Blob Blame Raw
From 17aada4feb87407e004a890225700e730778d692 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 20 Jun 2019 15:50:08 -0400
Subject: [PATCH 1/2] BZ1518320 - entry cache crash fix

Description: THis patch is combination of all the entry cache fixes.

             If these fixes are not enough, there is an experimental
             "fix" that should prevent the crash.  A message will be
             logged that reports the crash was averted:

                  "(avoided crash, but cache was corrupted)"

             The customer should monitor the errors log for this text,
             and let GSS know if they see it.
---
 configure.ac                                  |   3 -
 dirsrvtests/tests/suites/betxns/betxn_test.py |  57 ++++++
 ldap/servers/slapd/back-ldbm/back-ldbm.h      |  68 ++++----
 ldap/servers/slapd/back-ldbm/backentry.c      |   2 +-
 ldap/servers/slapd/back-ldbm/cache.c          | 163 ++++++++++++++++--
 ldap/servers/slapd/back-ldbm/ldbm_add.c       |  13 ++
 ldap/servers/slapd/back-ldbm/ldbm_delete.c    |  12 ++
 ldap/servers/slapd/back-ldbm/ldbm_modify.c    |  12 ++
 ldap/servers/slapd/back-ldbm/ldbm_modrdn.c    |  22 ++-
 .../servers/slapd/back-ldbm/proto-back-ldbm.h |   1 +
 ldap/servers/slapd/slapi-plugin.h             |  15 ++
 ldap/servers/slapd/time.c                     |  26 +++
 12 files changed, 341 insertions(+), 53 deletions(-)

diff --git a/configure.ac b/configure.ac
index 91d6d398b..ea528ff2b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -72,9 +72,6 @@ AC_FUNC_STRFTIME
 AC_FUNC_VPRINTF
 AC_CHECK_FUNCS([endpwent ftruncate getcwd gethostbyname inet_ntoa localtime_r memmove memset mkdir munmap putenv rmdir setrlimit socket strcasecmp strchr strcspn strdup strerror strncasecmp strpbrk strrchr strstr strtol tzset])
 
-# These functions are *required* without option.
-AC_CHECK_FUNCS([clock_gettime], [], AC_MSG_ERROR([unable to locate required symbol clock_gettime]))
-
 # This will detect if we need to add the LIBADD_DL value for us.
 LT_LIB_DLLOAD
 
diff --git a/dirsrvtests/tests/suites/betxns/betxn_test.py b/dirsrvtests/tests/suites/betxns/betxn_test.py
index 175496495..48181a9ea 100644
--- a/dirsrvtests/tests/suites/betxns/betxn_test.py
+++ b/dirsrvtests/tests/suites/betxns/betxn_test.py
@@ -8,6 +8,7 @@
 #
 import pytest
 import six
+import ldap
 from lib389.tasks import *
 from lib389.utils import *
 from lib389.topologies import topology_st
@@ -248,6 +249,62 @@ def test_betxn_memberof(topology_st, dynamic_plugins):
     log.info('test_betxn_memberof: PASSED')
 
 
+def test_betxn_modrdn_memberof(topology_st):
+    """Test modrdn operartions and memberOf
+
+    :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5994
+
+    :setup: Standalone instance
+
+    :steps: 1. Enable and configure memberOf plugin
+            2. Set memberofgroupattr="member" and memberofAutoAddOC="nsContainer"
+            3. Create group and user outside of memberOf plugin scope
+            4. Do modrdn to move group into scope
+            5. Do modrdn to move group into scope (again)
+
+    :expectedresults:
+            1. memberOf plugin plugin should be ON
+            2. Set memberofgroupattr="member" and memberofAutoAddOC="nsContainer" should PASS
+            3. Creating group and user should PASS
+            4. Modrdn should fail with objectclass violation
+            5. Second modrdn should also fail with objectclass violation
+    """
+
+    peoplebase = 'ou=people,%s' % DEFAULT_SUFFIX
+    memberof = MemberOfPlugin(topology_st.standalone)
+    memberof.enable()
+    memberof.set_autoaddoc('nsContainer')  # Bad OC
+    memberof.set('memberOfEntryScope', peoplebase)
+    memberof.set('memberOfAllBackends', 'on')
+    topology_st.standalone.restart()
+
+    groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
+    group = groups.create(properties={
+        'cn': 'group',
+    })
+
+    # Create user and add it to group
+    users = UserAccounts(topology_st.standalone, basedn=DEFAULT_SUFFIX)
+    user = users.create(properties=TEST_USER_PROPERTIES)
+    if not ds_is_older('1.3.7'):
+        user.remove('objectClass', 'nsMemberOf')
+
+    group.add_member(user.dn)
+
+    # Attempt modrdn that should fail, but the original entry should stay in the cache
+    with pytest.raises(ldap.OBJECTCLASS_VIOLATION):
+        group.rename('cn=group_to_people', newsuperior=peoplebase)
+
+    # Should fail, but not with NO_SUCH_OBJECT as the original entry should still be in the cache
+    with pytest.raises(ldap.OBJECTCLASS_VIOLATION):
+        group.rename('cn=group_to_people', newsuperior=peoplebase)
+
+    #
+    # Done
+    #
+    log.info('test_betxn_modrdn_memberof: PASSED')
+
+
 if __name__ == '__main__':
     # Run isolated
     # -s for DEBUG mode
diff --git a/ldap/servers/slapd/back-ldbm/back-ldbm.h b/ldap/servers/slapd/back-ldbm/back-ldbm.h
index 4727961a9..399508561 100644
--- a/ldap/servers/slapd/back-ldbm/back-ldbm.h
+++ b/ldap/servers/slapd/back-ldbm/back-ldbm.h
@@ -310,36 +310,37 @@ typedef struct
 #define CACHE_TYPE_ENTRY 0
 #define CACHE_TYPE_DN    1
 
-struct backcommon
-{
-    int ep_type;                   /* to distinguish backdn from backentry */
-    struct backcommon *ep_lrunext; /* for the cache */
-    struct backcommon *ep_lruprev; /* for the cache */
-    ID ep_id;                      /* entry id */
-    char ep_state;                 /* state in the cache */
-#define ENTRY_STATE_DELETED    0x1 /* entry is marked as deleted */
-#define ENTRY_STATE_CREATING   0x2 /* entry is being created; don't touch it */
-#define ENTRY_STATE_NOTINCACHE 0x4 /* cache_add failed; not in the cache */
-    int ep_refcnt;                 /* entry reference cnt */
-    size_t ep_size;                /* for cache tracking */
+struct backcommon {
+    int               ep_type;      /* to distinguish backdn from backentry */
+    struct backcommon *ep_lrunext;  /* for the cache */
+    struct backcommon *ep_lruprev;  /* for the cache */
+    ID                ep_id;        /* entry id */
+    char              ep_state;     /* state in the cache */
+#define ENTRY_STATE_DELETED     0x1 /* entry is marked as deleted */
+#define ENTRY_STATE_CREATING    0x2 /* entry is being created; don't touch it */
+#define ENTRY_STATE_NOTINCACHE  0x4 /* cache_add failed; not in the cache */
+#define ENTRY_STATE_INVALID     0x8 /* cache entry is invalid and needs to be removed */
+    int               ep_refcnt;    /* entry reference cnt */
+    size_t            ep_size;      /* for cache tracking */
+    struct timespec ep_create_time; /* the time the entry was added to the cache */
 };
 
 /* From ep_type through ep_size MUST be identical to backcommon */
-struct backentry
-{
-    int ep_type;                   /* to distinguish backdn from backentry */
-    struct backcommon *ep_lrunext; /* for the cache */
-    struct backcommon *ep_lruprev; /* for the cache */
-    ID ep_id;                      /* entry id */
-    char ep_state;                 /* state in the cache */
-    int ep_refcnt;                 /* entry reference cnt */
-    size_t ep_size;                /* for cache tracking */
-    Slapi_Entry *ep_entry;         /* real entry */
-    Slapi_Entry *ep_vlventry;
-    void *ep_dn_link;     /* linkage for the 3 hash */
-    void *ep_id_link;     /*     tables used for */
-    void *ep_uuid_link;   /*     looking up entries */
-    PRMonitor *ep_mutexp; /* protection for mods; make it reentrant */
+struct backentry {
+    int               ep_type;      /* to distinguish backdn from backentry */
+    struct backcommon *ep_lrunext;  /* for the cache */
+    struct backcommon *ep_lruprev;  /* for the cache */
+    ID                ep_id;        /* entry id */
+    char              ep_state;     /* state in the cache */
+    int               ep_refcnt;    /* entry reference cnt */
+    size_t            ep_size;      /* for cache tracking */
+    struct timespec ep_create_time; /* the time the entry was added to the cache */
+    Slapi_Entry       *ep_entry;    /* real entry */
+    Slapi_Entry       *ep_vlventry;
+    void *            ep_dn_link;   /* linkage for the 3 hash */
+    void *            ep_id_link;   /*     tables used for */
+    void *            ep_uuid_link; /*     looking up entries */
+    PRMonitor         *ep_mutexp;   /* protection for mods; make it reentrant */
 };
 
 /* From ep_type through ep_size MUST be identical to backcommon */
@@ -348,12 +349,13 @@ struct backdn
     int ep_type;                   /* to distinguish backdn from backentry */
     struct backcommon *ep_lrunext; /* for the cache */
     struct backcommon *ep_lruprev; /* for the cache */
-    ID ep_id;                      /* entry id */
-    char ep_state;                 /* state in the cache; share ENTRY_STATE_* */
-    int ep_refcnt;                 /* entry reference cnt */
-    size_t ep_size;                /* for cache tracking */
-    Slapi_DN *dn_sdn;
-    void *dn_id_link; /* for hash table */
+    ID                ep_id;       /* entry id */
+    char              ep_state;    /* state in the cache; share ENTRY_STATE_* */
+    int               ep_refcnt;   /* entry reference cnt */
+    size_t            ep_size;      /* for cache tracking */
+    struct timespec ep_create_time; /* the time the entry was added to the cache */
+    Slapi_DN          *dn_sdn;
+    void              *dn_id_link; /* for hash table */
 };
 
 /* for the in-core cache of entries */
diff --git a/ldap/servers/slapd/back-ldbm/backentry.c b/ldap/servers/slapd/back-ldbm/backentry.c
index f2fe780db..a1f3ca1bb 100644
--- a/ldap/servers/slapd/back-ldbm/backentry.c
+++ b/ldap/servers/slapd/back-ldbm/backentry.c
@@ -23,7 +23,7 @@ backentry_free(struct backentry **bep)
         return;
     }
     ep = *bep;
-    PR_ASSERT(ep->ep_state & (ENTRY_STATE_DELETED | ENTRY_STATE_NOTINCACHE));
+    PR_ASSERT(ep->ep_state & (ENTRY_STATE_DELETED | ENTRY_STATE_NOTINCACHE | ENTRY_STATE_INVALID));
     if (ep->ep_entry != NULL) {
         slapi_entry_free(ep->ep_entry);
     }
diff --git a/ldap/servers/slapd/back-ldbm/cache.c b/ldap/servers/slapd/back-ldbm/cache.c
index 86e1f7b39..054766df2 100644
--- a/ldap/servers/slapd/back-ldbm/cache.c
+++ b/ldap/servers/slapd/back-ldbm/cache.c
@@ -56,6 +56,11 @@
 #define LOG(...)
 #endif
 
+typedef enum {
+    ENTRY_CACHE,
+    DN_CACHE,
+} CacheType;
+
 #define LRU_DETACH(cache, e) lru_detach((cache), (void *)(e))
 
 #define CACHE_LRU_HEAD(cache, type) ((type)((cache)->c_lruhead))
@@ -185,6 +190,7 @@ new_hash(u_long size, u_long offset, HashFn hfn, HashTestFn tfn)
 int
 add_hash(Hashtable *ht, void *key, uint32_t keylen, void *entry, void **alt)
 {
+    struct backcommon *back_entry = (struct backcommon *)entry;
     u_long val, slot;
     void *e;
 
@@ -202,6 +208,7 @@ add_hash(Hashtable *ht, void *key, uint32_t keylen, void *entry, void **alt)
         e = HASH_NEXT(ht, e);
     }
     /* ok, it's not already there, so add it */
+    back_entry->ep_create_time = slapi_current_rel_time_hr();
     HASH_NEXT(ht, entry) = ht->slot[slot];
     ht->slot[slot] = entry;
     return 1;
@@ -492,6 +499,126 @@ cache_make_hashes(struct cache *cache, int type)
     }
 }
 
+/*
+ * Helper function for flush_hash() to calculate if the entry should be
+ * removed from the cache.
+ */
+static int32_t
+flush_remove_entry(struct timespec *entry_time, struct timespec *start_time)
+{
+    struct timespec diff;
+
+    slapi_timespec_diff(entry_time, start_time, &diff);
+    if (diff.tv_sec >= 0) {
+        return 1;
+    } else {
+        return 0;
+    }
+}
+
+/*
+ * Flush all the cache entries that were added after the "start time"
+ * This is called when a backend transaction plugin fails, and we need
+ * to remove all the possible invalid entries in the cache.
+ *
+ * If the ref count is 0, we can straight up remove it from the cache, but
+ * if the ref count is greater than 1, then the entry is currently in use.
+ * In the later case we set the entry state to ENTRY_STATE_INVALID, and
+ * when the owning thread cache_returns() the cache entry is automatically
+ * removed so another thread can not use/lock the invalid cache entry.
+ */
+static void
+flush_hash(struct cache *cache, struct timespec *start_time, int32_t type)
+{
+    Hashtable *ht = cache->c_idtable; /* start with the ID table as it's in both ENTRY and DN caches */
+    void *e, *laste = NULL;
+
+    cache_lock(cache);
+
+    for (size_t i = 0; i < ht->size; i++) {
+        e = ht->slot[i];
+        while (e) {
+            struct backcommon *entry = (struct backcommon *)e;
+            uint64_t remove_it = 0;
+            if (flush_remove_entry(&entry->ep_create_time, start_time)) {
+                /* Mark the entry to be removed */
+                slapi_log_err(SLAPI_LOG_CACHE, "flush_hash", "[%s] Removing entry id (%d)\n",
+                        type ? "DN CACHE" : "ENTRY CACHE", entry->ep_id);
+                remove_it = 1;
+            }
+            laste = e;
+            e = HASH_NEXT(ht, e);
+
+            if (remove_it) {
+                /* since we have the cache lock we know we can trust refcnt */
+                entry->ep_state |= ENTRY_STATE_INVALID;
+                if (entry->ep_refcnt == 0) {
+                    entry->ep_refcnt++;
+                    lru_delete(cache, laste);
+                    if (type == ENTRY_CACHE) {
+                        entrycache_remove_int(cache, laste);
+                        entrycache_return(cache, (struct backentry **)&laste);
+                    } else {
+                        dncache_remove_int(cache, laste);
+                        dncache_return(cache, (struct backdn **)&laste);
+                    }
+                } else {
+                    /* Entry flagged for removal */
+                    slapi_log_err(SLAPI_LOG_CACHE, "flush_hash",
+                            "[%s] Flagging entry to be removed later: id (%d) refcnt: %d\n",
+                            type ? "DN CACHE" : "ENTRY CACHE", entry->ep_id, entry->ep_refcnt);
+                }
+            }
+        }
+    }
+
+    if (type == ENTRY_CACHE) {
+        /* Also check the DN hashtable */
+        ht = cache->c_dntable;
+
+        for (size_t i = 0; i < ht->size; i++) {
+            e = ht->slot[i];
+            while (e) {
+                struct backcommon *entry = (struct backcommon *)e;
+                uint64_t remove_it = 0;
+                if (flush_remove_entry(&entry->ep_create_time, start_time)) {
+                    /* Mark the entry to be removed */
+                    slapi_log_err(SLAPI_LOG_CACHE, "flush_hash", "[ENTRY CACHE] Removing entry id (%d)\n",
+                            entry->ep_id);
+                    remove_it = 1;
+                }
+                laste = e;
+                e = HASH_NEXT(ht, e);
+
+                if (remove_it) {
+                    /* since we have the cache lock we know we can trust refcnt */
+                    entry->ep_state |= ENTRY_STATE_INVALID;
+                    if (entry->ep_refcnt == 0) {
+                        entry->ep_refcnt++;
+                        lru_delete(cache, laste);
+                        entrycache_remove_int(cache, laste);
+                        entrycache_return(cache, (struct backentry **)&laste);
+                    } else {
+                        /* Entry flagged for removal */
+                        slapi_log_err(SLAPI_LOG_CACHE, "flush_hash",
+                                "[ENTRY CACHE] Flagging entry to be removed later: id (%d) refcnt: %d\n",
+                                entry->ep_id, entry->ep_refcnt);
+                    }
+                }
+            }
+        }
+    }
+
+    cache_unlock(cache);
+}
+
+void
+revert_cache(ldbm_instance *inst, struct timespec *start_time)
+{
+    flush_hash(&inst->inst_cache, start_time, ENTRY_CACHE);
+    flush_hash(&inst->inst_dncache, start_time, DN_CACHE);
+}
+
 /* initialize the cache */
 int
 cache_init(struct cache *cache, uint64_t maxsize, long maxentries, int type)
@@ -1141,10 +1268,10 @@ entrycache_return(struct cache *cache, struct backentry **bep)
         backentry_free(bep);
     } else {
         ASSERT(e->ep_refcnt > 0);
-        if (!--e->ep_refcnt) {
-            if (e->ep_state & ENTRY_STATE_DELETED) {
-                const char *ndn = slapi_sdn_get_ndn(backentry_get_sdn(e));
-                if (ndn) {
+        if (! --e->ep_refcnt) {
+            if (e->ep_state & (ENTRY_STATE_DELETED | ENTRY_STATE_INVALID)) {
+                const char* ndn = slapi_sdn_get_ndn(backentry_get_sdn(e));
+                if (ndn){
                     /*
                      * State is "deleted" and there are no more references,
                      * so we need to remove the entry from the DN cache because
@@ -1154,6 +1281,13 @@ entrycache_return(struct cache *cache, struct backentry **bep)
                         LOG("entrycache_return -Failed to remove %s from dn table\n", ndn);
                     }
                 }
+                if (e->ep_state & ENTRY_STATE_INVALID) {
+                    /* Remove it from the hash table before we free the back entry */
+                    slapi_log_err(SLAPI_LOG_CACHE, "entrycache_return",
+                            "Finally flushing invalid entry: %d (%s)\n",
+                            e->ep_id, backentry_get_ndn(e));
+                    entrycache_remove_int(cache, e);
+                }
                 backentry_free(bep);
             } else {
                 lru_add(cache, e);
@@ -1535,11 +1669,11 @@ cache_lock_entry(struct cache *cache, struct backentry *e)
 
     /* make sure entry hasn't been deleted now */
     cache_lock(cache);
-    if (e->ep_state & (ENTRY_STATE_DELETED | ENTRY_STATE_NOTINCACHE)) {
-        cache_unlock(cache);
-        PR_ExitMonitor(e->ep_mutexp);
-        LOG("<= cache_lock_entry (DELETED)\n");
-        return RETRY_CACHE_LOCK;
+    if (e->ep_state & (ENTRY_STATE_DELETED | ENTRY_STATE_NOTINCACHE | ENTRY_STATE_INVALID)) {
+       cache_unlock(cache);
+       PR_ExitMonitor(e->ep_mutexp);
+       LOG("<= cache_lock_entry (DELETED)\n");
+       return RETRY_CACHE_LOCK;
     }
     cache_unlock(cache);
 
@@ -1695,8 +1829,15 @@ dncache_return(struct cache *cache, struct backdn **bdn)
         backdn_free(bdn);
     } else {
         ASSERT((*bdn)->ep_refcnt > 0);
-        if (!--(*bdn)->ep_refcnt) {
-            if ((*bdn)->ep_state & ENTRY_STATE_DELETED) {
+        if (! --(*bdn)->ep_refcnt) {
+            if ((*bdn)->ep_state & (ENTRY_STATE_DELETED | ENTRY_STATE_INVALID)) {
+                if ((*bdn)->ep_state & ENTRY_STATE_INVALID) {
+                    /* Remove it from the hash table before we free the back dn */
+                    slapi_log_err(SLAPI_LOG_CACHE, "dncache_return",
+                            "Finally flushing invalid entry: %d (%s)\n",
+                            (*bdn)->ep_id, slapi_sdn_get_dn((*bdn)->dn_sdn));
+                    dncache_remove_int(cache, (*bdn));
+                }
                 backdn_free(bdn);
             } else {
                 lru_add(cache, (void *)*bdn);
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
index 32c8e71ff..d3c8cdab2 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
@@ -97,6 +97,8 @@ ldbm_back_add(Slapi_PBlock *pb)
     PRUint64 conn_id;
     int op_id;
     int result_sent = 0;
+    int32_t parent_op = 0;
+    struct timespec parent_time;
 
     if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) {
         conn_id = 0; /* connection is NULL */
@@ -147,6 +149,13 @@ ldbm_back_add(Slapi_PBlock *pb)
     slapi_entry_delete_values(e, numsubordinates, NULL);
 
     dblayer_txn_init(li, &txn);
+
+    if (txn.back_txn_txn == NULL) {
+        /* This is the parent operation, get the time */
+        parent_op = 1;
+        parent_time = slapi_current_rel_time_hr();
+    }
+
     /* the calls to perform searches require the parent txn if any
        so set txn to the parent_txn until we begin the child transaction */
     if (parent_txn) {
@@ -1239,6 +1248,10 @@ ldbm_back_add(Slapi_PBlock *pb)
     goto common_return;
 
 error_return:
+    if (parent_op) {
+        revert_cache(inst, &parent_time);
+    }
+
     if (addingentry_id_assigned) {
         next_id_return(be, addingentry->ep_id);
     }
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
index f5f6c1e3a..80c53a3e0 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
@@ -79,6 +79,8 @@ ldbm_back_delete(Slapi_PBlock *pb)
     ID tomb_ep_id = 0;
     int result_sent = 0;
     Connection *pb_conn;
+    int32_t parent_op = 0;
+    struct timespec parent_time;
 
     if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) {
         conn_id = 0; /* connection is NULL */
@@ -98,6 +100,13 @@ ldbm_back_delete(Slapi_PBlock *pb)
 
     /* dblayer_txn_init needs to be called before "goto error_return" */
     dblayer_txn_init(li, &txn);
+
+    if (txn.back_txn_txn == NULL) {
+        /* This is the parent operation, get the time */
+        parent_op = 1;
+        parent_time = slapi_current_rel_time_hr();
+    }
+
     /* the calls to perform searches require the parent txn if any
        so set txn to the parent_txn until we begin the child transaction */
     if (parent_txn) {
@@ -1356,6 +1365,9 @@ commit_return:
     goto common_return;
 
 error_return:
+    if (parent_op) {
+        revert_cache(inst, &parent_time);
+    }
     if (tombstone) {
         if (cache_is_in_cache(&inst->inst_cache, tombstone)) {
             tomb_ep_id = tombstone->ep_id; /* Otherwise, tombstone might have been freed. */
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index cc4319e5f..93ab0a9e8 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -412,6 +412,8 @@ ldbm_back_modify(Slapi_PBlock *pb)
     int fixup_tombstone = 0;
     int ec_locked = 0;
     int result_sent = 0;
+    int32_t parent_op = 0;
+    struct timespec parent_time;
 
     slapi_pblock_get(pb, SLAPI_BACKEND, &be);
     slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &li);
@@ -424,6 +426,13 @@ ldbm_back_modify(Slapi_PBlock *pb)
     fixup_tombstone = operation_is_flag_set(operation, OP_FLAG_TOMBSTONE_FIXUP);
 
     dblayer_txn_init(li, &txn); /* must do this before first goto error_return */
+
+    if (txn.back_txn_txn == NULL) {
+        /* This is the parent operation, get the time */
+        parent_op = 1;
+        parent_time = slapi_current_rel_time_hr();
+    }
+
     /* the calls to perform searches require the parent txn if any
        so set txn to the parent_txn until we begin the child transaction */
     if (parent_txn) {
@@ -887,6 +896,9 @@ ldbm_back_modify(Slapi_PBlock *pb)
     goto common_return;
 
 error_return:
+    if (parent_op) {
+        revert_cache(inst, &parent_time);
+    }
     if (postentry != NULL) {
         slapi_entry_free(postentry);
         postentry = NULL;
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index e2e9d1b46..1ca1bdb28 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -97,6 +97,8 @@ ldbm_back_modrdn(Slapi_PBlock *pb)
     int op_id;
     int result_sent = 0;
     Connection *pb_conn = NULL;
+    int32_t parent_op = 0;
+    struct timespec parent_time;
 
     if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) {
         conn_id = 0; /* connection is NULL */
@@ -134,6 +136,13 @@ ldbm_back_modrdn(Slapi_PBlock *pb)
 
     /* dblayer_txn_init needs to be called before "goto error_return" */
     dblayer_txn_init(li, &txn);
+
+    if (txn.back_txn_txn == NULL) {
+        /* This is the parent operation, get the time */
+        parent_op = 1;
+        parent_time = slapi_current_rel_time_hr();
+    }
+
     /* the calls to perform searches require the parent txn if any
        so set txn to the parent_txn until we begin the child transaction */
     if (parent_txn) {
@@ -1276,6 +1285,10 @@ ldbm_back_modrdn(Slapi_PBlock *pb)
     goto common_return;
 
 error_return:
+    /* Revert the caches if this is the parent operation */
+    if (parent_op) {
+       revert_cache(inst, &parent_time);
+    }
     /* result already sent above - just free stuff */
     if (postentry) {
         slapi_entry_free(postentry);
@@ -1353,6 +1366,10 @@ error_return:
                     slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
                 }
                 slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+                /* Revert the caches if this is the parent operation */
+                if (parent_op) {
+                    revert_cache(inst, &parent_time);
+                }
             }
 	retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN);
 
@@ -1413,12 +1430,7 @@ common_return:
             CACHE_RETURN(&inst->inst_dncache, &bdn);
         }
 
-        /* remove the new entry from the cache if the op failed -
-           otherwise, leave it in */
         if (ec && inst) {
-            if (retval && cache_is_in_cache(&inst->inst_cache, ec)) {
-                CACHE_REMOVE(&inst->inst_cache, ec);
-            }
             CACHE_RETURN(&inst->inst_cache, &ec);
         }
         ec = NULL;
diff --git a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
index 61c3313c5..510d38f57 100644
--- a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
+++ b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
@@ -55,6 +55,7 @@ void cache_unlock_entry(struct cache *cache, struct backentry *e);
 int cache_replace(struct cache *cache, void *oldptr, void *newptr);
 int cache_has_otherref(struct cache *cache, void *bep);
 int cache_is_in_cache(struct cache *cache, void *ptr);
+void revert_cache(ldbm_instance *inst, struct timespec *start_time);
 
 #ifdef CACHE_DEBUG
 void check_entry_cache(struct cache *cache, struct backentry *e);
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index bdad4e59e..eefe88724 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -6853,6 +6853,12 @@ void slapi_operation_time_expiry(Slapi_Operation *o, time_t timeout, struct time
  */
 slapi_timer_result slapi_timespec_expire_check(struct timespec *expire);
 
+/**
+ * Returns the current system time as a hr clock
+ *
+ * \return timespec of the current monotonic time.
+ */
+struct timespec slapi_current_rel_time_hr(void);
 
 /*
  * Plugin and parameter block related macros (remainder of this file).
@@ -8296,6 +8302,15 @@ uint64_t slapi_atomic_decr_64(uint64_t *ptr, int memorder);
 
 /* helper function */
 const char * fetch_attr(Slapi_Entry *e, const char *attrname, char *default_val);
+/**
+ * Diffs two timespects a - b into *diff. This is useful with
+ * clock_monotonic to find time taken to perform operations.
+ *
+ * \param struct timespec a the "end" time.
+ * \param struct timespec b the "start" time.
+ * \param struct timespec c the difference.
+ */
+void slapi_timespec_diff(struct timespec *a, struct timespec *b, struct timespec *diff);
 
 #ifdef __cplusplus
 }
diff --git a/ldap/servers/slapd/time.c b/ldap/servers/slapd/time.c
index 584bd1e63..2a3865858 100644
--- a/ldap/servers/slapd/time.c
+++ b/ldap/servers/slapd/time.c
@@ -96,6 +96,32 @@ slapi_current_utc_time_hr(void)
     return ltnow;
 }
 
+struct timespec
+slapi_current_rel_time_hr(void)
+{
+    struct timespec now;
+    clock_gettime(CLOCK_MONOTONIC, &now);
+    return now;
+}
+
+void
+slapi_timespec_diff(struct timespec *a, struct timespec *b, struct timespec *diff)
+{
+    /* Now diff the two */
+    time_t sec = a->tv_sec - b->tv_sec;
+    int32_t nsec = a->tv_nsec - b->tv_nsec;
+
+    if (nsec < 0) {
+        /* It's negative so take one second */
+        sec -= 1;
+        /* And set nsec to to a whole value */
+        nsec = 1000000000 - nsec;
+    }
+
+    diff->tv_sec = sec;
+    diff->tv_nsec = nsec;
+}
+
 time_t
 slapi_current_utc_time(void)
 {
-- 
2.21.0