Bug 715112
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Managed Entries: mep_mod_post_op: Unable to update mapped attributes from origin entry | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Nathan Kinder <nkinder> |
| Component | ipa | Assignee | Rob Crittenden <rcritten> |
| Status | CLOSED ERRATA | QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 6.1 | CC | benl, dpal, grajaiya, jgalipea, mkosek, nkinder, rmeggins, shaines |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | ipa-2.1.0-1.el6 | Doc Type | Bug Fix |
| Doc Text | Cause: Renaming users may return a Not Found error. Consequence: Renaming the user is successful but their user-private group is not. Fix: Set the 389-ds plugin precedence so the ipa_modrdn plugin runs last. This plugin manages renaming the Kerberos principal name of the user. Result: Renaming a user will also rename the user-private group. | | |
| Story Points | --- | | |
| Clone Of | 661102 | Environment | |
| Last Closed | 2011-12-06 18:36:23 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 661102 | | |
| Bug Blocks | | | |

Comment 1
Dmitri Pal
2011-06-21 21:49:08 UTC
master: a48a84a5ead90898630a23fc0de1c978d1e0b810
ipa-2-0: c58b351f285a879ffc1b095696f47a64042febe4

The ds team determined that the precedence is getting set in the wrong entry. It should be getting set in cn=IPA MODRDN,cn=plugins,cn=config instead

Precedence is now put to the right entry:
master: https://fedorahosted.org/freeipa/changeset/5371c03c93ddc73ebafc4107e7340ac911e27ed5
ipa-2-1: https://fedorahosted.org/freeipa/changeset/613bd3ee6a657080a0c35db9472d7e51a8399805

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Renaming users may return a Not Found error.
Consequence: Renaming the user is successful but their user-private group is not.
Fix: Set the 389-ds plugin precedence so the ipa_modrdn plugin runs last. This plugin manages renaming the Kerberos principal name of the user.
Result: Renaming a user will also rename the user-private group.

[root@ipaqavmc ~]# ipa user-add --first=test --last=test test
-----------------
Added user "test"
-----------------
  User login: test
  First name: test
  Last name: test
  Full name: test test
  Display name: test test
  Initials: tt
  Home directory: /home/test
  GECOS field: test test
  Login shell: /bin/sh
  Kerberos principal: test.BOS.REDHAT.COM
  UID: 1266400003
  GID: 1266400003
  Keytab: False
  Password: False
[root@ipaqavmc ~]#
[root@ipaqavmc ~]# ipa user-mod --setattr uid=new test
--------------------
Modified user "test"
--------------------
  User login: new
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  UID: 1266400003
  GID: 1266400003
  Account disabled: False
  Keytab: False
  Password: False
  Member of groups: ipausers
[root@ipaqavmc ~]#
[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# new, users, accounts, idm.lab.bos.redhat.com
dn: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
displayName: test test
cn: test test
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: test
gecos: test test
homeDirectory: /home/test
krbPwdPolicyReference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,
 dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
krbPrincipalName: new.BOS.REDHAT.COM
givenName: test
initials: tt
uidNumber: 1266400003
gidNumber: 1266400003
ipaUniqueID: 5b74793e-0a09-11e1-a015-021016980180
mepManagedEntry: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,d
 c=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=
 com
uid: new

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
# extended LDIF
#
# LDAPv3
# base <cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# new, groups, accounts, idm.lab.bos.redhat.com
dn: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
gidNumber: 1266400003
description: User private group for new
mepManagedBy: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om <<<<<<<<<<<<<
ipaUniqueID: 5b8a6afa-0a09-11e1-a015-021016980180
cn: new

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipaqavmc ~]#

Also, checked "cn=IPA MODRDN,cn=plugins,cn=config":

[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=IPA MODRDN,cn=plugins,cn=config" objectClass=nsSlapdPlugin nsslapd-pluginprecedence
# extended LDIF
#
# LDAPv3
# base <cn=IPA MODRDN,cn=plugins,cn=config> with scope subtree
# filter: objectClass=nsSlapdPlugin
# requesting: nsslapd-pluginprecedence
#

# IPA MODRDN, plugins, config
dn: cn=IPA MODRDN,cn=plugins,cn=config
nsslapd-pluginprecedence: 60

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipaqavmc ~]#

Verified.

[root@ipaqavmc ~]# rpm -qi ipa-server | head
Name        : ipa-server                    Relocations: (not relocatable)
Version     : 2.1.3                         Vendor: Red Hat, Inc.
Release     : 9.el6                         Build Date: Mon 07 Nov 2011 03:00:54 PM EST
Install Date: Tue 08 Nov 2011 01:51:10 AM EST   Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-9.el6.src.rpm
Size        : 3382131                       License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@ipaqavmc ~]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
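
The verification earlier in this report compares the renamed user with its user-private group by reading two ldapsearch results. As an added example (not part of the bug report or of FreeIPA), the Python below performs that cross-check on ldapsearch output: it unfolds LDIF continuation lines and confirms that each mepManagedEntry on the origin entry names an entry whose mepManagedBy points back. The sample LDIF is constructed from the output above; the function names, comparing DNs by lowercasing, and the absence of base64 values are assumptions.

```python
# Added example. Assumptions: no base64 ("attr:: value") attributes; DNs compared by lowercasing.
# Constructed sample, trimmed from the ldapsearch output in this report (line folding kept).
SAMPLE = """\
dn: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
mepManagedEntry: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,d
 c=com

dn: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
mepManagedBy: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om
"""
STALE = SAMPLE.replace("mepManagedBy: uid=new", "mepManagedBy: uid=test")  # constructed stale link
ORIGIN = "uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

def unfold(text):
    """Join LDIF continuation lines (one leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(text):
    """Return {dn: {attribute: [values]}} with lowercased DNs and attribute names."""
    entries, current = {}, None
    for line in unfold(text):
        if not line.strip():
            current = None  # a blank line ends the entry; result lines after it are skipped
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if attr.lower() == "dn":
                current = entries.setdefault(value.strip().lower(), {})
            elif current is not None:
                current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def check_managed_link(entries, origin_dn):
    """Return a list of problems; an empty list means origin and managed entry agree."""
    origin = entries.get(origin_dn.lower(), {})
    targets = origin.get("mepmanagedentry", [])
    problems = [] if targets else ["no mepManagedEntry on " + origin_dn]
    for dn in targets:
        back = [v.lower() for v in entries.get(dn.lower(), {}).get("mepmanagedby", [])]
        if origin_dn.lower() not in back:
            problems.append(dn + " is missing or does not point back to " + origin_dn)
    return problems

print(check_managed_link(parse_entries(STALE), ORIGIN))
```
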