Description of problem:
MODDN fails when the entry doesn't have a memberOf attribute and the new DN is in the scope of memberOfExcludeSubtree. I see the following error message in the errors log:

> [20/Nov/2014:00:16:35 +0100] memberof-plugin - memberof_postop_modrdn - delete dn callback failed for (uid=user1,ou=Deleted,ou=People,dc=example,dc=com), error (16)

Version-Release number of selected component (if applicable):
389-ds-base-libs-1.3.3.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-9.el7.x86_64
389-ds-base-1.3.3.1-9.el7.x86_64

How reproducible:
always

Steps to Reproduce:

1. make a fresh install of DS

2. enable memberOf plugin:

   $ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
   dn: cn=MemberOf Plugin,cn=plugins,cn=config
   changetype: modify
   add: memberofallbackends
   memberofallbackends: on
   -
   replace: memberofgroupattr
   memberofgroupattr: member
   memberofgroupattr: uniqueMember
   -
   replace: nsslapd-pluginEnabled
   nsslapd-pluginEnabled: on
   -
   EOF

3. create test entries:

   $ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
   dn: ou=Deleted,ou=People,dc=example,dc=com
   changetype: add
   objectClass: top
   objectClass: organizationalunit
   ou: Deleted

   dn: cn=group0,ou=Groups,dc=example,dc=com
   changetype: add
   objectClass: top
   objectClass: groupOfUniqueNames
   cn: group0

   dn: uid=user0,ou=People,dc=example,dc=com
   changetype: add
   uid: user0
   objectClass: inetUser
   objectClass: inetOrgPerson
   objectClass: top
   objectClass: organizationalPerson
   objectClass: person
   cn: user0
   sn: user0

   dn: uid=user1,ou=People,dc=example,dc=com
   changetype: add
   uid: user1
   objectClass: inetUser
   objectClass: inetOrgPerson
   objectClass: top
   objectClass: organizationalPerson
   objectClass: person
   cn: user1
   sn: user1
   EOF

4. configure scope of the memberOf plugin to include the suffix and exclude ou=Deleted:

   $ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
   dn: cn=MemberOf Plugin,cn=plugins,cn=config
   changetype: modify
   add: memberofentryscope
   memberofentryscope: dc=example,dc=com
   -
   add: memberofentryscopeexcludesubtree
   memberofentryscopeexcludesubtree: ou=Deleted,ou=People,dc=example,dc=com
   EOF

5. restart the server:

   $ sudo systemctl restart dirsrv.target

6. add user0 to group0:

   $ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
   dn: cn=group0,ou=Groups,dc=example,dc=com
   changetype: modify
   add: uniqueMember
   uniqueMember: uid=user0,ou=people,dc=example,dc=com
   EOF

7. check that user0 has the memberOf attribute and user1 doesn't:

   $ ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -LLL "(uid=user*)" memberOf
   dn: uid=user0,ou=People,dc=example,dc=com
   memberOf: cn=group0,ou=Groups,dc=example,dc=com

   dn: uid=user1,ou=People,dc=example,dc=com

8. MODDN user0 and user1 to ou=Deleted:

   $ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
   dn: uid=user0,ou=People,dc=example,dc=com
   changetype: moddn
   newrdn: uid=user0
   deleteoldrdn: 1
   newsuperior: ou=Deleted,ou=People,dc=example,dc=com
   EOF
   ldap_initialize( ldap://localhost:389 )
   modifying rdn of entry "uid=user0,ou=People,dc=example,dc=com"
   	new RDN: "uid=user0" (do not keep existing values)
   rename complete

   $ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
   dn: uid=user1,ou=People,dc=example,dc=com
   changetype: moddn
   newrdn: uid=user1
   deleteoldrdn: 1
   newsuperior: ou=Deleted,ou=People,dc=example,dc=com
   EOF
   ldap_initialize( ldap://localhost:389 )
   modifying rdn of entry "uid=user1,ou=People,dc=example,dc=com"
   	new RDN: "uid=user1" (do not keep existing values)
   ldap_rename: No such attribute (16)

9. check for the memberOf attribute:

   $ ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -LLL "(uid=user*)" memberOf
   dn: uid=user0,ou=Deleted,ou=People,dc=example,dc=com

   dn: uid=user1,ou=Deleted,ou=People,dc=example,dc=com

   It was successfully stripped from user0.

10. restart the server

11. search for user0 and user1 again:

   $ ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -LLL "(uid=user*)" dn
   dn: uid=user0,ou=Deleted,ou=People,dc=example,dc=com

   dn: uid=user1,ou=People,dc=example,dc=com

Looks like the transaction of the MODDN of user1 was aborted.
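The following is an added example, not code from the bug report or from 389-ds-base. It models the behaviour the reproduction steps show: on MODDN the memberOf plugin checks whether the new DN still falls inside memberofentryscope minus memberofentryscopeexcludesubtree, and if not, issues a "delete memberOf" modification. Deleting an attribute the entry does not have is an LDAP noSuchAttribute error (resultCode 16), and because the post-op runs inside the MODDN transaction, that error aborts the rename, which is why user1 reappears at its old DN after the restart. The `check_before_delete` switch contrasts the unconditional delete with the presence check that avoids the failure. The scope helpers, the in-memory entry store, the simplified DN normalization (lowercase, whitespace trimmed; real RFC 4514 normalization is more involved) and the constructed sample LDIF are all assumptions of this example. The last function is a small audit you can run on `ldapsearch -LLL` output after upgrading, to find entries under an excluded subtree that still carry memberOf.

```python
# Added example (not 389-ds-base code): model of the memberOf post-op MODDN
# path plus an LDIF audit for stale memberOf values. DN handling is simplified.

NO_SUCH_ATTRIBUTE = 16  # LDAP resultCode noSuchAttribute

# Plugin configuration as used in the reproduction steps (assumed values).
SCOPES = ["dc=example,dc=com"]
EXCLUDES = ["ou=Deleted,ou=People,dc=example,dc=com"]

# Constructed sample of `ldapsearch -LLL "(uid=user*)" memberOf` output.
SAMPLE_LDIF = """\
dn: uid=user0,ou=Deleted,ou=People,dc=example,dc=com
memberOf: cn=group0,ou=Groups,dc=example,dc=com

dn: uid=user1,ou=People,dc=example,dc=com
"""


class LDAPError(Exception):
    def __init__(self, code, msg):
        super().__init__(f"{msg} ({code})")
        self.code = code


def normalize_dn(dn):
    """Simplified normalization: lowercase RDNs, no blanks around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_in_subtree(dn, base):
    """True if dn equals base or lies anywhere below it."""
    d = normalize_dn(dn).split(",")
    b = normalize_dn(base).split(",")
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def in_memberof_scope(dn, scopes, excludes):
    """memberofentryscope minus memberofentryscopeexcludesubtree;
    an empty scope list means the whole tree is in scope."""
    if any(dn_in_subtree(dn, e) for e in excludes):
        return False
    return not scopes or any(dn_in_subtree(dn, s) for s in scopes)


def delete_attribute(entry, attr):
    """An LDAP 'delete' modification of an absent attribute fails with 16."""
    key = attr.lower()
    if key not in entry:
        raise LDAPError(NO_SUCH_ATTRIBUTE, "No such attribute")
    del entry[key]


def modrdn(store, old_dn, new_dn, scopes, excludes, check_before_delete=True):
    """Rename an entry; strip memberOf when the new DN leaves plugin scope.
    The post-op runs inside the MODDN transaction: any error aborts the
    rename and leaves the entry at its old DN. Returns True on success."""
    old, new = normalize_dn(old_dn), normalize_dn(new_dn)
    entry = dict(store[old])  # work on a copy so a failure changes nothing
    try:
        if not in_memberof_scope(new, scopes, excludes):
            if not check_before_delete or "memberof" in entry:
                delete_attribute(entry, "memberof")
    except LDAPError:
        return False  # transaction aborted, store untouched
    del store[old]
    store[new] = entry
    return True


def example_store():
    """The two users from the reproduction: user0 in group0, user1 in none."""
    return {
        normalize_dn("uid=user0,ou=People,dc=example,dc=com"):
            {"memberof": ["cn=group0,ou=Groups,dc=example,dc=com"]},
        normalize_dn("uid=user1,ou=People,dc=example,dc=com"): {},
    }


def parse_ldif(text):
    """Minimal reader for `ldapsearch -LLL` output (no base64, no wrapping)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr.lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def stale_memberof(ldif_text, excludes):
    """DNs inside an excluded subtree that still carry memberOf."""
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if "memberof" in e and not in_memberof_scope(e["dn"][0], [], excludes)]
```

With `check_before_delete=False` the model reproduces the report exactly: user0 moves and loses memberOf, user1's rename fails with 16 and the entry stays under ou=People. With the check in place both renames succeed.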
Upstream ticket: https://fedorahosted.org/389/ticket/48012
I think this bug is related to upstream ticket https://fedorahosted.org/389/ticket/47833 (https://bugzilla.redhat.com/show_bug.cgi?id=1118066#c5). So https://fedorahosted.org/389/ticket/47833 and https://fedorahosted.org/389/ticket/48012 are possibly duplicates.
[root@dhcp201-167 ~]# rpm -qa |grep 389
389-ds-base-1.3.4.0-3.el7.x86_64
389-ds-base-libs-1.3.4.0-3.el7.x86_64
389-ds-base-debuginfo-1.3.4.0-3.el7.x86_64

Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Your new DS instance 'dhcp201-167' was successfully created.
Exiting . . .
Log file is '/tmp/setupQmFPX2.log'

[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> changetype: modify
> add: memberofallbackends
> memberofallbackends: on
> -
> replace: memberofgroupattr
> memberofgroupattr: member
> memberofgroupattr: uniqueMember
> -
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> -
> EOF
ldap_initialize( ldap://localhost:389 )
add memberofallbackends:
	on
replace memberofgroupattr:
	member
	uniqueMember
replace nsslapd-pluginEnabled:
	on
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"
modify complete

[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: ou=Deleted,ou=People,dc=example,dc=com
> changetype: add
> objectClass: top
> objectClass: organizationalunit
> ou: Deleted
>
> dn: cn=group0,ou=Groups,dc=example,dc=com
> changetype: add
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: group0
>
> dn: uid=user0,ou=People,dc=example,dc=com
> changetype: add
> uid: user0
> objectClass: inetUser
> objectClass: inetOrgPerson
> objectClass: top
> objectClass: organizationalPerson
> objectClass: person
> cn: user0
> sn: user0
>
> dn: uid=user1,ou=People,dc=example,dc=com
> changetype: add
> uid: user1
> objectClass: inetUser
> objectClass: inetOrgPerson
> objectClass: top
> objectClass: organizationalPerson
> objectClass: person
> cn: user1
> sn: user1
> EOF
ldap_initialize( ldap://localhost:389 )
add objectClass:
	top
	organizationalunit
add ou:
	Deleted
adding new entry "ou=Deleted,ou=People,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupOfUniqueNames
add cn:
	group0
adding new entry "cn=group0,ou=Groups,dc=example,dc=com"
modify complete

add uid:
	user0
add objectClass:
	inetUser
	inetOrgPerson
	top
	organizationalPerson
	person
add cn:
	user0
add sn:
	user0
adding new entry "uid=user0,ou=People,dc=example,dc=com"
modify complete

add uid:
	user1
add objectClass:
	inetUser
	inetOrgPerson
	top
	organizationalPerson
	person
add cn:
	user1
add sn:
	user1
adding new entry "uid=user1,ou=People,dc=example,dc=com"
modify complete

[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> changetype: modify
> add: memberofentryscope
> memberofentryscope: dc=example,dc=com
> -
> add: memberofentryscopeexcludesubtree
> memberofentryscopeexcludesubtree: ou=Deleted,ou=People,dc=example,dc=com
> EOF
ldap_initialize( ldap://localhost:389 )
add memberofentryscope:
	dc=example,dc=com
add memberofentryscopeexcludesubtree:
	ou=Deleted,ou=People,dc=example,dc=com
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"
modify complete

[root@dhcp201-167 ~]# sudo systemctl restart dirsrv.target

[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: cn=group0,ou=Groups,dc=example,dc=com
> changetype: modify
> add: uniqueMember
> uniqueMember: uid=user0,ou=people,dc=example,dc=com
> EOF
ldap_initialize( ldap://localhost:389 )
add uniqueMember:
	uid=user0,ou=people,dc=example,dc=com
modifying entry "cn=group0,ou=Groups,dc=example,dc=com"
modify complete

[root@dhcp201-167 ~]# ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -LLL "(uid=user*)" memberOf
dn: uid=user0,ou=People,dc=example,dc=com
memberOf: cn=group0,ou=Groups,dc=example,dc=com

dn: uid=user1,ou=People,dc=example,dc=com

[root@dhcp201-167 ~]# ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -LLL "(uid=user*)"
dn: uid=user0,ou=People,dc=example,dc=com
uid: user0
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user0
sn: user0
memberOf: cn=group0,ou=Groups,dc=example,dc=com

dn: uid=user1,ou=People,dc=example,dc=com
uid: user1
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user1
sn: user1

[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: uid=user0,ou=People,dc=example,dc=com
> changetype: moddn
> newrdn: uid=user0
> deleteoldrdn: 1
> newsuperior: ou=Deleted,ou=People,dc=example,dc=com
> EOF
ldap_initialize( ldap://localhost:389 )
modifying rdn of entry "uid=user0,ou=People,dc=example,dc=com"
	new RDN: "uid=user0" (do not keep existing values)
rename complete

[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: uid=user1,ou=People,dc=example,dc=com
> changetype: moddn
> newrdn: uid=user1
> deleteoldrdn: 1
> newsuperior: ou=Deleted,ou=People,dc=example,dc=com
> EOF
ldap_initialize( ldap://localhost:389 )
modifying rdn of entry "uid=user1,ou=People,dc=example,dc=com"
	new RDN: "uid=user1" (do not keep existing values)
rename complete

[root@dhcp201-167 ~]# ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com -LLL "(uid=user*)"
dn: uid=user0,ou=Deleted,ou=People,dc=example,dc=com
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user0
sn: user0
uid: user0

dn: uid=user1,ou=Deleted,ou=People,dc=example,dc=com
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user1
sn: user1
uid: user1

This is working as expected: both users moved to the new OU and the memberOf attribute is deleted. Hence marking as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2351.html