Bug 1258611
Summary: | dna plugin needs to handle binddn groups for authorization | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Noriko Hosoi <nhosoi> |
Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.0 | CC: | nkinder, pkundal, rmeggins |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | 389-ds-base-1.3.5.2-1.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-11-03 20:35:53 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Noriko Hosoi
2015-08-31 18:36:34 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions RHEL: RHEL 7.3 x86_64 Server DS builds: [root@ds ~]# rpm -qa | grep 389-ds-base 389-ds-base-libs-1.3.5.10-5.el7.x86_64 389-ds-base-debuginfo-1.3.5.8-1.el7.x86_64 389-ds-base-1.3.5.10-5.el7.x86_64 389-ds-base-snmp-1.3.5.10-5.el7.x86_64 Steps Performed: 1. Created two standalone DS instances as master1 and master2 2. Created a user for replication and added that user as a uniquemember of QA managers group [root@ds ~]# ldapsearch -xLLL -b 'uid=dnaAdmin,ou=People,dc=example,dc=com' -h localhost -p 389 dn: uid=dnaAdmin,ou=People,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: organizationalPerson uid: dnaAdmin cn: dnaAdmin sn: dnaAdmin [root@ds ~]# ldapsearch -xLLL -b 'cn=QA Managers,ou=Groups,dc=example,dc=com' -h localhost -p 389 dn: cn=QA Managers,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: QA Managers ou: groups description: People who can manage QA entries uniqueMember: cn=Directory Manager uniqueMember: uid=dnaAdmin,ou=People,dc=example,dc=com 3. Configured DNA plugin on both instances Below is the DNA plugin configuration entry added on master1 [root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 -b 'cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: dnaPluginConfig cn: Account UIDs dnaType: uidNumber dnaType: gidNumber dnaFilter: (objectclass=posixAccount) dnaScope: ou=People,dc=example,dc=com dnaNextValue: 1 dnaMaxValue: 20 dnaSharedCfgDN: cn=Account UIDs,ou=Ranges,dc=example,dc=com dnaThreshold: 5 dnaRangeRequestTimeout: 60 dnaMagicRegen: magic dnaNextRange: 41-50 Below is the DNA plugin configuration entry added on master2 [root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -b 'cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' -s base dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: dnaPluginConfig cn: Account UIDs dnaType: uidNumber dnaType: gidNumber dnaFilter: (objectclass=posixAccount) dnaScope: ou=People,dc=example,dc=com dnaNextValue: 31 dnaMaxValue: 40 dnaSharedCfgDN: cn=Account UIDs,ou=Ranges,dc=example,dc=com dnaThreshold: 2 dnaRangeRequestTimeout: 60 dnaMagicRegen: magic 4. Configured a 2x MMR setup by adding the required replication configuration entries on both masters Below is the replica entry added on master1 [root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 -b 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' -s base dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replica objectClass: extensibleObject cn: replica nsDS5ReplicaRoot: dc=example,dc=com nsDS5ReplicaId: 47 nsDS5ReplicaType: 3 nsDS5Flags: 1 nsds5ReplicaPurgeDelay: 604800 nsds5replicabinddngroup: cn=QA Managers,ou=Groups,dc=example,dc=com nsds5replicabinddngroupcheckinterval: 0 nsState:: LwAAAAAAAADhGo9XAAAAAAEAAAAAAAAAAQAAAAAAAAAGAAAAAAAAAA== nsDS5ReplicaName: 56f33903-4e4111e6-9916cf1e-79691512 nsds5ReplicaChangeCount: 29 nsds5replicareapactive: 0 Below is the replica entry added on master2 [root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -b 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' -s base dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replica objectClass: extensibleObject cn: replica nsDS5ReplicaRoot: dc=example,dc=com nsDS5ReplicaId: 48 nsDS5ReplicaType: 3 nsDS5Flags: 1 nsds5ReplicaPurgeDelay: 604800 nsds5replicabinddngroup: cn=QA Managers,ou=Groups,dc=example,dc=com nsds5replicabinddngroupcheckinterval: 0 nsState:: MAAAAAAAAADiGo9XAAAAAAAAAAAAAAAAAQAAAAAAAAAFAAAAAAAAAA== nsDS5ReplicaName: 1f38c102-4e4211e6-9434fc5d-05a4a07c nsds5ReplicaChangeCount: 28 nsds5replicareapactive: 0 5. Added 10 users on master2 to exhaust its available range [root@ds ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -f dnaUsers.ldif adding new entry "uid=testuser1,ou=People,dc=example,dc=com" adding new entry "uid=testuser2,ou=People,dc=example,dc=com" adding new entry "uid=testuser3,ou=People,dc=example,dc=com" adding new entry "uid=testuser4,ou=People,dc=example,dc=com" adding new entry "uid=testuser5,ou=People,dc=example,dc=com" adding new entry "uid=testuser6,ou=People,dc=example,dc=com" adding new entry "uid=testuser7,ou=People,dc=example,dc=com" adding new entry "uid=testuser8,ou=People,dc=example,dc=com" adding new entry "uid=testuser9,ou=People,dc=example,dc=com" adding new entry "uid=testuser10,ou=People,dc=example,dc=com" 6. Verified the working of replication and DNA plugin by running an ldapsearch on master1 as below [root@ds ~]# ldapsearch -xLLL -b 'uid=testuser1,ou=People,dc=example,dc=com' -h localhost -p 389 dn: uid=testuser1,ou=People,dc=example,dc=com cn: test user1 homeDirectory: /home/testuser1 objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: posixAccount objectClass: organizationalPerson sn: user1 uid: testuser1 uidNumber: 31 gidNumber: 31 As can be seen above, the user has been replicated and uidNumber and gidNumber attributes have been set properly by DNA plugin [root@ds ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 dn: uid=testuser11,ou=People,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: posixAccount uid: testuser11 cn: test user11 sn: user11 uidNumber: magic gidNumber: magic homeDirectory: /home/testuser11 adding new entry "uid=testuser11,ou=People,dc=example,dc=com" As can be seen above, the entry was added successfully 8. Verified whether new range was transferred properly to master2 [root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -b 'cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' -s base dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: dnaPluginConfig cn: Account UIDs dnaType: uidNumber dnaType: gidNumber dnaFilter: (objectclass=posixAccount) dnaScope: ou=People,dc=example,dc=com dnaNextValue: 47 dnaMaxValue: 50 dnaSharedCfgDN: cn=Account UIDs,ou=Ranges,dc=example,dc=com dnaThreshold: 2 dnaRangeRequestTimeout: 60 dnaMagicRegen: magic As can be seen above, master2 now has new range of numbers to assign Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2594.html |