Bug 1171663 - MODDN fails when entry doesn't have memberOf attribute and new DN is in the scope of memberOfExcludeSubtree
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.1
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Reported: 2014-12-08 10:30 UTC by Viktor Ashirov
Modified: 2020-09-13 21:20 UTC (History)

Fixed In Version: 389-ds-base-1.3.4.0-1.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 11:42:18 UTC

Links:
- GitHub 389ds/389-ds-base issue 1343 (last updated 2020-09-13 21:20:23 UTC)
- Red Hat Product Errata RHBA-2015:2351, SHIPPED_LIVE: 389-ds-base bug fix and enhancement update (2015-11-19 10:28:44 UTC)

Description Viktor Ashirov 2014-12-08 10:30:16 UTC
Description of problem:
MODDN fails when the entry doesn't have a memberOf attribute and the new DN is in the scope of memberOfExcludeSubtree.
I see the following error message in the errors log:
> [20/Nov/2014:00:16:35 +0100] memberof-plugin - memberof_postop_modrdn - delete dn callback failed for (uid=user1,ou=Deleted,ou=People,dc=example,dc=com), error (16)

Version-Release number of selected component (if applicable):
389-ds-base-libs-1.3.3.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-9.el7.x86_64
389-ds-base-1.3.3.1-9.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. make a fresh install of DS

2. enable memberOf plugin:
$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
add: memberofallbackends
memberofallbackends: on
-
replace: memberofgroupattr
memberofgroupattr: member
memberofgroupattr: uniqueMember
-
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
EOF

3. create test entries:
$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF 
dn: ou=Deleted,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: organizationalunit
ou: Deleted

dn: cn=group0,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: group0

dn: uid=user0,ou=People,dc=example,dc=com
changetype: add
uid: user0
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user0
sn: user0

dn: uid=user1,ou=People,dc=example,dc=com
changetype: add
uid: user1
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user1
sn: user1
EOF

4. configure the scope of the memberOf plugin to include the suffix and exclude ou=Deleted:
$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
add: memberofentryscope
memberofentryscope: dc=example,dc=com
-
add: memberofentryscopeexcludesubtree
memberofentryscopeexcludesubtree: ou=Deleted,ou=People,dc=example,dc=com
EOF

5. restart the server:
$ sudo systemctl restart dirsrv.target

6. add user0 to group0:
$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: cn=group0,ou=Groups,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=user0,ou=people,dc=example,dc=com
EOF

7. check that user0 has memberOf attribute and user1 doesn't:
$ ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com  -LLL  "(uid=user*)" memberOf
dn: uid=user0,ou=People,dc=example,dc=com
memberOf: cn=group0,ou=Groups,dc=example,dc=com

dn: uid=user1,ou=People,dc=example,dc=com

8. MODDN user0 and user1 to ou=Deleted:
$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: uid=user0,ou=People,dc=example,dc=com
changetype: moddn
newrdn: uid=user0
deleteoldrdn: 1
newsuperior: ou=Deleted,ou=People,dc=example,dc=com
EOF
ldap_initialize( ldap://localhost:389 )
modifying rdn of entry "uid=user0,ou=People,dc=example,dc=com"
	new RDN: "uid=user0" (do not keep existing values)
rename complete

$ ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
dn: uid=user1,ou=People,dc=example,dc=com
changetype: moddn
newrdn: uid=user1
deleteoldrdn: 1
newsuperior: ou=Deleted,ou=People,dc=example,dc=com
EOF
ldap_initialize( ldap://localhost:389 )
modifying rdn of entry "uid=user1,ou=People,dc=example,dc=com"
	new RDN: "uid=user1" (do not keep existing values)
ldap_rename: No such attribute (16)

9. check for memberOf attribute:
$ ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com  -LLL  "(uid=user*)" memberOf
dn: uid=user0,ou=Deleted,ou=People,dc=example,dc=com

dn: uid=user1,ou=Deleted,ou=People,dc=example,dc=com

It was successfully stripped from user0. 

10. restart the server

11. search for user0 and user1 again:
$ ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com  -LLL  "(uid=user*)" dn
dn: uid=user0,ou=Deleted,ou=People,dc=example,dc=com

dn: uid=user1,ou=People,dc=example,dc=com

It looks like the MODDN transaction for user1 was aborted.
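
The failure sequence in the steps above, as an added simulation that is not 389-ds-base code: an in-memory directory, a model of the memberOf modrdn post-op that strips memberOf when the new DN falls in the excluded subtree, and a MODDN that rolls back when the post-op fails. The rollback mechanics and the "check before delete" hardening (check_first) are assumptions of the model, not the upstream patch.

```python
# Constructed model of the failure in this bug (added illustration, not
# 389-ds-base code): the memberOf modrdn post-op strips memberOf from an entry
# that lands in the excluded subtree. The rollback and the "check before
# delete" fix are assumptions of the model, not the upstream patch itself.
LDAP_NO_SUCH_ATTRIBUTE = 16  # error code quoted in the report
SCOPE = "dc=example,dc=com"
EXCLUDE = "ou=Deleted,ou=People,dc=example,dc=com"

class LDAPError(Exception):
    """Carries the LDAP result code as args[0]."""

def in_subtree(dn, base):
    """True if dn is base or lies below it (case-insensitive DN compare)."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

def memberof_postop_modrdn(entry, new_dn, check_first):
    """Plugin hook run inside the MODDN transaction."""
    if in_subtree(new_dn, SCOPE) and not in_subtree(new_dn, EXCLUDE):
        return  # still in scope: nothing to strip
    if "memberOf" not in entry:
        if check_first:
            return  # hardened: nothing to delete is a no-op, not an error
        raise LDAPError(LDAP_NO_SUCH_ATTRIBUTE)  # the backend's reply in the bug
    del entry["memberOf"]

def moddn(directory, old_dn, new_dn, check_first):
    """Rename old_dn to new_dn; a failing post-op rolls the whole op back."""
    snapshot = {dn: dict(attrs) for dn, attrs in directory.items()}
    directory[new_dn] = directory.pop(old_dn)
    try:
        memberof_postop_modrdn(directory[new_dn], new_dn, check_first)
    except LDAPError as err:
        directory.clear()
        directory.update(snapshot)  # entry reappears under ou=People (step 11)
        return err.args[0]
    return 0

def run_scenario(check_first):
    """Replay steps 6-9 of the report: (rc, final dn, has memberOf) per user."""
    directory = {f"uid=user{i},ou=People,dc=example,dc=com": {} for i in (0, 1)}
    directory["uid=user0,ou=People,dc=example,dc=com"]["memberOf"] = ["cn=group0,ou=Groups,dc=example,dc=com"]
    results = {}
    for uid in ("user0", "user1"):
        old_dn = f"uid={uid},ou=People,dc=example,dc=com"
        new_dn = f"uid={uid},{EXCLUDE}"
        rc = moddn(directory, old_dn, new_dn, check_first)
        final_dn = new_dn if new_dn in directory else old_dn
        results[uid] = (rc, final_dn, "memberOf" in directory[final_dn])
    return results
```

With check_first=False the model reproduces the report (user0 moves and loses memberOf, user1 gets result 16 and stays under ou=People); with check_first=True both entries move cleanly.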

Comment 3 Noriko Hosoi 2015-01-28 00:58:47 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/48012

Comment 4 thierry bordaz 2015-02-23 15:39:04 UTC
I think that bug is related to upstream ticket https://fedorahosted.org/389/ticket/47833 (https://bugzilla.redhat.com/show_bug.cgi?id=1118066#c5).

So https://fedorahosted.org/389/ticket/47833 and https://fedorahosted.org/389/ticket/48012 are possibly duplicates.

Comment 7 Amita Sharma 2015-07-10 09:59:47 UTC
[root@dhcp201-167 ~]# rpm -qa |grep 389
389-ds-base-1.3.4.0-3.el7.x86_64
389-ds-base-libs-1.3.4.0-3.el7.x86_64
389-ds-base-debuginfo-1.3.4.0-3.el7.x86_64

Directory Manager DN [cn=Directory Manager]: 
Password: 
Password (confirm): 
Your new DS instance 'dhcp201-167' was successfully created.
Exiting . . .
Log file is '/tmp/setupQmFPX2.log'

[root@dhcp201-167 ~]# 
[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> changetype: modify
> add: memberofallbackends
> memberofallbackends: on   
> -
> replace: memberofgroupattr
> memberofgroupattr: member
> memberofgroupattr: uniqueMember
> -
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> -
> EOF
ldap_initialize( ldap://localhost:389 )
add memberofallbackends:
	on   
replace memberofgroupattr:
	member
	uniqueMember
replace nsslapd-pluginEnabled:
	on
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"
modify complete

[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF 
> dn: ou=Deleted,ou=People,dc=example,dc=com
> changetype: add
> objectClass: top
> objectClass: organizationalunit
> ou: Deleted
> 
> dn: cn=group0,ou=Groups,dc=example,dc=com
> changetype: add
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: group0
> 
> dn: uid=user0,ou=People,dc=example,dc=com
> changetype: add
> uid: user0
> objectClass: inetUser
> objectClass: inetOrgPerson
> objectClass: top
> objectClass: organizationalPerson
> objectClass: person
> cn: user0
> sn: user0
> 
> dn: uid=user1,ou=People,dc=example,dc=com
> changetype: add
> uid: user1
> objectClass: inetUser
> objectClass: inetOrgPerson
> objectClass: top
> objectClass: organizationalPerson
> objectClass: person
> cn: user1
> sn: user1
> EOF
ldap_initialize( ldap://localhost:389 )
add objectClass:
	top
	organizationalunit
add ou:
	Deleted
adding new entry "ou=Deleted,ou=People,dc=example,dc=com"
modify complete

add objectClass:
	top
	groupOfUniqueNames
add cn:
	group0
adding new entry "cn=group0,ou=Groups,dc=example,dc=com"
modify complete

add uid:
	user0
add objectClass:
	inetUser
	inetOrgPerson
	top
	organizationalPerson
	person
add cn:
	user0
add sn:
	user0
adding new entry "uid=user0,ou=People,dc=example,dc=com"
modify complete

add uid:
	user1
add objectClass:
	inetUser
	inetOrgPerson
	top
	organizationalPerson
	person
add cn:
	user1
add sn:
	user1
adding new entry "uid=user1,ou=People,dc=example,dc=com"
modify complete

[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> changetype: modify
> add: memberofentryscope
> memberofentryscope: dc=example,dc=com
> -
> add: memberofentryscopeexcludesubtree
> memberofentryscopeexcludesubtree: ou=Deleted,ou=People,dc=example,dc=com
> EOF
ldap_initialize( ldap://localhost:389 )
add memberofentryscope:
	dc=example,dc=com
add memberofentryscopeexcludesubtree:
	ou=Deleted,ou=People,dc=example,dc=com
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"
modify complete

[root@dhcp201-167 ~]# sudo systemctl restart dirsrv.target
[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: cn=group0,ou=Groups,dc=example,dc=com
> changetype: modify
> add: uniqueMember
> uniqueMember: uid=user0,ou=people,dc=example,dc=com
> EOF
ldap_initialize( ldap://localhost:389 )
add uniqueMember:
	uid=user0,ou=people,dc=example,dc=com
modifying entry "cn=group0,ou=Groups,dc=example,dc=com"
modify complete

[root@dhcp201-167 ~]# ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com  -LLL  "(uid=user*)" memberOf
dn: uid=user0,ou=People,dc=example,dc=com
memberOf: cn=group0,ou=Groups,dc=example,dc=com

dn: uid=user1,ou=People,dc=example,dc=com

[root@dhcp201-167 ~]# ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com  -LLL  "(uid=user*)"
dn: uid=user0,ou=People,dc=example,dc=com
uid: user0
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user0
sn: user0
memberOf: cn=group0,ou=Groups,dc=example,dc=com

dn: uid=user1,ou=People,dc=example,dc=com
uid: user1
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user1
sn: user1

[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: uid=user0,ou=People,dc=example,dc=com
> changetype: moddn
> newrdn: uid=user0
> deleteoldrdn: 1
> newsuperior: ou=Deleted,ou=People,dc=example,dc=com
> EOF
ldap_initialize( ldap://localhost:389 )
modifying rdn of entry "uid=user0,ou=People,dc=example,dc=com"
	new RDN: "uid=user0" (do not keep existing values)
rename complete

[root@dhcp201-167 ~]# ldapmodify -v -h localhost:389 -D "cn=Directory Manager" -w "Secret123" << EOF
> dn: uid=user1,ou=People,dc=example,dc=com
> changetype: moddn
> newrdn: uid=user1
> deleteoldrdn: 1
> newsuperior: ou=Deleted,ou=People,dc=example,dc=com
> EOF
ldap_initialize( ldap://localhost:389 )
modifying rdn of entry "uid=user1,ou=People,dc=example,dc=com"
	new RDN: "uid=user1" (do not keep existing values)
rename complete

[root@dhcp201-167 ~]# ldapsearch -h localhost:389 -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com  -LLL  "(uid=user*)"
dn: uid=user0,ou=Deleted,ou=People,dc=example,dc=com
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user0
sn: user0
uid: user0

dn: uid=user1,ou=Deleted,ou=People,dc=example,dc=com
objectClass: inetUser
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: user1
sn: user1
uid: user1

This is working as expected: both users moved to the new OU and the memberOf attribute is deleted.
Hence marking as VERIFIED.

Comment 8 errata-xmlrpc 2015-11-19 11:42:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2351.html