Full_Name: Konstantin Menshikov
Version: 2.4.33
OS: FreeBSD 8.2-RELEASE-p4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.116.101.94)

Overlay unique and constraint use list attributes for check.
If we use restriction by rdn (attribute cn for example), and don't add attribute cn in ldif-file, we can bypass restriction.

Overlay unique look list attributes in op->ora_e->e_attrs, if this list not contain attribute cn, checks isn't running.

IMHO: problem not in overlays, but in slapd code, that allow add object without explicit set rdn.

Example configuration:
[root@rdn.problem openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/spamassassin.schema
include /usr/local/etc/openldap/schema/openssh-lpk.schema
include /usr/local/etc/openldap/schema/vega-base.schema
include /usr/local/etc/openldap/schema/vega-corp.schema
include /usr/local/etc/openldap/schema/vega-net.schema
include /usr/local/etc/openldap/schema/oversun-base.schema
include /usr/local/etc/openldap/schema/oversun-corp.schema
include /usr/local/etc/openldap/schema/oversun-mail.schema
include /usr/local/etc/openldap/schema/oversun-net.schema
include /usr/local/etc/openldap/schema/asterisk.schema

# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel config stats sync trace # Load dynamic backend modules: modulepath /usr/local/libexec/openldap moduleload back_hdb database hdb suffix "o=company" rootdn "cn=ldapadm,o=company" rootpw password directory /var/db/openldap-data/o=company overlay unique unique_uri ldap:///ou=groups,o=company?cn?sub How to repeat: [root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H ldap://127.0.0.5:389 -f /root/add.ldif.false adding new entry "cn=test,ou=system,ou=groups,o=company" ldap_add: Constraint violation (19) additional info: some attributes not unique [root@rdn.problem openldap]# cat /root/add.ldif.false dn: cn=test,ou=system,ou=groups,o=company changetype: add objectClass: posixGroup description: test cn: test gidNumber: 1000 [root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H ldap://127.0.0.5:389 -f /root/add.ldif.true adding new entry "cn=test,ou=system,ou=groups,o=company" [root@rdn.problem openldap]# cat /root/add.ldif.true dn: cn=test,ou=system,ou=groups,o=company changetype: add objectClass: posixGroup description: test gidNumber: 1000 [root@rdn.problem openldap]# diff -U 3 /root/add.ldif.false /root/add.ldif.true --- /root/add.ldif.false 2012-10-23 06:22:16.000000000 +0000 +++ /root/add.ldif.true 2012-10-23 06:22:25.000000000 +0000 
@@ -2,5 +2,4 @@ changetype: add objectClass: posixGroup description: test -cn: test gidNumber: 1000 Log file records: Oct 23 06:23:21 rdn slapd[44326]: slap_listener_activate(6): Oct 23 06:23:21 rdn slapd[44326]: >>> slap_listener(ldap://) Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 ACCEPT from IP=127.0.0.5:17098 (IP=0.0.0.0:389) Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006 Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on id=1006 Oct 23 06:23:21 rdn slapd[44326]: op tag 0x60, time 1350973401 Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 do_bind Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company> Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>, <cn=ldapadm,o=company> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company" method=128 Oct 23 06:23:21 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company" method=128 Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company" mech=SIMPLE ssf=0 Oct 23 06:23:21 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to "cn=ldapadm,o=company" Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=0 p=3 Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0 Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 RESULT tag=97 err=0 text= Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006 Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on id=1006 Oct 23 06:23:21 rdn slapd[44326]: op tag 0x68, time 1350973401 Oct 23 06:23:21 rdn slapd[44326]: connection_input: conn=1006 deferring operation: binding Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 do_add Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company> Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>, <cn=test,ou=system,ou=groups,o=company> Oct 23 
06:23:21 rdn slapd[44326]: conn=1006 op=1 ADD dn="cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:21 rdn slapd[44326]: bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: => hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Oct 23 06:23:21 rdn slapd[44326]: hdb_referrals: tag=104 target="cn=test,ou=system,ou=groups,o=company" matched="ou=system,ou=groups,o=company"
Oct 23 06:23:21 rdn slapd[44326]: ==> unique_add <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:21 rdn slapd[44326]: ==> unique_search (|(cn=test))
Oct 23 06:23:21 rdn slapd[44326]: => hdb_search
Oct 23 06:23:21 rdn slapd[44326]: bdb_dn2entry("ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: search_candidates: base="ou=groups,o=company" (0x00000002) scope=2
Oct 23 06:23:21 rdn slapd[44326]: => hdb_dn2idl("ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (objectClass)
Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (objectClass) not indexed
Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (cn)
Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (cn) not indexed
Oct 23 06:23:21 rdn slapd[44326]: bdb_search_candidates: id=-1 first=2 last=5
Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 2 does not match filter
Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 3 does not match filter
Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 4 does not match filter
Oct 23 06:23:21 rdn slapd[44326]: ==> count_attr_cb <cn=test,ou=personal,ou=groups,o=company>
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3
Oct 23 06:23:21 rdn slapd[44326]: => unique_search found 1 records
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=19
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 RESULT tag=105 err=19 text=some attributes not unique
Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on id=1006
Oct 23 06:23:21 rdn slapd[44326]: op tag 0x42, time 1350973401
Oct 23 06:23:21 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 do_unbind
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 UNBIND
Oct 23 06:23:21 rdn slapd[44326]: connection_close: conn=1006 sd=10
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 closed

Oct 23 06:23:52 rdn slapd[44326]: slap_listener_activate(6):
Oct 23 06:23:52 rdn slapd[44326]: >>> slap_listener(ldap://)
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 ACCEPT from IP=127.0.0.5:20738 (IP=0.0.0.0:389)
Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on id=1007
Oct 23 06:23:52 rdn slapd[44326]: op tag 0x60, time 1350973432
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 do_bind
Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company>
Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>, <cn=ldapadm,o=company>
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:52 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company" mech=SIMPLE ssf=0
Oct 23 06:23:52 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to "cn=ldapadm,o=company"
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=0 p=3
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 RESULT tag=97 err=0 text=
Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on id=1007
Oct 23 06:23:52 rdn slapd[44326]: op tag 0x68, time 1350973432
Oct 23 06:23:52 rdn slapd[44326]: connection_input: conn=1007 deferring operation: binding
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 do_add
Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>, <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 ADD dn="cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Oct 23 06:23:52 rdn slapd[44326]: hdb_referrals: tag=104 target="cn=test,ou=system,ou=groups,o=company" matched="ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: ==> unique_add <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:52 rdn slapd[44326]: oc_check_required entry (cn=test,ou=system,ou=groups,o=company), objectClass "posixGroup"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "objectClass"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "description"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "gidNumber"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "structuralObjectClass"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "cn"
Oct 23 06:23:52 rdn slapd[44326]: slap_queue_csn: queing 0x7ffffebfc160 20121023062352.127471Z#000000#000#000000
Oct 23 06:23:52 rdn slapd[44326]: bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id_add 0x6: "cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id_add 0x6: 0
Oct 23 06:23:52 rdn slapd[44326]: => index_entry_add( 6, "cn=test,ou=system,ou=groups,o=company" )
Oct 23 06:23:52 rdn slapd[44326]: <= index_entry_add( 6, "cn=test,ou=system,ou=groups,o=company" ) success
Oct 23 06:23:52 rdn slapd[44326]: => entry_encode(0x00000006):
Oct 23 06:23:52 rdn slapd[44326]: <= entry_encode(0x00000006):
Oct 23 06:23:52 rdn slapd[44326]: hdb_add: added id=00000006 dn="cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=1 p=3
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=0
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 RESULT tag=105 err=0 text=
Oct 23 06:23:52 rdn slapd[44326]: slap_graduate_commit_csn: removing 0x80197aeb0 20121023062352.127471Z#000000#000#000000
Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on id=1007
Oct 23 06:23:52 rdn slapd[44326]: op tag 0x42, time 1350973432
Oct 23 06:23:52 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 do_unbind
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 UNBIND
Oct 23 06:23:52 rdn slapd[44326]: connection_close: conn=1007 sd=10
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 closed
kmenshikov@hostcomm.ru wrote:
> Full_Name: Konstantin Menshikov
> Version: 2.4.33
> OS: FreeBSD 8.2-RELEASE-p4
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (212.116.101.94)
>
>
> Overlay unique and constraint use list attributes for check.
> If we use restriction by rdn (attribute cn for example), and don`t add attribute
> cn in ldif-file, we can bypass restriction.
>
> Overlay unique look list attributes in op->ora_e->e_attrs,
> if this list not contain attribute cn, checks isn`t running.
>
> IMHO: problem not in overlays, but in slapd code, that allow add object without
> explicit set rdn.

The slapd behavior was discussed long ago, in ITS#2243. The current slapd behavior is consistent with RFC4511 (though this differs from older releases and the now obsoleted RFC2251). It seems that because of this behavior, the fix will have to be made to each overlay accordingly. It would be nice if we had a more centralized approach though.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Hi Howard,

Just wanted to inquire about this comment:

>It seems that because of this behavior, the fix will have to be made to each
>overlay accordingly. It would be nice if we had a more centralized approach
>though.

What are your current thoughts on this? Would you be open to adding an explicit check for the RDN attribute in the constraint and unique overlays? Or do you want to hold off on that until you have a chance to investigate a more centralized approach?

Thanks,
-Kartik
moved from Incoming to Software Bugs
*** Issue 8242 has been marked as a duplicate of this issue. ***
If the RDN is missing in the entry, we should add it; that is probably the fix.
Implicitly add RDN attribute to ops where applicable. What happens with modrdn?
Fix in https://git.openldap.org/openldap/openldap/-/merge_requests/665 please test
The patch in MR!665 (now in master) has introduced a regression in slapadd not filling in the implicit RDN attributes. Try removing line 7 (olcDatabase: {0}config) in tests/data/slapd-dynamic.ldif and run test062.
(In reply to Ondřej Kuzník from comment #8)
> The patch in MR!665 (now in master) has introduced a regression in slapadd
> not filling in the implicit RDN attributes. Try removing line 7
> (olcDatabase: {0}config) in tests/data/slapd-dynamic.ldif and run test062.

I see, the naming check needed to happen before the schema check. Fixed now in master.
• f5c96f44 by Howard Chu at 2024-01-10T17:05:13+00:00
  ITS#7420 move entry_naming_check earlier in Add
• 7debe76f by Howard Chu at 2024-01-15T16:43:56+00:00
  ITS#7420 re-fix slapcommon.c
commit d56dcccb6f6cfd590eb20628eec39ab815a65f5a
Author: Howard Chu <hyc@openldap.org>
Date:   Sun Jan 28 04:43:44 2024 +0000

    ITS#7420 clarify prev commit

commit 03338946b3e165e3c703c57cede266c42418cc1f
Author: Howard Chu <hyc@openldap.org>
Date:   Sun Jan 28 04:00:34 2024 +0000

    ITS#7420 more for prev commit

    On naming error, don't free modvals
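
The check-ordering problem this report describes, and the direction the later comments take (fill in the RDN attribute before the checks run), shown as an added example that is not OpenLDAP code: a toy add pipeline where the uniqueness check runs either before or after the RDN attribute is derived from the DN. All type and function names, the flat in-memory directory, and the attributes of the pre-existing `cn=test,ou=personal,ou=groups,o=company` entry are assumptions made for the illustration.

```c
/* Added illustration, not OpenLDAP source: every type and function name is hypothetical.
 * The directory is a flat array assumed to lie entirely inside the uniqueness scope. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ATTRS 8
enum { ADD_OK = 0, CONSTRAINT_VIOLATION = 19, NAMING_VIOLATION = 64 };
struct attr  { char type[32]; char value[64]; };
struct entry { char dn[128]; struct attr attrs[MAX_ATTRS]; int nattrs; };

/* Split the leftmost RDN into type and value. Multi-valued ('+') and
 * backslash-escaped RDNs are rejected rather than guessed at. */
static int first_rdn(const char *dn, struct attr *out)
{
    const char *eq = strchr(dn, '='), *end = strchr(dn, ',');
    if (!end) end = dn + strlen(dn);
    if (!eq || eq == dn || eq + 1 >= end) return -1;
    for (const char *p = dn; p < end; p++)
        if (*p == '+' || *p == '\\') return -1;
    size_t tl = (size_t)(eq - dn), vl = (size_t)(end - eq - 1);
    if (tl >= sizeof out->type || vl >= sizeof out->value) return -1;
    memcpy(out->type, dn, tl);      out->type[tl] = '\0';
    memcpy(out->value, eq + 1, vl); out->value[vl] = '\0';
    return 0;
}

static int has_value(const struct entry *e, const char *type, const char *value)
{
    for (int i = 0; i < e->nattrs; i++)
        if (!strcasecmp(e->attrs[i].type, type) && !strcasecmp(e->attrs[i].value, value))
            return 1;
    return 0;
}

/* Naming step: make sure the RDN's type=value is present among the attributes. */
static int fill_implicit_rdn(struct entry *e)
{
    struct attr rdn;
    if (first_rdn(e->dn, &rdn) != 0) return -1;
    if (has_value(e, rdn.type, rdn.value)) return 0;
    if (e->nattrs >= MAX_ATTRS) return -1;
    e->attrs[e->nattrs++] = rdn;
    return 0;
}

/* Uniqueness check as the report describes it: only attributes present in the
 * entry handed to it are examined. Returns 1 when a duplicate value exists. */
static int unique_conflict(const struct entry *dir, int n,
                           const struct entry *add, const char *type)
{
    for (int i = 0; i < add->nattrs; i++) {
        if (strcasecmp(add->attrs[i].type, type)) continue;
        for (int j = 0; j < n; j++)
            if (has_value(&dir[j], type, add->attrs[i].value)) return 1;
    }
    return 0;
}

/* naming_first=0: check, then fill in the RDN (reported order); 1: fill in first.
 * The caller guarantees dir has room for one more entry. */
static int do_add(struct entry *dir, int *n, struct entry add, int naming_first)
{
    if (naming_first && fill_implicit_rdn(&add) != 0) return NAMING_VIOLATION;
    if (unique_conflict(dir, *n, &add, "cn")) return CONSTRAINT_VIOLATION;
    if (!naming_first && fill_implicit_rdn(&add) != 0) return NAMING_VIOLATION;
    dir[(*n)++] = add;
    return ADD_OK;
}

/* Replays the page's two LDIF adds; the pre-existing entry's attributes are constructed. */
static int run_case(int with_cn, int naming_first)
{
    struct entry dir[2] = {{ "cn=test,ou=personal,ou=groups,o=company",
        {{"objectClass", "posixGroup"}, {"cn", "test"}, {"gidNumber", "999"}}, 3 }};
    struct entry add = { "cn=test,ou=system,ou=groups,o=company",
        {{"objectClass", "posixGroup"}, {"description", "test"}, {"gidNumber", "1000"}}, 3 };
    int n = 1;
    if (with_cn) add.attrs[add.nattrs++] = (struct attr){"cn", "test"};
    return do_add(dir, &n, add, naming_first);
}

int main(void)
{
    for (int nf = 0; nf <= 1; nf++)
        for (int cn = 1; cn >= 0; cn--)
            printf("naming_first=%d cn_listed=%d -> result %d\n", nf, cn, run_case(cn, nf));
    return 0;
}
```

With the check running first, the add that omits `cn` returns 0 while the one that lists it returns 19, matching the two `ldapadd` runs in the report; with the naming step first, both return 19.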