This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47507

Trying to test out the automember rebuild membership task, for the purpose of integrating it into freeipa (see ticket https://fedorahosted.org/freeipa/ticket/3752), but I can't get it to work.

I am testing on F19, with the following packages:
{{{
freeipa-admintools-3.3.0-2.fc19.x86_64
freeipa-client-3.3.0-2.fc19.x86_64
freeipa-server-3.3.0-2.fc19.x86_64
freeipa-python-3.3.0-2.fc19.x86_64
389-ds-base-devel-1.3.1.7-1.fc19.x86_64
389-ds-base-1.3.1.7-1.fc19.x86_64
389-ds-base-libs-1.3.1.7-1.fc19.x86_64
}}}

Reproduction:
{{{
1. Install FreeIPA server:
# ipa-server-install

2. Authenticate as admin:
# kinit admin

3. Add a hostgroup:
# ipa hostgroup-add --desc="Web Servers" webservers

4. Add a host:
# ipa host-add web1.example.com --force

5. Add an automember rule:
# ipa automember-add --type=hostgroup webservers
# ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers

6. Verify that automember rule works by adding a new host:
# ipa host-add web2.example.com --force
# ipa hostgroup-show webservers
Host-group: webservers
Description: Web Servers
Member hosts: web2.example.com

7. Try to rebuild membership:
# cat rebuild.ldif
dn: cn=rt,cn=automember rebuild membership,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: rt
basedn: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
filter: (fqdn=*)
scope: sub

# ldapmodify -x -D 'cn=directory manager' -w blablabla -f rebuild.ldif
adding new entry "cn=rt,cn=automember rebuild membership,cn=tasks,cn=config"

8. Host web1.example.com is still not a member of hostgroup webservers:
# ipa hostgroup-show webservers
Host-group: webservers
Description: Web Servers
Member hosts: web2.example.com
}}}

Expected:
{{{
8. After rebuilding memberships, host web1.example.com should become a member of hostgroup webservers.
}}}
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata). When the errata is created, the bugs should be automatically moved back to ON_QA.
[root@rhel7ui ~]# ipa hostgroup-add --desc="Web Servers" webservers
----------------------------
Added hostgroup "webservers"
----------------------------
Host-group: webservers
Description: Web Servers
[root@rhel7ui ~]# ipa host-add web1.example.com --force
-----------------------------
Added host "web1.example.com"
-----------------------------
Host name: web1.example.com
Principal name: host/web1.example.com
Password: False
Keytab: False
Managed by: web1.example.com
[root@rhel7ui ~]# ipa automember-add --type=hostgroup webservers
----------------------------------
Added automember rule "webservers"
----------------------------------
Automember Rule: webservers
[root@rhel7ui ~]# ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
----------------------------------
Added condition(s) to "webservers"
----------------------------------
Automember Rule: webservers
Inclusive Regex: fqdn=^web[1-9]+.example.com
----------------------------
Number of conditions added 1
----------------------------
[root@rhel7ui ~]# ipa host-add web2.example.com --force
-----------------------------
Added host "web2.example.com"
-----------------------------
Host name: web2.example.com
Principal name: host/web2.example.com
Password: False
Member of host-groups: webservers
Indirect Member of netgroup: webservers
Keytab: False
Managed by: web2.example.com
[root@rhel7ui ~]# ipa hostgroup-show webservers
Host-group: webservers
Description: Web Servers
Member hosts: web2.example.com

[root@rhel7ui ~]# cat rebuild.ldif
dn: cn=rt,cn=automember rebuild membership,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: rt
basedn: dc=rhel7ui,dc=testrelm,dc=com
filter: (fqdn=*)
scope: sub
[root@rhel7ui ~]# hostname
rhel7ui.testrelm.com

[root@rhel7ui ~]# ldapmodify -x -D 'cn=directory manager' -w Secret123 -f rebuild.ldif
adding new entry "cn=rt,cn=automember rebuild membership,cn=tasks,cn=config"

[root@rhel7ui ~]# ipa hostgroup-show webservers
Host-group: webservers
Description: Web Servers
Member hosts: web2.example.com

Rebuilding of membership is expected to add host "web1.example.com" as a member of hostgroup webservers, but it's not.

Build tested:

[root@rhel7ui ~]# rpm -qa |grep -i 389-ds-base
389-ds-base-libs-1.3.1.6-14.el7.x86_64
389-ds-base-1.3.1.6-14.el7.x86_64
[root@rhel7ui ~]# rpm -qa |grep -i ipa-server
ipa-server-3.3.3-12.el7.x86_64
(In reply to Sankar Ramalingam from comment #3)
> [root@rhel7ui ~]# ipa hostgroup-add --desc="Web Servers" webservers
> ----------------------------
> Added hostgroup "webservers"
> ----------------------------
> Host-group: webservers
> Description: Web Servers
> [root@rhel7ui ~]# ipa host-add web1.example.com --force
> -----------------------------
> Added host "web1.example.com"
> -----------------------------
> Host name: web1.example.com
> Principal name: host/web1.example.com
> Password: False
> Keytab: False
> Managed by: web1.example.com
> [root@rhel7ui ~]# ipa automember-add --type=hostgroup webservers
> ----------------------------------
> Added automember rule "webservers"
> ----------------------------------
> Automember Rule: webservers
> [root@rhel7ui ~]# ipa automember-add-condition --key=fqdn --type=hostgroup
> --inclusive-regex=^web[1-9]+\.example\.com webservers
> ----------------------------------
> Added condition(s) to "webservers"
> ----------------------------------
> Automember Rule: webservers
> Inclusive Regex: fqdn=^web[1-9]+.example.com
> ----------------------------
> Number of conditions added 1
> ----------------------------
> [root@rhel7ui ~]# ipa host-add web2.example.com --force
> -----------------------------
> Added host "web2.example.com"
> -----------------------------
> Host name: web2.example.com
> Principal name: host/web2.example.com
> Password: False
> Member of host-groups: webservers
> Indirect Member of netgroup: webservers
> Keytab: False
> Managed by: web2.example.com
> [root@rhel7ui ~]# ipa hostgroup-show webservers
> Host-group: webservers
> Description: Web Servers
> Member hosts: web2.example.com
>
> [root@rhel7ui ~]# cat rebuild.ldif
> dn: cn=rt,cn=automember rebuild membership,cn=tasks,cn=config
> changetype: add
> objectClass: top
> objectClass: extensibleObject
> cn: rt
> basedn: dc=rhel7ui,dc=testrelm,dc=com
> filter: (fqdn=*)
> scope: sub
> [root@rhel7ui ~]# hostname
> rhel7ui.testrelm.com
>
> [root@rhel7ui ~]# ldapmodify -x -D 'cn=directory manager' -w Secret123 -f
> rebuild.ldif
> adding new entry "cn=rt,cn=automember rebuild membership,cn=tasks,cn=config"
>
> [root@rhel7ui ~]# ipa hostgroup-show webservers
> Host-group: webservers
> Description: Web Servers
> Member hosts: web2.example.com
>
>
> Rebuilding of membership is expected to add host "web1.example.com" as a
> member of hostgroup webservers, but it's not.
>
>
> Build tested:
>
> [root@rhel7ui ~]# rpm -qa |grep -i 389-ds-base
> 389-ds-base-libs-1.3.1.6-14.el7.x86_64
> 389-ds-base-1.3.1.6-14.el7.x86_64
> [root@rhel7ui ~]# rpm -qa |grep -i ipa-server
> ipa-server-3.3.3-12.el7.x86_64

It looks like you might be testing this backwards, but I cannot say for sure. Can you please provide the automember plugin configuration? And the actual DNs of the groups and hostgroups? Or can you provide the machine info so I can take a look?

So the bug should be reproduced like this:

automember scope: ou=people,dc=example,dc=com

But if you run a task using a basedn (dc=example,dc=com), it will not work, as it expects (ou=people,dc=example,dc=com) - even though "dc=example,dc=com" should cover "ou=people,dc=example,dc=com".

So with this fix, using "dc=example,dc=com" in the task now works - even though the plugin config is at a lower branch.
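
Added example, not part of the original comments and not 389-ds code: a simplified Python model of the scope check described in the comment above, showing why a rebuild task whose basedn sits above the automember scope added nobody before the fix and picks up the pre-existing host afterwards. The container DN, the `fixed` switch and all function names are assumptions made for illustration; the regex is the one from the report.

```python
import re

def rdns(dn):
    """Split a DN into normalised RDNs; an escaped comma (\\,) stays inside its RDN."""
    parts = re.findall(r"(?:\\.|[^,\\])+", dn)
    # Simplification: compare case-insensitively and ignore spaces around '='.
    return [re.sub(r"\s*=\s*", "=", p.strip(), count=1).lower() for p in parts]

def is_within(dn, base):
    """True when dn equals base or lies in the subtree below it."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def task_applies(task_basedn, rule_scope, fixed):
    """Does a rebuild task with this basedn process a rule with this scope?"""
    if is_within(task_basedn, rule_scope):  # basedn at or below the rule scope
        return True
    # Behaviour described for the fix: a basedn above the scope covers it too.
    return fixed and is_within(rule_scope, task_basedn)

def rebuild(entries, rule, task_basedn, fixed):
    """Return the fqdns the task would place in the rule's target group."""
    if not task_applies(task_basedn, rule["scope"], fixed):
        return []
    return sorted(fqdn for dn, fqdn in entries
                  if is_within(dn, task_basedn) and is_within(dn, rule["scope"])
                  and re.search(rule["inclusive_regex"], fqdn))

# Constructed sample data; the container DN is an assumption, the regex is from the report.
SCOPE = "cn=computers,cn=accounts,dc=example,dc=com"
RULE = {"scope": SCOPE, "inclusive_regex": r"^web[1-9]+\.example\.com"}
ENTRIES = [(f"fqdn={h},{SCOPE}", h) for h in
           ("web1.example.com", "web2.example.com", "web10.example.com", "db1.example.com")]

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "before fix",
              rebuild(ENTRIES, RULE, "dc=example,dc=com", fixed))
```

The constructed host web10.example.com is left out in both modes because `[1-9]+` does not accept the digit 0, which is worth checking when a hostgroup populated by such a rule is used in access rules.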
Verified using ipa-server-3.3.3-18.el7.x86_64, 389-ds-base-1.3.1.6-18.el7.x86_64

Steps taken:

3. Add a hostgroup:
# ipa hostgroup-add --desc="Web Servers" webservers
----------------------------
Added hostgroup "webservers"
----------------------------
Host-group: webservers
Description: Web Servers

4. Add a host:
# ipa host-add web1.testrelm.test --force
-------------------------------
Added host "web1.testrelm.test"
-------------------------------
Host name: web1.testrelm.test
Principal name: host/web1.testrelm.test
Password: False
Keytab: False
Managed by: web1.testrelm.test

5. Add an automember rule:
# ipa automember-add --type=hostgroup webservers
----------------------------------
Added automember rule "webservers"
----------------------------------
Automember Rule: webservers
# ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.testrelm\.test webservers
----------------------------------
Added condition(s) to "webservers"
----------------------------------
Automember Rule: webservers
Inclusive Regex: fqdn=^web[1-9]+.testrelm.test
----------------------------
Number of conditions added 1
----------------------------

6. Verify that automember rule works by adding a new host:
# ipa host-add web2.testrelm.test --force
-------------------------------
Added host "web2.testrelm.test"
-------------------------------
Host name: web2.testrelm.test
Principal name: host/web2.testrelm.test
Password: False
Member of host-groups: webservers
Indirect Member of netgroup: webservers
Keytab: False
Managed by: web2.testrelm.test
# ipa hostgroup-show webservers
Host-group: webservers
Description: Web Servers
Member hosts: web2.testrelm.test

7. Try to rebuild membership:
# cat rebuild.ldif
dn: cn=rt,cn=automember rebuild membership,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: rt
basedn: dc=testrelm,dc=test
filter: (fqdn=*)
scope: sub

# ldapmodify -x -D 'cn=directory manager' -w Secret123 -f rebuild.ldif
adding new entry "cn=rt,cn=automember rebuild membership,cn=tasks,cn=config"

8. Host web1.testrelm.test is a member of hostgroup webservers:
# ipa hostgroup-show webservers
Host-group: webservers
Description: Web Servers
Member hosts: web2.testrelm.test, web1.testrelm.test
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.