Issue 6077 - Spurious uniqueness errors with filters in unique overlays
Status: RESOLVED PARTIAL
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.16
Hardware: All All
Assignee: OpenLDAP project
Reported: 2009-04-25 01:01 UTC by andres@anarazel.de
Modified: 2020-03-19 22:27 UTC (History)

Attachments
slapd-unique-overlay-spurious-failure-fix-add.patch (949 bytes, patch)
2009-04-26 00:21 UTC, andres@anarazel.de

Description andres@anarazel.de 2009-04-25 01:01:51 UTC
Full_Name: Andres Freund
Version: 2.4.16
OS: Linux
URL: 
Submission from: (NULL) (85.178.193.10)


If I read the code correctly the unique overlay does not check if the current
operation matches the filter of a domain before doing a uniqueness check.
This leads to wrongly reported errors.

I noticed this after adding a uniqueness constraint on gidNumber on all
posixGroup objects (i.e. ldap:///?gidNumber?sub?(objectClass=posixGroup)) - it
was not possible anymore to add posixAccounts with that gidNumber. 

Thanks,

Andres

Here is a modification of the test script to reproduce the issue:
--- openldap-2.4.16.saved/tests/scripts/test024-unique	2009-04-23
23:51:37.942051631 +0200
+++ openldap-2.4.16/tests/scripts/test024-unique	2009-04-25 02:50:40.975257488
+0200
@@ -425,6 +425,7 @@
 changetype: modify
 add: olcUniqueURI
 olcUniqueURI: ldap:///?sn?sub?(cn=e*)
+olcUniqueURI: ldap:///?uid?sub?(cn=edgar)
 -
 delete: olcUniqueURI
 olcUniqueURI: ldap:///?description?one
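Review bot: The added domain "ldap:///?uid?sub?(cn=edgar)" constrains uid but filters on cn, and nothing next to it says which case it is there to cover. A short echo or LDIF comment before this modify, stating that the domain exists to exercise adds whose entry does not match the domain filter, would keep the later test step readable. The same URI also has to stay identical in the expected configuration in the next hunk, since the two files are compared with diff.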
@@ -445,6 +446,7 @@
 olcOverlay: {0}unique
 olcUniqueURI: ldap:///?employeeNumber,displayName?sub
 olcUniqueURI: ldap:///?sn?sub?(cn=e*)
+olcUniqueURI: ldap:///?uid?sub?(cn=edgar)
 
 EOF
 diff $TESTDIR/third-config.ldif $TESTDIR/third-reference.ldif > /dev/null 2>&1
@@ -473,6 +475,27 @@
 	exit -1
 fi
 
+
+echo "Adding a record unique in all domains because of filter conditions "
+
+$LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+	 $TESTOUT 2>&1 << EOF
+dn: uid=empty,ou=users,o=unique
+objectClass: inetOrgPerson
+uid: edgar
+cn: empty
+sn: empty
+EOF
+
+RC=$?
+if test $RC != 0 ; then
+	echo "spurious unique error ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit -1
+fi
+
+
+
 echo "Adding a record unique in one domain, non-unique in the filtered
domain..."
 
 $LDAPADD -D "$UNIQUEDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
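Review bot: The check "if test $RC != 0" after the new $LDAPADD reports every failure as "spurious unique error", so a connection or schema failure would be logged as the uniqueness bug. Compare $RC against the constraint violation code specifically, or print $TESTOUT on failure so the real cause is visible. The DN is "uid=empty,ou=users,o=unique" while the entry lists only "uid: edgar"; listing the RDN value as well, and naming the existing entry whose uid this add is meant to collide with, would make the intent checkable from the script alone.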
Comment 1 andres@anarazel.de 2009-04-26 00:21:38 UTC
Fixing this for unique_add seems easy enough (see preliminary attached 
patch) - fixing it for modrdn/modify seems to be another difficulty 
level as in order to properly apply the filter I think the full 
modifications have to be applied...

If wanted I can produce a patch for this as well, but I would like to 
know if that is appreciated and if my plan for fixing looks sensible:
- Pull the "modification simulation" code out of constraint.c (line 
959:1040 and some more in 2.4.16) into constraints.c
- Add an overlay-int.h
- Make constraint.c and unique.c use that

As I don't really know the openldap codebase my analysis could be 
completely wrong - I would appreciate some feedback.

Andres


Comment 2 ando@openldap.org 2009-05-05 10:14:47 UTC
andres@anarazel.de wrote:

Your analysis looks correct.  In fact, the uniqueness check for add 
seems to assume that the current entry will implicitly match the 
uniqueness filter, which may not be the case if an additional filter is 
provided within the URI.

> Fixing this for unique_add seems easy enough (see preliminary attached 
> patch) - fixing it for modrdn/modify seems to be another difficulty 
> level as in order to properly apply the filter I think the full 
> modifications have to be applied...
> 
> If wanted I can produce a patch for this as well, but I would like to 
> know if that is appreciated and if my plan for fixing looks sensible:
> - Pull the "modification simulation" code out of constraint.c (line 
> 959:1040 and some more in 2.4.16) into constraints.c
> - Add an overlay-int.h
> - Make constraint.c and unique.c use that
> 
> As I don't really know the openldap codebase my analysis could be 
> completely wrong - I would appreciate some feedback.

Yes, the code provided in the constraint overlay is exactly intended to 
simulate the modification in order to be able to assess the consistency 
of the resulting entry with the constraint.

What you suggest sounds reasonable; a patch would definitely be welcome. 
  The code extracted from constraint.c should probably be placed in 
slapd, and always built since other portions of slapd might need it in 
the future.  Please note that overlays can be selectively built, or even 
built as modules, so creating cross-dependences is not a good idea IMHO.

p.
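
The point made in the reply above, as an added example that is not slapd code and not part of the original thread: a simplified C model of an add against the domain from the report, once assuming the new entry is inside the domain and once checking it against the domain filter first. The structs, function names, DNs and sample entries are constructed for illustration, and filters are reduced to a single equality match.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not slapd code: an entry is a short list of attr/value pairs. */
struct av { const char *attr, *val; };
struct entry { const char *dn; struct av avs[4]; int n; };
struct domain { const char *attr, *f_attr, *f_val; }; /* unique attr + equality filter */
enum { RC_SUCCESS = 0, RC_NOT_UNIQUE = 19 }; /* 19: the error code quoted in the thread */

static int has(const struct entry *e, const char *attr, const char *val) {
    for (int i = 0; i < e->n; i++)
        if (!strcmp(e->avs[i].attr, attr) && !strcmp(e->avs[i].val, val)) return 1;
    return 0;
}

/* 1 if a stored entry matching the domain filter shares a d->attr value with e. */
static int conflict(const struct entry *db, int ndb, const struct domain *d, const struct entry *e) {
    for (int i = 0; i < ndb; i++) {
        if (!has(&db[i], d->f_attr, d->f_val)) continue;
        for (int j = 0; j < e->n; j++)
            if (!strcmp(e->avs[j].attr, d->attr) && has(&db[i], d->attr, e->avs[j].val))
                return 1;
    }
    return 0;
}

/* Reported behaviour: the entry being added is assumed to be inside the domain. */
int add_assume_match(const struct entry *db, int ndb, const struct domain *d, const struct entry *e) {
    return conflict(db, ndb, d, e) ? RC_NOT_UNIQUE : RC_SUCCESS;
}

/* Filter-aware order: a new entry outside the domain filter is not checked. */
int add_check_filter(const struct entry *db, int ndb, const struct domain *d, const struct entry *e) {
    if (!has(e, d->f_attr, d->f_val)) return RC_SUCCESS;
    return conflict(db, ndb, d, e) ? RC_NOT_UNIQUE : RC_SUCCESS;
}

/* Constructed data for ldap:///?gidNumber?sub?(objectClass=posixGroup) */
static const struct domain DOM = { "gidNumber", "objectClass", "posixGroup" };
static const struct entry DB[] = { { "cn=staff,ou=groups,o=example",
    { { "objectClass", "posixGroup" }, { "gidNumber", "10000" } }, 2 } };
static const struct entry ACCOUNT = { "uid=jdoe,ou=people,o=example",
    { { "objectClass", "posixAccount" }, { "gidNumber", "10000" } }, 2 };
static const struct entry GROUP2 = { "cn=dup,ou=groups,o=example",
    { { "objectClass", "posixGroup" }, { "gidNumber", "10000" } }, 2 };

int main(void) {
    printf("account: assumed-match=%d filter-checked=%d\n",
           add_assume_match(DB, 1, &DOM, &ACCOUNT), add_check_filter(DB, 1, &DOM, &ACCOUNT));
    printf("second group: filter-checked=%d\n", add_check_filter(DB, 1, &DOM, &GROUP2));
    return 0;
}
```

The posixAccount is rejected only when the entry is assumed to match; a second posixGroup with the same gidNumber is rejected either way, which is the constraint the domain was meant to express.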

Comment 3 ando@openldap.org 2009-05-05 13:15:39 UTC
changed notes
changed state Open to Feedback
moved from Incoming to Software Bugs
Comment 4 ando@openldap.org 2009-07-24 20:03:29 UTC
changed notes
changed state Feedback to Test
Comment 5 Quanah Gibson-Mount 2009-07-27 18:42:55 UTC
changed notes
Comment 6 Quanah Gibson-Mount 2009-07-27 19:57:47 UTC
changed notes
changed state Test to Partial
Comment 7 Simon Bin 2015-04-12 21:18:36 UTC
Should I be having this issue on OpenLDAP 2.4.40? I have the filter

    ldap:///?gidNumber?sub?(objectClass=posixGroup)

and cannot use gidNumber in posixAccount's. This was working in 2.4.31
if I recall correctly.

    #!RESULT ERROR
    #!ERROR [LDAP: error code 19 - some attributes not unique]
    dn: cn=User Name,ou=People,dc=...
    changetype: modify
    replace: gidNumber
    gidNumber: 10000
    -




Comment 8 Quanah Gibson-Mount 2015-04-12 22:14:36 UTC
I would suggest testing current RE24, some fixes to slapo-unique went in 
last week.

--Quanah

--On Sunday, April 12, 2015 10:19 PM +0000 sbin@informatik.uni-leipzig.de 
wrote:

> Should I be having this issue on OpenLDAP 2.4.40? I have the filter
>
>     ldap:///?gidNumber?sub?(objectClass=posixGroup)
>
> and cannot use gidNumber in posixAccount's. This was working in 2.4.31
> if I recall correctly.
>
>     #!RESULT ERROR
>     #!ERROR [LDAP: error code 19 - some attributes not unique]
>     dn: cn=User Name,ou=People,dc=...
>     changetype: modify
>     replace: gidNumber
>     gidNumber: 10000
>     -



--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Comment 9 Yann Soubeyrand 2017-01-10 15:38:39 UTC
Hi,

It seems to be the same bug as bug #6825. If so, this bug is still
present in 2.4.44.

Regards

Yann Soubeyrand

Comment 10 wferi@niif.hu 2017-06-19 11:53:58 UTC
I guess e338789d is supposed to fix this, and it's present in 2.4.40,
but still I'm affected on that version:

olcUniqueURI: ldap:///o=niifi,o=niif,c=hu?gidNumber?sub?objectClass=posixGroup

rejects setting the gidNumber of a posixAccount to that of an existing
posixGroup.

The usual workaround of using more specific base DNs doesn't work well
for me, because there are multiple branches containing groups.
Specifying multiple URIs on the above line might work (man slapd-unique
doesn't tell precisely), but requires extra maintenance.
-- 
Feri

Comment 11 OpenLDAP project 2019-04-17 21:43:20 UTC
modify fixed in HEAD; modrdn needs work
modify fixed in RE24; modrdn needs work
See also ITS#6825
Comment 12 Quanah Gibson-Mount 2019-04-17 21:43:20 UTC
changed notes