From c088ea0049412cfb216ddadb8f2ee7566fc9075c Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Wed, 14 Sep 2016 11:39:33 +0200
Subject: [PATCH] Ticket 48944 - backport 1.2.11 - on a read only replica
 invalid state info can accumulate

Bug Description: if internal mods are generated on a consumer (eg by Account Policy)
		 and changes for these attributes are als received via replication
		 the state information on the consumer can accumulate

Fix Description: Make sure replace operations are only applied if they
		 are newer than an existing attribute deletion csn.

https://fedorahosted.org/389/ticket/48944

Reviewed by: Noriko, thanks

(cherry picked from commit 2e98b9ecd575d4cf531a92df3bbbe3e4f021b0ca)
(cherry picked from commit 6751a36e8eb1936e3abd0a300fe68341f20bd8a6)
---
 ldap/servers/slapd/entrywsi.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c
index 663d115..76286a1 100644
--- a/ldap/servers/slapd/entrywsi.c
+++ b/ldap/servers/slapd/entrywsi.c
@@ -430,6 +430,8 @@ entry_add_present_values_wsi(Slapi_Entry *e, const char *type, struct berval **b
 		Slapi_Attr *a= NULL;
 		long a_flags_orig;
 		int attr_state= entry_attr_find_wsi(e, type, &a);
+		const CSN *adcsn = NULL;
+
 		if (ATTRIBUTE_NOTFOUND == attr_state)
 		{
 			/* Create a new attribute */
@@ -437,6 +439,17 @@ entry_add_present_values_wsi(Slapi_Entry *e, const char *type, struct berval **b
 			slapi_attr_init(a, type);
 			attrlist_add(&e->e_attrs, a);
 		}
+
+		adcsn = attr_get_deletion_csn(a);
+		if (csn_compare(csn, adcsn) < 0) {
+			/* the attribute was deleted with an adcsn
+			 * newer than the current csn.
+			 * Nothing to do.
+			 */
+			valuearray_free(&valuestoadd);
+			return retVal;
+		}
+
 		a_flags_orig = a->a_flags;
 		a->a_flags |= flags;
 		/* Check if the type of the to-be-added values has DN syntax or not. */
@@ -544,6 +557,14 @@ entry_delete_present_values_wsi(Slapi_Entry *e, const char *type, struct berval
 		{
 			/* delete the entire attribute */
 			LDAPDebug( LDAP_DEBUG_ARGS, "removing entire attribute %s\n", type, 0, 0 );
+			const CSN *adcsn = attr_get_deletion_csn(a);
+			if (csn_compare(csn, adcsn) < 0) {
+				/* the attribute was deleted with an adcsn
+				 * newer than the current csn.
+				 * Nothing to do.
+				 */
+				return retVal;
+			}
 			attr_set_deletion_csn(a,csn);
 			if(urp)
 			{
-- 
2.4.11