Bug 1996662

Summary:	Deleted user accounts with --preserved parameter is listed on groups on 'ldapsearch'
Product:	Red Hat Enterprise Linux 7	Reporter:	Aleksandr Sharov <asharov>
Component:	389-ds-base	Assignee:	LDAP Maintainers <ldap-maint>
Status:	CLOSED INSUFFICIENT_DATA	QA Contact:	RHDS QE <ds-qe-bugs>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	7.9	CC:	dcamilof, ldap-maint, rcritten, tscherf
Target Milestone:	rc	Flags:	asharov: needinfo? dcamilof: needinfo?
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-10-26 15:01:53 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Aleksandr Sharov 2021-08-23 12:31:35 UTC

Description of problem:
User accounts, deleted with --preserved key, still show up in the ldapsearch groups.


Version-Release number of selected component (if applicable):
RHEL 7.9, IPA 4.6.8

How reproducible:
-



Actual results:
*** PRESERVED USER
  dn: uid=lhellebusch,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=cboe,dc=net
  User login: lhellebusch
  First name: Luke
  Last name: Hellebusch
  Full name: Luke Hellebusch
  Display name: Luke Hellebusch
  Initials: LH
  Home directory: /home/lhellebusch
  GECOS: Luke Hellebusch
  Login shell: /bin/bash
  Principal name: lhellebusch.NET
  Principal alias: lhellebusch.NET
  Email address: lhellebusch.net
  UID: 1515800792
  GID: 1515800792
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False
  ipauniqueid: 6e7f4bb0-b18b-11eb-8141-005056b18f36
  krbextradata: AAKo5qNga2FkbWluZEBJUEEuQ0JPRS5ORVQA
  krblastfailedauth: 20210727185335Z
  krbloginfailedcount: 0
  krbticketflags: 128
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys


$ ldapsearch -D "cn=Directory Manager" -W -H "ldap://ipa7101-master.ipa.cboe.net" "cn=us"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=cboe,dc=net> (default) with scope subtree
# filter: cn=us
# requesting: ALL
#

# us, groups, accounts, ipa.cboe.net
dn: cn=us,cn=groups,cn=accounts,dc=ipa,dc=cboe,dc=net
memberOf: ipaUniqueID=515fcc96-68cb-11e8-8c2f-005056b18f36,cn=hbac,dc=ipa,dc=cboe,dc=net
memberOf: ipaUniqueID=adec2fc4-68c9-11e8-97e1-005056b18f36,cn=sudorules,cn=sudo,dc=ipa,dc=cboe,dc=net
memberOf: cn=users,cn=groups,cn=accounts,dc=ipa,dc=cboe,dc=net
memberOf: ipaUniqueID=a51aba6c-5c6d-11e9-96a0-005056a0b427,cn=hbac,dc=ipa,dc=cboe,dc=net
memberOf: ipaUniqueID=b0d51902-d817-11ea-80bf-005056b18f36,cn=hbac,dc=ipa,dc=cboe,dc=net
memberOf: ipaUniqueID=6df44b8c-e6f2-11ea-b849-005056913c6d,cn=hbac,dc=ipa,dc=cboe,dc=net
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
cn: us
description: Bulk Import
ipaUniqueID: 0bfb767e-68bb-11e8-90fe-005056b18f36
member: uid=ldoogs,cn=users,cn=accounts,dc=ipa,dc=cboe,dc=net
member: uid=zpan,cn=users,cn=accounts,dc=ipa,dc=cboe,dc=net
..snip..
member: uid=jlunceford,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=cboe,dc=net
member: uid=cbaumert,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=cboe,dc=net
member: uid=lhellebusch,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=cboe,dc=net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Expected results:
deleted users shouldn't be listed in groups listings

Additional info:

Comment 4 Florence Blanc-Renaud 2021-08-23 13:37:31 UTC

Hi,

I was not able to reproduce the behavior described in this BZ.
$ rpm -qa ipa-server 389-ds-base
389-ds-base-1.3.10.2-12.el7_9.x86_64
ipa-server-4.6.8-5.el7_9.5.x86_64

Scenario:
- create 2 users u1 and u2
--------------------------
$ ipa user-add u1 --first u1 --last u1
$ ipa user-add u2 --first u2 --last u2

- create a posix group g1, create a nonposix group nonposix1
------------------------------------------------------------
$ ipa group-add nonposix1
$ ipa group-add nonposix1 --nonposix

- add u1 and u2 to both groups
------------------------------
$ ipa group-add-member g1 --users u1 --users u2
$ ipa group-add-member nonposix1 --users u1 --users u2


- check the group membership: both groups contain u1 and u2
-----------------------------------------------------------
$ ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b cn=g1,cn=groups,cn=accounts,dc=ipa,dc=test
dn: cn=g1,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: g1
ipaUniqueID: e5d6f240-040f-11ec-8109-fa163ef9aedd
gidNumber: 593600010
member: uid=u1,cn=users,cn=accounts,dc=ipa,dc=test
member: uid=u2,cn=users,cn=accounts,dc=ipa,dc=test

$ ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b cn=nonposix1,cn=groups,cn=accounts,dc=ipa,dc=test
dn: cn=nonposix1,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
cn: nonposix1
ipaUniqueID: f1fde858-040f-11ec-b8ae-fa163ef9aedd
member: uid=u1,cn=users,cn=accounts,dc=ipa,dc=test
member: uid=u2,cn=users,cn=accounts,dc=ipa,dc=test

- delete u1 (not preserved), delete u2 (preserved)
--------------------------------------------------
$ ipa user-del u1 
$ ipa user-del u2 --preserve


- check the group membership: both groups are now empty
-------------------------------------------------------
$ ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b cn=g1,cn=groups,cn=accounts,dc=ipa,dc=test
dn: cn=g1,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: g1
ipaUniqueID: e5d6f240-040f-11ec-8109-fa163ef9aedd
gidNumber: 593600010

$ ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b cn=nonposix1,cn=groups,cn=accounts,dc=ipa,dc=test
dn: cn=nonposix1,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
cn: nonposix1
ipaUniqueID: f1fde858-040f-11ec-b8ae-fa163ef9aedd


In order to progress further, can you check if there are any automember rules defined on the group?
# ipa automember-find --type hostgroup
# ipa automember-find --type group
With automember groups I wasn't able to reproduce the issue either but I would like to make sure we can eliminate this possible path of investigation.

I would also check if there are replication conflicts or replication issues. According to the sos report shared in the case, I can see a few errors in slapd error log:
[09/Aug/2021:08:17:11.566795995 -0400] - ERR - managed-entries-plugin - mep_mod_post_op - Unable to find config for origin entry "uid=XXXX,cn=deleted users,cn=accounts,cn=provisioning,dc=OBFUSCATED".
[09/Aug/2021:08:21:30.689795892 -0400] - ERR - managed-entries-plugin - mep_mod_post_op - Unable to find config for origin entry "uid=XXXX,cn=deleted users,cn=accounts,cn=provisioning,dc=OBFUSCATED".
[09/Aug/2021:08:23:52.935071195 -0400] - ERR - managed-entries-plugin - mep_mod_post_op - Unable to find config for origin entry "uid=XXXX,cn=deleted users,cn=accounts,cn=provisioning,dc=OBFUSCATED".
and they correspond to the preserved users that display the issue.

Comment 11 Florence Blanc-Renaud 2021-08-25 16:32:50 UTC

Moving the issue to 389-ds component, the team has better knowledge of how the plugins should be triggered on this ipa user-del --preserve operation.