Red Hat Bugzilla – Bug 1258611
dna plugin needs to handle binddn groups for authorization
Last modified: 2016-11-03 16:35:53 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/48258 The dna plugin uses the replica bind credentials to check if a connecion is allowed to perform the range request operation. It checks the bindn in the replica object, but since the introduction of binddn groups a single bind dn may no longer exist. DNA plugin also needs to evaluate the bindn groupd
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
RHEL: RHEL 7.3 x86_64 Server DS builds: [root@ds ~]# rpm -qa | grep 389-ds-base 389-ds-base-libs-1.3.5.10-5.el7.x86_64 389-ds-base-debuginfo-1.3.5.8-1.el7.x86_64 389-ds-base-1.3.5.10-5.el7.x86_64 389-ds-base-snmp-1.3.5.10-5.el7.x86_64 Steps Performed: 1. Created two standalone DS instances as master1 and master2 2. Created a user for replication and added that user as a uniquemember of QA managers group [root@ds ~]# ldapsearch -xLLL -b 'uid=dnaAdmin,ou=People,dc=example,dc=com' -h localhost -p 389 dn: uid=dnaAdmin,ou=People,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: organizationalPerson uid: dnaAdmin cn: dnaAdmin sn: dnaAdmin [root@ds ~]# ldapsearch -xLLL -b 'cn=QA Managers,ou=Groups,dc=example,dc=com' -h localhost -p 389 dn: cn=QA Managers,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: QA Managers ou: groups description: People who can manage QA entries uniqueMember: cn=Directory Manager uniqueMember: uid=dnaAdmin,ou=People,dc=example,dc=com 3. Configured DNA plugin on both instances Below is the DNA plugin configuration entry added on master1 [root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 -b 'cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: dnaPluginConfig cn: Account UIDs dnaType: uidNumber dnaType: gidNumber dnaFilter: (objectclass=posixAccount) dnaScope: ou=People,dc=example,dc=com dnaNextValue: 1 dnaMaxValue: 20 dnaSharedCfgDN: cn=Account UIDs,ou=Ranges,dc=example,dc=com dnaThreshold: 5 dnaRangeRequestTimeout: 60 dnaMagicRegen: magic dnaNextRange: 41-50 Below is the DNA plugin configuration entry added on master2 [root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -b 'cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' -s base dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: dnaPluginConfig cn: Account UIDs dnaType: uidNumber dnaType: gidNumber dnaFilter: (objectclass=posixAccount) dnaScope: ou=People,dc=example,dc=com dnaNextValue: 31 dnaMaxValue: 40 dnaSharedCfgDN: cn=Account UIDs,ou=Ranges,dc=example,dc=com dnaThreshold: 2 dnaRangeRequestTimeout: 60 dnaMagicRegen: magic 4. Configured a 2x MMR setup by adding the required replication configuration entries on both masters Below is the replica entry added on master1 [root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 -b 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' -s base dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replica objectClass: extensibleObject cn: replica nsDS5ReplicaRoot: dc=example,dc=com nsDS5ReplicaId: 47 nsDS5ReplicaType: 3 nsDS5Flags: 1 nsds5ReplicaPurgeDelay: 604800 nsds5replicabinddngroup: cn=QA Managers,ou=Groups,dc=example,dc=com nsds5replicabinddngroupcheckinterval: 0 nsState:: LwAAAAAAAADhGo9XAAAAAAEAAAAAAAAAAQAAAAAAAAAGAAAAAAAAAA== nsDS5ReplicaName: 56f33903-4e4111e6-9916cf1e-79691512 nsds5ReplicaChangeCount: 29 nsds5replicareapactive: 0 Below is the replica entry added on master2 [root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -b 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' -s base dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replica objectClass: extensibleObject cn: replica nsDS5ReplicaRoot: dc=example,dc=com nsDS5ReplicaId: 48 nsDS5ReplicaType: 3 nsDS5Flags: 1 nsds5ReplicaPurgeDelay: 604800 nsds5replicabinddngroup: cn=QA Managers,ou=Groups,dc=example,dc=com nsds5replicabinddngroupcheckinterval: 0 nsState:: MAAAAAAAAADiGo9XAAAAAAAAAAAAAAAAAQAAAAAAAAAFAAAAAAAAAA== nsDS5ReplicaName: 1f38c102-4e4211e6-9434fc5d-05a4a07c nsds5ReplicaChangeCount: 28 nsds5replicareapactive: 0 5. Added 10 users on master2 to exhaust its available range [root@ds ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -f dnaUsers.ldif adding new entry "uid=testuser1,ou=People,dc=example,dc=com" adding new entry "uid=testuser2,ou=People,dc=example,dc=com" adding new entry "uid=testuser3,ou=People,dc=example,dc=com" adding new entry "uid=testuser4,ou=People,dc=example,dc=com" adding new entry "uid=testuser5,ou=People,dc=example,dc=com" adding new entry "uid=testuser6,ou=People,dc=example,dc=com" adding new entry "uid=testuser7,ou=People,dc=example,dc=com" adding new entry "uid=testuser8,ou=People,dc=example,dc=com" adding new entry "uid=testuser9,ou=People,dc=example,dc=com" adding new entry "uid=testuser10,ou=People,dc=example,dc=com" 6. Verified the working of replication and DNA plugin by running an ldapsearch on master1 as below [root@ds ~]# ldapsearch -xLLL -b 'uid=testuser1,ou=People,dc=example,dc=com' -h localhost -p 389 dn: uid=testuser1,ou=People,dc=example,dc=com cn: test user1 homeDirectory: /home/testuser1 objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: posixAccount objectClass: organizationalPerson sn: user1 uid: testuser1 uidNumber: 31 gidNumber: 31 As can be seen above, the user has been replicated and uidNumber and gidNumber attributes have been set properly by DNA plugin [root@ds ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 dn: uid=testuser11,ou=People,dc=example,dc=com objectClass: top objectClass: person objectClass: inetOrgPerson objectClass: posixAccount uid: testuser11 cn: test user11 sn: user11 uidNumber: magic gidNumber: magic homeDirectory: /home/testuser11 adding new entry "uid=testuser11,ou=People,dc=example,dc=com" As can be seen above, the entry was added successfully 8. Verified whether new range was transferred properly to master2 [root@ds ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w secret123 -h localhost -p 1389 -b 'cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' -s base dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: dnaPluginConfig cn: Account UIDs dnaType: uidNumber dnaType: gidNumber dnaFilter: (objectclass=posixAccount) dnaScope: ou=People,dc=example,dc=com dnaNextValue: 47 dnaMaxValue: 50 dnaSharedCfgDN: cn=Account UIDs,ou=Ranges,dc=example,dc=com dnaThreshold: 2 dnaRangeRequestTimeout: 60 dnaMagicRegen: magic As can be seen above, master2 now has new range of numbers to assign
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2594.html