Bug 1141335

Summary: Update RI config for plugin version shipped in DS 1.3.3.2
Product: [Fedora] Fedora Reporter: Petr Viktorin (pviktori) <pviktori>
Component: freeipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: abokovoy, mkosek, pviktori, pvoborni, rcritten, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: freeipa-4.0.3-1.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-27 09:56:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Viktorin (pviktori) 2014-09-12 17:54:11 UTC 
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4537


After upgrade to 389-ds-base 1.3.3.2, Referential Integrity plugin no longer works:

# ipa user-add --first=Foo --last=Bar --manager admin fbar

# ipa user-add --first=Foo --last=Bar --manager fbar fbar2
------------------
Added user "fbar2"
------------------
...
  Manager: uid=fbar,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
...

# ipa user-del fbar
-------------------
Deleted user "fbar"
-------------------

# ipa user-show fbar2 --all
  dn: uid=fbar2,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
...
  Manager: fbar   <<<<
...

This is caused by changed RI plugin which no longer expects RI attributes by nsslapd-pluginargX bur rather in referint-membership-attr:

# ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w Secret123 -b
'cn=referential integrity postoperation,cn=plugins,cn=config'
# extended LDIF
#
# LDAPv3
# base <cn=referential integrity postoperation,cn=plugins,cn=config> with scope
subtree
# filter: (objectclass=*)
# requesting: ALL
#

# referential integrity postoperation, plugins, config
dn: cn=referential integrity postoperation,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: referential integrity postoperation
nsslapd-pluginPath: libreferint-plugin
nsslapd-pluginInitfunc: referint_postop_init
nsslapd-pluginType: betxnpostoperation
nsslapd-pluginEnabled: on
nsslapd-pluginprecedence: 40
referint-update-delay: 0
referint-logfile: /var/log/dirsrv/slapd-MKOSEK-FEDORA20-TEST/referint
referint-logchanges: 0
referint-membership-attr: member
referint-membership-attr: uniquemember
referint-membership-attr: owner
referint-membership-attr: seeAlso
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: referint
nsslapd-pluginVersion: 1.3.3.2.a1
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: referential integrity plugin
nsslapd-pluginarg7: manager
nsslapd-pluginarg8: secretary
nsslapd-pluginarg9: memberuser
nsslapd-pluginarg10: memberhost
nsslapd-pluginarg11: sourcehost
nsslapd-pluginarg12: memberservice
nsslapd-pluginarg13: managedby
nsslapd-pluginarg14: memberallowcmd
nsslapd-pluginarg15: memberdenycmd
nsslapd-pluginarg16: ipasudorunas
nsslapd-pluginarg17: ipasudorunasgroup
nsslapd-pluginentryscope: dc=mkosek-fedora20,dc=test
nsslapd-plugincontainerscope: dc=mkosek-fedora20,dc=test
nsslapd-pluginarg18: ipatokenradiusconfiglink

# search result
search: 2
result: 0 Success

# numResponses: 2
Comment 1 Petr Viktorin (pviktori) 2014-09-15 07:43:50 UTC 
Fixed in upstream 4.0.3
Comment 2 Martin Kosek 2014-09-15 07:51:17 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4537
Comment 3 Fedora Update System 2014-09-15 13:25:52 UTC 
python-qrcode-5.0.1-1.fc21, freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-1.fc21,freeipa-4.0.3-1.fc21
Comment 4 Fedora Update System 2014-09-18 16:12:31 UTC 
Package freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.0.3-1.fc21 389-ds-base-1.3.3.3-1.fc21 python-qrcode-5.0.1-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-2.fc21,freeipa-4.0.3-1.fc21
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2014-09-27 09:56:49 UTC 
freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.