(ITS#3622) slapacl leaves active transactions in back-bdb when ACLs by clauses require internal operations on the databases

Full_Name: Pierangelo Masarati
Version: HEAD,2.3
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: ando

It appears that clauses (like sets) that perform internal searches to collect
info leave active transactions behind, creating problems at backend destruction.
I think this is an issue related to the different behavior internal searches may
take when acting in tool rather than server mode, but I haven't been able to
trace it yet.

To trigger the problem, run test003; then, configure a (silly) ACL like

access to *
   by set="user/uid & [foo]" write

and run slapacl like

slapacl -D "cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com" -b "dc=example,dc=com"

This triggers a backend_attribute() call that looks up the user's uid and leaves
a transaction active:

Backend ACL: access to *
    by set="user/uid & [foo]" write

testrun/slapd.1.conf: line 45: warning: cannot assess the validity of the ACL scope within backend naming context
DN: "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com"
=> access_allowed: auth access to "dc=example,dc=com" "entry" requested
=> acl_get: [1] attr entry
=> acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
=> acl_mask: to all values by "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com", (=n)
=> bdb_entry_get: found entry: "cn=ursula hampster,ou=alumni
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: auth access denied by =n
entry: =n
bdb(dc=example,dc=com): Error: closing the transaction region with active
bdb_db_destroy: close failed: Invalid argument (22) 

See also <http://www.openldap.org/lists/openldap-devel/200503/msg00153.html>