Bug 1145374

Summary: WinSync - manual replica refresh removes AD-only member values from DS and AD in groups
Product: Red Hat Enterprise Linux 6
Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-base
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: medium
Version: 6.0
CC: jgalipea, nkinder, rmeggins
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.2.11.15-51.el6
Doc Type: Bug Fix
Doc Text:
There was a logic bug in the Windows Sync update code that confused the handling of local and remote entries. The logic bug was fixed, and AD-only member values are no longer accidentally removed by the sync operation.
Last Closed: 2015-07-22 06:35:29 UTC

Description Noriko Hosoi 2014-09-23 00:54:50 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47884

See also tickets #415 and #47464

1. Add groups grp0, grp1, users AD_ONLY and AD_AND_DS to AD:
{{{
ldapadd -c -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldap://win2k8.adrelm.com  << EOF
dn: CN=AD_ONLY,cn=users,dc=adrelm,dc=com
objectClass: top
objectClass: user
cn: AD_ONLY
uid: AD_ONLY
sAMAccountName: AD_ONLY
distinguishedName: CN=AD_ONLY,cn=users,dc=adrelm,dc=com

dn: CN=AD_AND_DS,cn=users,dc=adrelm,dc=com
objectClass: top
objectClass: user
cn: AD_AND_DS
sn: AD_AND_DS
uid: AD_AND_DS
sAMAccountName: AD_AND_DS
distinguishedName: CN=AD_AND_DS,cn=users,dc=adrelm,dc=com

dn: CN=grp0,cn=users,dc=adrelm,dc=com
objectClass: top
objectClass: Group
cn: grp0
distinguishedName: CN=grp0,cn=users,dc=adrelm,dc=com
name: grp0
sAMAccountName: grp0

dn: CN=grp1,cn=users,dc=adrelm,dc=com
objectClass: top
objectClass: Group
cn: grp1
distinguishedName: CN=grp1,cn=users,dc=adrelm,dc=com
name: grp1
sAMAccountName: grp1
EOF
}}}
2. Wait for them to appear in DS
3. Add AD_ONLY as a member of grp0, and AD_ONLY and AD_AND_DS as members of grp1
{{{
ldapmodify -c -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldap://win2k8.adrelm.com  << EOF
dn: CN=grp0,cn=users,DC=adrelm,DC=com
changetype: modify
add: member
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,cn=users,DC=adrelm,DC=com
changetype: modify
add: member
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
EOF
}}}
4. Wait for sync

5. grp0 contains the AD_ONLY member and grp1 contains both the AD_ONLY and AD_AND_DS members, on both DS and AD.
on DS:
{{{
ldapsearch -LLL -H ldap://localhost:1189 -D "cn=Directory Manager" -w Secret123 -x -b dc=passsync,dc=com "(cn=grp*)" uniquemember
dn: cn=grp0,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com

dn: cn=grp1,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_AND_DS,ou=People,dc=passsync,dc=com
}}}
on AD: 
{{{
ldapsearch -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -h win2k8.adrelm.com -b dc=adrelm,dc=com "(cn=grp*)" member
dn: CN=grp0,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
}}}
6. Do manual replica refresh
7. From grp0, the AD_ONLY member is removed on both AD and DS.
From grp1, the AD_ONLY member is removed only on AD; it is still present on DS.

on DS:
{{{
ldapsearch -LLL -H ldap://localhost:1189 -D "cn=Directory Manager" -w Secret123 -x -b dc=passsync,dc=com "(cn=grp*)" uniquemember
dn: cn=grp0,ou=People,dc=passsync,dc=com

dn: cn=grp1,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_AND_DS,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com
}}}
on AD: 
{{{
ldapsearch -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -h win2k8.adrelm.com -b dc=adrelm,dc=com "(cn=grp*)" member
dn: CN=grp0,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
}}}
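
A check for the membership loss described above, added here as an example (it is not code from the bug report or from 389-ds-base): it parses ldapsearch -LLL output captured on DS and on AD before and after the replica refresh and lists the group members that disappeared on each side. The snapshots are constructed from the step 5 and step 7 output above and assume unfolded LDIF lines.

```python
# Added example: compare group membership snapshots (ldapsearch -LLL output)
# taken before and after a WinSync replica refresh and report lost members.

def parse_groups(ldif):
    """{group dn: set of member DNs} from ldapsearch -LLL output (unfolded lines)."""
    groups, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            groups[dn] = set()
        elif dn and line.lower().startswith(("member: ", "uniquemember: ")):
            groups[dn].add(line.split(": ", 1)[1].strip())
    return groups

def rdn(dn):
    """Lower-cased first RDN value: 'uid=AD_ONLY,...' and 'CN=AD_ONLY,...' both give 'ad_only'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()

def lost_members(before, after):
    """{group rdn: member rdns present before the refresh but gone afterwards}."""
    after_groups, lost = parse_groups(after), {}
    for dn, members in parse_groups(before).items():
        missing = members - after_groups.get(dn, set())
        if missing:
            lost[rdn(dn)] = {rdn(m) for m in missing}
    return lost

# Snapshots constructed from the report's step 5 (before) and step 7 (after) output.
DS_BEFORE = """dn: cn=grp0,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com

dn: cn=grp1,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_AND_DS,ou=People,dc=passsync,dc=com"""
DS_AFTER = """dn: cn=grp0,ou=People,dc=passsync,dc=com

dn: cn=grp1,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_AND_DS,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com"""
AD_BEFORE = """dn: CN=grp0,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com"""
AD_AFTER = """dn: CN=grp0,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com"""
```

Running lost_members on each side's pair reproduces the report: DS loses AD_ONLY from grp0 only, while AD loses it from both groups; an empty result after the fixed build means the refresh kept every member.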

Comment 2 Viktor Ashirov 2015-04-12 15:03:43 UTC
Build tested: 
389-ds-base-1.2.11.15-53.el6.x86_64

[1] Add groups grp0, grp1, users AD_ONLY and AD_AND_DS to AD:
$ ldapadd -c -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldap://win2k8.adrelm.com  << EOF
> dn: CN=AD_ONLY,cn=users,dc=adrelm,dc=com
> objectClass: top
> objectClass: user
> cn: AD_ONLY
> uid: AD_ONLY
> sAMAccountName: AD_ONLY
> distinguishedName: CN=AD_ONLY,cn=users,dc=adrelm,dc=com
> 
> dn: CN=AD_AND_DS,cn=users,dc=adrelm,dc=com
> objectClass: top
> objectClass: user
> cn: AD_AND_DS
> sn: AD_AND_DS
> uid: AD_AND_DS
> sAMAccountName: AD_AND_DS
> distinguishedName: CN=AD_AND_DS,cn=users,dc=adrelm,dc=com
> 
> dn: CN=grp0,cn=users,dc=adrelm,dc=com
> objectClass: top
> objectClass: Group
> cn: grp0
> distinguishedName: CN=grp0,cn=users,dc=adrelm,dc=com
> name: grp0
> sAMAccountName: grp0
> 
> dn: CN=grp1,cn=users,dc=adrelm,dc=com
> objectClass: top
> objectClass: Group
> cn: grp1
> distinguishedName: CN=grp1,cn=users,dc=adrelm,dc=com
> name: grp1
> sAMAccountName: grp1
> EOF
adding new entry "CN=AD_ONLY,cn=users,dc=adrelm,dc=com"

adding new entry "CN=AD_AND_DS,cn=users,dc=adrelm,dc=com"

adding new entry "CN=grp0,cn=users,dc=adrelm,dc=com"

adding new entry "CN=grp1,cn=users,dc=adrelm,dc=com"

[2] Wait for them to appear in DS

[3] Add AD_ONLY as a member of grp0, and AD_ONLY and AD_AND_DS as members of grp1
$ ldapmodify -c -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldap://win2k8.adrelm.com  << EOF
> dn: CN=grp0,cn=users,DC=adrelm,DC=com
> changetype: modify
> add: member
> member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
> 
> dn: CN=grp1,cn=users,DC=adrelm,DC=com
> changetype: modify
> add: member
> member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
> member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
> EOF
modifying entry "CN=grp0,cn=users,DC=adrelm,DC=com"

modifying entry "CN=grp1,cn=users,DC=adrelm,DC=com"

[4] Wait for sync

[5] grp0 contains the AD_ONLY member and grp1 contains both the AD_ONLY and AD_AND_DS members, on both DS and AD.
on DS:
$ ldapsearch -LLL -H ldap://localhost:1189 -D "cn=Directory Manager" -w Secret123 -x -b dc=example,dc=com "(cn=grp*)" uniquemember
dn: cn=grp0,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com

dn: cn=grp1,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_AND_DS,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com

on AD:
$ ldapsearch -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -h win2k8.adrelm.com -b dc=adrelm,dc=com "(cn=grp*)" member
dn: CN=grp0,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

[6] Do manual replica refresh

[7] All members are in place: 
On DS:
$ ldapsearch -LLL -H ldap://localhost:1189 -D "cn=Directory Manager" -w Secret123 -x -b dc=example,dc=com "(cn=grp*)" uniquemember
dn: cn=grp0,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com

dn: cn=grp1,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_AND_DS,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com

On AD:
$ ldapsearch -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -h win2k8.adrelm.com -b dc=adrelm,dc=com "(cn=grp*)" member
dn: CN=grp0,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

Marking as VERIFIED

Comment 3 errata-xmlrpc 2015-07-22 06:35:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1326.html