Full_Name: Ondrej Kuznik
Version: master
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2a02:c7f:221f:c00:a3e:8eff:fe52:dac5)

With cn=config the ConfigLDAPadd function might have to allocate resources that are needed by the time the attributes/config directives are being processed since there is no indication which directives there are and what order they come in.

If any of the config values fail validation, the configuration code has to react and clean up - which is possible using ca->cleanup.

While Modify handling (config_modify_internal) already calls ca->cleanup in each case, this is not true for config_add_internal, there it is only run on success.

okuznik@symas.com wrote:
> Full_Name: Ondrej Kuznik
> Version: master
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2a02:c7f:221f:c00:a3e:8eff:fe52:dac5)
>
>
> With cn=config the ConfigLDAPadd function might have to allocate resources that
> are needed by the time the attributes/config directives are being processed
> since there is no indication which directives there are and what order they come
> in.

When using LDAPAdd, attributes are processed in the order of their schema definitions.

> If any of the config values fail validation, the configuration code has to react
> and clean up - which is possible using ca->cleanup.

No, that's not its purpose. If anything fails, the entire config entry must be wiped out. LDAPAdd is all-or-nothing.

> While Modify handling (config_modify_internal) already calls ca->cleanup in each
> case, this is not true for config_add_internal, there it is only run on success.

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

On Wed, Jun 08, 2016 at 10:15:13PM +0000, hyc@symas.com wrote:
> okuznik@symas.com wrote:
>> With cn=config the ConfigLDAPadd function might have to allocate resources that
>> are needed by the time the attributes/config directives are being processed
>> since there is no indication which directives there are and what order they come
>> in.
>
> When using LDAPAdd, attributes are processed in the order of their schema
> definitions.
>
>> If any of the config values fail validation, the configuration code has to react
>> and clean up - which is possible using ca->cleanup.
>
> No, that's not its purpose. If anything fails, the entire config entry must be
> wiped out. LDAPAdd is all-or-nothing.

Yes, but the resource usually has to be allocated before any of the attributes are processed. In case of failure, the overlay does not have a chance to react and free it since it has no idea when the reversal of all of the attributes has finished.

Code to implement this is in a merge request here: https://git.openldap.org/openldap/openldap/-/merge_requests/79
• 57b0ed90 by Ondřej Kuzník at 2020-06-21T18:55:09+00:00 ITS#8434 Allow cleanup at the end of a failed back-config add
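
The difference debated in this thread, as an added model that is not OpenLDAP code and not taken from the merge request: an add hook allocates before any attribute is validated, and the resource stays held after a failed add unless the cleanup hook also runs on failure. All types, function names and the `failed` argument are hypothetical, and the attribute values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the config arguments; only the idea of a
 * cleanup hook is taken from the thread, the layout is assumed. */
typedef struct cfg_args {
    void *resource;                               /* allocated by the add hook */
    int (*cleanup)(struct cfg_args *ca, int failed);
} cfg_args;

/* Overlay's cleanup hook: on a failed add, release what the add hook took. */
static int overlay_cleanup(cfg_args *ca, int failed) {
    if (failed) { free(ca->resource); ca->resource = NULL; }
    return 0;
}

/* Stand-in for the add hook: allocates before any attribute is processed. */
static int overlay_ldapadd(cfg_args *ca) {
    ca->resource = malloc(64);
    if (ca->resource == NULL) return -1;
    ca->cleanup = overlay_cleanup;
    return 0;
}

/* Constructed validation rule: a value must be non-empty. */
static int validate(const char *val) { return val[0] != '\0' ? 0 : -1; }

/* cleanup_on_failure = 0: hook runs only on success (reported behaviour);
 * cleanup_on_failure = 1: hook also runs after a failed add.
 * Returns 1 if the resource is still held once the add has finished. */
int simulate_add(const char **vals, size_t n, int cleanup_on_failure, int *add_rc) {
    cfg_args ca = { NULL, NULL };
    int rc = overlay_ldapadd(&ca);
    for (size_t i = 0; rc == 0 && i < n; i++)
        rc = validate(vals[i]);
    if (ca.cleanup != NULL && (rc == 0 || cleanup_on_failure))
        ca.cleanup(&ca, rc != 0);
    int held = ca.resource != NULL;
    free(ca.resource);                            /* teardown of the simulation only */
    *add_rc = rc;
    return held;
}

int main(void) {
    const char *bad[] = { "value-a", "" };        /* constructed; second value fails */
    int rc;
    printf("success-only cleanup: held=%d\n", simulate_add(bad, 2, 0, &rc));
    printf("cleanup on failure:   held=%d\n", simulate_add(bad, 2, 1, &rc));
    return 0;
}
```

A held resource after a successful add is expected, since the entry exists and owns it; a held resource after a failed add has no owner left to free it.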