Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1996662

Summary: Deleted user accounts with --preserved parameter is listed on groups on 'ldapsearch'
Product: Red Hat Enterprise Linux 7 Reporter: Aleksandr Sharov <asharov>
Component: 389-ds-baseAssignee: LDAP Maintainers <ldap-maint>
Status: CLOSED INSUFFICIENT_DATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.9CC: dcamilof, ldap-maint, rcritten, tscherf
Target Milestone: rcFlags: asharov: needinfo?
dcamilof: needinfo?
pm-rhel: mirror+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-26 15:01:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Aleksandr Sharov 2021-08-23 12:31:35 UTC 
Description of problem:
User accounts, deleted with --preserved key, still show up in the ldapsearch groups.


Version-Release number of selected component (if applicable):
RHEL 7.9, IPA 4.6.8

How reproducible:
-



Actual results:
*** PRESERVED USER
  dn: uid=lhellebusch,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=cboe,dc=net
  User login: lhellebusch
  First name: Luke
  Last name: Hellebusch
  Full name: Luke Hellebusch
  Display name: Luke Hellebusch
  Initials: LH
  Home directory: /home/lhellebusch
  GECOS: Luke Hellebusch
  Login shell: /bin/bash
  Principal name: lhellebusch.NET
  Principal alias: lhellebusch.NET
  Email address: lhellebusch.net
  UID: 1515800792
  GID: 1515800792
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False
  ipauniqueid: 6e7f4bb0-b18b-11eb-8141-005056b18f36
  krbextradata: AAKo5qNga2FkbWluZEBJUEEuQ0JPRS5ORVQA
  krblastfailedauth: 20210727185335Z
  krbloginfailedcount: 0
  krbticketflags: 128
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys


$ ldapsearch -D "cn=Directory Manager" -W -H "ldap://ipa7101-master.ipa.cboe.net" "cn=us"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=cboe,dc=net> (default) with scope subtree
# filter: cn=us
# requesting: ALL
#

# us, groups, accounts, ipa.cboe.net
dn: cn=us,cn=groups,cn=accounts,dc=ipa,dc=cboe,dc=net
memberOf: ipaUniqueID=515fcc96-68cb-11e8-8c2f-005056b18f36,cn=hbac,dc=ipa,dc=cboe,dc=net
memberOf: ipaUniqueID=adec2fc4-68c9-11e8-97e1-005056b18f36,cn=sudorules,cn=sudo,dc=ipa,dc=cboe,dc=net
memberOf: cn=users,cn=groups,cn=accounts,dc=ipa,dc=cboe,dc=net
memberOf: ipaUniqueID=a51aba6c-5c6d-11e9-96a0-005056a0b427,cn=hbac,dc=ipa,dc=cboe,dc=net
memberOf: ipaUniqueID=b0d51902-d817-11ea-80bf-005056b18f36,cn=hbac,dc=ipa,dc=cboe,dc=net
memberOf: ipaUniqueID=6df44b8c-e6f2-11ea-b849-005056913c6d,cn=hbac,dc=ipa,dc=cboe,dc=net
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
cn: us
description: Bulk Import
ipaUniqueID: 0bfb767e-68bb-11e8-90fe-005056b18f36
member: uid=ldoogs,cn=users,cn=accounts,dc=ipa,dc=cboe,dc=net
member: uid=zpan,cn=users,cn=accounts,dc=ipa,dc=cboe,dc=net
..snip..
member: uid=jlunceford,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=cboe,dc=net
member: uid=cbaumert,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=cboe,dc=net
member: uid=lhellebusch,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=cboe,dc=net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Expected results:
deleted users shouldn't be listed in groups listings

Additional info:
Comment 4 Florence Blanc-Renaud 2021-08-23 13:37:31 UTC 
Hi,

I was not able to reproduce the behavior described in this BZ.
$ rpm -qa ipa-server 389-ds-base
389-ds-base-1.3.10.2-12.el7_9.x86_64
ipa-server-4.6.8-5.el7_9.5.x86_64

Scenario:
- create 2 users u1 and u2
--------------------------
$ ipa user-add u1 --first u1 --last u1
$ ipa user-add u2 --first u2 --last u2

- create a posix group g1, create a nonposix group nonposix1
------------------------------------------------------------
$ ipa group-add nonposix1
$ ipa group-add nonposix1 --nonposix

- add u1 and u2 to both groups
------------------------------
$ ipa group-add-member g1 --users u1 --users u2
$ ipa group-add-member nonposix1 --users u1 --users u2


- check the group membership: both groups contain u1 and u2
-----------------------------------------------------------
$ ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b cn=g1,cn=groups,cn=accounts,dc=ipa,dc=test
dn: cn=g1,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: g1
ipaUniqueID: e5d6f240-040f-11ec-8109-fa163ef9aedd
gidNumber: 593600010
member: uid=u1,cn=users,cn=accounts,dc=ipa,dc=test
member: uid=u2,cn=users,cn=accounts,dc=ipa,dc=test

$ ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b cn=nonposix1,cn=groups,cn=accounts,dc=ipa,dc=test
dn: cn=nonposix1,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
cn: nonposix1
ipaUniqueID: f1fde858-040f-11ec-b8ae-fa163ef9aedd
member: uid=u1,cn=users,cn=accounts,dc=ipa,dc=test
member: uid=u2,cn=users,cn=accounts,dc=ipa,dc=test

- delete u1 (not preserved), delete u2 (preserved)
--------------------------------------------------
$ ipa user-del u1 
$ ipa user-del u2 --preserve


- check the group membership: both groups are now empty
-------------------------------------------------------
$ ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b cn=g1,cn=groups,cn=accounts,dc=ipa,dc=test
dn: cn=g1,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: g1
ipaUniqueID: e5d6f240-040f-11ec-8109-fa163ef9aedd
gidNumber: 593600010

$ ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b cn=nonposix1,cn=groups,cn=accounts,dc=ipa,dc=test
dn: cn=nonposix1,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
cn: nonposix1
ipaUniqueID: f1fde858-040f-11ec-b8ae-fa163ef9aedd


In order to progress further, can you check if there are any automember rules defined on the group?
# ipa automember-find --type hostgroup
# ipa automember-find --type group
With automember groups I wasn't able to reproduce the issue either but I would like to make sure we can eliminate this possible path of investigation.

I would also check if there are replication conflicts or replication issues. According to the sos report shared in the case, I can see a few errors in slapd error log:
[09/Aug/2021:08:17:11.566795995 -0400] - ERR - managed-entries-plugin - mep_mod_post_op - Unable to find config for origin entry "uid=XXXX,cn=deleted users,cn=accounts,cn=provisioning,dc=OBFUSCATED".
[09/Aug/2021:08:21:30.689795892 -0400] - ERR - managed-entries-plugin - mep_mod_post_op - Unable to find config for origin entry "uid=XXXX,cn=deleted users,cn=accounts,cn=provisioning,dc=OBFUSCATED".
[09/Aug/2021:08:23:52.935071195 -0400] - ERR - managed-entries-plugin - mep_mod_post_op - Unable to find config for origin entry "uid=XXXX,cn=deleted users,cn=accounts,cn=provisioning,dc=OBFUSCATED".
and they correspond to the preserved users that display the issue.
Comment 11 Florence Blanc-Renaud 2021-08-25 16:32:50 UTC 
Moving the issue to 389-ds component, the team has better knowledge of how the plugins should be triggered on this ipa user-del --preserve operation.