Bug 715112

Summary: Managed Entries: mep_mod_post_op: Unable to update mapped attributes from origin entry
Product: Red Hat Enterprise Linux 6 Reporter: Nathan Kinder <nkinder>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: benl, dpal, grajaiya, jgalipea, mkosek, nkinder, rmeggins, shaines
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.0-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: Renaming users may return a Not Found error. Consequence: Renaming the user is successful but their user-private group is not. Fix: Set the 389-ds plugin precedence so the ipa_modrdn plugin runs last. This plugin manages renaming the Kerberos principal name of the user. Result: Renaming a user will also rename the user-private group.
Story Points: ---
Clone Of: 661102 Environment:
Last Closed: 2011-12-06 18:36:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 661102    
Bug Blocks:    

Comment 1 Dmitri Pal 2011-06-21 21:49:08 UTC
This bug triggered the following ticket: https://fedorahosted.org/freeipa/ticket/1370

Comment 2 Rob Crittenden 2011-08-01 20:04:23 UTC
master: a48a84a5ead90898630a23fc0de1c978d1e0b810

ipa-2-0: c58b351f285a879ffc1b095696f47a64042febe4

Comment 5 Rob Crittenden 2011-09-02 21:09:39 UTC
The ds team determined that the precedence is getting set in the wrong entry. It should be getting set in cn=IPA MODRDN,cn=plugins,cn=config instead

Comment 8 Rob Crittenden 2011-10-31 20:30:31 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Renaming users may return a Not Found error.
Consequence: Renaming the user is successful but their user-private group is not.
Fix: Set the 389-ds plugin precedence so the ipa_modrdn plugin runs last. This plugin manages renaming the Kerberos principal name of the user.
Result: Renaming a user will also rename the user-private group.

Comment 9 Gowrishankar Rajaiyan 2011-11-08 13:19:38 UTC
[root@ipaqavmc ~]# ipa user-add --first=test --last=test test
-----------------
Added user "test"
-----------------
  User login: test
  First name: test
  Last name: test
  Full name: test test
  Display name: test test
  Initials: tt
  Home directory: /home/test
  GECOS field: test test
  Login shell: /bin/sh
  Kerberos principal: test@IDM.LAB.BOS.REDHAT.COM
  UID: 1266400003
  GID: 1266400003
  Keytab: False
  Password: False
[root@ipaqavmc ~]# 

[root@ipaqavmc ~]# ipa user-mod --setattr uid=new test
--------------------
Modified user "test"
--------------------
  User login: new
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  UID: 1266400003
  GID: 1266400003
  Account disabled: False
  Keytab: False
  Password: False
  Member of groups: ipausers
[root@ipaqavmc ~]# 


[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# new, users, accounts, idm.lab.bos.redhat.com
dn: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
displayName: test test
cn: test test
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: test
gecos: test test
homeDirectory: /home/test
krbPwdPolicyReference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,
 dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
krbPrincipalName: new@IDM.LAB.BOS.REDHAT.COM
givenName: test
initials: tt
uidNumber: 1266400003
gidNumber: 1266400003
ipaUniqueID: 5b74793e-0a09-11e1-a015-021016980180
mepManagedEntry: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,d
 c=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=
 com
uid: new

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
# extended LDIF
#
# LDAPv3
# base <cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# new, groups, accounts, idm.lab.bos.redhat.com
dn: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
gidNumber: 1266400003
description: User private group for new
mepManagedBy: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om <<<<<<<<<<<<<
ipaUniqueID: 5b8a6afa-0a09-11e1-a015-021016980180
cn: new

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipaqavmc ~]#

Also, checked "cn=IPA MODRDN,cn=plugins,cn=config":

[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=IPA MODRDN,cn=plugins,cn=config" objectClass=nsSlapdPlugin nsslapd-pluginprecedence
# extended LDIF
#
# LDAPv3
# base <cn=IPA MODRDN,cn=plugins,cn=config> with scope subtree
# filter: objectClass=nsSlapdPlugin
# requesting: nsslapd-pluginprecedence 
#

# IPA MODRDN, plugins, config
dn: cn=IPA MODRDN,cn=plugins,cn=config
nsslapd-pluginprecedence: 60

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipaqavmc ~]# 


Verified.

[root@ipaqavmc ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 9.el6                         Build Date: Mon 07 Nov 2011 03:00:54 PM EST
Install Date: Tue 08 Nov 2011 01:51:10 AM EST      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-9.el6.src.rpm
Size        : 3382131                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@ipaqavmc ~]#

Comment 10 errata-xmlrpc 2011-12-06 18:36:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html