Bug 1258611

Summary: dna plugin needs to handle binddn groups for authorization
Product: Red Hat Enterprise Linux 7 Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-baseAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: nkinder, pkundal, rmeggins
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.5.2-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-03 20:35:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Noriko Hosoi 2015-08-31 18:36:34 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48258

The dna plugin uses the replica bind credentials to check if a connecion is allowed to perform the range request operation. 
It checks the bindn in the replica object, but since the introduction of binddn groups a single bind dn may no longer exist.
DNA plugin also needs to evaluate the bindn groupd
Comment 1 Mike McCune 2016-03-28 23:12:48 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 3 Punit Kundal 2016-07-20 11:12:10 UTC 
RHEL:
RHEL 7.3 x86_64 Server

DS builds:
[root@ds ~]# rpm -qa | grep 389-ds-base
389-ds-base-libs-1.3.5.10-5.el7.x86_64
389-ds-base-debuginfo-1.3.5.8-1.el7.x86_64
389-ds-base-1.3.5.10-5.el7.x86_64
389-ds-base-snmp-1.3.5.10-5.el7.x86_64

Steps Performed:
1. Created two standalone DS instances as master1 and master2
 
2. Created a user for replication and added that user as a uniquemember of QA managers group
[root@ds ~]# ldapsearch -xLLL -b 'uid=dnaAdmin,ou=People,dc=example,dc=com' -h localhost -p 389
dn: uid=dnaAdmin,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
uid: dnaAdmin
cn: dnaAdmin
sn: dnaAdmin
 
[root@ds ~]# ldapsearch -xLLL -b 'cn=QA Managers,ou=Groups,dc=example,dc=com' -h localhost -p 389
dn: cn=QA Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager
uniqueMember: uid=dnaAdmin,ou=People,dc=example,dc=com

3. Configured DNA plugin on both instances
 
Below is the DNA plugin configuration entry added on master1
 
[root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 -b 'cn=Account UIDs,cn=Distributed Numeric Assignment          Plugin,cn=plugins,cn=config'
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: dnaPluginConfig
cn: Account UIDs
dnaType: uidNumber
dnaType: gidNumber
dnaFilter: (objectclass=posixAccount)
dnaScope: ou=People,dc=example,dc=com
dnaNextValue: 1
dnaMaxValue: 20
dnaSharedCfgDN: cn=Account UIDs,ou=Ranges,dc=example,dc=com
dnaThreshold: 5
dnaRangeRequestTimeout: 60
dnaMagicRegen: magic
dnaNextRange: 41-50
 
Below is the DNA plugin configuration entry added on master2
 
[root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -b 'cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' -s base
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: dnaPluginConfig
cn: Account UIDs
dnaType: uidNumber
dnaType: gidNumber
dnaFilter: (objectclass=posixAccount)
dnaScope: ou=People,dc=example,dc=com
dnaNextValue: 31
dnaMaxValue: 40
dnaSharedCfgDN: cn=Account UIDs,ou=Ranges,dc=example,dc=com
dnaThreshold: 2
dnaRangeRequestTimeout: 60
dnaMagicRegen: magic

4. Configured a 2x MMR setup by adding the required replication configuration entries on
both masters
 
Below is the replica entry added on master1
 
[root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 -b 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' -s base
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaId: 47
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5replicabinddngroup: cn=QA Managers,ou=Groups,dc=example,dc=com
nsds5replicabinddngroupcheckinterval: 0
nsState:: LwAAAAAAAADhGo9XAAAAAAEAAAAAAAAAAQAAAAAAAAAGAAAAAAAAAA==
nsDS5ReplicaName: 56f33903-4e4111e6-9916cf1e-79691512
nsds5ReplicaChangeCount: 29
nsds5replicareapactive: 0
 
Below is the replica entry added on master2
 
[root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -b 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' -s base
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaId: 48
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5replicabinddngroup: cn=QA Managers,ou=Groups,dc=example,dc=com
nsds5replicabinddngroupcheckinterval: 0
nsState:: MAAAAAAAAADiGo9XAAAAAAAAAAAAAAAAAQAAAAAAAAAFAAAAAAAAAA==
nsDS5ReplicaName: 1f38c102-4e4211e6-9434fc5d-05a4a07c
nsds5ReplicaChangeCount: 28
nsds5replicareapactive: 0
 
 
5. Added 10 users on master2 to exhaust its available range
 
[root@ds ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -f dnaUsers.ldif
adding new entry "uid=testuser1,ou=People,dc=example,dc=com"
 
adding new entry "uid=testuser2,ou=People,dc=example,dc=com"
 
adding new entry "uid=testuser3,ou=People,dc=example,dc=com"
 
adding new entry "uid=testuser4,ou=People,dc=example,dc=com"
 
adding new entry "uid=testuser5,ou=People,dc=example,dc=com"
 
adding new entry "uid=testuser6,ou=People,dc=example,dc=com"
 
adding new entry "uid=testuser7,ou=People,dc=example,dc=com"
 
adding new entry "uid=testuser8,ou=People,dc=example,dc=com"
 
adding new entry "uid=testuser9,ou=People,dc=example,dc=com"
 
adding new entry "uid=testuser10,ou=People,dc=example,dc=com"
 
6. Verified the working of replication and DNA plugin by running an ldapsearch on
master1 as below
 
[root@ds ~]# ldapsearch -xLLL -b 'uid=testuser1,ou=People,dc=example,dc=com' -h localhost -p 389
dn: uid=testuser1,ou=People,dc=example,dc=com
cn: test user1
homeDirectory: /home/testuser1
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
sn: user1
uid: testuser1
uidNumber: 31
gidNumber: 31
 
As can be seen above, the user has been replicated and uidNumber and gidNumber
attributes have been set properly by DNA plugin
 
[root@ds ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389
dn: uid=testuser11,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: testuser11
cn: test user11
sn: user11
uidNumber: magic
gidNumber: magic
homeDirectory: /home/testuser11
adding new entry "uid=testuser11,ou=People,dc=example,dc=com"
 
As can be seen above, the entry was added successfully
 
8. Verified whether new range was transferred properly to master2
 
[root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -b 'cn=Account UIDs,cn=Distributed Numeric Assignment    Plugin,cn=plugins,cn=config' -s base
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: dnaPluginConfig
cn: Account UIDs
dnaType: uidNumber
dnaType: gidNumber
dnaFilter: (objectclass=posixAccount)
dnaScope: ou=People,dc=example,dc=com
dnaNextValue: 47
dnaMaxValue: 50
dnaSharedCfgDN: cn=Account UIDs,ou=Ranges,dc=example,dc=com
dnaThreshold: 2
dnaRangeRequestTimeout: 60
dnaMagicRegen: magic
 
As can be seen above, master2 now has new range of numbers to assign
Comment 5 errata-xmlrpc 2016-11-03 20:35:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html