This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/47603

The referint plug-in currently uses its main plug-in config entry in cn=config for the referint configuration. This doesn't allow the referint configuration to be replicated across all masters in a replicated environment. We should add support for using an alternate config area that is in a normal backend. We already do this for other plug-ins by using nsslapd-pluginConfigArea in the main plug-in config entry.
$ rpm -qa | grep 389
389-ds-base-1.3.3.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-9.el7.x86_64
389-ds-base-libs-1.3.3.1-9.el7.x86_64

Basic functionality works for this RFE, but there is an undefined behaviour when a pluginConfigArea entry containing options is renamed (see test case [7]). Also see [2], there is a minor issue with a missing error message.

Test cases

[0] Create MMR setup

[1] Enable plugin on M1, restart the server
$ ldapmodify -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 << EOF
dn: cn=referential integrity postoperation,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF
modifying entry "cn=referential integrity postoperation,cn=plugins,cn=config"

$ sudo systemctl restart dirsrv.target
$ ldapsearch -LLL -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 -b 'cn=referential integrity postoperation,cn=plugins,cn=config' nsslapd-pluginEnabled
dn: cn=referential integrity postoperation,cn=plugins,cn=config
nsslapd-pluginEnabled: on
RESULT: PASS

[2] Try to add nsslapd-pluginConfigArea with a nonexistent DN - server should prevent it.
$ ldapmodify -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 << EOF
dn: cn=referential integrity postoperation,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea: cn=referintConfig,dc=example,dc=com
EOF
modifying entry "cn=referential integrity postoperation,cn=plugins,cn=config"
ldap_modify: Operations error (1)
RESULT: PASS
But there is no message in the error logs saying what's wrong. It would be nice to have one similar to the messages in [3].

[3] Add config area without the required args
$ ldapmodify -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 -a << EOF
dn: cn=referintConfig,dc=example,dc=com
objectClass: extensibleObject
objectClass: nsContainer
objectClass: top
cn: referintConfig
EOF
adding new entry "cn=referintConfig,dc=example,dc=com"

Try to add nsslapd-pluginConfigArea again as in [2]. It fails and the server complains in the error logs:
referint-plugin - referint_postop_del, args are NULL
RESULT: PASS

[4] Add config area with some required args
Repeat [3], adding the required attributes to cn=referintConfig. When one of them is missing, the server complains about it in the error logs:
referint-plugin - Plugin configuration is missing referint-update-delay
referint-plugin - Plugin configuration is missing referint-logfile
referint-plugin - Plugin configuration is missing referint-logchanges
RESULT: PASS

[5] Add config area with all required args
$ ldapmodify -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 -a << EOF
dn: cn=referintConfig,dc=example,dc=com
objectClass: extensibleObject
objectClass: nsContainer
objectClass: top
cn: referintConfig
referint-update-delay: 0
referint-logfile: /var/log/dirsrv/slapd-M1/referint
referint-logchanges: 0
referint-membership-attr: member
referint-membership-attr: uniquemember
referint-membership-attr: owner
referint-membership-attr: seeAlso
EOF
adding new entry "cn=referintConfig,dc=example,dc=com"

$ ldapmodify -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 << EOF
dn: cn=referential integrity postoperation,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea: cn=referintConfig,dc=example,dc=com
EOF
modifying entry "cn=referential integrity postoperation,cn=plugins,cn=config"
RESULT: PASS

[6] Check that nsslapd-pluginConfigArea overrides cn=config plugin options:

[6.1] Remove referint-membership-attr: uniquemember from the cn=config plugin configuration; referint-membership-attr: uniquemember should still be present in pluginConfigArea
$ ldapsearch -LLL -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 -b 'cn=referential integrity postoperation,cn=plugins,cn=config' referint-membership-attr
dn: cn=referential integrity postoperation,cn=plugins,cn=config
referint-membership-attr: member
referint-membership-attr: owner
referint-membership-attr: seeAlso

$ ldapsearch -LLL -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 -b 'cn=referintConfig,dc=example,dc=com' referint-membership-attr
dn: cn=referintConfig,dc=example,dc=com
referint-membership-attr: member
referint-membership-attr: uniquemember
referint-membership-attr: owner
referint-membership-attr: seeAlso

[6.2] Modify an entry that is a member of groupOfUniqueNames - uniqueMember should be updated accordingly
Before update:
$ ldapsearch -LLL -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 -b 'cn=group1,ou=People,dc=example,dc=com' uniqueMember
dn: cn=group1,ou=People,dc=example,dc=com
uniqueMember: cn=user1,ou=People,dc=example,dc=com
uniqueMember: cn=user2,ou=People,dc=example,dc=com

Modify an entry:
$ ldapmodify -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 << EOF
dn: cn=user1,ou=People,dc=example,dc=com
changetype: modrdn
newrdn: cn=user1_modified
deleteoldrdn: 1
newsuperior: ou=People,dc=example,dc=com
EOF
modifying rdn of entry "cn=user1,ou=People,dc=example,dc=com"

After update:
$ ldapsearch -LLL -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 -b 'cn=group1,ou=People,dc=example,dc=com' uniqueMember
dn: cn=group1,ou=People,dc=example,dc=com
uniqueMember: cn=user2,ou=People,dc=example,dc=com
uniqueMember: cn=user1_modified,ou=people,dc=example,dc=com

[6.3] Remove referint-membership-attr: uniquemember from pluginConfigArea
$ ldapmodify -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 << EOF
dn: cn=referintConfig,dc=example,dc=com
changetype: modify
replace: referint-membership-attr
referint-membership-attr: member
referint-membership-attr: owner
referint-membership-attr: seeAlso
EOF
modifying entry "cn=referintConfig,dc=example,dc=com"

[6.4] Modify an entry that is a member of groupOfUniqueNames - uniqueMember should not be updated
$ ldapmodify -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 << EOF
dn: cn=user2,ou=People,dc=example,dc=com
changetype: modrdn
newrdn: cn=user2_modified
deleteoldrdn: 1
newsuperior: ou=People,dc=example,dc=com
EOF
modifying rdn of entry "cn=user2,ou=People,dc=example,dc=com"

After update:
$ ldapsearch -LLL -D 'cn=Directory Manager' -w Secret123 -H ldap://localhost:1189 -b 'cn=group1,ou=People,dc=example,dc=com' uniqueMember
dn: cn=group1,ou=People,dc=example,dc=com
uniqueMember: cn=user2,ou=People,dc=example,dc=com
uniqueMember: cn=user1_modified,ou=people,dc=example,dc=com
RESULT: PASS

[7] Test MODRDN on PluginConfigArea for referint
PluginConfigArea contains:
referint-membership-attr: member
referint-membership-attr: uniquemember
referint-membership-attr: owner
referint-membership-attr: seeAlso

cn=referential integrity postoperation,cn=plugins,cn=config contains:
referint-membership-attr: member
referint-membership-attr: owner
referint-membership-attr: seeAlso

MODRDN on entries updates uniqueMember in groupOfUniqueNames as expected.

[7.1] Rename cn=referintConfig,dc=example,dc=com to cn=referintConfig_disabled,dc=example,dc=com
Do MODRDN on an entry that is a member of groupOfUniqueNames - server updates groupOfUniqueNames -> FAIL
In my opinion, this is undefined behaviour, since the server doesn't have a valid runtime configuration for referint (pluginConfigArea points to a nonexistent dn, but options from it were used).

Possible solutions:
a) Server should not allow renaming of a dn that is a value of pluginConfigArea.
b) Server should fall back to cn=config options if pluginConfigArea contains an invalid dn during runtime.
c) Server should maintain integrity of pluginConfigArea.

[7.2] Remove referint-membership-attr: uniquemember from cn=referintConfig_disabled. Rename it back to cn=referintConfig. Do MODRDN on an entry that is a member of groupOfUniqueNames - server updates groupOfUniqueNames, but there is no uniquemember in referint-membership-attr -> FAIL

[7.3] Add back referint-membership-attr: uniquemember. Do MODRDN on an entry that is a member of groupOfUniqueNames - server updates groupOfUniqueNames -> PASS

[7.4] Remove referint-membership-attr: uniquemember. Do MODRDN on an entry that is a member of groupOfUniqueNames - server doesn't update it, as expected -> PASS

RESULT: FAIL
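The checks the server performs in test cases [2], [4] and [7.1] can be reproduced offline against an LDIF export, which is a useful pre-flight before pointing nsslapd-pluginConfigArea at a replicated entry. This is an added example, not code from the bug or from 389-ds-base; it assumes a constructed LDIF sample and a deliberately minimal parser (no base64 values, no folded lines).

```python
REQUIRED = ("referint-update-delay", "referint-logfile", "referint-logchanges")
PLUGIN_DN = "cn=referential integrity postoperation,cn=plugins,cn=config"
# Constructed LDIF mirroring [5]/[6.1]: uniquemember only in the config area.
SAMPLE_LDIF = """\
dn: cn=referential integrity postoperation,cn=plugins,cn=config
nsslapd-pluginConfigArea: cn=referintConfig,dc=example,dc=com
referint-membership-attr: member
referint-membership-attr: owner
referint-membership-attr: seeAlso

dn: cn=referintConfig,dc=example,dc=com
referint-update-delay: 0
referint-logfile: /var/log/dirsrv/slapd-M1/referint
referint-logchanges: 0
referint-membership-attr: member
referint-membership-attr: uniquemember
referint-membership-attr: owner
referint-membership-attr: seeAlso
"""

def parse_ldif(text):
    """Minimal LDIF parser (no '::' base64, no folded lines): dn -> {attr: [values]}."""
    entries, cur = {}, None
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries[cur["dn"].lower()] = cur["attrs"]   # DNs compared case-insensitively
            cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()   # attribute names are case-insensitive
        if attr == "dn":
            cur = {"dn": value, "attrs": {}}
        elif cur is not None:
            cur["attrs"].setdefault(attr, []).append(value)
    return entries

def check_referint(ldif_text):
    """Return (problems, effective referint-membership-attr values)."""
    entries = parse_ldif(ldif_text)
    plugin = entries[PLUGIN_DN.lower()]
    area = plugin.get("nsslapd-pluginconfigarea")
    if not area:   # no config area set: the cn=config options apply
        return [], plugin.get("referint-membership-attr", [])
    cfg = entries.get(area[0].lower())
    if cfg is None:   # the [7.1] situation: the entry the plug-in points at is gone
        return ["config area DN does not exist: " + area[0]], []
    # Same wording as the server's error-log lines quoted in test case [4]
    problems = ["Plugin configuration is missing " + a for a in REQUIRED if a not in cfg]
    return problems, cfg.get("referint-membership-attr", [])
```

Feeding the validator a dump in which the config area was renamed reports the dangling DN instead of silently keeping stale options, which is the behaviour [7.1] shows the server lacking.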
Marking it as Verified since the basic functionality works fine. Only moving/renaming of configuration entry fails. Requesting Viktor to open a new bug for the failed test case.
New bug: https://bugzilla.redhat.com/show_bug.cgi?id=1171682
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0416.html