This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47529

When a MODRDN operation moves an entry into the configured scope of the automember plug-in, we should process the automember rules just as we do for an ADD operation. If the entry is already within the automember scope and is being moved elsewhere, the automember should just ignore it as it does today.

This functionality is needed by FreeIPA for a user provisioning feature that is being proposed.
Created two suffixes as...
dc=testsuff,dc=com - for automembers configuration
dc=testsuff2,dc=com - for automember scope and default group

Configured automember plugin as...

[root@vm-idm-035 MMR_WINSYNC]# ldapmodify -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn:cn=Auto Membership Plugin,cn=plugins,cn=config
changetype: modify
add: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea: dc=testsuff,dc=com
EOF

[root@vm-idm-035 MMR_WINSYNC]# ldapmodify -a -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=People2,dc=testsuff,dc=com
objectclass: autoMemberDefinition
autoMemberScope: ou=Groups,dc=testsuff2,dc=com
autoMemberFilter: uid=newusr*
autoMemberDefaultGroup: cn=newgrp1,ou=People,dc=testsuff2,dc=com
autoMemberGroupingAttr: member:dn
EOF

Added a new group - cn=newgrp1,ou=People,dc=testsuff2,dc=com

Added a few users to ou=groups and ou=people. Then ran modrdn to check whether this issue is fixed.

Users moved from the automember scope to outside are still keeping the member attribute in groups, whereas the entries moved from outside into the automember scope are creating member attributes in the groups, as when a new user is added.

Users newusr1, newusr2 and newusr3 added to ou=groups. User newusr4 added to ou=people.

# newgrp1, People, testsuff2.com
dn: cn=newgrp1,ou=People,dc=testsuff2,dc=com
objectClass: top
objectClass: groupOfNames
cn: newgrp1
member: uid=newusr3,ou=groups,dc=testsuff2,dc=com
member: uid=newusr1,ou=groups,dc=testsuff2,dc=com
member: uid=newusr2,ou=groups,dc=testsuff2,dc=com

Then, completed modrdn for users in ou=people and ou=groups.
[root@vm-idm-035 MMR_WINSYNC]# ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=newusr4,ou=People,dc=testsuff2,dc=com
changetype: modrdn
newrdn: uid=newusr5
deleteoldrdn: 1
newsuperior: ou=groups,dc=testsuff2,dc=com
EOF

[root@vm-idm-035 MMR_WINSYNC]# ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=newusr2,ou=groups,dc=testsuff2,dc=com
changetype: modrdn
newrdn: uid=newusr6
deleteoldrdn: 1
newsuperior: ou=people,dc=testsuff2,dc=com
EOF

The end result is ...

# newgrp1, People, testsuff2.com
dn: cn=newgrp1,ou=People,dc=testsuff2,dc=com
objectClass: top
objectClass: groupOfNames
cn: newgrp1
member: uid=newusr3,ou=groups,dc=testsuff2,dc=com
member: uid=newusr1,ou=groups,dc=testsuff2,dc=com
member: uid=newusr2,ou=groups,dc=testsuff2,dc=com
member: uid=newusr5,ou=groups,dc=testsuff2,dc=com

Hence, marking the bug as Verified.
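
Added example, not part of the comment above and not the plug-in's own code: a small Python model of the rule this bug introduces, replaying the ADD and MODRDN operations from the verification and listing member values that no longer name a live entry. The DN normalisation and the RDN-only filter check are simplifying assumptions, and all function names are hypothetical.

```python
import fnmatch

# Values copied from the automember definition in the comment above.
SCOPE = "ou=Groups,dc=testsuff2,dc=com"
FILTER = ("uid", "newusr*")          # autoMemberFilter: uid=newusr*
BASE = "dc=testsuff2,dc=com"

def norm(dn):
    # Simplified normalisation (assumption): no escaped commas in RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(dn):
    d, s = norm(dn), norm(SCOPE)
    return d == s or d.endswith("," + s)

def matches(dn):
    # The test entries carry uid in the RDN, so the filter is checked there.
    attr, _, value = norm(dn).split(",")[0].partition("=")
    return attr == FILTER[0] and fnmatch.fnmatchcase(value, FILTER[1])

def on_add(members, dn):
    if in_scope(dn) and matches(dn):
        members.append(dn)

def on_modrdn(members, old_dn, new_rdn, new_superior):
    new_dn = f"{new_rdn},{new_superior}"
    # Only a move INTO scope is treated like an ADD; a move out is ignored,
    # so the old member value is left in the group.
    if not in_scope(old_dn) and in_scope(new_dn) and matches(new_dn):
        members.append(new_dn)
    return new_dn

def replay():
    members, live = [], set()
    for uid, ou in (("newusr3", "groups"), ("newusr1", "groups"),
                    ("newusr2", "groups"), ("newusr4", "People")):
        dn = f"uid={uid},ou={ou},{BASE}"
        on_add(members, dn)
        live.add(norm(dn))
    for old, rdn, sup in (
        (f"uid=newusr4,ou=People,{BASE}", "uid=newusr5", f"ou=groups,{BASE}"),
        (f"uid=newusr2,ou=groups,{BASE}", "uid=newusr6", f"ou=people,{BASE}"),
    ):
        live.discard(norm(old))
        live.add(norm(on_modrdn(members, old, rdn, sup)))
    stale = [m for m in members if norm(m) not in live]
    return members, stale

if __name__ == "__main__":
    print(replay())
```

The member list it returns is the same as the "end result" group entry above, and the stale list holds the one value left behind by the move out of scope.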
Automember plugin fails to add user entries if the DefaultGroup is not present.

I manually removed the group entry which was added in the automember definition as "autoMemberDefaultGroup:", then the user add fails.

[root@vm-idm-035 MMR_WINSYNC]# AddNDSUsr newusr2 "dc=testsuff2,dc=com" "localhost" ou=groups 1189
adding new entry uid=newusr2,ou=groups,dc=testsuff2,dc=com
ldap_add: DSA is unwilling to perform
ldap_add: additional info: Automember Plugin update unexpectedly failed.

==> /var/log/dirsrv/slapd-M1/errors <==
[20/Nov/2014:19:04:25 +051800] auto-membership-plugin - automember_add_member_value: Unable to add "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).
[20/Nov/2014:19:04:25 +051800] auto-membership-plugin - automember_add_member_value: Unable to add "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).
(In reply to Sankar Ramalingam from comment #3)
> Automember plugin fails to add user entries if the DefaultGroup not present.
>
> I manually removed the group entry which was added in the automember
> definition as "autoMemberDefaultGroup:", then the user add fails.
>
> [root@vm-idm-035 MMR_WINSYNC]# AddNDSUsr newusr2 "dc=testsuff2,dc=com"
> "localhost" ou=groups 1189
> adding new entry uid=newusr2,ou=groups,dc=testsuff2,dc=com
> ldap_add: DSA is unwilling to perform
> ldap_add: additional info: Automember Plugin update unexpectedly failed.
>
>
> ==> /var/log/dirsrv/slapd-M1/errors <==
> [20/Nov/2014:19:04:25 +051800] auto-membership-plugin -
> automember_add_member_value: Unable to add
> "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group
> "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).
> [20/Nov/2014:19:04:25 +051800] auto-membership-plugin -
> automember_add_member_value: Unable to add
> "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group
> "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).

What is the concern? This seems like the correct result to me. If there is no group, how can we add members to it?
(In reply to mreynolds from comment #4)
> (In reply to Sankar Ramalingam from comment #3)
> > Automember plugin fails to add user entries if the DefaultGroup not present.
> >
> > I manually removed the group entry which was added in the automember
> > definition as "autoMemberDefaultGroup:", then the user add fails.
> >
> > [root@vm-idm-035 MMR_WINSYNC]# AddNDSUsr newusr2 "dc=testsuff2,dc=com"
> > "localhost" ou=groups 1189
> > adding new entry uid=newusr2,ou=groups,dc=testsuff2,dc=com
> > ldap_add: DSA is unwilling to perform
> > ldap_add: additional info: Automember Plugin update unexpectedly failed.
> >
> >
> > ==> /var/log/dirsrv/slapd-M1/errors <==
> > [20/Nov/2014:19:04:25 +051800] auto-membership-plugin -
> > automember_add_member_value: Unable to add
> > "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group
> > "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).
> > [20/Nov/2014:19:04:25 +051800] auto-membership-plugin -
> > automember_add_member_value: Unable to add
> > "uid=newusr2,ou=groups,dc=testsuff2,dc=com" as a "member" value to group
> > "cn=newgrp1,ou=People,dc=testsuff2,dc=com" (No such object).
>
> What is the concern? This seems like the correct result to me. If there is
> no group, how can we add members to it?

I learnt that, with the backend transaction plug-in, the automembership plugin is expected to reject the add operation. This is working as per design.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html