Bug 726273

Summary: Winsync: DS entries fail to sync to AD, if the User's CN entry contains a comma
Product: Red Hat Enterprise Linux 6
Reporter: Rich Megginson <rmeggins>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: urgent
Version: 6.2
CC: amsharma, dpal, edewata, jgalipea, jwest, nhosoi, nkinder, rmeggins, shaines, sramling
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 389-ds-base-1.2.9.11-1.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 725953
Environment:
Last Closed: 2011-12-06 17:55:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 725953
Bug Blocks: 727467

Description Rich Megginson 2011-07-28 02:44:52 UTC
+++ This bug was initially created as a clone of Bug #725953 +++

Description of problem: Users created at DS with a comma in the CN entry fail to sync to AD.


Version-Release number of selected component (if applicable): DS90


How reproducible: Consistently


Steps to Reproduce:
1. Setup windows sync with win2008 AD server.
2. Create a few entries at DS and AD before running "Initiate Full Re-synchronization".
3. Create entries in DS using this ldif file.

dn: uid=testwinsyncsplDN\2C1,dc=pass_sync,dc=com
telephoneNumber: 989898191
mail: testwinsyncsplDN1
givenName: testwinsyncsplDN1
objectClass: top
objectClass: person
objectClass: inetorgperson
objectclass: ntUser
sn: testwinsyncsplDN,1
cn: testwinsyncsplDN,1
ntUserCreateNewAccount: true
ntUserDomainId: testwinsyncsplDN1
ntUserDeleteAccount: true
userPassword: Secret1234

4. User successfully added to DS.
5. Run ldapsearch to check whether the entries are created at AD.
6. Check the error logs.  

Actual results:
Entries fail to sync to AD, and this also affects the other, valid entries that are to be synced.

The error log says it is a DN syntax error.

[27/Jul/2011:08:50:37 -0400] NSMMReplicationPlugin - agmt="cn=WinPassSyncPAMAD" (win2k8rhvd64:636): process_replay_add: failed to create mapped entry dn="cn=testwinsyncsplDN,1,ou=pass_sync,dc=win2k8sync64,dc=com"
[27/Jul/2011:08:50:37 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [cn=testwinsyncsplDN,1,ou=pass_sync,dc=win2k8sync64,dc=com] scope [0] filter [(objectclass=*)]: error 34:Invalid DN syntax



Expected results:
The entry should be synced to AD, as a comma is allowed in the CN value.

Additional info:

I tried adding a new user at AD using this ldif, and it fails with a DN syntax error.

dn: CN=testADUsr,_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testADUsr,_1
sn: testADUsr,_1
uid: testADUsr,_1
givenName: testADUsr_1
distinguishedName: CN=testADUsr_1,OU=pass_sync,DC=win2k8sync64,DC=com
displayName: testADUsr_1
sAMAccountName: testADUsr_1
userPrincipalName: testADUsr_1
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwAiAA==

If the comma in the CN (of the DN) is escaped, the user is successfully created at AD.

dn: CN=testADUsr\,_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testADUsr,_1
sn: testADUsr,_1
uid: testADUsr,_1
givenName: testADUsr_1
distinguishedName: CN=testADUsr_1,OU=pass_sync,DC=win2k8sync64,DC=com
displayName: testADUsr_1
sAMAccountName: testADUsr_1
userPrincipalName: testADUsr_1
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwAiAA==

--- Additional comment from rmeggins on 2011-07-27 21:00:33 EDT ---

Created attachment 515610 [details]
0001-Bug-725953-Winsync-DS-entries-fail-to-sync-to-AD-if-.patch

--- Additional comment from rmeggins on 2011-07-27 22:43:53 EDT ---

To ssh://git.fedorahosted.org/git/389/ds.git
   238b74d..7a0548b  master -> master
commit 7a0548ba3df54de5883c3a16a1c1951af9327dfc
Author: Rich Megginson <rmeggins>
Date:   Wed Jul 27 18:54:03 2011 -0600
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: When we construct a new AD DN, usually from the value of the
    "cn" attribute in the entry, we need to escape the , and any other special
    characters in the value used in the DN.  We do this by putting double
    quotes around the value, and let slapi_create_dn_string remove the quotes
    and use \ escapes instead.
    Platforms tested: RHEL6 x86_64, Windows 2008 x86_64
    Flag Day: no
    Doc impact: no

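The DN escaping the fix above describes, as an added example in Python (not 389-ds-base code): it escapes a cn value for use in an RDN per RFC 4514 section 2.4, the way slapi_create_dn_string does after stripping the double quotes the fix wraps around the value, and it shows why the unescaped DN from the error log splits into a bare "1" RDN and is rejected with error 34 (invalid DN syntax). The function names and the sample values are the example's own, taken from the LDIF in the description.

```python
"""RFC 4514 escaping of an attribute value used in an RDN.

Added example, not 389-ds-base code. The bug: the winsync plugin built the
AD DN from the raw cn value, so "testwinsyncsplDN,1" produced a DN with an
extra comma. The fix quotes the value and lets the DN normaliser replace
the quotes with backslash escapes; escape_rdn_value() does the same here.
"""
from typing import List

# Characters that must be backslash-escaped anywhere in an RDN value
# (RFC 4514 section 2.4); leading '#' and leading/trailing spaces are
# escaped as well, and NUL is written as \00.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Return value escaped so it can be embedded in an RDN as attr=value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def quoted_to_escaped(rdn_value: str) -> str:
    """Mirror the fix: a value wrapped in double quotes has the quotes
    removed and is emitted in backslash-escaped form instead."""
    if len(rdn_value) >= 2 and rdn_value[0] == rdn_value[-1] == '"':
        rdn_value = rdn_value[1:-1]
    return escape_rdn_value(rdn_value)


def build_ad_dn(cn: str, container: str) -> str:
    """Build the mapped AD DN the plugin would create for a DS entry,
    escaping the cn value (container is assumed already well-formed)."""
    return "cn=" + escape_rdn_value(cn) + "," + container


def split_rdns(dn: str) -> List[str]:
    """Split a DN string into its RDN strings, honouring backslash escapes
    so an escaped comma does not start a new RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def is_valid_dn(dn: str) -> bool:
    """Every RDN must have the form attr=value; a bare token such as the
    "1" left over from an unescaped comma is a DN syntax error."""
    return all("=" in rdn and rdn.split("=", 1)[0].strip() != ""
               for rdn in split_rdns(dn))


if __name__ == "__main__":
    # Constructed from the LDIF in the bug description.
    container = "ou=pass_sync,dc=win2k8sync64,dc=com"
    bad = "cn=testwinsyncsplDN,1," + container       # what the plugin built
    good = build_ad_dn("testwinsyncsplDN,1", container)  # what the fix builds
    print(bad, "->", "valid" if is_valid_dn(bad) else "invalid DN syntax")
    print(good, "->", "valid" if is_valid_dn(good) else "invalid DN syntax")
```

Running the block prints the unescaped DN from the log as invalid and the escaped one as valid; split_rdns shows where the difference comes from, since the unescaped DN yields five RDNs, the second of which is just "1".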
Comment 3 Chandrasekar Kannan 2011-09-16 21:33:35 UTC
ds-replication is no longer a component of RHEL. Folding back to 389-ds-base.

Comment 5 Amita Sharma 2011-09-21 17:19:23 UTC
Clone https://bugzilla.redhat.com/show_bug.cgi?id=725953 is already Verified, so marking this as Verified.

Comment 6 errata-xmlrpc 2011-12-06 17:55:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2011-1711.html