Bug 1044170 - [RFE] Allow memberOf suffixes to be configurable
Summary: [RFE] Allow memberOf suffixes to be configurable
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 1082754 1109759 1115294 1168850 1185102 1249775
 
Reported: 2013-12-17 21:39 UTC by Nathan Kinder
Modified: 2015-08-03 19:06 UTC (History)

Fixed In Version: 389-ds-base-1.3.3.1-10.el7
Doc Type: Known Issue
Doc Text:
Feature: A new configuration parameter is added to the memberof plugin: nsslapd-memberofScope: <dn>
Description: If the memberof plugin is enabled and a scope is defined, moving a group out of scope with a modrdn operation fails with (err=16). Moving a member entry out of scope correctly removes the memberof value.
Clone Of:
Environment:
Last Closed: 2015-03-05 09:32:08 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0416 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Nathan Kinder 2013-12-17 21:39:18 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47526

The memberOf plug-in currently doesn't allow you to restrict the suffixes it applies to.  It would be nice to be able to list the suffixes to include or exclude for memberOf operations.  There are a few scenarios to consider:

- If a user that is outside of one of the configured suffixes is added as a member to a group that is within one of the configured suffixes, no memberOf attribute should be added to the user.  This is the same behavior that happens today when you add a non-existent user DN as a member in a group.

- If a user entry is moved outside of one of the configured suffixes, any groups that reference the member would need to have the member attribute removed for that user, and the memberOf values would also need to be removed from the user.

- If a group is moved outside of one of the configured suffixes, any memberOf attributes that reference that group inside of user entries within the configured suffixes should be removed.  We need to decide if the member values should also be removed from the group or left as is.

This functionality is needed by FreeIPA for a user provisioning feature that is being designed.
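The three scope rules listed above are easy to get subtly wrong (in particular, scope membership must be decided on normalized RDN components, not on a raw string suffix, since the entries on this page mix ou=People and ou=people). The following is an added illustration, not 389-ds code: a small in-memory model of those rules. The class and method names are assumptions, and for the undecided third case it keeps the member values in the group that moved out of scope.

```python
# Added illustration of the memberOf scope rules from the ticket description.
# Not 389-ds code. Names below (Directory, in_scope, normalize_dn, run_scenarios)
# are assumptions made for this example; the toy does not handle escaped commas.


def normalize_dn(dn):
    """Split a DN into lower-cased RDN components (toy: no escaped commas)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def in_scope(dn, scopes):
    """True if dn is at or below one of the configured scope DNs.

    Compares RDN components rather than raw string suffixes, so
    'ou=People' matches 'ou=people' and 'xou=people,...' does not
    masquerade as 'ou=people,...'.
    """
    parts = normalize_dn(dn)
    for scope in scopes:
        sparts = normalize_dn(scope)
        if len(parts) >= len(sparts) and parts[-len(sparts):] == sparts:
            return True
    return False


class Directory:
    """Minimal DIT: normalized DN -> {attribute: set(values)}."""

    def __init__(self, scopes):
        self.scopes = list(scopes)
        self.entries = {}

    def _key(self, dn):
        return ",".join(normalize_dn(dn))

    def add(self, dn, attrs):
        entry = {a.lower(): set(v) for a, v in attrs.items()}
        self.entries[self._key(dn)] = entry
        if "member" in entry:
            self._link_members(dn, entry["member"])
        return entry

    def get(self, dn, attr):
        return set(self.entries.get(self._key(dn), {}).get(attr.lower(), ()))

    def _link_members(self, group_dn, members):
        # Rule 1: only members that exist AND are in scope get memberOf.
        # A non-existent or out-of-scope member DN is simply left alone.
        for m in members:
            if self._key(m) in self.entries and in_scope(m, self.scopes):
                self.entries[self._key(m)].setdefault("memberof", set()).add(group_dn)

    def modrdn(self, dn, newrdn, newsuperior):
        """Rename/move an entry, then apply the scope rules if it left scope."""
        entry = self.entries.pop(self._key(dn))
        new_dn = f"{newrdn},{newsuperior}"
        self.entries[self._key(new_dn)] = entry
        if in_scope(dn, self.scopes) and not in_scope(new_dn, self.scopes):
            if "member" in entry:
                self._group_left_scope(dn)
            else:
                self._member_left_scope(dn, entry)
        return new_dn

    def _group_left_scope(self, old_group_dn):
        # Rule 3: drop memberOf values that point at the moved group. Only
        # values actually present are touched, so nothing is deleted twice.
        # The group's own member values are left as-is (an assumption).
        target = self._key(old_group_dn)
        for e in self.entries.values():
            if e.get("memberof"):
                e["memberof"] = {v for v in e["memberof"] if self._key(v) != target}

    def _member_left_scope(self, old_dn, entry):
        # Rule 2: remove the member value from every group and memberOf from the entry.
        target = self._key(old_dn)
        for e in self.entries.values():
            if e.get("member"):
                e["member"] = {v for v in e["member"] if self._key(v) != target}
        entry.pop("memberof", None)


def run_scenarios():
    """Walk the three scenarios on constructed data shaped like the page's entries."""
    base = "dc=memofsuff,dc=com"
    d = Directory([f"ou=people,{base}"])
    for uid in ("tnewusr1", "tnewusr2", "tnewusr3"):
        d.add(f"uid={uid},ou=People,{base}", {"objectClass": ["person"]})
    d.add(f"uid=outsider,ou=Testing,{base}", {"objectClass": ["person"]})
    grp = f"cn=newgrp2,ou=People,{base}"
    d.add(grp, {"member": [f"uid=tnewusr1,ou=people,{base}",
                           f"uid=tnewusr2,ou=people,{base}",
                           f"uid=tnewusr3,ou=people,{base}",
                           f"uid=outsider,ou=Testing,{base}",   # out of scope
                           f"uid=ghost,ou=People,{base}"]})     # does not exist
    r = {}
    r["in_scope_user"] = d.get(f"uid=tnewusr1,ou=People,{base}", "memberOf")
    r["outsider"] = d.get(f"uid=outsider,ou=Testing,{base}", "memberOf")
    d.modrdn(f"uid=tnewusr3,ou=People,{base}", "uid=tnewusr3", f"ou=Testing,{base}")
    r["group_after_user_move"] = d.get(grp, "member")
    r["moved_user"] = d.get(f"uid=tnewusr3,ou=Testing,{base}", "memberOf")
    d.modrdn(grp, "cn=mynewgrp2", f"ou=testing,{base}")
    r["user_after_group_move"] = d.get(f"uid=tnewusr1,ou=People,{base}", "memberOf")
    r["moved_group"] = d.get(f"cn=mynewgrp2,ou=testing,{base}", "member")
    return r


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(k, sorted(v))
```

Running it shows the in-scope users gaining memberOf, the outsider and the non-existent DN getting nothing, the moved user disappearing from the group, and the users losing their memberOf when the group itself is moved below ou=testing.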

Comment 2 Sankar Ramalingam 2014-11-25 07:29:40 UTC
Enabling the memberOf plugin and configuring it with nsslapd-pluginConfigArea is failing. I think it crashes the server. I will reproduce the crash with the debuginfo packages and provide the stack trace.

1). Default plugin status: Off

ldapsearch -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=MemberOf Plugin,cn=plugins,cn=config"|egrep 'nsslapd-pluginEnabled|dn'
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: off

2). Enabling the plugin without nsslapd-pluginConfigArea

ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace:nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"

/usr/lib64/dirsrv/slapd-M1/restart-slapd 

ldapsearch -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=MemberOf Plugin,cn=plugins,cn=config" |egrep 'nsslapd-pluginEnabled|dn'
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: on

3). Adding nsslapd-pluginConfigArea to memberof plugin

ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea:ou=People,dc=memofsuff,dc=com
EOF
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"
ldap_result: Can't contact LDAP server (-1)

4). DS error logs...

[25/Nov/2014:12:50:13 +051800] - Listening on All Interfaces port 1616 for LDAPS requests
[25/Nov/2014:12:52:08 +051800] memberof-plugin - The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[25/Nov/2014:12:52:08 +051800] memberof-plugin - The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[25/Nov/2014:12:52:08 +051800] memberof-plugin -  ��


5). Some other error messages observed when trying to play around with the plugin...

[25/Nov/2014:12:27:47 +051800] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1
[25/Nov/2014:12:27:47 +051800] - slapd shutting down - closing down internal subsystems and plugins

[25/Nov/2014:12:27:48 +051800] - 389-Directory/1.3.3.1 B2014.317.2357 starting up
[25/Nov/2014:12:27:48 +051800] - I'm resizing my cache now...cache was 2621440 and is now 2097152
[25/Nov/2014:12:27:48 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:12:27:49 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:12:27:49 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:12:27:49 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:12:27:49 +051800] - Error: Failed to resolve plugin dependencies
[25/Nov/2014:12:27:49 +051800] - Error: betxnpostoperation plugin MemberOf Plugin is not started
[25/Nov/2014:12:28:51 +051800] - 389-Directory/1.3.3.1 B2014.317.2357 starting up

Comment 3 Sankar Ramalingam 2014-11-25 08:44:49 UTC
Error log messages when trying to restart the server...

[25/Nov/2014:14:03:57 +051800] memberof-plugin - The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[25/Nov/2014:14:03:57 +051800] memberof-plugin - The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[25/Nov/2014:14:03:57 +051800] memberof-plugin - 
[25/Nov/2014:14:04:57 +051800] - 389-Directory/1.3.3.1 B2014.317.2357 starting up
[25/Nov/2014:14:04:57 +051800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[25/Nov/2014:14:04:57 +051800] memberof-plugin - Error 53: The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[25/Nov/2014:14:04:58 +051800] memberof-plugin - configuration failed (Server is unwilling to perform)
[25/Nov/2014:14:04:58 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:14:04:58 +051800] memberof-plugin - only one memberOf plugin instance can be used
[25/Nov/2014:14:04:58 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[25/Nov/2014:14:04:58 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:14:04:58 +051800] memberof-plugin - only one memberOf plugin instance can be used
[25/Nov/2014:14:04:58 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[25/Nov/2014:14:04:58 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:14:04:58 +051800] memberof-plugin - only one memberOf plugin instance can be used
[25/Nov/2014:14:04:58 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[25/Nov/2014:14:04:58 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:14:04:58 +051800] - Error: Failed to resolve plugin dependencies
[25/Nov/2014:14:04:58 +051800] - Error: betxnpostoperation plugin MemberOf Plugin is not started

Comment 4 Sankar Ramalingam 2014-11-25 09:01:31 UTC
Build tested:
[root@vm-idm-035 ~]# rpm -qa 389-ds-base
389-ds-base-1.3.3.1-9.el7.x86_64

Comment 5 Nathan Kinder 2014-11-25 17:36:28 UTC
You are trying to test an alternate config area, but that feature is covered by bug 1044205.  This bug is for configuring the scope of entries that the memberOf plugin is supposed to operate on, not the configuration area.

The failure you are encountering is that you are trying to add nsslapd-pluginConfigArea to an already enabled memberOf plug-in on a running server.  This is not allowed, as the server was started with memberOf enabled without the alternate config area enabled.  The server then expects any changes to its plugin config entry to result in a valid configuration.  The proper way to configure memberOf is one of the following:

- Enable the plugin and set all of the required attributes in the plugin config entry, then restart ns-slapd.

- Enable the plugin, set alternate config area, then restart ns-slapd.

Comment 6 Nathan Kinder 2014-11-25 17:43:27 UTC
The description in comment#5 doesn't explain the crash, but does explain the config validation errors you are receiving (which may be part of the cause of the crash).

Comment 7 Nathan Kinder 2014-11-25 19:00:38 UTC
I am putting this bug back to the ON_QA status, as it was reopened due to a failure in a completely different feature (alternate config area support).  This new failure should be dealt with in bug 1044205, which is the feature bug for memberOf alternate config area support.

Comment 8 Sankar Ramalingam 2014-11-25 22:04:35 UTC
Configured memberOf plugin with new attributes:

nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: member
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.3.3.1
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: memberof plugin
nsslapd-memberofscope: ou=people,dc=memofsuff,dc=com
memberofallbackends: true
memberofentryscope: ou=people,dc=memofsuff,dc=com



[root@vm-idm-042 MMR_WINSYNC]# ldapsearch -x -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 -b "ou=people,dc=memofsuff,dc=com" dn memberof

# People, memofsuff.com
dn: ou=People,dc=memofsuff,dc=com

# tnewusr3, People, memofsuff.com
dn: uid=tnewusr3,ou=People,dc=memofsuff,dc=com
memberof: cn=newgrp2,ou=People,dc=memofsuff,dc=com

# tnewusr2, People, memofsuff.com
dn: uid=tnewusr2,ou=People,dc=memofsuff,dc=com
memberof: cn=newgrp2,ou=People,dc=memofsuff,dc=com

# tnewusr1, People, memofsuff.com
dn: uid=tnewusr1,ou=People,dc=memofsuff,dc=com
memberof: cn=newgrp2,ou=People,dc=memofsuff,dc=com

# newgrp2, People, memofsuff.com
dn: cn=newgrp2,ou=People,dc=memofsuff,dc=com


[root@vm-idm-042 MMR_WINSYNC]# ldapsearch -x -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 -b "ou=people,dc=memofsuff,dc=com" dn member

# People, memofsuff.com
dn: ou=People,dc=memofsuff,dc=com

# tnewusr3, People, memofsuff.com
dn: uid=tnewusr3,ou=People,dc=memofsuff,dc=com

# tnewusr2, People, memofsuff.com
dn: uid=tnewusr2,ou=People,dc=memofsuff,dc=com

# tnewusr1, People, memofsuff.com
dn: uid=tnewusr1,ou=People,dc=memofsuff,dc=com

# newgrp2, People, memofsuff.com
dn: cn=newgrp2,ou=People,dc=memofsuff,dc=com
member: uid=tnewusr3,ou=people,dc=memofsuff,dc=com
member: uid=tnewusr2,ou=people,dc=memofsuff,dc=com
member: uid=tnewusr1,ou=people,dc=memofsuff,dc=com

[root@vm-idm-042 MMR_WINSYNC]# ldapmodify -ax -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=newgrp2,ou=People,dc=memofsuff,dc=com
changetype: modrdn
newrdn: cn=mynewgrp2
deleteoldrdn: 0
newsuperior: ou=testing,dc=memofsuff,dc=com
EOF

modifying rdn of entry "cn=newgrp2,ou=People,dc=memofsuff,dc=com"
ldap_rename: No such attribute (16)



==> /var/log/dirsrv/slapd-testinst1/errors <==
[26/Nov/2014:03:21:49 +051800] memberof-plugin - memberof_postop_modrdn - delete dn callback failed for (cn=mynewgrp2,ou=Testing,dc=memofsuff,dc=com), error (16)


[root@vm-idm-042 MMR_WINSYNC]# ldapsearch -x -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 -b "ou=people,dc=memofsuff,dc=com" dn member

# People, memofsuff.com
dn: ou=People,dc=memofsuff,dc=com

# tnewusr3, People, memofsuff.com
dn: uid=tnewusr3,ou=People,dc=memofsuff,dc=com

# tnewusr2, People, memofsuff.com
dn: uid=tnewusr2,ou=People,dc=memofsuff,dc=com

# tnewusr1, People, memofsuff.com
dn: uid=tnewusr1,ou=People,dc=memofsuff,dc=com


memberOf attribute removed from the users. It's working. However, when I added another group with the same users to ou=people, the plugin failed to add the memberof attribute to the users.

[root@vm-idm-042 MMR_WINSYNC]# ldapmodify -ax -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 -f Group2.ldif 
adding new entry "cn=newgrp3,ou=people,dc=memofsuff,dc=com"

# tnewusr3, People, memofsuff.com
dn: uid=tnewusr3,ou=People,dc=memofsuff,dc=com

# tnewusr2, People, memofsuff.com
dn: uid=tnewusr2,ou=People,dc=memofsuff,dc=com

# tnewusr1, People, memofsuff.com
dn: uid=tnewusr1,ou=People,dc=memofsuff,dc=com

# newgrp3, People, memofsuff.com
dn: cn=newgrp3,ou=People,dc=memofsuff,dc=com
member: uid=tnewusr3,ou=people,dc=memofsuff,dc=com
member: uid=tnewusr2,ou=people,dc=memofsuff,dc=com
member: uid=tnewusr1,ou=people,dc=memofsuff,dc=com


Ds error logs:

==> /var/log/dirsrv/slapd-testinst1/errors <==
[26/Nov/2014:03:23:28 +051800] entryrdn-index - entryrdn_rename_subtree: Failed to read the target element "cn=mynewgrp2,ou=Testing,dc=memofsuff,dc=com" (-30988)
[26/Nov/2014:03:23:28 +051800] ldbm_back_modrdn - entryrdn_rename_subtree failed (-30988); dn: cn=mynewgrp2,ou=Testing,dc=memofsuff,dc=com, newsrdn: (null), dn_newsuperiordn: ou=Testing,dc=memofsuff,dc=com

The feature does not seem to be working completely. Hence, marking the bug as Assigned.

Comment 9 Noriko Hosoi 2014-12-05 00:29:27 UTC
Hi Ludwig,

It looks like this bug failed to verify.
Ticket #47526 - Allow memberOf suffixes to be configurable

Could you please take a look?

In Comment 8 (https://bugzilla.redhat.com/show_bug.cgi?id=1044170#c8), I wonder why this rename fails due to LDAP_NO_SUCH_ATTRIBUTE in the callback.  The modrdn is renaming the rdn as well as moving the entry outside of the scope.

[root@vm-idm-042 MMR_WINSYNC]# ldapmodify -ax -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=newgrp2,ou=People,dc=memofsuff,dc=com
changetype: modrdn
newrdn: cn=mynewgrp2
deleteoldrdn: 0
newsuperior: ou=testing,dc=memofsuff,dc=com
EOF

modifying rdn of entry "cn=newgrp2,ou=People,dc=memofsuff,dc=com"
ldap_rename: No such attribute (16)

==> /var/log/dirsrv/slapd-testinst1/errors <==
[26/Nov/2014:03:21:49 +051800] memberof-plugin - memberof_postop_modrdn - delete dn callback failed for (cn=mynewgrp2,ou=Testing,dc=memofsuff,dc=com), error (16)

Thanks!
--noriko

Comment 10 Sankar Ramalingam 2014-12-10 13:32:02 UTC
Hi Ludwig, can you clarify the issues listed here?

Comment 11 Ludwig 2014-12-10 14:01:26 UTC
I'll investigate this

Comment 12 Ludwig 2014-12-10 14:34:14 UTC
Regarding the test in comment #8, it is failing with err=16, which I need to investigate, but the memberof was not removed: the following search was for member, not memberof.

Comment 13 Ludwig 2014-12-10 15:11:16 UTC
Looks like the check for the return code of memberof_del_dn_type_callback() was introduced with ticket 47810.
When I had implemented the memberof scope this was not noticed, the feature seemed to work. Need to check why memberof_del_dn_type_callback() is failing or why it should be ignored.

Comment 14 Sankar Ramalingam 2014-12-10 18:38:34 UTC
Can you please add a Doc text for the list of issues and change the Doc type as known issue?

Comment 15 Ludwig 2014-12-11 12:58:10 UTC
I would prefer to fix it, instead of marking as known issue.

Looks like only moving an entry out of scope removes the memberof, but moving a group out of scope doesn't work.

Comment 16 Sankar Ramalingam 2014-12-11 13:03:15 UTC
The RHEL 7.1 Beta compose is already out with the 389-ds-base-1.3.3.1-9 build. It will be a known issue for the Beta customers. Later, we can change the Doc text once the feature is tested thoroughly. So, we need to explain in the doc text which operation would fail and the consequences.

Comment 17 Ludwig 2014-12-11 13:35:20 UTC
doc text added

Comment 18 Sankar Ramalingam 2014-12-24 15:38:49 UTC
Memberof plugin configured with 
nsslapd-memberofscope: ou=people,dc=newmemof,dc=com
memberofentryscope: ou=groups,dc=newmemof,dc=com

is working fine for new group additions as well as modrdn operations. Hence, marking the bug as verified.

Build tested:

[root@mgmt9 MMR_WINSYNC]# rpm -qa 389-ds-base
389-ds-base-1.3.3.1-10.el7.x86_64

Comment 20 errata-xmlrpc 2015-03-05 09:32:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html

