 23 06:23:52 rdn slapd[44326]: op tag 0x68, time 1350973432
> Oct 23 06:23:52 rdn slapd[44326]: connection_input: conn=1007 deferring
> operation: binding
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 do_add
> Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal:
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal:
> <cn=test,ou=system,ou=groups,o=company>,
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 ADD
> dn="cn=test,ou=system,ou=groups,o=company"
> Oct 23 06:23:52 rdn slapd[44326]:
> bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:52 rdn slapd[44326]: =>
> hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No
> matching key/data pair found (-30989)
> Oct 23 06:23:52 rdn slapd[44326]: hdb_referrals: tag=104
> target="cn=test,ou=system,ou=groups,o=company"
> matched="ou=system,ou=groups,o=company"
> Oct 23 06:23:52 rdn slapd[44326]: ==> unique_add
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_required entry
> (cn=test,ou=system,ou=groups,o=company), objectClass "posixGroup"
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "objectClass"
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "description"
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "gidNumber"
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "structuralObjectClass"
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "cn"
> Oct 23 06:23:52 rdn slapd[44326]: slap_queue_csn: queing 0x7ffffebfc160
> 20121023062352.127471Z#000000#000#000000
> Oct 23 06:23:52 rdn slapd[44326]:
> bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:52 rdn slapd[44326]: =>
> hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No
> matching key/data pair found (-30989)
> Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id_add 0x6:
> "cn=test,ou=system,ou=groups,o=company"
> Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id_add 0x6: 0
> Oct 23 06:23:52 rdn slapd[44326]: => index_entry_add( 6,
> "cn=test,ou=system,ou=groups,o=company" )
> Oct 23 06:23:52 rdn slapd[44326]: <= index_entry_add( 6,
> "cn=test,ou=system,ou=groups,o=company" ) success
> Oct 23 06:23:52 rdn slapd[44326]: => entry_encode(0x00000006):
> Oct 23 06:23:52 rdn slapd[44326]: <= entry_encode(0x00000006):
> Oct 23 06:23:52 rdn slapd[44326]: hdb_add: added id=00000006
> dn="cn=test,ou=system,ou=groups,o=company"
> Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=1 p=3
> Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=0
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 RESULT tag=105 err=0 text=
> Oct 23 06:23:52 rdn slapd[44326]: slap_graduate_commit_csn: removing 0x80197aeb0
> 20121023062352.127471Z#000000#000#000000
> Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
> Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on
> id=1007
> Oct 23 06:23:52 rdn slapd[44326]: op tag 0x42, time 1350973432
> Oct 23 06:23:52 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0
> (Undefined error: 0)
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 do_unbind
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 UNBIND
> Oct 23 06:23:52 rdn slapd[44326]: connection_close: conn=1007 sd=10
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 closed
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
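As an added illustration of the RDN bypass discussed in this ITS (Python written for this page, not OpenLDAP's slapo-unique C code; the directory contents and the simplified RDN parser are constructed), the check below models `unique_uri ldap:///ou=groups,o=company?cn?sub` on an add request, first the way the report describes it (only attributes present in the request are inspected) and then with the RDN values folded in as RFC 4511 requires:

```python
"""Added illustration (Python, not OpenLDAP's slapo-unique C code) of the bypass
reported in ITS#7420: slapd treats the RDN attribute values in the DN as part
of the entry (RFC 4511), so an overlay that only inspects the attributes listed
in the add request misses a 'cn' that arrives only via the DN."""
from typing import Dict, List

Entry = Dict[str, List[str]]  # attribute type (lowercased) -> values

# Constructed sample directory: cn=test already exists under ou=groups.
DIRECTORY: Dict[str, Entry] = {
    "cn=test,ou=personal,ou=groups,o=company": {
        "objectclass": ["posixGroup"], "cn": ["test"], "gidnumber": ["999"]},
    "cn=ldapadm,o=company": {"objectclass": ["person"], "cn": ["ldapadm"]},
}


def parse_rdn(dn: str) -> Entry:
    """Attribute/value pairs of the leftmost RDN, including multi-valued RDNs
    such as 'cn=a+uid=b'. Escaped ',' and '+' are not handled (a simplification
    of RFC 4514 parsing that is sufficient for the sample DNs)."""
    out: Entry = {}
    for ava in dn.split(",", 1)[0].split("+"):
        attr, _, val = ava.partition("=")
        out.setdefault(attr.strip().lower(), []).append(val.strip())
    return out


def effective_attrs(dn: str, attrs: Entry) -> Entry:
    """The entry as slapd stores it: RDN values are present even when the
    LDIF omits them."""
    merged: Entry = {k.lower(): list(v) for k, v in attrs.items()}
    for attr, vals in parse_rdn(dn).items():
        have = {v.lower() for v in merged.get(attr, [])}
        merged.setdefault(attr, []).extend(v for v in vals if v.lower() not in have)
    return merged


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies below it (sub scope)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def unique_violations(dn: str, attrs: Entry, base: str, unique_attrs: List[str],
                      directory: Dict[str, Entry] = DIRECTORY,
                      include_rdn: bool = True) -> List[str]:
    """Model of 'unique_uri ldap:///<base>?<attrs>?sub' on an add request.
    include_rdn=False reproduces the reported behaviour (only attributes in the
    request are checked); include_rdn=True folds the RDN in, which is the fix."""
    if include_rdn:
        candidate = effective_attrs(dn, attrs)
    else:
        candidate = {k.lower(): list(v) for k, v in attrs.items()}
    violations = set()
    for attr in (a.lower() for a in unique_attrs):
        wanted = {v.lower() for v in candidate.get(attr, [])}
        for other_dn, other in directory.items():
            if other_dn.lower() == dn.lower() or not in_subtree(other_dn, base):
                continue
            if wanted & {v.lower() for v in other.get(attr, [])}:
                violations.add(attr)
    return sorted(violations)


if __name__ == "__main__":
    new_dn = "cn=test,ou=system,ou=groups,o=company"
    base = "ou=groups,o=company"
    with_cn = {"objectClass": ["posixGroup"], "description": ["test"],
               "cn": ["test"], "gidNumber": ["1000"]}
    without_cn = {k: v for k, v in with_cn.items() if k != "cn"}
    print(unique_violations(new_dn, with_cn, base, ["cn"]))  # -> ['cn']
    # add.ldif.true as the overlay sees it today: nothing to check, add succeeds
    print(unique_violations(new_dn, without_cn, base, ["cn"], include_rdn=False))  # -> []
    # same request with the RDN folded in: the duplicate cn is caught
    print(unique_violations(new_dn, without_cn, base, ["cn"]))  # -> ['cn']
```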