Bug 1822287
| Field | Value |
|---|---|
| Summary | syncrepl_entry callback does not contain attributes added by postoperation plugins |
| Product | Red Hat Enterprise Linux 8 |
| Component | 389-ds-base |
| Version | 8.1 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Florence Blanc-Renaud <frenaud> |
| Assignee | mreynolds |
| QA Contact | RHDS QE <ds-qe-bugs> |
| CC | mreynolds, pasik, sgouvern, spichugi, tbordaz, vashirov |
| Target Milestone | rc |
| Target Release | 8.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | 389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2020-11-04 03:07:52 UTC |
| Type | Bug |

Description
Florence Blanc-Renaud
2020-04-08 16:47:48 UTC
Created attachment 1677303
python test script

I'm trying to reproduce this, but I miss the sid attribute, if I do

```
ipa group-mod group3 --desc descciptiong3
-----------------------
Modified group "group3"
-----------------------
  Group name: group3
  Description: descciptiong3
  GID: 131600004
```

I don't see any ntsec attribute

```
dn: cn=group3,cn=groups,cn=accounts,dc=dom,dc=ludwig
cn: group3
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
creatorsName: uid=admin,cn=users,cn=accounts,dc=dom,dc=ludwig
modifiersName: uid=admin,cn=users,cn=accounts,dc=dom,dc=ludwig
createTimestamp: 20200414093625Z
modifyTimestamp: 20200414103818Z
nsUniqueId: 599b4001-7e3311ea-bc5ef573-49389224
ipaUniqueID: 68f5149a-7e33-11ea-8ac2-fa163e0f27a1
parentid: 4
entryid: 475
gidNumber: 131600004
entryusn: 1550
description: descciptiong3
entrydn: cn=group3,cn=groups,cn=accounts,dc=dom,dc=ludwig
```

so what am I missing ?

Hi Ludwig, sorry, I forgot to mention that ipaNTSecurityIdentifier is an attribute added by the sidgen plugin, and that plugin is enabled when ipa-adtrust-install is run with the option to add sids (ipa-adtrust-install --add-sids).

thanks, after installing this I now see:

```
syncrepl_entry dn cn=g7,cn=groups,cn=accounts,dc=dom,dc=ludwig
syncrepl_entry attrs {'cn': [b'g7'], 'objectClass': [b'top', b'groupofnames', b'nestedgroup', b'ipausergroup', b'ipaobject', b'posixgroup'], 'ipaUniqueID': [b'468d2492-7e51-11ea-88ff-fa163e0f27a1'], 'gidNumber': [b'131600017']}
syncrepl_entry uuid 3ed7c401-7e51-11ea-bc5e-f57349389224
Set cookie: ci-vm-10-0-138-95.hosted.upshift.rdu2.redhat.com:389#cn=Directory Manager:dc=dom,dc=ludwig:(objectClass=groupofnames)#91
syncrepl_entry dn cn=g7,cn=groups,cn=accounts,dc=dom,dc=ludwig
syncrepl_entry attrs {'cn': [b'g7'], 'objectClass': [b'top', b'groupofnames', b'nestedgroup', b'ipausergroup', b'ipaobject', b'posixgroup', b'ipantgroupattrs'], 'ipaUniqueID': [b'468d2492-7e51-11ea-88ff-fa163e0f27a1'], 'gidNumber': [b'131600017'], 'ipaNTSecurityIdentifier': [b'S-1-5-21-479504941-1711748825-203617853-1017'], 'description': [b'7777777']}
syncrepl_entry uuid 3ed7c401-7e51-11ea-bc5e-f57349389224
Set cookie: ci-vm-10-0-138-95.hosted.upshift.rdu2.redhat.com:389#cn=Directory Manager:dc=dom,dc=ludwig:(objectClass=groupofnames)#93
```

and if you look at the cookies you see that the change with changenumber #92 is missing, looking at the changelog:

```
ldapsearch -x -LLL -h 10.0.138.95 -p 389 -D "cn=directory manager" -w Secret123 -b "cn=changelog" -o ldif-wrap=no changenumber=92
dn: changenumber=92,cn=changelog
objectClass: top
objectClass: changelogentry
objectClass: extensibleObject
targetuniqueid: 3ed7c401-7e5111ea-bc5ef573-49389224
changeNumber: 92
targetDn: cn=g7,cn=groups,cn=accounts,dc=dom,dc=ludwig
changeTime: 20200414131012Z
changeType: modify
changes:: YWRkOiBvYmplY3RjbGFzcwpvYmplY3RjbGFzczogaXBhbnRncm91cGF0dHJzCi0KcmVwbGFjZTogaXBhbnRzZWN1cml0eWlkZW50aWZpZXIKaXBhbnRzZWN1cml0eWlkZW50aWZpZXI6IFMtMS01LTIxLTQ3OTUwNDk0MS0xNzExNzQ4ODI1LTIwMzYxNzg1My0xMDE3Ci0KcmVwbGFjZTogbW9kaWZpZXJzbmFtZQptb2RpZmllcnNuYW1lOiBjbj1JUEEgU0lER0VOLGNuPXBsdWdpbnMsY249Y29uZmlnCi0KcmVwbGFjZTogbW9kaWZ5dGltZXN0YW1wCm1vZGlmeXRpbWVzdGFtcDogMjAyMDA0MTQxMzEwMTJaCi0KcmVwbGFjZTogZW50cnl1c24KZW50cnl1c246IDE2ODQKLQoA

[lkrispen@lucy1 upstream-tests]$ echo YWRkOiBvYmplY3RjbGFzcwpvYmplY3RjbGFzczogaXBhbnRncm91cGF0dHJzCi0KcmVwbGFjZTogaXBhbnRzZWN1cml0eWlkZW50aWZpZXIKaXBhbnRzZWN1cml0eWlkZW50aWZpZXI6IFMtMS01LTIxLTQ3OTUwNDk0MS0xNzExNzQ4ODI1LTIwMzYxNzg1My0xMDE3Ci0KcmVwbGFjZTogbW9kaWZpZXJzbmFtZQptb2RpZmllcnNuYW1lOiBjbj1JUEEgU0lER0VOLGNuPXBsdWdpbnMsY249Y29uZmlnCi0KcmVwbGFjZTogbW9kaWZ5dGltZXN0YW1wCm1vZGlmeXRpbWVzdGFtcDogMjAyMDA0MTQxMzEwMTJaCi0KcmVwbGFjZTogZW50cnl1c24KZW50cnl1c246IDE2ODQKLQoA | base64 -d
add: objectclass
objectclass: ipantgroupattrs
-
replace: ipantsecurityidentifier
ipantsecurityidentifier: S-1-5-21-479504941-1711748825-203617853-1017
-
replace: modifiersname
modifiersname: cn=IPA SIDGEN,cn=plugins,cn=config
-
replace: modifytimestamp
modifytimestamp: 20200414131012Z
-
replace: entryusn
entryusn: 1684
```

I think the reason is that the sync repl plugin is only triggered for external ldap operations, not for separate internal ones. I will work on a fix, but you must be aware that you never will get the sid attribute with sync repl already for the ADD operation, the add is completed and logged before the sid plugin does its modification.
So when it is fixed there will be two responses to the sync repl client, one for the ADD and the one for the MOD

When registering the sync repl postop functions for INTERNAL ops I do get two responses to the client listening in the refresh phase:

```
syncrepl_entry dn cn=group10,cn=groups,cn=accounts,dc=dom,dc=ludwig
syncrepl_entry attrs {'cn': [b'group10'], 'objectClass': [b'top', b'groupofnames', b'nestedgroup', b'ipausergroup', b'ipaobject', b'posixgroup'], 'ipaUniqueID': [b'c5a4ec18-7efd-11ea-84b8-fa163e8f2435'], 'gidNumber': [b'1619800005']}
syncrepl_entry uuid a21f3002-7efd-11ea-a16b-da00c0f2fc1a
Set cookie: ci-vm-10-0-136-216.hosted.upshift.rdu2.redhat.com:389#cn=Directory Manager:dc=dom,dc=ludwig:(objectClass=groupofnames)#71
syncrepl_entry dn cn=group10,cn=groups,cn=accounts,dc=dom,dc=ludwig
syncrepl_entry attrs {'cn': [b'group10'], 'objectClass': [b'top', b'groupofnames', b'nestedgroup', b'ipausergroup', b'ipaobject', b'posixgroup', b'ipantgroupattrs'], 'ipaUniqueID': [b'c5a4ec18-7efd-11ea-84b8-fa163e8f2435'], 'gidNumber': [b'1619800005'], 'ipaNTSecurityIdentifier': [b'S-1-5-21-2972882822-2259052430-535341937-1005']}
syncrepl_entry uuid a21f3002-7efd-11ea-a16b-da00c0f2fc1a
Set cookie: ci-vm-10-0-136-216.hosted.upshift.rdu2.redhat.com:389#cn=Directory Manager:dc=dom,dc=ludwig:(objectClass=groupofnames)#72
```

I will create a 389 ticket and a PR. Maybe you can then run some further tests

Fix pushed upstream => POST

More info re. the reproducing steps (how to install and configure IPA server):

```
dnf module enable idm:DL1
dnf module install idm:DL1/{dns,adtrust}
hostnamectl set-hostname master.ipa.test
ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarder --auto-reverse -a Secret123 -p Secret123 -U
echo Secret123 | kinit admin
ipa-adtrust-install --add-sids -a Secret123 -U
ldapmodify -D cn=directory\ manager -w Secret123
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
changetype: modify
add: nsslapd-include-suffix
nsslapd-include-suffix: cn=accounts,dc=ipa,dc=test

systemctl restart dirsrv
```

After that, you can use the attached script as described in #c0

With build 389-ds-base-1.4.3.8-5.module+el8.3.0+7569+08175a8a.x86_64

Executing manually the steps described in #c10 then #c0, I can see that the 'ipaNTSecurityIdentifier' is present in the callback from the 1st operation (add), visible in the 2nd part of the response, as mentioned by Ludwig in #c4:

```
# kinit admin; ipa group-add group3
Password for admin:
syncrepl_entry dn cn=group3,cn=groups,cn=accounts,dc=ipa,dc=test
syncrepl_entry attrs {'cn': [b'group3'], 'objectClass': [b'top', b'groupofnames', b'nestedgroup', b'ipausergroup', b'ipaobject', b'posixgroup'], 'ipaUniqueID': [b'253aaa42-dd3f-11ea-b47d-fa163e31c225'], 'gidNumber': [b'656000003']}
syncrepl_entry uuid 097bae01-dd3f-11ea-9a77-fb960b26b882
Set cookie: master.ipa.test:389#cn=Directory Manager:dc=ipa,dc=test:(objectClass=groupofnames)#74
syncrepl_entry dn cn=group3,cn=groups,cn=accounts,dc=ipa,dc=test
syncrepl_entry attrs {'cn': [b'group3'], 'objectClass': [b'top', b'groupofnames', b'nestedgroup', b'ipausergroup', b'ipaobject', b'posixgroup', b'ipantgroupattrs'], 'ipaUniqueID': [b'253aaa42-dd3f-11ea-b47d-fa163e31c225'], 'gidNumber': [b'656000003'], 'ipaNTSecurityIdentifier': [b'S-1-5-21-376742429-686204184-2997162927-1003']}
syncrepl_entry uuid 097bae01-dd3f-11ea-9a77-fb960b26b882
Set cookie: master.ipa.test:389#cn=Directory Manager:dc=ipa,dc=test:(objectClass=groupofnames)#74
--------------------
Added group "group3"
--------------------
  Group name: group3
  GID: 656000003
# ipa group-mod group3 --desc descriptiong3
syncrepl_entry dn cn=group3,cn=groups,cn=accounts,dc=ipa,dc=test
syncrepl_entry attrs {'cn': [b'group3'], 'objectClass': [b'top', b'groupofnames', b'nestedgroup', b'ipausergroup', b'ipaobject', b'posixgroup', b'ipantgroupattrs'], 'ipaUniqueID': [b'253aaa42-dd3f-11ea-b47d-fa163e31c225'], 'gidNumber': [b'656000003'], 'ipaNTSecurityIdentifier': [b'S-1-5-21-376742429-686204184-2997162927-1003'], 'description': [b'descriptiong3']}
syncrepl_entry uuid 097bae01-dd3f-11ea-9a77-fb960b26b882
Set cookie: master.ipa.test:389#cn=Directory Manager:dc=ipa,dc=test:(objectClass=groupofnames)#75
-----------------------
Modified group "group3"
-----------------------
  Group name: group3
  Description: descriptiong3
  GID: 656000003
```

Marking as verified, waiting for an automated test to come.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4695
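
An added example, not part of the bug thread or its attached script: the manual check from the thread (spot the skipped change number in the `Set cookie:` lines, then decode the changelog `changes::` value to see which internal operation was never delivered) written as a small Python helper. The function names are hypothetical, and the sample input is constructed from the output quoted above, with the `changes` value abridged to three modifications.

```python
import base64
import re

# Constructed sample: the two cookie lines quoted in the thread.
CLIENT_LOG = """\
Set cookie: ci-vm-10-0-138-95.hosted.upshift.rdu2.redhat.com:389#cn=Directory Manager:dc=dom,dc=ludwig:(objectClass=groupofnames)#91
Set cookie: ci-vm-10-0-138-95.hosted.upshift.rdu2.redhat.com:389#cn=Directory Manager:dc=dom,dc=ludwig:(objectClass=groupofnames)#93
"""
# Constructed sample: abridged "changes" text of changenumber=92, re-encoded
# with a trailing NUL byte, as in the base64 value quoted in the thread.
CHANGES_B64 = base64.b64encode(
    b"add: objectclass\nobjectclass: ipantgroupattrs\n-\n"
    b"replace: ipantsecurityidentifier\n"
    b"ipantsecurityidentifier: S-1-5-21-479504941-1711748825-203617853-1017\n-\n"
    b"replace: modifiersname\n"
    b"modifiersname: cn=IPA SIDGEN,cn=plugins,cn=config\n-\n\x00"
).decode()


def cookie_numbers(log):
    """Change numbers taken from the trailing '#N' of each 'Set cookie:' line."""
    return [int(m.group(1)) for m in re.finditer(r"^Set cookie: .*#(\d+)\s*$", log, re.M)]


def missing_changes(numbers):
    """Change numbers skipped between consecutive cookies."""
    gaps = []
    for prev, cur in zip(numbers, numbers[1:]):
        gaps.extend(range(prev + 1, cur))
    return gaps


def parse_changes(b64_value):
    """Decode a changelog 'changes::' value into (op, attribute, values) tuples."""
    text = base64.b64decode(b64_value).rstrip(b"\x00").decode("utf-8")
    mods = []
    for record in text.split("\n-\n"):
        lines = [ln for ln in record.strip().splitlines() if ln and ln != "-"]
        if not lines:
            continue
        op, attr = (part.strip() for part in lines[0].split(":", 1))
        values = [ln.split(":", 1)[1].strip() for ln in lines[1:]]
        mods.append((op, attr.lower(), values))
    return mods


if __name__ == "__main__":
    print("skipped change numbers:", missing_changes(cookie_numbers(CLIENT_LOG)))
    print(parse_changes(CHANGES_B64))
```

A skipped number whose `modifiersname` is a plugin DN, as here, points to an internal post-operation change that the sync repl client did not receive.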