Bug 1006563 - automember rebuild membership not working as expected
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Rich Megginson
QA Contact: Sankar Ramalingam
Reported: 2013-09-10 16:14 EDT by Nathan Kinder
Modified: 2014-06-17 22:59 EDT
Fixed In Version: 389-ds-base-1.3.1.6-4.el7
Doc Type: Bug Fix
Doc Text:
Cause: Misconfiguration of the "basedn" value in the automember rebuild task, e.g. the base DN is the parent of the configuration scope DN.
Consequence: If the base DN specified is not under the automember plugin scope, the task fails to rebuild any entry.
Fix: Regardless of the base DN specified, the task still follows the automember configuration scope.
Result: The automember rebuild task works as expected.
Last Closed: 2014-06-13 07:05:37 EDT
Description Nathan Kinder 2013-09-10 16:14:11 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47507

Trying to test out the automember rebuild membership task, for the purpose of integrating it into freeipa (see ticket https://fedorahosted.org/freeipa/ticket/3752), but I can't get it to work.

I am testing on F19, with the following packages:
{{{
freeipa-admintools-3.3.0-2.fc19.x86_64
freeipa-client-3.3.0-2.fc19.x86_64
freeipa-server-3.3.0-2.fc19.x86_64
freeipa-python-3.3.0-2.fc19.x86_64
389-ds-base-devel-1.3.1.7-1.fc19.x86_64
389-ds-base-1.3.1.7-1.fc19.x86_64
389-ds-base-libs-1.3.1.7-1.fc19.x86_64
}}}

Reproduction:
{{{
1. Install FreeIPA server:
# ipa-server-install

2. Authenticate as admin:
# kinit admin

3. Add a hostgroup:
# ipa hostgroup-add --desc="Web Servers" webservers

4. Add a host:
# ipa host-add web1.example.com --force

5. Add an automember rule:
# ipa automember-add --type=hostgroup webservers
# ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers

6. Verify that automember rule works by adding a new host:
# ipa host-add web2.example.com --force
# ipa hostgroup-show webservers
  Host-group: webservers
  Description: Web Servers
  Member hosts: web2.example.com

7. Try to rebuild membership:
# cat rebuild.ldif 
dn: cn=rt,cn=automember rebuild membership,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: rt
basedn: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
filter: (fqdn=*)
scope: sub

# ldapmodify -x -D 'cn=directory manager' -w blablabla -f rebuild.ldif
adding new entry "cn=rt,cn=automember rebuild membership,cn=tasks,cn=config"

8. Host web1.example.com is still not a member of hostgroup webservers:
# ipa hostgroup-show webservers
  Host-group: webservers
  Description: Web Servers
  Member hosts: web2.example.com
}}}

Expected:
{{{
8. After rebuilding memberships, host web1.example.com should become a member of hostgroup webservers.
}}}
Comment 1 Rich Megginson 2013-10-01 19:25:53 EDT
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata).  When the errata is created, the bugs should be automatically moved back to ON_QA.
Comment 3 Sankar Ramalingam 2014-02-20 11:07:08 EST
[root@rhel7ui ~]# ipa hostgroup-add --desc="Web Servers" webservers
----------------------------
Added hostgroup "webservers"
----------------------------
  Host-group: webservers
  Description: Web Servers
[root@rhel7ui ~]# ipa host-add web1.example.com --force
-----------------------------
Added host "web1.example.com"
-----------------------------
  Host name: web1.example.com
  Principal name: host/web1.example.com@TESTRELM.COM
  Password: False
  Keytab: False
  Managed by: web1.example.com
[root@rhel7ui ~]# ipa automember-add --type=hostgroup webservers
----------------------------------
Added automember rule "webservers"
----------------------------------
  Automember Rule: webservers
[root@rhel7ui ~]# ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
----------------------------------
Added condition(s) to "webservers"
----------------------------------
  Automember Rule: webservers
  Inclusive Regex: fqdn=^web[1-9]+.example.com
----------------------------
Number of conditions added 1
----------------------------
[root@rhel7ui ~]# ipa host-add web2.example.com --force
-----------------------------
Added host "web2.example.com"
-----------------------------
  Host name: web2.example.com
  Principal name: host/web2.example.com@TESTRELM.COM
  Password: False
  Member of host-groups: webservers
  Indirect Member of netgroup: webservers
  Keytab: False
  Managed by: web2.example.com
[root@rhel7ui ~]# ipa hostgroup-show webservers
  Host-group: webservers
  Description: Web Servers
  Member hosts: web2.example.com

[root@rhel7ui ~]# cat rebuild.ldif 
dn: cn=rt,cn=automember rebuild membership,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: rt
basedn: dc=rhel7ui,dc=testrelm,dc=com
filter: (fqdn=*)
scope: sub
[root@rhel7ui ~]# hostname
rhel7ui.testrelm.com

[root@rhel7ui ~]# ldapmodify -x -D 'cn=directory manager' -w Secret123 -f rebuild.ldif
adding new entry "cn=rt,cn=automember rebuild membership,cn=tasks,cn=config"

[root@rhel7ui ~]# ipa hostgroup-show webservers
  Host-group: webservers
  Description: Web Servers
  Member hosts: web2.example.com


Rebuilding of membership is expected to add host "web1.example.com" as a member of hostgroup webservers, but it's not.


Build tested:

[root@rhel7ui ~]# rpm -qa |grep -i 389-ds-base
389-ds-base-libs-1.3.1.6-14.el7.x86_64
389-ds-base-1.3.1.6-14.el7.x86_64
[root@rhel7ui ~]# rpm -qa |grep -i ipa-server
ipa-server-3.3.3-12.el7.x86_64
Comment 4 mreynolds 2014-02-20 11:30:50 EST
(In reply to Sankar Ramalingam from comment #3)
> [root@rhel7ui ~]# ipa hostgroup-add --desc="Web Servers" webservers
> ----------------------------
> Added hostgroup "webservers"
> ----------------------------
>   Host-group: webservers
>   Description: Web Servers
> [root@rhel7ui ~]# ipa host-add web1.example.com --force
> -----------------------------
> Added host "web1.example.com"
> -----------------------------
>   Host name: web1.example.com
>   Principal name: host/web1.example.com@TESTRELM.COM
>   Password: False
>   Keytab: False
>   Managed by: web1.example.com
> [root@rhel7ui ~]# ipa automember-add --type=hostgroup webservers
> ----------------------------------
> Added automember rule "webservers"
> ----------------------------------
>   Automember Rule: webservers
> [root@rhel7ui ~]# ipa automember-add-condition --key=fqdn --type=hostgroup
> --inclusive-regex=^web[1-9]+\.example\.com webservers
> ----------------------------------
> Added condition(s) to "webservers"
> ----------------------------------
>   Automember Rule: webservers
>   Inclusive Regex: fqdn=^web[1-9]+.example.com
> ----------------------------
> Number of conditions added 1
> ----------------------------
> [root@rhel7ui ~]# ipa host-add web2.example.com --force
> -----------------------------
> Added host "web2.example.com"
> -----------------------------
>   Host name: web2.example.com
>   Principal name: host/web2.example.com@TESTRELM.COM
>   Password: False
>   Member of host-groups: webservers
>   Indirect Member of netgroup: webservers
>   Keytab: False
>   Managed by: web2.example.com
> [root@rhel7ui ~]# ipa hostgroup-show webservers
>   Host-group: webservers
>   Description: Web Servers
>   Member hosts: web2.example.com
> 
> [root@rhel7ui ~]# cat rebuild.ldif 
> dn: cn=rt,cn=automember rebuild membership,cn=tasks,cn=config
> changetype: add
> objectClass: top
> objectClass: extensibleObject
> cn: rt
> basedn: dc=rhel7ui,dc=testrelm,dc=com
> filter: (fqdn=*)
> scope: sub
> [root@rhel7ui ~]# hostname
> rhel7ui.testrelm.com
> 
> [root@rhel7ui ~]# ldapmodify -x -D 'cn=directory manager' -w Secret123 -f
> rebuild.ldif
> adding new entry "cn=rt,cn=automember rebuild membership,cn=tasks,cn=config"
> 
> [root@rhel7ui ~]# ipa hostgroup-show webservers
>   Host-group: webservers
>   Description: Web Servers
>   Member hosts: web2.example.com
> 
> 
> Rebuilding of membership is expected to add host "web1.example.com" as a
> member of hostgroup webservers, but it's not.
> 
> 
> Build tested:
> 
> [root@rhel7ui ~]# rpm -qa |grep -i 389-ds-base
> 389-ds-base-libs-1.3.1.6-14.el7.x86_64
> 389-ds-base-1.3.1.6-14.el7.x86_64
> [root@rhel7ui ~]# rpm -qa |grep -i ipa-server
> ipa-server-3.3.3-12.el7.x86_64

It looks like you might be testing this backwards, but I cannot say for sure. Can you please provide the automember plugin configuration? And the actual DNs of the groups and hostgroups? Or can you provide the machine info so I can take a look?

So the bug should be reproduced like this:

automember scope:  ou=people,dc=example,dc=com

But if you run a task using a basedn (dc=example,dc=com), it will not work, as it expects (ou=people,dc=example,dc=com) - even though "dc=example,dc=com" should cover "ou=people,dc=example,dc=com".  So with this fix, using "dc=example,dc=com" in the task now works - even though the plugin config is at a lower branch.
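
The scope mismatch described in comment 4, as an added example that is not part of the bug report or of the 389-ds-base source: it models the reported pre-fix behaviour and the fixed behaviour on constructed entries. The function names, the sample entries and the simplified DN comparison are assumptions.

```python
# Added illustration: models the behaviour described in this bug report.
# Not 389-ds-base code. DN handling is simplified (no escaped commas).

# Constructed: the task entry from this page with comment 4's example basedn.
TASK_LDIF = """\
dn: cn=rt,cn=automember rebuild membership,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: rt
basedn: dc=example,dc=com
filter: (uid=*)
scope: sub
"""
SCOPE = "ou=people,dc=example,dc=com"  # automember scope from comment 4
ENTRIES = [  # constructed sample entries
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=svc,ou=services,dc=example,dc=com",
]

def task_attrs(ldif):
    """Parse one LDIF record into a dict (keys lower-cased, last value wins)."""
    pairs = (line.split(":", 1) for line in ldif.splitlines() if ":" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def rdns(dn):
    """Split a DN into normalised RDNs: lower-case, surrounding spaces removed."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def is_under(dn, base):
    """True when dn equals base or sits below it in the tree."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def rebuilt_before_fix(entries, task_base, config_scope):
    """Reported behaviour: nothing is rebuilt unless the task basedn is
    itself inside the automember scope."""
    if not is_under(task_base, config_scope):
        return []
    return [e for e in entries if is_under(e, task_base)]

def rebuilt_after_fix(entries, task_base, config_scope):
    """Fixed behaviour: entries found under the task basedn are each
    checked against the automember scope."""
    return [e for e in entries
            if is_under(e, task_base) and is_under(e, config_scope)]

if __name__ == "__main__":
    base = task_attrs(TASK_LDIF)["basedn"]
    print(rebuilt_before_fix(ENTRIES, base, SCOPE), rebuilt_after_fix(ENTRIES, base, SCOPE))
```

With the parent DN as the task basedn, the pre-fix model rebuilds nothing, while the fixed model rebuilds only the entry inside the automember scope and leaves the entry under ou=services alone.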
Comment 5 Namita Soman 2014-02-20 14:54:04 EST
Verified using ipa-server-3.3.3-18.el7.x86_64, 389-ds-base-1.3.1.6-18.el7.x86_64

Steps taken:
3. Add a hostgroup:
# ipa hostgroup-add --desc="Web Servers" webservers
----------------------------
Added hostgroup "webservers"
----------------------------
  Host-group: webservers
  Description: Web Servers

4. Add a host:
# ipa host-add web1.testrelm.test --force
-------------------------------
Added host "web1.testrelm.test"
-------------------------------
  Host name: web1.testrelm.test
  Principal name: host/web1.testrelm.test@TESTRELM.TEST
  Password: False
  Keytab: False
  Managed by: web1.testrelm.test

5. Add an automember rule:
# ipa automember-add --type=hostgroup webservers
----------------------------------
Added automember rule "webservers"
----------------------------------
  Automember Rule: webservers

# ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.testrelm\.test webservers
----------------------------------
Added condition(s) to "webservers"
----------------------------------
  Automember Rule: webservers
  Inclusive Regex: fqdn=^web[1-9]+.testrelm.test
----------------------------
Number of conditions added 1
----------------------------

6. Verify that automember rule works by adding a new host:
# ipa host-add web2.testrelm.test --force
-------------------------------
Added host "web2.testrelm.test"
-------------------------------
  Host name: web2.testrelm.test
  Principal name: host/web2.testrelm.test@TESTRELM.TEST
  Password: False
  Member of host-groups: webservers
  Indirect Member of netgroup: webservers
  Keytab: False
  Managed by: web2.testrelm.test

# ipa hostgroup-show webservers
  Host-group: webservers
  Description: Web Servers
  Member hosts: web2.testrelm.test

7. Try to rebuild membership:
# cat rebuild.ldif 
dn: cn=rt,cn=automember rebuild membership,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: rt
basedn: dc=testrelm,dc=test
filter: (fqdn=*)
scope: sub

# ldapmodify -x -D 'cn=directory manager' -w Secret123 -f rebuild.ldif 
adding new entry "cn=rt,cn=automember rebuild membership,cn=tasks,cn=config"


8. Host web1.testrelm.test is a member of hostgroup webservers:
# ipa hostgroup-show webservers
  Host-group: webservers
  Description: Web Servers
  Member hosts: web2.testrelm.test, web1.testrelm.test
Comment 6 Ludek Smid 2014-06-13 07:05:37 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
