Issue #47853: client hangs in add if memberof fails - 389-ds-base

389-ds-base

#47853 client hangs in add if memberof fails

Closed: wontfix None Opened 9 years ago by lkrispen.

If memberof plugin is enabled and the client adds an entry with a membership attr it hangs if the memberof_postop_add rejects the operation

This seems to be a regression introduced by fix 47810.

Steps to reproduce:
1] enable memberof plugin (use memberof and uniquemember )

2] add a group A
dn: cn=group_sub_A,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com
objectClass: groupofuniquenames
objectClass: top
uniqueMember: uid=user.5010,ou=people,ou=suffix_active,dc=example,dc=com

3] add a group B with group A as member, note that objectclass groupofuniquenames does not allow memberof
dn: cn=group_sub_X,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com
changetype: add
objectClass: groupofuniquenames
uniqueMember: cn=group_sub_A,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com

Result:

the ldapmodify client now hangs
error log contains

[11/Jul/2014:09:38:39 +0200] - Entry "cn=xx_01,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
[11/Jul/2014:09:38:39 +0200] memberof-plugin - memberof_postop_add: failed to add dn(cn=group_sub_X,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com), error (-1)

access log contains

[11/Jul/2014:09:38:39 +0200] conn=30 op=1 ADD dn="cn=group_sub_X,ou=groups,ou=sub2,ou=suffix_active,dc=example,dc=com"
[11/Jul/2014:09:38:39 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0

in the DS the add operation is no longer existing, verified with gdb

Looks like DS does finish/abort the operation due to the error in memberof, but does not send a result to the client

nhosoi commented 9 years ago

Since it's a regression introduced by #47810, setting the priority to 1.3.3 (August).

mreynolds commented 9 years ago

I can not reproduce the problem on master branch:

I tried this:

ldapmodify:
dn: cn=group,dc=example,dc=com
changetype: add
objectclass: top
objectclass: groupofuniquenames
cn: group
uniquemember: cn=directory administrators, dc=example,dc=com

adding new entry "cn=group,dc=example,dc=com"
ldap_add: Object class violation (65)

[14/Jul/2014:15:18:42 -0400] - Entry "cn=Directory Administrators,dc=example,dc=com" -- attribute "memberOf" not allowed
[14/Jul/2014:15:18:42 -0400] memberof-plugin - memberof_postop_add: failed to add dn(cn=group,dc=example,dc=com), error (65)

Then I tried (after creating cn=group):

ldapmodify...
dn: cn=directory administrators, dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=group,dc=example,dc=com

modifying entry "cn=directory administrators, dc=example,dc=com"
ldap_modify: Object class violation (65)

[14/Jul/2014:15:11:12 -0400] - Entry "cn=group,dc=example,dc=com" -- attribute "memberOf" not allowed
[14/Jul/2014:15:11:13 -0400] memberof-plugin - memberof_postop_modify: failed to add dn (cn=directory administrators,dc=example,dc=com) to target. Error (65)

ldapmodify does not hang in either case, and everything looks correct.

You get an error -1, while I get an error 65. Are there other steps missing to reproduce this, other plugins that need to be configured/enabled?

lkrispen commented 9 years ago

attachment
memberof.ldif

lkrispen commented 9 years ago

You're right, if I try with new groups I always get err=65, in my testcase I had some entries existing before enabling memberof.
I can still reproduce with the following steps:

import attached memberof.ldif
try to add a new group

dn: cn=Z,ou=groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupofuniquenames
uniquemember: cn=Y,ou=groups,dc=example,dc=com

then I get err=-1 and the hang:
- Entry "cn=X,ou=groups,dc=example,dc=com" -- attribute "memberOf" not allowed
[15/Jul/2014:09:28:15 +0200] memberof-plugin - memberof_postop_add: failed to add dn(cn=Z,ou=groups,dc=example,dc=com), error (-1)

mreynolds commented 9 years ago

attachment
0001-Ticket-47853-client-hangs-in-add-if-memberof-fails.patch

mreynolds commented 9 years ago

I was able to reproduce the hang with the ldif provided. Issue was an invalid error code being set in the pblock, patch attached.

mreynolds commented 9 years ago

git merge ticket47853
Updating 238d8fe..41f984c
Fast-forward
ldap/servers/plugins/memberof/memberof.c | 5 ++---

git push origin master
238d8fe..41f984c master -> master

commit 41f984c
Author: Mark Reynolds mreynolds@redhat.com
Date: Tue Jul 15 10:46:09 2014 -0400

mreynolds commented 9 years ago

Added missing newline characters

41f984c..068ee18 master -> master
commit 068ee18

Metadata Update from @nhosoi:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.3 - 8/14 (August)

7 years ago

spichugi commented 3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1184

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago

Metadata

Assignee

mreynolds

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

1.3.3 - 8/14 (August)

reviewstatus

ack

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1118081

origin

389-ds-base

Source Code

#47853 client hangs in add if memberof fails Closed: wontfix None Opened 9 years ago by lkrispen.

Metadata

#47853 client hangs in add if memberof fails

Closed: wontfix None Opened 9 years ago by lkrispen.