Bug 1689313

Summary: OPERATIONS ERROR when trying to delete a group with automember members
Product: Red Hat Enterprise Linux 7
Reporter: thierry bordaz <tbordaz>
Component: 389-ds-base
Assignee: thierry bordaz <tbordaz>
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: aadhikar, lkrispen, mreynolds, nkinder, pasik, rmeggins, spichugi, tbordaz, vashirov
Target Milestone: rc   
Target Release: 7.7   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.9.1-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Cause: automember can select a rule even when the target group does not exist.
Consequence: If memberof and automember are enabled, deletion of the target group of an automember rule fails.
Fix: Before selecting an automember rule, check that the target group exists.
Result: Deletion of the target group of an automember rule succeeds.
Last Closed: 2019-08-06 12:59:17 UTC

Description thierry bordaz 2019-03-15 16:06:14 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/50282

#### Issue Description

When trying to delete a group that contains members added through an automember rule, the delete operation fails with OPERATIONS ERROR.


#### Package Version and Platform
Fedora 28
389-ds-base-1.4.0.21-1.fc28.x86_64

#### Steps to reproduce
1. Create a group with `ipa group-add devel`
2. Create an automember rule: all users named developerXX will be added
```
ipa automember-add --type=group developers
ipa automember-add-condition --key=uid --type=group --inclusive-regex=^developer[1-9]+ developers
```
3. Create a user that will be added to the group
```
ipa user-add developer1 --first developer1 --last developer1
```
4. Check that the group contains the user:
```
ipa group-show developers
  Group name: developers
  GID: 796000014
  Member users: developer1
```
5. Delete the group:
```
ipa group-del developers
ipa: ERROR: Operations error: 
```

#### Actual results
ipa group-del fails with OPERATIONS ERROR

#### Expected results
ipa group-del should succeed.

Note that if the group is empty, delete succeeds.

logs:
in `/var/log/dirsrv/slapd-DOMAIN-COM/errors`
```
[14/Mar/2019:10:46:25.258731651 +0100] - ERR - auto-membership-plugin - automember_update_member_value - Unable to add "uid=developer1,cn=users,cn=accounts,dc=domain,dc=com" as a "member" value to group "cn=developers,cn=groups,cn=accounts,dc=domain,dc=com" (No such object).
[14/Mar/2019:10:46:25.261125413 +0100] - ERR - memberof-plugin - memberof_postop_del - Error deleting attr list - dn (cn=developers,cn=groups,cn=accounts,dc=domain,dc=com). Error (1)
```

In `/var/log/dirsrv/slapd-DOMAIN-COM/access`:
```
[14/Mar/2019:10:46:25.249524963 +0100] conn=320 op=7 DEL dn="cn=developers,cn=groups,cn=accounts,dc=domain,dc=com"
[14/Mar/2019:10:46:25.263777768 +0100] conn=320 op=7 RESULT err=1 tag=107 nentries=0 etime=0.0014377961
```
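
To check whether a failed delete on another server matches this report, the two logs can be correlated by group DN. The following is an added example, not part of the original report or of 389-ds-base. It uses the log lines quoted above as input; the function names are hypothetical, and it assumes the message formats are exactly as shown and matches on DN only, not on timestamps.

```python
import re

# Log lines copied from the report above (errors log, then access log).
ERRORS_LOG = '''[14/Mar/2019:10:46:25.258731651 +0100] - ERR - auto-membership-plugin - automember_update_member_value - Unable to add "uid=developer1,cn=users,cn=accounts,dc=domain,dc=com" as a "member" value to group "cn=developers,cn=groups,cn=accounts,dc=domain,dc=com" (No such object).
[14/Mar/2019:10:46:25.261125413 +0100] - ERR - memberof-plugin - memberof_postop_del - Error deleting attr list - dn (cn=developers,cn=groups,cn=accounts,dc=domain,dc=com). Error (1)
'''
ACCESS_LOG = '''[14/Mar/2019:10:46:25.249524963 +0100] conn=320 op=7 DEL dn="cn=developers,cn=groups,cn=accounts,dc=domain,dc=com"
[14/Mar/2019:10:46:25.263777768 +0100] conn=320 op=7 RESULT err=1 tag=107 nentries=0 etime=0.0014377961
'''

DEL_RE = re.compile(r'conn=(\d+) op=(\d+) DEL dn="([^"]+)"')
RES_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
AUTOMEMBER_RE = re.compile(
    r'automember_update_member_value - Unable to add "[^"]+" as a "[^"]+" '
    r'value to group "([^"]+)" \(No such object\)')
MEMBEROF_RE = re.compile(
    r'memberof_postop_del - Error deleting attr list - dn \(([^)]+)\)\. Error \(1\)')


def failed_deletes(access_text):
    """Return {(conn, op): dn} for DEL operations whose RESULT is err=1."""
    pending, failed = {}, {}
    for line in access_text.splitlines():
        m = DEL_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RES_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            if m.group(3) == "1":  # err=1 is OPERATIONS ERROR
                failed[(m.group(1), m.group(2))] = dn
    return failed


def matches_bug_signature(access_text, errors_text):
    """List DNs whose failed DEL coincides with both plugin errors for that DN."""
    automember = {d.lower() for d in AUTOMEMBER_RE.findall(errors_text)}
    memberof = {d.lower() for d in MEMBEROF_RE.findall(errors_text)}
    return sorted(dn for dn in failed_deletes(access_text).values()
                  if dn.lower() in automember and dn.lower() in memberof)


if __name__ == "__main__":
    print(matches_bug_signature(ACCESS_LOG, ERRORS_LOG))
```

A DEL that returns err=1 without both plugin messages for the same DN is not reported, so unrelated operations errors are not attributed to this bug.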

Comment 3 Akshay Adhikari 2019-05-15 11:39:09 UTC
Build Tested: 389-ds-base-1.3.9.1-6.el7.x86_64
              ipa-server-4.6.5-8.el7.x86_64

Steps:

1) Create a group

[root@kvm-01-guest11 ~]# ipa group-add devel

-------------------
Added group "devel"
-------------------
  Group name: devel
  GID: 1081800001

2) Create an automember rule: all users named developerXX will be added

[root@kvm-01-guest11 ~]# ipa automember-add --type=group devel
-----------------------------
Added automember rule "devel"
-----------------------------
  Automember Rule: devel
[root@kvm-01-guest11 ~]# ipa automember-add-condition --key=uid --type=group --inclusive-regex=^developer[1-9]+ devel
-----------------------------
Added condition(s) to "devel"
-----------------------------
  Automember Rule: devel
  Inclusive Regex: uid=^developer[1-9]+
----------------------------
Number of conditions added 1
----------------------------

3) Create a user that will be added to the group

[root@kvm-01-guest11 ~]# ipa user-add developer1 --first developer1 --last developer1
-----------------------
Added user "developer1"
-----------------------
  User login: developer1
  First name: developer1
  Last name: developer1


4) Check that the group contains the user

[root@kvm-01-guest11 ~]# ipa group-show devel
  Group name: devel
  GID: 1081800001
  Member users: developer1

5) Delete the group
[root@kvm-01-guest11 ~]# ipa group-del devel
---------------------
Deleted group "devel"
---------------------

Marking it as VERIFIED.

Comment 5 errata-xmlrpc 2019-08-06 12:59:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2152