The ipa_uuid plugin was blocking mods to referral objects due to the way it was retrieving the LDAP entry. It would retrieve the entry and if the result was non-zero, such as LDAP_REFERRAL, it would raise it as an error, short-circuiting the mod process.

Instead check to see if we got a referral and if so, exit more gracefully.

Testing information is in the associated BZ.

>From 6553ca9dea869206eacd5d35051e72516c5c3aa0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <>
Date: Thu, 10 May 2012 10:27:50 -0400
Subject: [PATCH] Return LDAP_SUCCESS on mods on a referral entry.

We currently return LDAP_REFERRAL which causes the mod to fail meaning
that referral entries cannot be changed.

All we really want to do is escape when we don't hvae an entry to modify.
 daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c |    9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
index 5430de4..2b07de4 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
@@ -817,6 +817,15 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype)
             ret = slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID());
+            if (ret == LDAP_REFERRAL) {
+                /* we have a referral so nothing for us to do, but return
+                 * success so we allow the MOD to proceed.
+                 */
+                ret = LDAP_SUCCESS;
+                free_entry = true;
+                goto done;
+            }
             if (ret) {
                 /* ok a client tried to modify an entry that doesn't exist.
                  * Nothing to see here, move along ... */

Freeipa-devel mailing list

Reply via email to