Bug 1202062

Summary:	Non tombstone entry which dn starting with "nsuniqueid=...," cannot be deleted
Product:	Red Hat Enterprise Linux 6	Reporter:	Noriko Hosoi <nhosoi>
Component:	389-ds-base	Assignee:	Noriko Hosoi <nhosoi>
Status:	CLOSED ERRATA	QA Contact:	Viktor Ashirov <vashirov>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	6.0	CC:	amsharma, gparente, jgalipea, msauton, nhosoi, nkinder, rmeggins
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	389-ds-base-1.2.11.15-53.el6	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2015-07-22 06:37:02 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Noriko Hosoi 2015-03-14 22:22:10 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48133

Comment 1 Noriko Hosoi 2015-03-14 22:23:57 UTC

Unfortunately, without rebuilding the server with the code change, there is no easy way to verify.

https://fedorahosted.org/389/ticket/48133#comment:1

Dev would verify this bug.

Comment 6 Amita Sharma 2015-06-18 09:54:36 UTC

Thanks Noriko and Rich for steps.

0) [root@dhcp201-138 export]# rpm -qa | grep 389
389-ds-base-1.2.11.15-60.el6.x86_64
389-ds-base-debuginfo-1.2.11.15-60.el6.x86_64
389-admin-1.1.41-1.el6dsrv.x86_64
389-admin-console-doc-1.1.10-2.el6dsrv.noarch
389-console-1.1.8-1.el6dsrv.noarch
389-adminutil-1.1.22-1.el6dsrv.x86_64
389-admin-console-1.1.10-2.el6dsrv.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-ds-1.2.2-1.el6.noarch
389-ds-base-libs-1.2.11.15-60.el6.x86_64
389-ds-console-1.2.12-1.el6dsrv.noarch
389-ds-base-devel-1.2.11.15-60.el6.x86_64
389-ds-console-doc-1.2.12-1.el6dsrv.noarch

1) set up 2 servers with MMR between them

2) disable the replication agreements

[root@dhcp201-138 export]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123  << EOF
dn: cn=mmr,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsds5replicaenabled
nsds5replicaenabled: off
EOF
modifying entry "cn=mmr,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"

[root@dhcp201-138 export]# ldapmodify -x -h localhost -p 3892 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: cn=mmr,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5replicaenabled
> nsds5replicaenabled: off
> EOF
modifying entry "cn=mmr,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"

[root@dhcp201-138 export]# service dirsrv restart
Shutting down dirsrv: 
    dhcp201-138...                                         [  OK  ]
    dhcp201-1382...                                        [  OK  ]
Starting dirsrv: 
    dhcp201-138...                                         [  OK  ]
    dhcp201-1382...                                        [  OK  ]
================================================================================

3) add an entry with the same DN to both servers

[root@dhcp201-138 export]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: uid=amita,ou=people,dc=example,dc=com
> changetype: add
> objectClass: top
> objectClass: person
> objectClass: inetorgperson
> sn: sharma
> cn: amita
> userPassword: redhat
> EOF
adding new entry "uid=amita,ou=people,dc=example,dc=com"

[root@dhcp201-138 export]# ldapmodify -x -h localhost -p 3892 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: uid=amita,ou=people,dc=example,dc=com
> changetype: add
> objectClass: top
> objectClass: person
> objectClass: inetorgperson
> sn: sharma
> cn: amita
> userPassword: redhat
> EOF
adding new entry "uid=amita,ou=people,dc=example,dc=com"

================================================================================
4) enable replication

[root@dhcp201-138 export]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: cn=mmr,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5replicaenabled
> nsds5replicaenabled: on
> EOF
modifying entry "cn=mmr,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"

[root@dhcp201-138 export]# ldapmodify -x -h localhost -p 3892 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: cn=mmr,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5replicaenabled
> nsds5replicaenabled: on
> EOF
modifying entry "cn=mmr,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"

server restarted
================================================================================

You will then see a "nsuniqueid=...+..." entry on both servers, as soon as replication happens, which should be instantaneous - PASSED as below ::

[root@dhcp201-138 export]# ldapsearch -x -h localhost -p 3892 -D "cn=Directory Manager" -w Secret123 -b "ou=people,dc=example,dc=com"

# 7ca67281-159d11e5-a8d5ef8c-37b4b5c0 + amita, People, example.com
dn: nsuniqueid=7ca67281-159d11e5-a8d5ef8c-37b4b5c0+uid=amita,ou=People,dc=exam
 ple,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
sn: sharma
cn: amita
uid: amita
userPassword:: e1NTSEF9UVRyOU5LaXh3YzZUN0Nad0YwUHNvUStqUVpYcHNneGlPVUZrVUE9PQ=
 =

# amita, People, example.com
dn: uid=amita,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
sn: sharma
cn: amita
uid: amita
userPassword:: e1NTSEF9NmdWcDJxd1BDa001SFVHalFWaUxCVVVVSjBXWXY5VFFqbnBNRWc9PQ=
 =

[root@dhcp201-138 export]# ldapsearch -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 -b "ou=people,dc=example,dc=com"

# amita, People, example.com
dn: uid=amita,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
sn: sharma
cn: amita
uid: amita
userPassword:: e1NTSEF9NmdWcDJxd1BDa001SFVHalFWaUxCVVVVSjBXWXY5VFFqbnBNRWc9PQ=
 =

# 7ca67281-159d11e5-a8d5ef8c-37b4b5c0 + amita, People, example.com
dn: nsuniqueid=7ca67281-159d11e5-a8d5ef8c-37b4b5c0+uid=amita,ou=People,dc=exam
 ple,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
sn: sharma
cn: amita
uid: amita
userPassword:: e1NTSEF9UVRyOU5LaXh3YzZUN0Nad0YwUHNvUStqUVpYcHNneGlPVUZrVUE9PQ=
 =

Hence marking as VERIFIED.

Comment 7 Rich Megginson 2015-06-18 13:19:54 UTC

Were you able to successfully delete the entry

dn: nsuniqueid=7ca67281-159d11e5-a8d5ef8c-37b4b5c0+uid=amita,ou=People,dc=example,dc=com

On both servers?

ldapdelete -x -D "cn=directory manager" -w "password" "nsuniqueid=7ca67281-159d11e5-a8d5ef8c-37b4b5c0+uid=amita,ou=People,dc=example,dc=com"

Comment 8 Amita Sharma 2015-06-18 13:33:20 UTC

(In reply to Rich Megginson from comment #7)
> Were you able to successfully delete the entry
> 
> dn:
> nsuniqueid=7ca67281-159d11e5-a8d5ef8c-37b4b5c0+uid=amita,ou=People,
> dc=example,dc=com
> 
> On both servers?
> 
> ldapdelete -x -D "cn=directory manager" -w "password"
> "nsuniqueid=7ca67281-159d11e5-a8d5ef8c-37b4b5c0+uid=amita,ou=People,
> dc=example,dc=com"

yes... This is after deletion ::
[root@dhcp201-138 export]# ldapsearch -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 -b "ou=people,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalunit

# amita, People, example.com
dn: uid=amita,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
sn: sharma
cn: amita
uid: amita
userPassword:: e1NTSEF9NmdWcDJxd1BDa001SFVHalFWaUxCVVVVSjBXWXY5VFFqbnBNRWc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
[root@dhcp201-138 export]# ldapsearch -x -h localhost -p 3892 -D "cn=Directory Manager" -w Secret123 -b "ou=people,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

# amita, People, example.com
dn: uid=amita,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
sn: sharma
cn: amita
uid: amita
userPassword:: e1NTSEF9NmdWcDJxd1BDa001SFVHalFWaUxCVVVVSjBXWXY5VFFqbnBNRWc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Comment 9 errata-xmlrpc 2015-07-22 06:37:02 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1326.html