Bug 868841

Summary: Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error
Product: Red Hat Enterprise Linux 6
Component: 389-ds-base
Version: 6.4
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Sankar Ramalingam <sramling>
Assignee: Rich Megginson <rmeggins>
QA Contact: Sankar Ramalingam <sramling>
CC: jgalipea, nhosoi, nkinder, syeghiay
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: 389-ds-base-1.2.11.15-4.el6
Doc Type: Bug Fix
Doc Text:
Cause: Even if an entry in AD does not have all the required attributes for the posix account entry, the entry is being synchronized to the directory server as a posix account entry.
Consequence: The synchronization fails due to the missing attribute error.
Fix: If the entry does not have all the required attributes, the posix account related attributes are dropped and the entry is synchronized as an ordinary entry.
Result: Even if there are missing posix account related attributes, the entry is successfully synchronized.
Last Closed: 2013-02-21 08:21:07 UTC
Type: Bug
Bug Blocks: 881827    

Description Sankar Ramalingam 2012-10-22 09:26:12 UTC
Description of problem: Synchronization of newly created users from AD to DS fails with missing attribute "uidNumber" required by object class "posixAccount". The user is created with organizationalPerson objectClass in AD. 

Version-Release number of selected component (if applicable): 389-ds-base-1.2.11.15-2

How reproducible: Consistently

Steps to Reproduce:
1. Install the latest build of 389-ds-base-1.2.11 on RHEL64.
2. Create an instance and configure winsync.
3. Enable Posix Winsync plugin - "cn=Posix Winsync API,cn=plugins,cn=config"
4. Run full sync to create the existing users from DS to AD and vice versa.
5. Create a few posix users on AD with posixAccount objectClass, uidNumber and gidNumber attributes.
6. Check whether the users synced to DS. Successfully created user on DS.
7. Create a normal user without posixAccount (with organizationalPerson) objectClass from AD.
8. Check whether users synced to DS. Failed to create user on DS.
  
Actual results: 
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "uidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "gidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] NSMMReplicationPlugin - add operation of entry uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com returned: 65

Expected results:
Winsync should support the normal user synchronization as well.


Additional info: This looks like a regression.
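
Added example (not part of the original report, and not 389-ds-base code): a Python script that scans a Directory Server errors log for the failure signature shown under "Actual results", pairing each rejected add (result 65, objectClassViolation) with the missing-attribute lines logged for the same DN. The function name, the regular expressions and the lowercase DN normalization are assumptions; the sample log is the three lines quoted in the report.

```python
import re
from collections import defaultdict

# Sample input: the three errors-log lines quoted in the report above.
SAMPLE_LOG = '''\
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "uidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "gidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] NSMMReplicationPlugin - add operation of entry uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com returned: 65
'''

OBJECT_CLASS_VIOLATION = 65  # LDAP result code objectClassViolation

# Assumed patterns, written to match the line shapes shown in the report.
MISSING_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - Entry "(?P<dn>[^"]+)" missing attribute '
    r'"(?P<attr>[^"]+)" required by object class "(?P<oc>[^"]+)"')
ADD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - add operation of entry '
    r'(?P<dn>.+) returned: (?P<rc>\d+)\s*$')


def failed_syncs(log_text):
    """Return {dn: {"rc": int, "missing": {objectclass: [attrs]}}} for every
    entry whose synchronized add was rejected with a schema violation."""
    missing = defaultdict(lambda: defaultdict(list))
    failed = {}
    for line in log_text.splitlines():
        m = MISSING_RE.match(line)
        if m:
            dn = m["dn"].lower()  # DNs compare case-insensitively (assumed normalization)
            if m["attr"] not in missing[dn][m["oc"]]:
                missing[dn][m["oc"]].append(m["attr"])
            continue
        m = ADD_RE.match(line)
        if m and int(m["rc"]) == OBJECT_CLASS_VIOLATION:
            dn = m["dn"].lower()
            # Attach the schema complaints logged for this DN before the add failed.
            complaints = missing.pop(dn, {})
            failed[dn] = {"rc": int(m["rc"]),
                          "missing": {oc: list(a) for oc, a in complaints.items()}}
    return failed


if __name__ == "__main__":
    for dn, info in failed_syncs(SAMPLE_LOG).items():
        for oc, attrs in info["missing"].items():
            print(f"{dn}: add rejected (rc={info['rc']}); {oc} lacks {', '.join(attrs)}")
```

Entries reported with posixAccount missing uidNumber or gidNumber match the failure described in this bug.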

Comment 2 Noriko Hosoi 2012-10-29 23:37:46 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/500

Comment 3 Noriko Hosoi 2012-11-13 19:49:45 UTC
These are the verification steps.  Please note that this change is included in 389-ds-base-1.2.11.15-4.el6 or after.

Verification steps:
test case 1) add a user entry to AD, which contains required attributes: unixHomeDirectory, uidNumber, gidNumber. The entry is supposed to be synchronized to the DS as a posix entry which includes:

objectclass: posixaccount
homeDirectory: <home directory>
uidNumber: <uid number>
gidNumber: <gid number>

test case 2) add a user entry to AD, which contains no required attributes, but an allowed attribute, loginShell. The entry is supposed to be synchronized to the DS as an ordinary entry which does not include any posix account related attributes.

test case 3) modify an ordinary entry on AD to add required attributes unixHomeDirectory, uidNumber, gidNumber. The entry on the DS is supposed to become a posix account entry with the above attributes.

test case 4) modify an ordinary entry on AD to add no required attributes, but an allowed attribute loginShell. The modification is supposed to be ignored.

Comment 5 Sankar Ramalingam 2012-11-27 13:14:14 UTC
The above mentioned tests successfully passed after upgrading the 389-ds-base package to 1.2.11.15-4. Hence marking the bug as Verified.

Comment 6 errata-xmlrpc 2013-02-21 08:21:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html