authorNoriko Hosoi <nhosoi@redhat.com>2010-10-13 11:23:49 -0700
committerNoriko Hosoi <nhosoi@redhat.com>2010-10-13 11:23:49 -0700
commite6c0ce5d97a78689722fe3c627f7a99cf81f6b77 (patch)
treecb92bea520439a8df4076dcfc494d7e0bc3419e8
parentc5cd4dd3baf47d6f3f11d23c2bf4d1a6300da863 (diff)
Bug 602456 - Allow to add any cn=config attributes;389-ds-base-1.2.7.a1
allow to delete some cn=config attributes https://bugzilla.redhat.com/show_bug.cgi?id=602456 Description: 1. Originally, configuration attributes were designed to allow only replacing, not adding or deleting. Due to a defect in the add-operation check, adding (LDAP_MOD_ADD) was not rejected. Instead of fixing the check to disallow adding, this patch logs the operation in the error log. 2. On the other hand, deleting configuration attributes is rejected with LDAP_UNWILLING_TO_PERFORM. We have a request that some attributes need to be deletable. This patch introduces a config attribute, nsslapd-allowed-to-delete-attrs, whose value is a list of configuration attribute names separated by a space ' '. If an attribute is in the list, it is allowed to be deleted. The delete operation is also logged in the error log. By default, the list contains "nsslapd-listenhost" and "nsslapd-securelistenhost".
-rw-r--r--ldap/servers/slapd/configdse.c50
-rw-r--r--ldap/servers/slapd/libglobs.c39
-rw-r--r--ldap/servers/slapd/proto-slap.h2
-rw-r--r--ldap/servers/slapd/slap.h2
4 files changed, 84 insertions, 9 deletions
diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c
index 91b85800..3b87cb67 100644
--- a/ldap/servers/slapd/configdse.c
+++ b/ldap/servers/slapd/configdse.c
@@ -123,6 +123,22 @@ ignore_attr_type(const char *attr_type)
return 0;
}
+/* these attr types are allowed to delete */
+static int
+allowed_to_delete_attrs(const char *attr_type)
+{
+ if (attr_type) {
+ char **ap = config_get_allowed_to_delete_attrs();
+ for ( ; ap && *ap; ap++) {
+ if (strcasecmp (attr_type, *ap) == 0) {
+ return 1;
+ }
+ }
+ }
+
+ return 0;
+}
+
int
read_config_dse (Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, int *returncode, char *returntext, void *arg)
{
@@ -395,14 +411,32 @@ modify_config_dse(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, in
config_attr = (char *)mods[i]->mod_type;
if (ignore_attr_type(config_attr))
continue;
-
- if ((mods[i]->mod_op & LDAP_MOD_DELETE) ||
- (mods[i]->mod_op & LDAP_MOD_ADD)) {
- rc= LDAP_UNWILLING_TO_PERFORM;
- PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "%s attributes is not allowed",
- (mods[i]->mod_op & LDAP_MOD_DELETE) ? "Deleting" : "Adding");
- } else if (mods[i]->mod_op & LDAP_MOD_REPLACE) {
- if ( (checked_all_maxdiskspace_and_mlogsize == 0 ) &&
+
+ if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) {
+ if (apply_mods) { /* log warning once */
+ slapi_log_error (SLAPI_LOG_FATAL, NULL,
+ "Warning: Adding configuration attribute \"%s\"\n",
+ config_attr);
+ }
+ rc = config_set(config_attr, mods[i]->mod_bvalues,
+ returntext, apply_mods);
+ } else if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) {
+ /* Need to allow deleting some configuration attrs */
+ if (allowed_to_delete_attrs(config_attr)) {
+ rc = config_set(config_attr, mods[i]->mod_bvalues,
+ returntext, apply_mods);
+ if (apply_mods) { /* log warning once */
+ slapi_log_error (SLAPI_LOG_FATAL, NULL,
+ "Warning: Deleting configuration attribute \"%s\"\n",
+ config_attr);
+ }
+ } else {
+ rc= LDAP_UNWILLING_TO_PERFORM;
+ PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "Deleting attributes is not allowed");
+ }
+ } else if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) {
+ if (( checked_all_maxdiskspace_and_mlogsize == 0 ) &&
((strcasecmp( mods[i]->mod_type, CONFIG_ERRORLOG_MAXLOGDISKSPACE_ATTRIBUTE) == 0) ||
(strcasecmp( mods[i]->mod_type, CONFIG_ERRORLOG_MAXLOGSIZE_ATTRIBUTE) == 0) ||
(strcasecmp( mods[i]->mod_type, CONFIG_ACCESSLOG_MAXLOGDISKSPACE_ATTRIBUTE) == 0) ||
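Review bot: The new LDAP_MOD_DELETE branch hands mods[i]->mod_bvalues to config_set without distinguishing a whole-attribute delete (NULL values) from a delete of specific values, so if config_set applies the first berval as the new value — not visible from this hunk, please confirm — a mod of the form "delete: nsslapd-listenhost / nsslapd-listenhost: x" would set the attribute to x rather than clear it. Reject value-carrying deletes before the call: `if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0]) { rc = LDAP_UNWILLING_TO_PERFORM; PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Deleting specific values of %s is not allowed", config_attr); }`. Now that the restriction is per attribute, the else-branch refusal should also name it, `"Deleting attribute \"%s\" is not allowed", config_attr`, and both accepted-operation warnings are emitted at SLAPI_LOG_FATAL although nothing has failed; a lower level would keep the error log meaningful. modify_config_dse begins and ends outside this hunk.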
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index b88a69a8..a7cc1bc2 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -628,7 +628,11 @@ static struct config_get_and_set {
{CONFIG_ENTRYUSN_GLOBAL, config_set_entryusn_global,
NULL, 0,
(void**)&global_slapdFrontendConfig.entryusn_global, CONFIG_ON_OFF,
- (ConfigGetFunc)config_get_entryusn_global}
+ (ConfigGetFunc)config_get_entryusn_global},
+ {CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE, config_set_allowed_to_delete_attrs,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.allowed_to_delete_attrs,
+ CONFIG_STRING, (ConfigGetFunc)config_get_allowed_to_delete_attrs}
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
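Review bot: The new table entry registers nsslapd-allowed-to-delete-attrs as CONFIG_STRING although its storage is the `char **allowed_to_delete_attrs` array and its getter returns `char **`; if the generic table code elsewhere in libglobs.c (the routine that materialises the cn=config entry from the getters, or any fallback that dereferences `config_var_addr` for CONFIG_STRING) treats the value as a single `char *`, it will expose only the first list element or misprint a pointer. I cannot see that code from this hunk, so please verify; if there is no array-valued config type, add one (or keep the original space-separated string alongside the parsed array and register that) rather than reusing CONFIG_STRING.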
@@ -1007,6 +1011,10 @@ FrontendConfig_init () {
cfg->auditlog_exptimeunit = slapi_ch_strdup("month");
cfg->entryusn_global = LDAP_OFF;
+ slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
+ slapi_ch_strdup("nsslapd-listenhost"));
+ slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
+ slapi_ch_strdup("nsslapd-securelistenhost"));
#ifdef MEMPOOL_EXPERIMENTAL
cfg->mempool_switch = LDAP_ON;
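Review bot: The default list is seeded with the bare literals "nsslapd-listenhost" and "nsslapd-securelistenhost" although the attribute names the table matches on are defined as CONFIG_*_ATTRIBUTE macros in slap.h; if CONFIG_LISTENHOST_ATTRIBUTE and CONFIG_SECURELISTENHOST_ATTRIBUTE exist there (the macro pattern in slap.h suggests they do), use them, e.g. `slapi_ch_array_add(&(cfg->allowed_to_delete_attrs), slapi_ch_strdup(CONFIG_LISTENHOST_ATTRIBUTE));`, so the defaults cannot drift from the names the delete check compares against. Also confirm that the matching teardown of slapdFrontendConfig (not in this diff) frees the new array.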
@@ -5557,6 +5565,35 @@ config_set_entryusn_global( const char *attrname, char *value,
return retVal;
}
+char **
+config_get_allowed_to_delete_attrs(void)
+{
+ char **retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->allowed_to_delete_attrs;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+int
+config_set_allowed_to_delete_attrs( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ if (apply) {
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapi_ch_array_free(slapdFrontendConfig->allowed_to_delete_attrs);
+ slapdFrontendConfig->allowed_to_delete_attrs =
+ slapi_str2charray_ext(value, " ", 0);
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ }
+ return retVal;
+}
+
/*
* This function is intended to be used from the dse code modify callback. It
* is "optimized" for that case because it takes a berval** of values, which is
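Review bot: config_get_allowed_to_delete_attrs holds CFG_LOCK_READ only while copying out the array pointer, so the lock protects nothing: callers dereference the array after the unlock while config_set_allowed_to_delete_attrs may slapi_ch_array_free it under CFG_LOCK_WRITE. Return a duplicate made while the lock is held, `retVal = slapi_ch_array_dup(slapdFrontendConfig->allowed_to_delete_attrs);` (assuming a charray duplicate helper exists in this tree), and document in a comment above the getter that the caller owns the result and must slapi_ch_array_free it. The setter accepts every space-separated token without checking it names an existing config attribute and reports nothing through errorbuf in the apply == 0 validation pass, so a typo is accepted silently; it should also be checked what slapi_str2charray_ext does when `value` is NULL, which presumably happens if this attribute itself is cleared.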
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 6f5ae54d..089c1746 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -372,6 +372,7 @@ int config_set_accesslogbuffering(const char *attrname, char *value, char *error
int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
int config_set_force_sasl_external(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_entryusn_global( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_allowed_to_delete_attrs( const char *attrname, char *value, char *errorbuf, int apply );
#if !defined(_WIN32) && !defined(AIX)
@@ -512,6 +513,7 @@ int config_get_system_page_bits();
#endif
int config_get_force_sasl_external();
int config_get_entryusn_global(void);
+char **config_get_allowed_to_delete_attrs(void);
int is_abspath(const char *);
char* rel2abspath( char * );
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 1f4afd91..cac60eb2 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1906,6 +1906,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout"
#define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external"
#define CONFIG_ENTRYUSN_GLOBAL "nsslapd-entryusn-global"
+#define CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE "nsslapd-allowed-to-delete-attrs"
#ifdef MEMPOOL_EXPERIMENTAL
#define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2123,6 +2124,7 @@ typedef struct _slapdFrontendConfig {
#endif /* MEMPOOL_EXPERIMENTAL */
int force_sasl_external; /* force SIMPLE bind to be SASL/EXTERNAL if client cert credentials were supplied */
int entryusn_global; /* Entry USN: Use global counter */
+ char **allowed_to_delete_attrs;/* charray of config attrs allowed to delete */
} slapdFrontendConfig_t;
/* possible values for slapdFrontendConfig_t.schemareplace */