-rw-r--r--ldap/servers/slapd/configdse.c50
-rw-r--r--ldap/servers/slapd/libglobs.c39
-rw-r--r--ldap/servers/slapd/proto-slap.h2
-rw-r--r--ldap/servers/slapd/slap.h2
4 files changed, 84 insertions, 9 deletions
diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c
index 91b85800..3b87cb67 100644
--- a/ldap/servers/slapd/configdse.c
+++ b/ldap/servers/slapd/configdse.c
@@ -123,6 +123,22 @@ ignore_attr_type(const char *attr_type)
return 0;
}
+/* these attr types are allowed to delete */
+static int
+allowed_to_delete_attrs(const char *attr_type)
+{
+ if (attr_type) {
+ char **ap = config_get_allowed_to_delete_attrs();
+ for ( ; ap && *ap; ap++) {
+ if (strcasecmp (attr_type, *ap) == 0) {
+ return 1;
+ }
+ }
+ }
+
+ return 0;
+}
+
int
read_config_dse (Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, int *returncode, char *returntext, void *arg)
{
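Review bot: The loop in `allowed_to_delete_attrs` walks the array returned by `config_get_allowed_to_delete_attrs()` after that getter (added to libglobs.c in this same commit) has already released the read lock, while `config_set_allowed_to_delete_attrs` frees the same array under the write lock. Unless modifications of cn=config are serialized somewhere not visible here, a concurrent replace of the list can free the strings while `strcasecmp` is still reading them. Doing the membership test while the lock is held closes that window. The sketch below is a new helper for libglobs.c (the name is only a suggestion), and this function would then reduce to a call to it.

```c
/* libglobs.c: membership test done while the read lock is held */
int
config_is_allowed_to_delete_attr(const char *attr_type)
{
    int found = 0;
    char **ap;
    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();

    if (attr_type == NULL) {
        return 0;
    }
    CFG_LOCK_READ(slapdFrontendConfig);
    for (ap = slapdFrontendConfig->allowed_to_delete_attrs; ap && *ap; ap++) {
        if (strcasecmp(attr_type, *ap) == 0) {
            found = 1;
            break;
        }
    }
    CFG_UNLOCK_READ(slapdFrontendConfig);
    return found;
}
```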
@@ -395,14 +411,32 @@ modify_config_dse(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, in
config_attr = (char *)mods[i]->mod_type;
if (ignore_attr_type(config_attr))
continue;
-
- if ((mods[i]->mod_op & LDAP_MOD_DELETE) ||
- (mods[i]->mod_op & LDAP_MOD_ADD)) {
- rc= LDAP_UNWILLING_TO_PERFORM;
- PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "%s attributes is not allowed",
- (mods[i]->mod_op & LDAP_MOD_DELETE) ? "Deleting" : "Adding");
- } else if (mods[i]->mod_op & LDAP_MOD_REPLACE) {
- if ( (checked_all_maxdiskspace_and_mlogsize == 0 ) &&
+
+ if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) {
+ if (apply_mods) { /* log warning once */
+ slapi_log_error (SLAPI_LOG_FATAL, NULL,
+ "Warning: Adding configuration attribute \"%s\"\n",
+ config_attr);
+ }
+ rc = config_set(config_attr, mods[i]->mod_bvalues,
+ returntext, apply_mods);
+ } else if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) {
+ /* Need to allow deleting some configuration attrs */
+ if (allowed_to_delete_attrs(config_attr)) {
+ rc = config_set(config_attr, mods[i]->mod_bvalues,
+ returntext, apply_mods);
+ if (apply_mods) { /* log warning once */
+ slapi_log_error (SLAPI_LOG_FATAL, NULL,
+ "Warning: Deleting configuration attribute \"%s\"\n",
+ config_attr);
+ }
+ } else {
+ rc= LDAP_UNWILLING_TO_PERFORM;
+ PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "Deleting attributes is not allowed");
+ }
+ } else if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) {
+ if (( checked_all_maxdiskspace_and_mlogsize == 0 ) &&
((strcasecmp( mods[i]->mod_type, CONFIG_ERRORLOG_MAXLOGDISKSPACE_ATTRIBUTE) == 0) ||
(strcasecmp( mods[i]->mod_type, CONFIG_ERRORLOG_MAXLOGSIZE_ATTRIBUTE) == 0) ||
(strcasecmp( mods[i]->mod_type, CONFIG_ACCESSLOG_MAXLOGDISKSPACE_ATTRIBUTE) == 0) ||
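Review bot: The two warning messages are written without looking at `rc`, so the error log can record an add or delete of a configuration attribute that `config_set` actually refused. In the delete branch the log call follows `config_set` and could be guarded with `if (apply_mods && rc == LDAP_SUCCESS)`. In the add branch the log call precedes `config_set` and would need to move below it with the same guard. Since these lines are the only trace of a configuration change that used to be rejected outright, they should only fire for changes that took effect. `modify_config_dse` begins and ends outside this hunk, so how `rc` is handled after the loop is not visible here.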
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index b88a69a8..a7cc1bc2 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -628,7 +628,11 @@ static struct config_get_and_set {
{CONFIG_ENTRYUSN_GLOBAL, config_set_entryusn_global,
NULL, 0,
(void**)&global_slapdFrontendConfig.entryusn_global, CONFIG_ON_OFF,
- (ConfigGetFunc)config_get_entryusn_global}
+ (ConfigGetFunc)config_get_entryusn_global},
+ {CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE, config_set_allowed_to_delete_attrs,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.allowed_to_delete_attrs,
+ CONFIG_STRING, (ConfigGetFunc)config_get_allowed_to_delete_attrs}
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
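Review bot: The new table entry declares `CONFIG_STRING` for a slot whose storage (`allowed_to_delete_attrs`) and getter both have type `char **`. Any generic code that reads or formats table values according to the declared type would treat the array pointer as a `char *`. That code is outside this hunk, so whether it is reached for this attribute needs to be confirmed. If the type enum has a value for string arrays it belongs here; otherwise a comment on the entry such as `/* value is a charray, not a char *; only the set/get functions may interpret it */` would warn the next maintainer.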
@@ -1007,6 +1011,10 @@ FrontendConfig_init () {
cfg->auditlog_exptimeunit = slapi_ch_strdup("month");
cfg->entryusn_global = LDAP_OFF;
+ slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
+ slapi_ch_strdup("nsslapd-listenhost"));
+ slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
+ slapi_ch_strdup("nsslapd-securelistenhost"));
#ifdef MEMPOOL_EXPERIMENTAL
cfg->mempool_switch = LDAP_ON;
@@ -5557,6 +5565,35 @@ config_set_entryusn_global( const char *attrname, char *value,
return retVal;
}
+char **
+config_get_allowed_to_delete_attrs(void)
+{
+ char **retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->allowed_to_delete_attrs;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+int
+config_set_allowed_to_delete_attrs( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ if (apply) {
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapi_ch_array_free(slapdFrontendConfig->allowed_to_delete_attrs);
+ slapdFrontendConfig->allowed_to_delete_attrs =
+ slapi_str2charray_ext(value, " ", 0);
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ }
+ return retVal;
+}
+
/*
* This function is intended to be used from the dse code modify callback. It
* is "optimized" for that case because it takes a berval** of values, which is
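Review bot: `config_set_allowed_to_delete_attrs` passes `value` straight to `slapi_str2charray_ext` and always returns `LDAP_SUCCESS`, so a NULL or empty value is never reported and `errorbuf` is never filled. Whether the helper tolerates NULL is not visible in this hunk. An explicit guard ahead of the `if (apply)` block, for example `if (value == NULL) { PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: a value is required", attrname); return LDAP_OPERATIONS_ERROR; }`, would make the contract clear, if rejecting NULL is the intended behaviour. Both new functions also lack a header comment; the getter's should say that it returns the live internal array rather than a copy, because callers must not free it or keep it across a configuration change.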
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 6f5ae54d..089c1746 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -372,6 +372,7 @@ int config_set_accesslogbuffering(const char *attrname, char *value, char *error
int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
int config_set_force_sasl_external(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_entryusn_global( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_allowed_to_delete_attrs( const char *attrname, char *value, char *errorbuf, int apply );
#if !defined(_WIN32) && !defined(AIX)
@@ -512,6 +513,7 @@ int config_get_system_page_bits();
#endif
int config_get_force_sasl_external();
int config_get_entryusn_global(void);
+char **config_get_allowed_to_delete_attrs(void);
int is_abspath(const char *);
char* rel2abspath( char * );
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 1f4afd91..cac60eb2 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1906,6 +1906,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout"
#define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external"
#define CONFIG_ENTRYUSN_GLOBAL "nsslapd-entryusn-global"
+#define CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE "nsslapd-allowed-to-delete-attrs"
#ifdef MEMPOOL_EXPERIMENTAL
#define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2123,6 +2124,7 @@ typedef struct _slapdFrontendConfig {
#endif /* MEMPOOL_EXPERIMENTAL */
int force_sasl_external; /* force SIMPLE bind to be SASL/EXTERNAL if client cert credentials were supplied */
int entryusn_global; /* Entry USN: Use global counter */
+ char **allowed_to_delete_attrs;/* charray of config attrs allowed to delete */
} slapdFrontendConfig_t;
/* possible values for slapdFrontendConfig_t.schemareplace */