Bug 1304682
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | "stale" automember rule (associated to a removed group) causes discrepancies in the database | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Michele Casaburo <mcasabur> |
| Component | 389-ds-base | Assignee | Noriko Hosoi <nhosoi> |
| Status | CLOSED ERRATA | QA Contact | Viktor Ashirov <vashirov> |
| Severity | high | Docs Contact | Petr Bokoc <pbokoc> |
| Priority | unspecified | | |
| Version | 7.3 | CC | aglotov, gparente, mreynolds, nkinder, pbokoc, pvoborni, rcritten, rmeggins, spichugi, tbordaz |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | 389-ds-base-1.3.5.9-1.el7 | Doc Type | Bug Fix |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2016-11-03 20:39:26 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |

Doc Text:

Entries rejected by multiple plug-ins no longer show up in searches

Previously, when an entry was rejected by multiple back end transaction plug-ins (for example, *Auto Membership* or *Managed Entry*) at the same time, the entry cache was left in an inconsistent state. This allowed a search to return the entry even though it was not added. With this update, the entry cache which stores the Distinguished Name (DN) of the entry is properly cleaned up when an "add" operation fails, and rejected entries are no longer returned by "ldapsearch".
Description
Michele Casaburo
2016-02-04 10:53:22 UTC
- The following entry can be found with a search base or subtree but only with filter 'objectclass=*':

    dn: uid=test5_auto,cn=users,cn=accounts,dc=example1,dc=com
    nscpentrywsi: dn: uid=test5_auto,cn=users,cn=accounts,dc=example1,dc=com
    nscpentrywsi: displayName: test test
    nscpentrywsi: uid: test5_auto
    nscpentrywsi: objectClass: ipaobject
    nscpentrywsi: objectClass: person
    nscpentrywsi: objectClass: top
    nscpentrywsi: objectClass: ipasshuser
    nscpentrywsi: objectClass: inetorgperson
    nscpentrywsi: objectClass: organizationalperson
    nscpentrywsi: objectClass: krbticketpolicyaux
    nscpentrywsi: objectClass: krbprincipalaux
    nscpentrywsi: objectClass: inetuser
    nscpentrywsi: objectClass: posixaccount
    nscpentrywsi: objectClass: ipaSshGroupOfPubKeys
    nscpentrywsi: objectClass: mepOriginEntry
    nscpentrywsi: loginShell: /bin/sh
    nscpentrywsi: initials: tt
    nscpentrywsi: gecos: test test
    nscpentrywsi: sn: test
    nscpentrywsi: homeDirectory: /home/test5_auto
    nscpentrywsi: mail: test5_auto
    nscpentrywsi: krbPrincipalName: test5_auto
    nscpentrywsi: givenName: test
    nscpentrywsi: cn: test test
    nscpentrywsi: creatorsName: uid=admin,cn=users,cn=accounts,dc=example1,dc=com
    nscpentrywsi: modifiersName: cn=Managed Entries,cn=plugins,cn=config
    nscpentrywsi: createTimestamp: 20160204085642Z
    nscpentrywsi: modifyTimestamp: 20160204085642Z
    nscpentrywsi: nsUniqueId: 2b8fc285-cb1d11e5-99a8a95a-3981a25f
    nscpentrywsi: ipaUniqueID: 3645a73a-cb1d-11e5-ae9b-525400930e50
    nscpentrywsi: parentid: 3
    nscpentrywsi: entryid: 426
    nscpentrywsi: uidNumber: 1826600008
    nscpentrywsi: gidNumber: 1826600008
    nscpentrywsi: entryusn: 9483
    nscpentrywsi: mepManagedEntry: cn=test5_auto,cn=groups,cn=accounts,dc=example1,dc=com

- The entry does not exist in the id2entry database and none of its attributes has been indexed.

- The updates that created that entry were:

    [04/Feb/2016:09:56:42 +0100] conn=6 op=8 ADD dn="uid=test5_auto,cn=users,cn=accounts,dc=example1,dc=com"
    [04/Feb/2016:09:56:42 +0100] conn=6 op=8 RESULT err=53 tag=105 nentries=0 etime=0

  err=53 LDAP_NO_OBJECT_CLASS_MODS

  Along with automember/mep logs:

    [04/Feb/2016:09:56:42 +0100] auto-membership-plugin - automember_add_member_value: Unable to add "uid=test5_auto,cn=users,cn=accounts,dc=example1,dc=com" as a "member" value to group "cn=aumember_group,cn=groups,cn=accounts,dc=example1,dc=com" (No such object).
    [04/Feb/2016:09:56:42 +0100] auto-membership-plugin - automember_add_member_value: Unable to add "uid=test5_auto,cn=users,cn=accounts,dc=example1,dc=com" as a "member" value to group "cn=aumember_group,cn=groups,cn=accounts,dc=example1,dc=com" (No such object).
    [04/Feb/2016:09:56:42 +0100] managed-entries-plugin - mep_add_managed_entry: Unable to add managed entry "cn=test5_auto,cn=groups,cn=accounts,dc=example1,dc=com" for origin entry "uid=test5_auto,cn=users,cn=accounts,dc=example1,dc=com" (Already exists).

In conclusion: it looks like the entry failed to be added in the DB/index but was not flushed from the entry cache.

The possible reasons for the failure to ADD are:

- a configuration issue of automember, because "cn=aumember_group,cn=groups,cn=accounts,dc=example1,dc=com" does not exist
- a schema issue where automember seems to be unable to add the "member" attribute

The fact that the entry is in the entry cache but not in the store is a bug.

Upstream ticket: https://fedorahosted.org/389/ticket/48637

The automember plugin is behaving as expected, but the issue with the entry being returned by a search after it was NOT added has been fixed upstream.
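An added example, not code from the bug report or from 389-ds-base, of the first diagnostic step the reporter walks through: pair each ADD in the access log with the RESULT line carrying the same conn/op, list the DNs of rejected adds, and for each one generate the two searches that separate a real entry from a ghost: an unindexed base search with (objectclass=*), which the reporter found still returns the entry, and a subtree search with an equality filter on the entry's own RDN, whose candidates come from an attribute index the rejected add never reached. The log lines are constructed to match the format quoted above; the LDAP URL and bind DN in the generated commands are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the 389-ds access-log format quoted in the report
# (not copied from a real server). Only op=8 is a rejected ADD.
SAMPLE_ACCESS_LOG = """\
[04/Feb/2016:09:56:40 +0100] conn=6 op=7 ADD dn="uid=test4_auto,cn=users,cn=accounts,dc=example1,dc=com"
[04/Feb/2016:09:56:40 +0100] conn=6 op=7 RESULT err=0 tag=105 nentries=0 etime=0
[04/Feb/2016:09:56:42 +0100] conn=6 op=8 ADD dn="uid=test5_auto,cn=users,cn=accounts,dc=example1,dc=com"
[04/Feb/2016:09:56:42 +0100] conn=6 op=8 RESULT err=53 tag=105 nentries=0 etime=0
[04/Feb/2016:09:56:43 +0100] conn=6 op=9 SRCH base="cn=users,cn=accounts,dc=example1,dc=com" scope=2 filter="(uid=test5_auto)" attrs=ALL
[04/Feb/2016:09:56:43 +0100] conn=6 op=9 RESULT err=0 tag=101 nentries=0 etime=0
"""

# A few RFC 4511 result codes, for readable output.
LDAP_RESULT_NAMES = {
    0: "success", 32: "noSuchObject", 53: "unwillingToPerform",
    65: "objectClassViolation", 68: "entryAlreadyExists",
}

ADD_RE = re.compile(r'conn=(\d+) op=(\d+) ADD dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
RDN_RE = re.compile(r'^([^=,]+)=((?:\\.|[^,\\])*)')  # first RDN, honouring \, escapes


@dataclass(frozen=True)
class FailedAdd:
    conn: int
    op: int
    dn: str
    err: int  # -1 when the log holds the ADD but no RESULT for it (truncated log)

    @property
    def err_name(self):
        return LDAP_RESULT_NAMES.get(self.err, "unknown")


def find_failed_adds(log_text):
    """Pair every ADD with the RESULT of the same (conn, op); keep non-zero err."""
    pending = {}
    failed = []
    for line in log_text.splitlines():
        m = ADD_RE.search(line)
        if m:
            pending[(int(m.group(1)), int(m.group(2)))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            dn = pending.pop(key, None)  # None for non-ADD operations (SRCH, MOD, ...)
            if dn is not None and int(m.group(3)) != 0:
                failed.append(FailedAdd(key[0], key[1], dn, int(m.group(3))))
    # Whatever is still pending never got a RESULT line; report it as unresolved.
    for (conn, op), dn in sorted(pending.items()):
        failed.append(FailedAdd(conn, op, dn, -1))
    return failed


def split_dn(dn):
    """Return (rdn_attr, rdn_value, parent_dn); the value is DN-unescaped."""
    m = RDN_RE.match(dn)
    if not m:
        raise ValueError("cannot parse RDN of %r" % dn)
    value = re.sub(r'\\(.)', r'\1', m.group(2))  # undo simple DN escapes such as \,
    return m.group(1).strip(), value, dn[m.end():].lstrip(",").strip()


def rdn_filter(dn):
    """Equality filter on the entry's own RDN, RFC 4515-escaped, e.g. '(uid=test5_auto)'."""
    attr, value, _parent = split_dn(dn)
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29")):
        value = value.replace(ch, esc)
    return "(%s=%s)" % (attr, value)


def ghost_candidates(presence_hits, indexed_hits):
    """DNs the (objectclass=*) search returned but the RDN equality search did not."""
    return sorted(set(presence_hits) - set(indexed_hits))


def verification_commands(dn, url="ldap://localhost", binddn="cn=Directory Manager"):
    """The two ldapsearch invocations to run per suspect DN (url and binddn are assumed).
    On a healthy server both return the entry; for a ghost only the first one does."""
    _attr, _value, parent = split_dn(dn)
    return [
        'ldapsearch -LLL -H %s -x -D "%s" -W -b "%s" -s base "(objectclass=*)" 1.1'
        % (url, binddn, dn),
        'ldapsearch -LLL -H %s -x -D "%s" -W -b "%s" -s sub "%s" 1.1'
        % (url, binddn, parent, rdn_filter(dn)),
    ]


if __name__ == "__main__":
    for f in find_failed_adds(SAMPLE_ACCESS_LOG):
        print("conn=%d op=%d err=%d (%s) dn=%s" % (f.conn, f.op, f.err, f.err_name, f.dn))
        for cmd in verification_commands(f.dn):
            print("  " + cmd)
```

Feed the DN lists returned by the two searches to ghost_candidates; any DN that survives is an entry the server is serving from its cache that never made it into id2entry, exactly the state the report describes.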
Build tested: 389-ds-base-1.3.5.10-3.el7.x86_64

    ============================= test session starts =============================
    platform linux2 -- Python 2.7.5, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 -- /usr/bin/python
    cachedir: dirsrvtests/tests/tickets/.cache
    rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/tickets, inifile:
    plugins: html-1.9.0, cov-2.3.0
    collected 1 items

    dirsrvtests/tests/tickets/ticket48637_test.py::test_ticket48637 PASSED

    ========================== 1 passed in 25.56 seconds ==========================

Marking as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html