This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/415

Steps:
0) add a cn=Test User1 to AD - see that it is synced over to DS
1) add an entry to AD with a member: DN that only exists in AD - for example
   member: cn=Administrator,cn=Users,dc=example,dc=com
2) see that the ADD is synced over to DS - the DS will see that member is DN valued and try to map appropriately
   member: uid=administrator,ou=people,dc=example,dc=com
3) Change the member attribute in AD to a real user that is synced over
   member: cn=Test User1,cn=Users,dc=example,dc=com

DS will not update member because the code in windows_generate_update_mods() attempts to verify the existence of the DN member attribute value in DS in order to generate a mod/delete before doing the mod/add for the new value.
0) Add test entries to AD - see that it is synced over to DS

$ ldapmodify -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com -a << EOF
dn: CN=AD_ONLY,cn=users,dc=adrelm,dc=com
objectClass: top
objectClass: user
cn: AD_ONLY
uid: AD_ONLY
sAMAccountName: AD_ONLY
distinguishedName: CN=AD_ONLY,cn=users,dc=adrelm,dc=com

dn: CN=AD_AND_DS,cn=users,dc=adrelm,dc=com
objectClass: top
objectClass: user
cn: AD_AND_DS
sn: AD_AND_DS
uid: AD_AND_DS
sAMAccountName: AD_AND_DS
distinguishedName: CN=AD_AND_DS,cn=users,dc=adrelm,dc=com

dn: CN=grp0,cn=users,dc=adrelm,dc=com
objectClass: top
objectClass: Group
cn: grp0
distinguishedName: CN=grp0,cn=users,dc=adrelm,dc=com
name: grp0
sAMAccountName: grp0
EOF
adding new entry "CN=AD_ONLY,cn=users,dc=adrelm,dc=com"
adding new entry "CN=AD_AND_DS,cn=users,dc=adrelm,dc=com"
adding new entry "CN=grp0,cn=users,dc=adrelm,dc=com"

1) Add an entry to AD with a member: DN that only exists in AD

$ ldapmodify -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com << EOF
dn: CN=grp0,cn=users,DC=adrelm,DC=com
changetype: modify
add: member
member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
EOF
modifying entry "CN=grp0,cn=users,DC=adrelm,DC=com"

2) See that the ADD is synced over to DS - the DS will see that member is DN valued and try to map appropriately

$ ldapsearch -LLL -H ldap://localhost:1189 -D "cn=Directory Manager" -w Secret123 -x -b dc=example,dc=com "(cn=grp*)" uniquemember
dn: cn=grp0,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_ONLY,ou=dswinsync,dc=example,dc=com

3) Change the member attribute in AD to a real user that is synced over

$ ldapmodify -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com << EOF
dn: CN=grp0,CN=Users,DC=adrelm,DC=com
changetype: modify
replace: member
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
EOF
modifying entry "CN=grp0,CN=Users,DC=adrelm,DC=com"

4) MOD is synced over to DS

$ ldapsearch -LLL -H ldap://localhost:1189 -D "cn=Directory Manager" -w Secret123 -x -b dc=example,dc=com "(cn=grp*)" uniquemember
dn: cn=grp0,ou=dswinsync,dc=example,dc=com
uniquemember: uid=AD_AND_DS,ou=dswinsync,dc=example,dc=com

Marking as VERIFIED
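The following is an added model of the update-mod generation described in the bug description and exercised by the verification steps above; it is illustration code written for this page, not 389 Directory Server's windows_generate_update_mods(). It shows why a stale DN-valued value matters: when the delete of the old uniquemember is skipped because its target entry is missing in DS, the add of the new member is skipped too, and grp0 keeps an authorization-relevant membership that AD no longer has. The CN-to-uid mapping rule, the in-memory DS "directory", and the DN strings are assumptions taken from the reproduction steps; DN normalization is simplified (no escaping support).

```python
"""Model of winsync update-mod generation for a DN-valued attribute.

Hypothetical illustration written for this page; it is not 389 Directory
Server code. It reproduces the reported behaviour (a stale DS value naming a
non-existent DS entry blocks the whole update) beside a variant that always
emits the delete/add pair. The mapping rule, the DS "directory" and all
names below are assumptions taken from the reproduction steps.
"""

AD_SUFFIX = "cn=users,dc=adrelm,dc=com"          # assumed synced AD subtree
DS_SUFFIX = "ou=dswinsync,dc=example,dc=com"     # assumed synced DS subtree


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form for comparisons (no escaping support)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def map_ad_dn_to_ds(ad_dn):
    """Map CN=<name>,<AD_SUFFIX> to uid=<name>,<DS_SUFFIX>, keeping the name's case."""
    rdn, sep, parent = ad_dn.partition(",")
    if not sep or normalize_dn(parent) != normalize_dn(AD_SUFFIX):
        raise ValueError(f"not under the synced AD subtree: {ad_dn}")
    attr, _, value = rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"expected a cn= RDN: {ad_dn}")
    return f"uid={value.strip()},{DS_SUFFIX}"


def ds_entry_exists(ds_directory, dn):
    return normalize_dn(dn) in {normalize_dn(d) for d in ds_directory}


def generate_update_mods(attr, ds_values, ad_values, ds_directory, require_old_in_ds):
    """Return (op, attr, value) mods turning ds_values into the mapped ad_values.

    require_old_in_ds=True models the reported bug: a stale value is only deleted
    if the entry it names exists in DS, and because the add is generated after
    the delete, a stale value pointing at a missing entry drops the whole update.
    """
    wanted = [map_ad_dn_to_ds(v) for v in ad_values]
    wanted_norm = {normalize_dn(v) for v in wanted}
    current_norm = {normalize_dn(v) for v in ds_values}
    mods = []
    for old in ds_values:
        if normalize_dn(old) in wanted_norm:
            continue
        if require_old_in_ds and not ds_entry_exists(ds_directory, old):
            return []          # bug: give up, the attribute is never updated
        mods.append(("delete", attr, old))
    for new in wanted:
        if normalize_dn(new) not in current_norm:
            mods.append(("add", attr, new))
    return mods


def apply_mods(values, mods):
    """Apply delete/add mods to a value list, as the DS would."""
    result = list(values)
    for op, _attr, value in mods:
        if op == "delete":
            result = [v for v in result if normalize_dn(v) != normalize_dn(value)]
        elif op == "add" and not any(normalize_dn(v) == normalize_dn(value) for v in result):
            result.append(value)
    return result


# Constructed DS contents after step 0: AD_AND_DS and grp0 synced, AD_ONLY absent
# (it has no sn, so it never became a DS user entry).
DS_DIRECTORY = [
    "uid=AD_AND_DS,ou=dswinsync,dc=example,dc=com",
    "cn=grp0,ou=dswinsync,dc=example,dc=com",
]
AD_ONLY = "CN=AD_ONLY,CN=Users,DC=adrelm,DC=com"
AD_AND_DS = "CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com"


def run_scenario(require_old_in_ds):
    """Steps 1-3 of the reproduction; returns grp0's uniquemember after each step."""
    # steps 1-2: AD adds an AD-only member; DS maps it although the target is not in DS
    after_add = apply_mods([], generate_update_mods(
        "uniquemember", [], [AD_ONLY], DS_DIRECTORY, require_old_in_ds))
    # step 3: AD replaces member with a user that does exist in DS
    after_replace = apply_mods(after_add, generate_update_mods(
        "uniquemember", after_add, [AD_AND_DS], DS_DIRECTORY, require_old_in_ds))
    return after_add, after_replace


if __name__ == "__main__":
    for mode, flag in (("buggy", True), ("fixed", False)):
        print(mode, run_scenario(flag))
```

Running the block prints the two outcomes side by side: in buggy mode grp0 still lists uid=AD_ONLY after step 3, which is the state the verification's step 4 confirms is gone in the fixed server. The practical check on a real deployment is the same ldapsearch for uniquemember on the DS side after every AD-side change to member, comparing against AD rather than trusting that the sync succeeded.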
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0416.html