This is an automated email from the git hooks/post-receive script.
spichugi pushed a commit to branch 389-ds-base-1.4.3
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.3 by this push:
new f7e1b17 Issue 51222 - It should not be allowed to delete Managed Entry manually
f7e1b17 is described below
commit f7e1b175bdf02b77fdf30dd984d0b97e539fe33e
Author: Simon Pichugin <spichugi(a)redhat.com>
AuthorDate: Wed Jul 29 17:13:51 2020 +0200
Issue 51222 - It should not be allowed to delete Managed Entry manually
Bug Description: It is possible to delete a managed entry and no error is raised.
Also, while doing delete or modrdn peration on a managing entry and the managed entry
doesn't exist, we should continue the operation.
Fix Description: We should put an entry struct duplicate to SLAPI_ENTRY_PRE_OP pblock
before we execute plugins PRE_OP. Also, we should allow to continue modrdn and delete
managing entry operations execution even when managed entry doesn't exists.
Allow 'cn=directory manager' to delete managed entry on direct update.
Add a test.
https://pagure.io/389-ds-base/issue/51222
Reviewed by: firstyear, tbordaz (Thanks!)
---
ldap/servers/plugins/mep/mep.c | 53 ++++++++++++++++++++++--------
ldap/servers/slapd/back-ldbm/ldbm_delete.c | 5 +--
2 files changed, 42 insertions(+), 16 deletions(-)
diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c
index 401d95e..4f433ce 100644
--- a/ldap/servers/plugins/mep/mep.c
+++ b/ldap/servers/plugins/mep/mep.c
@@ -2158,6 +2158,7 @@ mep_pre_op(Slapi_PBlock *pb, int modop)
Slapi_Mod *next_mod = NULL;
char *origin_dn = NULL;
Slapi_DN *origin_sdn = NULL;
+ char *requestor_dn = NULL;
/* Fetch the target entry. */
if (sdn) {
@@ -2249,11 +2250,19 @@ mep_pre_op(Slapi_PBlock *pb, int modop)
slapi_ch_free_string(&origin_dn);
} else {
- errstr = slapi_ch_smprintf("%s a managed entry is not allowed.
"
- "It needs to be manually unlinked
first.",
- modop == LDAP_CHANGETYPE_DELETE ?
"Deleting"
- :
"Renaming");
- ret = LDAP_UNWILLING_TO_PERFORM;
+ slapi_pblock_get(pb, SLAPI_REQUESTOR_DN, &requestor_dn);
+ if (slapi_dn_isroot(requestor_dn)) {
+ slapi_log_err(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
+ "mep_pre_op - %s is %s a managed
entry.",
+ requestor_dn, modop == LDAP_CHANGETYPE_DELETE ?
"deleting"
+ :
"renaming");
+ } else {
+ errstr = slapi_ch_smprintf("%s a managed entry is not
allowed. "
+ "It needs to be manually unlinked
first.",
+ modop == LDAP_CHANGETYPE_DELETE ?
"Deleting"
+ :
"Renaming");
+ ret = LDAP_UNWILLING_TO_PERFORM;
+ }
}
}
}
@@ -2587,10 +2596,18 @@ mep_del_post_op(Slapi_PBlock *pb)
slapi_delete_internal_pb(mep_pb);
slapi_pblock_get(mep_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
if (result) {
- slapi_log_err(SLAPI_LOG_ERR, MEP_PLUGIN_SUBSYSTEM,
- "mep_del_post_op - Failed to delete managed entry
"
- "(%s) - error (%d)\n",
- managed_dn, result);
+ if (result == LDAP_NO_SUCH_OBJECT) {
+ slapi_log_err(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
+ "mep_del_post_op - Failed to delete managed entry
"
+ "(%s) - it doesn't exist already)\n",
+ managed_dn);
+ result = SLAPI_PLUGIN_SUCCESS;
+ } else {
+ slapi_log_err(SLAPI_LOG_ERR, MEP_PLUGIN_SUBSYSTEM,
+ "mep_del_post_op - Failed to delete managed entry
"
+ "(%s) - error (%d)\n",
+ managed_dn, result);
+ }
}
slapi_ch_free_string(&managed_dn);
slapi_pblock_destroy(mep_pb);
@@ -2702,11 +2719,19 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
slapi_delete_internal_pb(mep_pb);
slapi_pblock_get(mep_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
if (result) {
- slapi_log_err(SLAPI_LOG_ERR, MEP_PLUGIN_SUBSYSTEM,
- "mep_modrdn_post_op - Failed to delete managed entry
"
- "(%s) - error (%d)\n",
- managed_dn, result);
- goto bailmod;
+ if (result == LDAP_NO_SUCH_OBJECT) {
+ slapi_log_err(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
+ "mep_modrdn_post_op - Failed to delete managed
entry "
+ "(%s) - it doesn't exist already)\n",
+ managed_dn);
+ result = SLAPI_PLUGIN_SUCCESS;
+ } else {
+ slapi_log_err(SLAPI_LOG_ERR, MEP_PLUGIN_SUBSYSTEM,
+ "mep_modrdn_post_op - Failed to delete managed
entry "
+ "(%s) - error (%d)\n",
+ managed_dn, result);
+ goto bailmod;
+ }
}
/* Clear out the pblock for reuse. */
slapi_pblock_init(mep_pb);
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
index fbcb573..c4ed797 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
@@ -404,6 +404,9 @@ replace_entry:
delete_tombstone_entry = operation_is_flag_set(operation,
OP_FLAG_TOMBSTONE_ENTRY);
}
+ /* Save away a copy of the entry, before modifications */
+ slapi_pblock_set(pb, SLAPI_ENTRY_PRE_OP, slapi_entry_dup(e->ep_entry));
+
/* call the transaction pre delete plugins just after the
* to-be-deleted entry is prepared. */
/* these should not need to modify the entry to be deleted -
@@ -500,8 +503,6 @@ replace_entry:
"entry: %s - flags: delete %d is_tombstone_entry %d create %d
\n",
dn, delete_tombstone_entry, is_tombstone_entry,
create_tombstone_entry);
#endif
- /* Save away a copy of the entry, before modifications */
- slapi_pblock_set(pb, SLAPI_ENTRY_PRE_OP, slapi_entry_dup(e->ep_entry));
/*
* Get the entry's parent. We do this here because index_read
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.