https://bugzilla.redhat.com/show_bug.cgi?id=602456
https://bugzilla.redhat.com/attachment.cgi?id=453261&action=diff
https://bugzilla.redhat.com/attachment.cgi?id=453261&action=edit

Thanks to Nathan for his review on the first proposal. I'm adding this change following Rich's suggestion.
Following the suggestion by Rich, adding "nsslapd-securelistenhost" to the default nsslapd-allowed-to-delete-attrs list. diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index 6b58dde..a7cc1bc 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -1013,6 +1013,8 @@ FrontendConfig_init () { cfg->entryusn_global = LDAP_OFF; slapi_ch_array_add(&(cfg->allowed_to_delete_attrs), slapi_ch_strdup("nsslapd-listenhost")); + slapi_ch_array_add(&(cfg->allowed_to_delete_attrs), + slapi_ch_strdup("nsslapd-securelistenhost")); #ifdef MEMPOOL_EXPERIMENTAL cfg->mempool_switch = LDAP_ON;
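Review bot: the two slapi_ch_array_add() calls in FrontendConfig_init() build the default list from bare string literals ("nsslapd-listenhost" and the added "nsslapd-securelistenhost"), and nothing in the hunk says that they form the default value of nsslapd-allowed-to-delete-attrs. A short comment above the pair stating that, and why these two attributes may be deleted, would help keep the code and the documented default from drifting apart when the list is next extended. The added call is also wrapped onto two lines while the call above it sits on one; formatting both the same way would read more cleanly.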
By default, the list contains "nsslapd-listenhost" and "nsslapd-securelistenhost".

Description:
1. Originally, configuration attributes were designed not to allow adding or deleting, but to allow just replacing. Due to a defect in checking the add operation, adding (LDAP_MOD_ADD) is not rejected. Instead of fixing the add checking to disallow adding, this patch logs the operation in the error log.
2. On the other hand, deleting configuration attributes is rejected with LDAP_UNWILLING_TO_PERFORM. We have a request that some attributes need to be allowed to be deleted. This patch introduces a config attribute nsslapd-allowed-to-delete-attrs, whose value is a list of configuration attributes separated by a space ' '. If an attribute is in the list, the attribute is allowed to be deleted. The delete operation is also logged in the error log.
Files:
ldap/servers/slapd/configdse.c
ldap/servers/slapd/libglobs.c
ldap/servers/slapd/proto-slap.h
ldap/servers/slapd/slap.h

Thanks,
--noriko

--
389-devel mailing list
389-de...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-devel