Bug 1044196

Summary: Automember plug-in should treat MODRDN operations as ADD operations
Product: Red Hat Enterprise Linux 7
Reporter: Nathan Kinder <nkinder>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Docs Contact:
Priority: high
Version: 7.0
CC: mreynolds, nhosoi
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 09:33:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Nathan Kinder 2013-12-17 21:52:08 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47529

When a MODRDN operation moves an entry into the configured scope of the automember plug-in, we should process the automember rules just as we do for an ADD operation.  If the entry is already within the automember scope and is being moved elsewhere, the automember should just ignore it as it does today.

This functionality is needed by FreeIPA for a user provisioning feature that is being proposed.

Comment 2 Sankar Ramalingam 2014-11-20 13:33:44 UTC
Created two suffixes as...
dc=testsuff,dc=com - for automembers configuration

dc=testsuff2,dc=com - for automember scope and default group

Configured automember plugin as...
[root@vm-idm-035 MMR_WINSYNC]# ldapmodify -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=Auto Membership Plugin,cn=plugins,cn=config
changetype: modify
add: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea: dc=testsuff,dc=com
EOF

[root@vm-idm-035 MMR_WINSYNC]# ldapmodify -a -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=People2,dc=testsuff,dc=com
objectclass: autoMemberDefinition
autoMemberScope: ou=Groups,dc=testsuff2,dc=com
autoMemberFilter: uid=newusr*
autoMemberDefaultGroup: cn=newgrp1,ou=People,dc=testsuff2,dc=com
autoMemberGroupingAttr: member:dn
EOF

Added a new group - cn=newgrp1,ou=People,dc=testsuff2,dc=com
Added a few users to ou=groups and ou=people. Then ran modrdn to check whether this issue is fixed.
Users moved from the automember scope to outside are still keeping the member attribute in groups.
Whereas the entries moved from outside into the automember scope are creating member attributes in the groups, as when a new user is added.

Users newusr1, newusr2 and newusr3 added to ou=groups.
User newusr4 added to ou=people.

# newgrp1, People, testsuff2.com
dn: cn=newgrp1,ou=People,dc=testsuff2,dc=com
objectClass: top
objectClass: groupOfNames
cn: newgrp1
member: uid=newusr3,ou=groups,dc=testsuff2,dc=com
member: uid=newusr1,ou=groups,dc=testsuff2,dc=com
member: uid=newusr2,ou=groups,dc=testsuff2,dc=com

Then, completed modrdn for users in ou=people and ou=groups.

[root@vm-idm-035 MMR_WINSYNC]# ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=newusr4,ou=People,dc=testsuff2,dc=com
changetype: modrdn
newrdn: uid=newusr5
deleteoldrdn: 1
newsuperior: ou=groups,dc=testsuff2,dc=com
EOF

[root@vm-idm-035 MMR_WINSYNC]# ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=newusr2,ou=groups,dc=testsuff2,dc=com
changetype: modrdn
newrdn: uid=newusr6
deleteoldrdn: 1
newsuperior: ou=people,dc=testsuff2,dc=com
EOF


The end result is ...
# newgrp1, People, testsuff2.com
dn: cn=newgrp1,ou=People,dc=testsuff2,dc=com
objectClass: top
objectClass: groupOfNames
cn: newgrp1
member: uid=newusr3,ou=groups,dc=testsuff2,dc=com
member: uid=newusr1,ou=groups,dc=testsuff2,dc=com
member: uid=newusr2,ou=groups,dc=testsuff2,dc=com
member: uid=newusr5,ou=groups,dc=testsuff2,dc=com


Hence, marking the bug as Verified.
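To make the MODRDN behaviour requested in the description concrete, the following is a small Python model of the automember decision, replaying the verification from comment 2 on constructed entries. It is an added example, not code from 389-ds-base or from this bug. It assumes a simplified autoMemberFilter (a single attr=value with `*` wildcards, where the real plug-in evaluates a full LDAP filter), DNs without escaped commas, and that a rename which stays inside the scope is ignored in the same way as a move out of it; the scope, filter, group and user DNs are the ones from comment 2.

```python
# Added example, not 389-ds-base code: a model of the automember plug-in's
# ADD / MODRDN decision as described in this bug.
import fnmatch
import re


def dn_parts(dn):
    """Split a simple DN into normalised RDN components (assumes no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",")]


def norm_dn(dn):
    return ",".join(dn_parts(dn))


def dn_in_scope(dn, scope):
    """True when dn lies below scope (the scope entry itself is not in scope)."""
    d, s = dn_parts(dn), dn_parts(scope)
    return len(d) > len(s) and d[-len(s):] == s


_SIMPLE_FILTER = re.compile(r"^\(?\s*([A-Za-z][\w;-]*)=(.*?)\s*\)?$")


def filter_matches(entry, ldap_filter):
    """Simplified autoMemberFilter: one attr=value with '*' wildcards (model assumption)."""
    m = _SIMPLE_FILTER.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter in this model: %r" % ldap_filter)
    attr, pattern = m.group(1).lower(), m.group(2).lower()
    return any(fnmatch.fnmatchcase(v.lower(), pattern) for v in entry.get(attr, ()))


class AutoMemberDefinition:
    """One autoMemberDefinition, using the attribute names shown in comment 2."""

    def __init__(self, scope, ldap_filter, default_group, grouping_attr="member"):
        self.scope = scope
        self.filter = ldap_filter
        self.default_group = norm_dn(default_group)
        self.grouping_attr = grouping_attr


class AutoMemberModel:
    """groups: normalised group DN -> {attribute: set of member DNs}."""

    def __init__(self, definitions, groups):
        self.definitions = definitions
        self.groups = groups

    def _add_to_groups(self, dn, entry, definitions):
        for d in definitions:
            if not (dn_in_scope(dn, d.scope) and filter_matches(entry, d.filter)):
                continue
            group = self.groups.get(d.default_group)
            if group is None:
                # Comments 3 and 5: under the backend transaction the whole ADD
                # is rejected when the default group does not exist.
                raise LookupError("No such object: " + d.default_group)
            group.setdefault(d.grouping_attr, set()).add(norm_dn(dn))

    def add(self, dn, entry):
        self._add_to_groups(dn, entry, self.definitions)

    def modrdn(self, old_dn, entry, newrdn, newsuperior=None, deleteoldrdn=True):
        parts = dn_parts(old_dn)
        parent = dn_parts(newsuperior) if newsuperior else parts[1:]
        newrdn = newrdn.strip().lower()
        new_dn = ",".join([newrdn] + parent)
        # Keep the naming attribute consistent with the rename (deleteoldrdn: 1).
        old_attr, old_val = parts[0].split("=", 1)
        new_attr, new_val = newrdn.split("=", 1)
        if deleteoldrdn:
            entry.get(old_attr, set()).discard(old_val)
        entry.setdefault(new_attr, set()).add(new_val)
        # The behaviour this bug asks for: a move INTO scope is handled like an
        # ADD. An entry already in scope (moved out, or renamed inside; the
        # latter is an assumption of this model) is left alone, so a stale
        # member value stays in the group, as comment 2 observed.
        moved_in = [d for d in self.definitions
                    if dn_in_scope(new_dn, d.scope) and not dn_in_scope(old_dn, d.scope)]
        self._add_to_groups(new_dn, entry, moved_in)
        return new_dn


GROUP_DN = "cn=newgrp1,ou=People,dc=testsuff2,dc=com"


def build_model():
    defn = AutoMemberDefinition("ou=Groups,dc=testsuff2,dc=com", "uid=newusr*", GROUP_DN)
    return AutoMemberModel([defn], {norm_dn(GROUP_DN): {"member": set()}})


def replay_comment2():
    """Replay comment 2 on constructed entries; returns the group's member values."""
    model = build_model()
    entries = {}
    for uid, ou in (("newusr1", "groups"), ("newusr2", "groups"),
                    ("newusr3", "groups"), ("newusr4", "people")):
        entries[uid] = {"uid": {uid}}
        model.add("uid=%s,ou=%s,dc=testsuff2,dc=com" % (uid, ou), entries[uid])
    # outside -> inside scope: processed like an ADD
    model.modrdn("uid=newusr4,ou=People,dc=testsuff2,dc=com", entries["newusr4"],
                 "uid=newusr5", newsuperior="ou=groups,dc=testsuff2,dc=com")
    # inside -> outside scope: ignored, the old member value remains
    model.modrdn("uid=newusr2,ou=groups,dc=testsuff2,dc=com", entries["newusr2"],
                 "uid=newusr6", newsuperior="ou=people,dc=testsuff2,dc=com")
    return sorted(model.groups[norm_dn(GROUP_DN)]["member"])


def add_without_default_group():
    """Comment 3: an ADD into scope is rejected when the default group is missing."""
    model = build_model()
    del model.groups[norm_dn(GROUP_DN)]
    try:
        model.add("uid=newusr2,ou=groups,dc=testsuff2,dc=com", {"uid": {"newusr2"}})
    except LookupError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(replay_comment2())
    print(add_without_default_group())
```

Running it lists the same four member values as the end result in comment 2: newusr1, newusr2 and newusr3 from their ADDs, newusr5 from the move into scope, and no change for the entry moved out, whose old `uid=newusr2,ou=groups,...` value is left behind as a dangling reference. The second function reproduces the rejection from comment 3 when the default group is absent.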

Comment 3 Sankar Ramalingam 2014-11-20 14:11:55 UTC
Automember plugin fails to add user entries if the DefaultGroup is not present.

I manually removed the group entry which was added in the automember definition as "autoMemberDefaultGroup:", and then the user add fails.

[root@vm-idm-035 MMR_WINSYNC]# AddNDSUsr newusr2 "dc=testsuff2,dc=com" "localhost" ou=groups 1189
adding new entry uid=newusr2,ou=groups,dc=testsuff2,dc=com
ldap_add: DSA is unwilling to perform
ldap_add: additional info: Automember Plugin update unexpectedly failed.


==> /var/log/dirsrv/slapd-M1/errors <==
[20/Nov/2014:19:04:25 +051800] auto-membership-plugin - automember_add_member_value: Unable to add "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).
[20/Nov/2014:19:04:25 +051800] auto-membership-plugin - automember_add_member_value: Unable to add "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).

Comment 4 mreynolds 2014-11-20 15:04:41 UTC
(In reply to Sankar Ramalingam from comment #3)
> Automember plugin fails to add user entries if the DefaultGroup not present.
> 
> I manually removed the group entry which was added in the automember
> definition as "autoMemberDefaultGroup:", then the user add fails.
> 
> [root@vm-idm-035 MMR_WINSYNC]# AddNDSUsr newusr2 "dc=testsuff2,dc=com"
> "localhost" ou=groups 1189
> adding new entry uid=newusr2,ou=groups,dc=testsuff2,dc=com
> ldap_add: DSA is unwilling to perform
> ldap_add: additional info: Automember Plugin update unexpectedly failed.
> 
> 
> ==> /var/log/dirsrv/slapd-M1/errors <==
> [20/Nov/2014:19:04:25 +051800] auto-membership-plugin -
> automember_add_member_value: Unable to add
> "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group
> "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).
> [20/Nov/2014:19:04:25 +051800] auto-membership-plugin -
> automember_add_member_value: Unable to add
> "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group
> "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).

What is the concern? This seems like the correct result to me.  If there is no group, how can we add members to it?

Comment 5 Sankar Ramalingam 2014-11-24 14:29:55 UTC
(In reply to mreynolds from comment #4)
> (In reply to Sankar Ramalingam from comment #3)
> > Automember plugin fails to add user entries if the DefaultGroup not present.
> > 
> > I manually removed the group entry which was added in the automember
> > definition as "autoMemberDefaultGroup:", then the user add fails.
> > 
> > [root@vm-idm-035 MMR_WINSYNC]# AddNDSUsr newusr2 "dc=testsuff2,dc=com"
> > "localhost" ou=groups 1189
> > adding new entry uid=newusr2,ou=groups,dc=testsuff2,dc=com
> > ldap_add: DSA is unwilling to perform
> > ldap_add: additional info: Automember Plugin update unexpectedly failed.
> > 
> > 
> > ==> /var/log/dirsrv/slapd-M1/errors <==
> > [20/Nov/2014:19:04:25 +051800] auto-membership-plugin -
> > automember_add_member_value: Unable to add
> > "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group
> > "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).
> > [20/Nov/2014:19:04:25 +051800] auto-membership-plugin -
> > automember_add_member_value: Unable to add
> > "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group
> > "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).
> 
> What is the concern? This seems like the correct result to me.  If there is
> no group, how can we add members to it?
I learnt that, with the backend transaction plug-in, the automembership plugin is expected to reject the add operation. This is working as per design.

Comment 7 errata-xmlrpc 2015-03-05 09:33:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html