Bug 2083589

| Summary: | RHDS 11 returns entries from separate root suffixes while RHDS 10 doesn't. | | |
|---|---|---|---|
| Product: | Red Hat Directory Server | Reporter: | Têko Mihinto <tmihinto> |
| Component: | 389-ds-base | Assignee: | Pierre Rogier <progier> |
| Status: | CLOSED ERRATA | QA Contact: | RHDS QE <ds-qe-bugs> |
| Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | urgent | | |
| Version: | 11.4 | CC: | aadhikar, ldap-maint, mreynolds, pcech, tbordaz |
| Target Milestone: | DS11.6 | Keywords: | Triaged |
| Target Release: | dirsrv-11.6 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | redhat-ds-11-8070020221125153052.95958119 | Doc Type: | Bug Fix |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-01-17 08:52:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:

Cause: In RHDS 11, suffix handling configuration was simplified to avoid the need to configure the parent-children relationship (which was often forgotten and led to inconsistent behavior).

Consequence: This change breaks some customer deployments that relied on the old buggy behavior.

Fix: A new option was added to ignore the automatic relationship. When the mapping tree entry has the "orphan: true" attribute and value, the suffix parent is the root entry (reverting to the old default behavior).

Result: A new option can be set using 'dsconf --advanced instance backend suffix set --enable-orphan/disable-orphan backend' to switch between the RHDS 10 and RHDS 11 behavior for sub-suffix handling.
STEPS:
=======
* RHDS 10:
+++++++++++
1) Suffix "dc=example,dc=com" was previously created.
2) Create a sub-suffix:
$ cat ./subSuffix.ldif
dn: cn="ou=subSuffix,dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
cn: ou=subSuffix,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: SubSuffixData
nsslapd-parent-suffix: dc=example,dc=com

dn: cn=SubSuffixData,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: ou=subSuffix,dc=example,dc=com

dn: ou=subSuffix,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: subSuffix
$
3) Create a separate root suffix "ou=newSuffix,dc=example,dc=com"
$ cat ./newRootSuffix.ldif
dn: cn="ou=newSuffix,dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
cn: ou=newSuffix,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: NewSuffixData

dn: cn=NewSuffixData,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: ou=newSuffix,dc=example,dc=com

dn: ou=newSuffix,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: newSuffix
$
4) Create test entries:
$ cat ./testEntries.ldif
dn: cn=sameRDN,ou=subSuffix,dc=example,dc=com
objectClass: top
objectClass: person
sn: test SN

dn: cn=sameRDN,ou=newSuffix,dc=example,dc=com
objectClass: top
objectClass: person
sn: test SN

dn: cn=sameRDN,dc=example,dc=com
objectClass: top
objectClass: person
sn: test SN
$
5) Run a subtree search of the base DN "dc=example,dc=com":
$ ldapsearch -xLLL -D "cn=Directory Manager" -W -p 389 -h localhost -b "dc=example,dc=com" "cn=sameRDN" 1.1
Enter LDAP Password:
dn: cn=sameRDN,dc=example,dc=com
dn: cn=sameRDN,ou=subSuffix,dc=example,dc=com
$
==> The entry in the separate root suffix is not returned.
This conforms to the statement in the RHDS 11 documentation:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases#creating_a_root_suffix
* RHDS 11:
+++++++++++
6) Run similar steps on a RHDS 11 instance:
$ dsconf -D "cn=Directory Manager" ldaps://localhost:5636 backend suffix list
Enter password for cn=Directory Manager on ldaps://localhost:5636:
dc=example,dc=com (exampledb)
ou=customers,dc=example,dc=com (customersdb)
$
No sub-suffix is defined:
$ grep -ic parent-suffix /etc/dirsrv/slapd-<INSTANCE>/dse.ldif
0
$
7) A similar search now returns data from the other root suffix:
$ ldapsearch -xLLL -H ldaps://localhost:5636 -D "cn=Directory Manager" -W -b "dc=example,dc=com" uid=demo_user 1.1
Enter LDAP Password:
dn: uid=demo_user,ou=people,dc=example,dc=com
dn: uid=demo_user,ou=people,ou=customers,dc=example,dc=com
$
Good news, my first test shows that it is easy to add an attribute in the mapping tree entry to dissociate a suffix from its parents. So there should be no blocker for this one. I still need some time to clean up the code and to add the new attribute in dsconf instance --advanced backend suffix set. I hope to be able to commit the fix upstream by the end of the week.

Build Tested: 389-ds-base-1.4.3.31-10.module+el8dsrv+17710+b3b86a4a.x86_64
# py.test -v dirsrvtests/tests/suites/mapping_tree/regression_test.py --disable-warnings
============================================================================ test session starts =======================================================================
platform linux -- Python 3.6.8, pytest-7.0.1, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-425.3.1.el8.x86_64-x86_64-with-redhat-8.7-Ootpa', 'Packages': {'pytest': '7.0.1', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.2.0', 'ignore-flaky': '2.0.0'}}
389-ds-base: 1.4.3.31-10.module+el8dsrv+17710+b3b86a4a
nss: 3.79.0-10.el8_6
nspr: 4.34.0-3.el8_6
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.2.0, ignore-flaky-2.0.0
collected 3 items
dirsrvtests/tests/suites/mapping_tree/regression_test.py::test_sub_suffixes[orphan-is-true] PASSED [ 33%]
dirsrvtests/tests/suites/mapping_tree/regression_test.py::test_sub_suffixes[orphan-is-false] PASSED [ 66%]
dirsrvtests/tests/suites/mapping_tree/regression_test.py::test_sub_suffixes[no-orphan] PASSED [100%]
====================================================================== 3 passed, 28 warnings in 55.03s =================================================================
Marking as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (redhat-ds:11 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:0186
Description of problem:

After creating separate root suffixes (one having as ending DN the DN of the shorter suffix, e.g. "ou=customers,dc=example,dc=com" and "dc=example,dc=com"), search operations behave differently depending on the RHDS version:

* RHDS 10: a search on the shorter suffix returns matching entries only from the related backend.
* RHDS 11: a search on the shorter suffix also returns matching entries from other backend(s).

Version-Release number of selected component (if applicable):

$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 (Ootpa)
$
$ rpm -qa | grep 389-ds-base-1
389-ds-base-1.4.3.27-2.module+el8dsrv+12690+c6df6d1b.x86_64
$

How reproducible:
Always.

Steps to Reproduce:
1. Create the following suffixes as root suffixes:
   dc=example,dc=com
   ou=customers,dc=example,dc=com (NOT as a sub-suffix of "dc=example,dc=com")
2. Run a subtree search on the suffix "dc=example,dc=com". Depending on the RHDS version, entries from "ou=customers,dc=example,dc=com" will be returned.
3. According to the documentation, entries from "ou=customers,dc=example,dc=com" should not be returned:
   https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases#creating_a_root_suffix
   =============================================
   Searches performed by client applications on the dc=example,dc=com branch of the directory will not return entries from the l=europe,dc=example,dc=com branch of the directory, as it is a separate root suffix.
   =============================================

Actual results:
Entries from a separate root suffix are being returned.

Expected results:
Only entries from the specified suffix should be returned.

Additional info:
A customer is getting more entries than expected since there are entries matching their search filters in other root suffixes. This is breaking some of their applications.
If the "Mapping Tree Assembly Rework" [1] has been implemented, such a drastic change should be documented along with a configuration parameter to switch to the old behavior.

[1] https://www.port389.org/docs/389ds/design/mapping_tree_assembly.html
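The difference described in the bug (and the effect of the "orphan: true" fix from the Doc Text) comes down to how the server assembles parent links in the mapping tree and then walks them for a subtree search. The following is an added example, not code from 389-ds-base or lib389: a small Python model that derives the parent links under the RHDS 10 rule (explicit nsslapd-parent-suffix only) and the RHDS 11 rule (parent inferred from the DN unless the entry is an orphan), and reports which backends a subtree search on a base DN reaches. The rules are a simplified assumption drawn from this bug and the port389 design page, not the server's actual implementation; the suffix DNs and backend names are the report's, except "userRoot" for the RHDS 10 dc=example,dc=com backend, which the report does not name and is assumed here.

```python
"""Model of 389-ds mapping tree assembly and search scope (added example).

Rules modelled (an assumption for illustration, not the server's code):
  * RHDS 10 (legacy=True):  a suffix is a sub-suffix only if its mapping
    tree entry carries nsslapd-parent-suffix; otherwise it is a root suffix.
  * RHDS 11 (legacy=False): the parent is the longest other configured
    suffix the DN lies under, unless the entry carries orphan: true
    (dsconf ... backend suffix set --enable-orphan), which makes it a root
    suffix again.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def norm(dn: str) -> str:
    """Minimal DN normalisation: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or lies below it in the DIT."""
    dn, suffix = norm(dn), norm(suffix)
    return dn == suffix or dn.endswith("," + suffix)


@dataclass(frozen=True)
class MappingTreeEntry:
    """One cn=<suffix>,cn=mapping tree,cn=config entry (relevant attributes only)."""
    suffix: str                           # cn of the mapping tree entry
    backend: str                          # nsslapd-backend
    parent_suffix: Optional[str] = None   # nsslapd-parent-suffix (RHDS 10 style)
    orphan: bool = False                  # orphan: true (RHDS 11.6 fix)


def assemble(entries: List[MappingTreeEntry], legacy: bool) -> Dict[str, Optional[str]]:
    """Return {suffix: parent suffix or None (root)} under the chosen rule set."""
    parents: Dict[str, Optional[str]] = {}
    for e in entries:
        me = norm(e.suffix)
        if legacy:
            parents[me] = norm(e.parent_suffix) if e.parent_suffix else None
        elif e.orphan:
            parents[me] = None
        else:
            above = [norm(o.suffix) for o in entries
                     if o is not e and is_under(e.suffix, o.suffix)]
            parents[me] = max(above, key=len) if above else None
    return parents


def search_backends(entries: List[MappingTreeEntry], base: str, legacy: bool) -> List[str]:
    """Backends a subtree search on `base` consults: the backend holding the
    base plus those of every sub-suffix reachable through parent links.
    Returns [] when no configured suffix contains the base."""
    parents = assemble(entries, legacy)
    backend_of = {norm(e.suffix): e.backend for e in entries}
    holders = [s for s in backend_of if is_under(base, s)]
    if not holders:
        return []
    top = max(holders, key=len)           # most specific suffix owns the base
    reached, todo = [top], [top]
    while todo:
        cur = todo.pop()
        for s, p in parents.items():
            if p == cur and s not in reached:
                reached.append(s)
                todo.append(s)
    return sorted(backend_of[s] for s in reached)


# Constructed configurations mirroring the bug report's STEPS.
RHDS10 = [
    MappingTreeEntry("dc=example,dc=com", "userRoot"),                      # name assumed
    MappingTreeEntry("ou=subSuffix,dc=example,dc=com", "SubSuffixData",
                     parent_suffix="dc=example,dc=com"),                    # real sub-suffix
    MappingTreeEntry("ou=newSuffix,dc=example,dc=com", "NewSuffixData"),    # separate root
]
RHDS11 = [
    MappingTreeEntry("dc=example,dc=com", "exampledb"),
    MappingTreeEntry("ou=customers,dc=example,dc=com", "customersdb"),
]
RHDS11_ORPHAN = [
    MappingTreeEntry("dc=example,dc=com", "exampledb"),
    MappingTreeEntry("ou=customers,dc=example,dc=com", "customersdb", orphan=True),
]

if __name__ == "__main__":
    base = "dc=example,dc=com"
    print("RHDS 10            :", search_backends(RHDS10, base, legacy=True))
    print("RHDS 11            :", search_backends(RHDS11, base, legacy=False))
    print("RHDS 11 + orphan   :", search_backends(RHDS11_ORPHAN, base, legacy=False))
```

Running it shows the report's observation: under the RHDS 10 rule the search on dc=example,dc=com reaches only the backend of the suffix itself and of the explicitly declared sub-suffix, under the RHDS 11 rule it also reaches customersdb because the DN relationship alone makes it a sub-suffix, and setting orphan on ou=customers,dc=example,dc=com restores the RHDS 10 result. A search based directly at ou=customers,dc=example,dc=com reaches only customersdb in every mode, which is the check to run when deciding whether an application actually depends on the inferred parent link.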