Bug 1145374
Summary: | WinSync - manual replica refresh removes AD-only member values from DS and AD in groups | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Noriko Hosoi <nhosoi>
Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi>
Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 6.0 | CC: | jgalipea, nkinder, rmeggins
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | 389-ds-base-1.2.11.15-51.el6 | Doc Type: | Bug Fix
Doc Text: | There was a logic bug in the Windows sync update code which confused the handling of local and remote entries. The logic bug has been fixed, and AD-only member values are no longer accidentally removed by the sync operation. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2015-07-22 06:35:29 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Noriko Hosoi
2014-09-23 00:54:50 UTC
Build tested: 389-ds-base-1.2.11.15-53.el6.x86_64

[1] Add groups grp0, grp1, users AD_ONLY and AD_AND_DS to AD:

```
$ ldapadd -c -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com << EOF
> dn: CN=AD_ONLY,cn=users,dc=adrelm,dc=com
> objectClass: top
> objectClass: user
> cn: AD_ONLY
> uid: AD_ONLY
> sAMAccountName: AD_ONLY
> distinguishedName: CN=AD_ONLY,cn=users,dc=adrelm,dc=com
>
> dn: CN=AD_AND_DS,cn=users,dc=adrelm,dc=com
> objectClass: top
> objectClass: user
> cn: AD_AND_DS
> sn: AD_AND_DS
> uid: AD_AND_DS
> sAMAccountName: AD_AND_DS
> distinguishedName: CN=AD_AND_DS,cn=users,dc=adrelm,dc=com
>
> dn: CN=grp0,cn=users,dc=adrelm,dc=com
> objectClass: top
> objectClass: Group
> cn: grp0
> distinguishedName: CN=grp0,cn=users,dc=adrelm,dc=com
> name: grp0
> sAMAccountName: grp0
>
> dn: CN=grp1,cn=users,dc=adrelm,dc=com
> objectClass: top
> objectClass: Group
> cn: grp1
> distinguishedName: CN=grp1,cn=users,dc=adrelm,dc=com
> name: grp1
> sAMAccountName: grp1
> EOF
adding new entry "CN=AD_ONLY,cn=users,dc=adrelm,dc=com"
adding new entry "CN=AD_AND_DS,cn=users,dc=adrelm,dc=com"
adding new entry "CN=grp0,cn=users,dc=adrelm,dc=com"
adding new entry "CN=grp1,cn=users,dc=adrelm,dc=com"
```

[2] Wait for them to appear in DS

[3] Add new AD_ONLY member to grp0, AD_ONLY and AD_AND_DS member to grp1

```
$ ldapmodify -c -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com << EOF
> dn: CN=grp0,cn=users,DC=adrelm,DC=com
> changetype: modify
> add: member
> member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
>
> dn: CN=grp1,cn=users,DC=adrelm,DC=com
> changetype: modify
> add: member
> member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
> member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
> EOF
modifying entry "CN=grp0,cn=users,DC=adrelm,DC=com"
modifying entry "CN=grp1,cn=users,DC=adrelm,DC=com"
```

[4] Wait for sync

[5] grp0 contains AD_ONLY member, grp1 contains both AD_ONLY and AD_AND_DS members, both on DS and AD.

on DS:

```
$ ldapsearch -LLL -H ldap://localhost:1189 -D "cn=Directory Manager" -w Secret123 -x -b dc=example,dc=com "(cn=grp*)" uniquemember
dn: cn=grp0,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com

dn: cn=grp1,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_AND_DS,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com
```

on AD:

```
$ ldapsearch -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -h win2k8.adrelm.com -b dc=adrelm,dc=com "(cn=grp*)" member
dn: CN=grp0,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
```

[6] Do manual replica refresh

[7] All members are in place:

On DS:

```
$ ldapsearch -LLL -H ldap://localhost:1189 -D "cn=Directory Manager" -w Secret123 -x -b dc=example,dc=com "(cn=grp*)" uniquemember
dn: cn=grp0,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com

dn: cn=grp1,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_AND_DS,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com
```

On AD:

```
$ ldapsearch -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -h win2k8.adrelm.com -b dc=adrelm,dc=com "(cn=grp*)" member
dn: CN=grp0,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
```

Marking as VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1326.html
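The verification steps above compare the two directories by eye. As an added example (not 389-ds-base code or part of the bug report), the script below automates that check: it parses `ldapsearch -LLL` snapshots from DS (`uniquemember`) and AD (`member`), maps AD member DNs onto the DS DNs WinSync creates, and reports members lost across a refresh or out of sync between the two sides. The snapshot strings are constructed from the output shown in the report, and the `uid=<cn>,ou=dswinsync,dc=example,dc=com` mapping is an assumption taken from that output.

```python
# Added example (not 389-ds-base code): compare WinSync group-membership snapshots
# before/after a manual replica refresh and between DS and AD. The snapshot strings
# below are constructed, modelled on the ldapsearch -LLL output in the bug report.
import re
DS_BEFORE = """\
dn: cn=grp0,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com

dn: cn=grp1,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_AND_DS,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com
"""
AD_BEFORE = """\
dn: CN=grp0,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
"""
# Constructed "after" snapshot reproducing the pre-fix failure: AD_ONLY dropped.
DS_AFTER_BROKEN = """\
dn: cn=grp0,ou=dswinsync,dc=example,dc=com

dn: cn=grp1,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_AND_DS,ou=dswinsync,dc=example,dc=com
"""
def parse_groups(ldif, member_attr):
    # Return {group cn (lowercased): set of member DNs} from -LLL output.
    groups, cn = {}, None
    for line in ldif.splitlines():
        if line.lower().startswith("dn: "):
            cn = re.match(r"dn: cn=([^,]+)", line, re.I).group(1).lower()
            groups[cn] = set()
        elif cn and line.lower().startswith(member_attr.lower() + ": "):
            groups[cn].add(line.split(": ", 1)[1])
    return groups

def ad_to_ds_dn(ad_dn, ds_suffix="ou=dswinsync,dc=example,dc=com"):
    # Assumed mapping: CN=<name>,CN=Users,... becomes uid=<name>,<sync subtree>.
    return "uid=%s,%s" % (re.match(r"cn=([^,]+)", ad_dn, re.I).group(1), ds_suffix)

def lost_members(before, after):
    # Members a group had before the refresh that are missing afterwards.
    return {g: m - after.get(g, set()) for g, m in before.items() if m - after.get(g, set())}

def ds_ad_mismatch(ds_groups, ad_groups):
    # Groups whose DS uniquemember set differs from the AD member set, after mapping.
    mapped = {g: {ad_to_ds_dn(m) for m in ms} for g, ms in ad_groups.items()}
    return {g for g in set(ds_groups) | set(mapped) if ds_groups.get(g, set()) != mapped.get(g, set())}
```

Running `lost_members` on snapshots taken before and after the refresh, and `ds_ad_mismatch` on the post-refresh DS and AD snapshots, gives an empty result on a fixed build and names the affected groups on a build with the bug.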