Bug 592397

Summary: Upgrade tool dn2rdn: it does not clean up the entrydn in id2entry
Product: [Retired] 389
Reporter: Noriko Hosoi <nhosoi>
Component: Migration
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: high
Version: 1.2.6
CC: amsharma, jgalipea, rmeggins
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:30:32 UTC
Bug Blocks: 576869, 639035    
Attachments:
git patch file (master) (flags: nhosoi: review?, rmeggins: review+)

Description Noriko Hosoi 2010-05-14 19:00:10 UTC
Description of problem:
If you upgrade an old version using entrydn (389 v1.2.5 and older) to the newer v1.2.6, the entrydn index is converted to the entryrdn index.  But the upgrade tool does not touch the attribute in the entries upgraded from the older version.

For instance, searching an upgraded entry with the attribute list containing entrydn shows the old value:
ldapsearch -b "o=ace industry,c=us" '(seeAlso=cn="a=abc0,x=xyz",o=ace industry,c=us)' cn seeAlso entrydn
dn: cn=a\3Dabc\2Cx\3Dxyz,o=ace industry,c=us
cn: a=abc,x=xyz
cn: "a=abc,x=xyz"
seeAlso: cn=a\3Dabc0\2Cx\3Dxyz,o=ace industry,c=us
seeAlso: cn=a\3DABC1\2Cx\3DXYZ,o=ace industry,c=US
seeAlso: cn=NORMAL RDN,o=ace industry,c=us
entrydn: cn=a=abc\2Cx=xyz,o=ace industry,c=us <=== LEFTOVER

If you add a new entry, it does not have such an attribute any more.  That gives us an inconsistent experience.
ldapsearch -b "o=ace industry,c=us" '(cn="p=pqr,x=xyz")' cn seeAlso entrydn
dn: cn=p\3Dpqr\2Cx\3Dxyz,o=ace industry,c=us
cn: p=pqr,x=xyz
cn: "p=pqr,x=xyz"
seeAlso: cn=p\3D123\2Cp\3Dpqr\2Cx\3Dxyz,o=ace industry,c=us
seeAlso: cn=pqr \22456\22,o=ace industry,c=us
seeAlso: cn=NORMAL RDN,o=ace industry,c=us

Side note: There is a bug opened related to this issue.
Bug 578296 - Attribute type entrydn needs to be added when subtree rename switch is on.

Comment 3 Noriko Hosoi 2010-10-19 01:18:59 UTC
Created attachment 454233
git patch file (master)

Description: If entries were created by 389 v1.2.5 or older,
the primary db (id2entry.db4) contains "entrydn: <normalized dn>".
Upgrading from the old version to v1.2.6 keeps the entrydn
attribute type and its value even though v1.2.6 is not supposed
to store the entrydn in the database.
1) This patch drops the entrydn attribute and value in upgrading
   the db.
2) If an ldif file contains entrydn attribute type and value,
   import (ldif2db[.pl]) ignores it.
3) A leak was found in the export (db2ldif[.pl]) which is fixed.
4) When nsslapd-subtree-rename-switch configuration attribute has
   the value "on", entrydn is not used nor created.  But the
   server accepted reindexing entrydn request and generated an
   entrydn index file.  This patch rejects it.
5) Entry and dn cache clear calls (cache_clear) are added to
   dblayer_instance_close in "#if defined(_USE_VALGRIND)", which
   is not defined.  To enable the code, the server needs to be
   rebuilt with defining the macro.  This is purely for debugging.

Files:
 ldap/servers/slapd/back-ldbm/dblayer.c
 ldap/servers/slapd/back-ldbm/id2entry.c
 ldap/servers/slapd/back-ldbm/import-threads.c
 ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
 ldap/servers/slapd/back-ldbm/ldif2ldbm.c
 ldap/servers/slapd/entry.c
 ldap/servers/slapd/slapi-plugin.h

Comment 4 Noriko Hosoi 2010-10-19 16:59:10 UTC
Reviewed by Rich (Thank you!!)

Pushed to master.

$ git merge 592397
Updating 6160200..f0e4ce1
Fast-forward
 ldap/servers/slapd/back-ldbm/dblayer.c        |   11 ++++
 ldap/servers/slapd/back-ldbm/id2entry.c       |   20 +++++---
 ldap/servers/slapd/back-ldbm/import-threads.c |    9 ++--
 ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c  |    2 +-
 ldap/servers/slapd/back-ldbm/ldif2ldbm.c      |   62 ++++++++++++++++++------
 ldap/servers/slapd/entry.c                    |   13 +++++
 ldap/servers/slapd/slapi-plugin.h             |   12 +++++
 7 files changed, 101 insertions(+), 28 deletions(-)

$ git push
Counting objects: 25, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 2.94 KiB, done.
Total 13 (delta 11), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   6160200..f0e4ce1  master -> master

Comment 5 Noriko Hosoi 2011-07-27 00:31:59 UTC
This bug is supposed to be verified in the upgrade test.
Once upgraded, run "dbscan -f /var/lib/dirsrv/slapd-ID/db/userRoot/id2entry.db4".
The output entries should not include an attribute value pair "entrydn: ...".
If they are not seen in the output, this bug is verified.

Comment 6 Amita Sharma 2011-08-16 08:00:19 UTC
Followed the verification steps in Comment 5:

[root@aminew ~]# dbscan -f /var/lib/dirsrv/slapd-aminew/db/userRoot/id2entry.db4
id 1
	rdn: dc=pnq,dc=redhat,dc=com
	nsUniqueId: 2a098224-c40d11e0-8cae874c-b7bb5e9e
	objectClass: top
	objectClass: domain
	dc: pnq
	aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; 
	 allow (read, search, compare) userdn="ldap:///anyone";)
	aci: (targetattr="carLicense || description || displayName || facsimileTelepho
	 neNumber || homePhone || homePostalAddress || initials || jpegPhoto || labele
	 dURL || mail || mobile || pager || photo || postOfficeBox || postalAddress ||
	  postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddr
	 ess || roomNumber || secretary || seeAlso || st || street || telephoneNumber 
	 || telexNumber || title || userCertificate || userPassword || userSMIMECertif
	 icate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for commo
	 n attributes"; allow (write) userdn="ldap:///self";)
	aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow 
	 (all) (groupdn = "ldap:///cn=Directory Administrators, dc=pnq,dc=redhat,dc=co
	 m");)
	aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
	 llow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=Topo
	 logyManagement,o=NetscapeRoot";)
	aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
	 ll) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Netsc
	 apeRoot";)
	aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
	 dap:///cn=slapd-aminew,cn=Red Hat Directory Server,cn=Server Group,cn=aminew.
	 pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot";)
	creatorsName:
	modifiersName: cn=directory manager
	createTimestamp: 20110811112924Z
	modifyTimestamp: 20110811112926Z
	entryid: 1
	numSubordinates: 4
	
id 2
	rdn: cn=Directory Administrators
	nsUniqueId: 2a098225-c40d11e0-8cae874c-b7bb5e9e
	objectClass: top
	objectClass: groupofuniquenames
	cn: Directory Administrators
	uniqueMember: cn=Directory Manager
	creatorsName:
	modifiersName:
	createTimestamp: 20110811112924Z
	modifyTimestamp: 20110811112924Z
	parentid: 1
	entryid: 2
	
id 3
	rdn: ou=Groups
	nsUniqueId: 2a098226-c40d11e0-8cae874c-b7bb5e9e
	objectClass: top
	objectClass: organizationalunit
	ou: Groups
	creatorsName:
	modifiersName:
	createTimestamp: 20110811112924Z
	modifyTimestamp: 20110811112924Z
	parentid: 1
	entryid: 3
	numSubordinates: 4
	
id 4
	rdn: ou=People
	nsUniqueId: 2a098227-c40d11e0-8cae874c-b7bb5e9e
	objectClass: top
	objectClass: organizationalunit
	ou: People
	aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber
	 ")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ld
	 ap:///self");)
	aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version
	  3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "lda
	 p:///cn=Accounting Managers,ou=groups,dc=pnq,dc=redhat,dc=com");)
	aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(ve
	 rsion 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR M
	 anagers,ou=groups,dc=pnq,dc=redhat,dc=com");)
	aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(ver
	 sion 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Ma
	 nagers,ou=groups,dc=pnq,dc=redhat,dc=com");)
	aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)"
	 )(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ld
	 ap:///cn=PD Managers,ou=groups,dc=pnq,dc=redhat,dc=com");)
	creatorsName:
	modifiersName:
	createTimestamp: 20110811112924Z
	modifyTimestamp: 20110811112924Z
	parentid: 1
	entryid: 4
	
id 5
	rdn: ou=Special Users
	nsUniqueId: 2a098228-c40d11e0-8cae874c-b7bb5e9e
	objectClass: top
	objectClass: organizationalUnit
	ou: Special Users
	description: Special Administrative Accounts
	creatorsName:
	modifiersName:
	createTimestamp: 20110811112924Z
	modifyTimestamp: 20110811112924Z
	parentid: 1
	entryid: 5
	
id 6
	rdn: cn=Accounting Managers
	nsUniqueId: 2a098229-c40d11e0-8cae874c-b7bb5e9e
	objectClass: top
	objectClass: groupOfUniqueNames
	cn: Accounting Managers
	ou: groups
	description: People who can manage accounting entries
	uniqueMember: cn=Directory Manager
	creatorsName:
	modifiersName:
	createTimestamp: 20110811112924Z
	modifyTimestamp: 20110811112924Z
	parentid: 3
	entryid: 6
	
id 7
	rdn: cn=HR Managers
	nsUniqueId: 2a09822a-c40d11e0-8cae874c-b7bb5e9e
	objectClass: top
	objectClass: groupOfUniqueNames
	cn: HR Managers
	ou: groups
	description: People who can manage HR entries
	uniqueMember: cn=Directory Manager
	creatorsName:
	modifiersName:
	createTimestamp: 20110811112924Z
	modifyTimestamp: 20110811112924Z
	parentid: 3
	entryid: 7
	
id 8
	rdn: cn=QA Managers
	nsUniqueId: 2a09822b-c40d11e0-8cae874c-b7bb5e9e
	objectClass: top
	objectClass: groupOfUniqueNames
	cn: QA Managers
	ou: groups
	description: People who can manage QA entries
	uniqueMember: cn=Directory Manager
	creatorsName:
	modifiersName:
	createTimestamp: 20110811112924Z
	modifyTimestamp: 20110811112924Z
	parentid: 3
	entryid: 8
	
id 9
	rdn: cn=PD Managers
	nsUniqueId: 2a09822c-c40d11e0-8cae874c-b7bb5e9e
	objectClass: top
	objectClass: groupOfUniqueNames
	cn: PD Managers
	ou: groups
	description: People who can manage engineer entries
	uniqueMember: cn=Directory Manager
	creatorsName:
	modifiersName:
	createTimestamp: 20110811112924Z
	modifyTimestamp: 20110811112924Z
	parentid: 3
	entryid: 9
	
[root@aminew ~]# dbscan -f /var/lib/dirsrv/slapd-aminew/db/userRoot/id2entry.db4 | grep entrydn
[root@aminew ~]# 

The output entries do not include an attribute value pair "entrydn: ..."
Hence the bug is verified.
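
The verification in Comments 5 and 6, written as a reusable check (an added example, not part of the bug report or the 389 code base). It matches entrydn only as an attribute name, so values that merely mention the word do not count and a differently cased name is still caught. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the 389 project. Reads `dbscan -f <id2entry.db4>`
# output on stdin (layout as in Comment 6: "id N", then tab-indented
# "attr: value" lines, folded values continuing with tab + space) and prints
# the id of every record that still stores an entrydn attribute.
find_entrydn_leftovers() {
    awk '
        /^id [0-9]+/ { id = $2; next }   # record header
        /^\t /       { next }            # folded value text, never an attribute name
        /^\t[^ \t]/ {
            line  = substr($0, 2)
            colon = index(line, ":")
            if (colon == 0) next
            attr = tolower(substr(line, 1, colon - 1))  # attribute names are case-insensitive
            sub(/;.*/, "", attr)                        # drop options such as ;binary
            if (attr == "entrydn" && !(id in seen)) { seen[id] = 1; print id }
        }
    '
}

# Exit status 0 when the database is clean, 1 when leftovers exist.
verify_no_entrydn() {
    leftovers=$(find_entrydn_leftovers)
    [ -z "$leftovers" ] && return 0
    echo "entrydn still stored in id(s): $(echo $leftovers)" >&2
    return 1
}

# Constructed sample (not real server output): id 1 only mentions entrydn
# inside values, id 2 has the leftover, id 3 has it spelled entryDN.
sample_dbscan_output() {
    printf 'id 1\n\trdn: dc=example,dc=com\n'
    printf '\taci: (targetattr="cn || entrydn")(version 3.0; acl "constructed"; allow\n'
    printf '\t  (read) userdn="ldap:///anyone";)\n'
    printf '\tdescription: notes about the old\n\t entrydn: index\n\tentryid: 1\n\t\n'
    printf 'id 2\n\trdn: ou=People\n\tentrydn: ou=people,dc=example,dc=com\n\tentryid: 2\n\t\n'
    printf 'id 3\n\trdn: ou=Groups\n\tentryDN: ou=groups,dc=example,dc=com\n\tentryid: 3\n\t\n'
}

# Usage on a real instance (path from Comment 5):
#   dbscan -f /var/lib/dirsrv/slapd-ID/db/userRoot/id2entry.db4 | verify_no_entrydn
```

On the constructed sample, find_entrydn_leftovers reports ids 2 and 3, while a plain `grep entrydn` would also match the two value lines in id 1 and miss id 3.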