Bug 1118066 - [RFE] memberof scope: allow to exclude subtrees
Summary: [RFE] memberof scope: allow to exclude subtrees
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-09 23:15 UTC by Noriko Hosoi
Modified: 2020-09-13 21:07 UTC (History)

Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 09:36:19 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
valgrind-20141120-001350-rhel7ds.out (61.99 KB, text/plain)
2014-11-20 00:16 UTC, Viktor Ashirov


Links
Github 389ds/389-ds-base issue 1160 (last updated 2020-09-13 21:07:46 UTC)
Red Hat Product Errata RHSA-2015:0416, status SHIPPED_LIVE: Important: 389-ds-base security, bug fix, and enhancement update (last updated 2015-03-05 14:26:33 UTC)

Description Noriko Hosoi 2014-07-09 23:15:14 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47829

MemberOf allows scoping a specific part of the subtree (memberOfEntryScope).

There is no way to exclude subtrees that are under 'memberOfEntryScope'.
For example, if we want to scope all entries under SUFFIX except 'cn=provisioning,SUFFIX'.

It should introduce a new config attribute: memberOfExcludeSubtree.
The new attribute is multivalued, DN syntax.

This enhancement is required for https://fedorahosted.org/freeipa/ticket/3813, where the memberof plugin should scope SUFFIX except 'Stage' and 'Delete' entries (under cn=provisioning,SUFFIX).

Comment 3 Viktor Ashirov 2014-11-20 00:14:47 UTC
MODDN and MODRDN fail when an entry doesn't have a memberOf attribute and the new DN is in the scope of memberOfExcludeSubtree.
I see the following error message in the errors log:
> [20/Nov/2014:00:16:35 +0100] memberof-plugin - memberof_postop_modrdn - delete dn callback failed for (uid=user1,ou=Deleted,ou=People,dc=example,dc=com), error (16)

Steps to reproduce:
1. make a fresh install of DS

2. enable memberOf plugin:
$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
add: memberofallbackends
memberofallbackends: on
-
replace: memberofgroupattr
memberofgroupattr: member
memberofgroupattr: uniqueMember
-
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
EOF

3. create test entries:
$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: ou=Deleted,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: organizationalunit
ou: Deleted

dn: cn=group0,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: group0

dn: uid=user0,ou=People,dc=example,dc=com
changetype: add
uid: user0
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user0
sn: user0

dn: uid=user1,ou=People,dc=example,dc=com
changetype: add
uid: user1
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user1
sn: user1
EOF

4. configure scope of the memberOf plugin to include suffix and exclude ou=Deleted
$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
add: memberofentryscope
memberofentryscope: dc=example,dc=com
-
add: memberofentryscopeexcludesubtree
memberofentryscopeexcludesubtree: ou=Deleted,ou=People,dc=example,dc=com
EOF

5. restart the server
$ sudo systemctl restart dirsrv.target

6. add user0 to group0
$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: cn=group0,ou=Groups,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=user0,ou=people,dc=example,dc=com
EOF

7. check that user0 has memberOf attribute and user1 doesn't:
$ ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com  -LLL  "(uid=user*)" memberOf
dn: uid=user0,ou=People,dc=example,dc=com
memberOf: cn=group0,ou=Groups,dc=example,dc=com

dn: uid=user1,ou=People,dc=example,dc=com

8. MODDN user0 and user1 to ou=Deleted:
$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: uid=user0,ou=People,dc=example,dc=com
changetype: moddn
newrdn: uid=user0
deleteoldrdn: 1
newsuperior: ou=Deleted,ou=People,dc=example,dc=com
EOF
ldap_initialize( ldap://localhost:389 )
modifying rdn of entry "uid=user0,ou=People,dc=example,dc=com"
	new RDN: "uid=user0" (do not keep existing values)
rename complete

$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: uid=user1,ou=People,dc=example,dc=com
changetype: moddn
newrdn: uid=user1
deleteoldrdn: 1
newsuperior: ou=Deleted,ou=People,dc=example,dc=com
EOF
ldap_initialize( ldap://localhost:389 )
modifying rdn of entry "uid=user1,ou=People,dc=example,dc=com"
	new RDN: "uid=user1" (do not keep existing values)
ldap_rename: No such attribute (16)

9. check for memberOf attribute:
$ ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com  -LLL  "(uid=user*)" memberOf
dn: uid=user0,ou=Deleted,ou=People,dc=example,dc=com

dn: uid=user1,ou=Deleted,ou=People,dc=example,dc=com

The memberOf attribute was successfully stripped from user0.

10. restart the server

11. search for user0 and user1 again:
$ ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com  -LLL  "(uid=user*)" dn
dn: uid=user0,ou=Deleted,ou=People,dc=example,dc=com

dn: uid=user1,ou=People,dc=example,dc=com

Looks like the transaction of MODDN of user1 was aborted.
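
The scope and rename rules exercised by the steps above, as an added Python model that is not 389-ds-base code and not part of this bug's attachments: an entry is in scope when it lies under a memberOfEntryScope value and under no memberOfEntryScopeExcludeSubtree value, and a rename out of scope should strip memberOf only when the attribute is actually present, since a blind delete is the "No such attribute (16)" failure seen in step 8. Function and constant names are assumptions; DN matching is a simplified string comparison that ignores escaped commas.

```python
# Added model of the memberOf plugin scope rules discussed in this bug.
# Not 389-ds-base code; names are illustrative. DN comparison is a simplified
# string match (no handling of escaped commas or multi-valued RDNs).

# Values from step 4 of the reproduction (constructed test configuration).
ENTRY_SCOPES = ["dc=example,dc=com"]
EXCLUDE_SUBTREES = ["ou=Deleted,ou=People,dc=example,dc=com"]


def norm_dn(dn):
    """Lower-case a DN and strip whitespace around each RDN, so that
    'uid=user0,ou=people,dc=example,dc=com' (step 6) matches 'ou=People'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, base):
    """True when dn is base itself or an entry below base."""
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


def in_memberof_scope(dn, scopes=ENTRY_SCOPES, excludes=EXCLUDE_SUBTREES):
    """The plugin handles an entry that sits under some memberOfEntryScope
    value and under no memberOfEntryScopeExcludeSubtree value."""
    included = any(is_under(dn, s) for s in scopes)
    excluded = any(is_under(dn, x) for x in excludes)
    return included and not excluded


def modrdn_postop(entry, new_dn, scopes=ENTRY_SCOPES, excludes=EXCLUDE_SUBTREES):
    """Modification a post-op should apply after moving `entry` to `new_dn`.

    Returns ('delete', 'memberOf') when the entry leaves the scope and still
    carries memberOf, None otherwise. Deleting memberOf from an entry that
    never had it is the noSuchAttribute (err=16) failure from step 8."""
    if in_memberof_scope(new_dn, scopes, excludes):
        return None  # still in scope: nothing to strip here
    has_memberof = any(attr.lower() == "memberof" for attr in entry)
    return ("delete", "memberOf") if has_memberof else None


def reproduce():
    """Replay steps 7 and 8: user0 is a group member, user1 is not."""
    user0 = {"uid": ["user0"], "memberOf": ["cn=group0,ou=Groups,dc=example,dc=com"]}
    user1 = {"uid": ["user1"]}
    target = "ou=Deleted,ou=People,dc=example,dc=com"
    return {
        "user0": modrdn_postop(user0, "uid=user0," + target),
        "user1": modrdn_postop(user1, "uid=user1," + target),
    }
```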

Comment 4 Viktor Ashirov 2014-11-20 00:16:37 UTC
Created attachment 959205 [details]
valgrind-20141120-001350-rhel7ds.out

Comment 5 thierry bordaz 2014-11-26 17:38:56 UTC
Thanks to your test case, I reproduced the bug, but in Python.

In my test we can see that the MODRDN of 'user2' ('user1' in your TC) reports a failure:

[26/Nov/2014:18:02:28 +0100] conn=2 op=12 MODRDN dn="cn=user2,cn=accounts,cn=in,dc=example,dc=com" newrdn="cn=user2" newsuperior="cn=deleted users,cn=provisioning,cn=in,dc=example,dc=com"
[26/Nov/2014:18:02:28 +0100] conn=2 op=12 RESULT err=16 tag=109 nentries=0 etime=0

I believe it is related to ticket https://fedorahosted.org/389/ticket/47833,
where the memberof post-op plugin tries to remove the 'memberof' attribute from an entry where it does not exist.

Comment 6 Noriko Hosoi 2014-12-05 20:09:16 UTC
Thank you for the clarification, Thierry!

Since we pushed #47833 to 1.3.4, the failed test case is not included in the rhel-7.1.  We should exclude the case from this bug and treat it as a known issue.

Setting the status back to ON_QA.

Comment 7 Sankar Ramalingam 2014-12-08 04:25:11 UTC
Feature seems to be working fine as per Noriko's comment. The failed test case should be filed as a new bug.
Hi Viktor, can you open a new bug for this test case failure?

Comment 8 Viktor Ashirov 2014-12-08 10:31:29 UTC
New bug opened: https://bugzilla.redhat.com/show_bug.cgi?id=1171663

Comment 10 errata-xmlrpc 2015-03-05 09:36:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html

