Bug 2083589 - RHDS 11 returns entries from separate root suffixes while RHDS 10 doesn't.
Summary: RHDS 11 returns entries from separate root suffixes while RHDS 10 doesn't.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: 389-ds-base
Version: 11.4
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: DS11.6
Target Release: dirsrv-11.6
Assignee: Pierre Rogier
QA Contact: RHDS QE
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-10 12:24 UTC by Têko Mihinto
Modified: 2023-03-07 09:20 UTC (History)

Fixed In Version: redhat-ds-11-8070020221125153052.95958119
Doc Type: Bug Fix
Doc Text:
Cause: In RHDS 11, suffix handling configuration was simplified to avoid the need to configure the parent-children relationship (which was often forgotten and led to inconsistent behavior).
Consequence: This change breaks some customer deployments that relied on the old buggy behavior.
Fix: A new option ignores the automatic relationship: when the mapping tree entry has the "orphan: true" attribute and value, the suffix parent is the root entry (reverting to the old default behavior).
Result: The option can be set using 'dsconf --advanced instance backend suffix set --enable-orphan/disable-orphan backend' to switch between the RHDS 10 and RHDS 11 behavior for sub-suffix handling.
Clone Of:
Environment:
Last Closed: 2023-01-17 08:52:07 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker IDMDS-2708 0 None None None 2023-01-09 15:10:39 UTC
Red Hat Issue Tracker IDMDS-2709 0 None None None 2023-01-09 15:13:49 UTC
Red Hat Knowledge Base (Solution) 7001049 0 None None None 2023-03-07 09:20:10 UTC
Red Hat Product Errata RHBA-2023:0186 0 None None None 2023-01-17 08:52:13 UTC

Description Têko Mihinto 2022-05-10 12:24:38 UTC
Description of problem:

After creating separate root suffixes ( one having as ending DN the DN of the shorter suffix
- eg: "ou=customers,dc=example,dc=com" and "dc=example,dc=com" ),
search operations behave differently depending on the RHDS version:
* RHDS 10: a search on the shorter suffix returns matching entries only from the related backend.
* RHDS 11: a search on the shorter suffix also returns matching entries from other backend(s).

Version-Release number of selected component (if applicable):

$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 (Ootpa)
$
$ rpm -qa | grep 389-ds-base-1
389-ds-base-1.4.3.27-2.module+el8dsrv+12690+c6df6d1b.x86_64
$

How reproducible:

Always.

Steps to Reproduce:

1. Create the following suffixes as root suffixes:
dc=example,dc=com
ou=customers,dc=example,dc=com ( NOT as a sub-suffix of "dc=example,dc=com" )

2. Run a subtree search on the suffix "dc=example,dc=com".
Depending on the RHDS version, entries from "ou=customers,dc=example,dc=com" will be returned.

3. According to the documentation, entries from the "ou=customers,dc=example,dc=com" should not be returned:
    https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases#creating_a_root_suffix
=============================================
Searches performed by client applications on the dc=example,dc=com branch of the directory will not return entries from the l=europe,dc=example,dc=com branch of the directory, as it is a separate root suffix.
=============================================

Actual results:
Entries from a separate root suffix are being returned.

Expected results:
Only entries from the specified suffix should be returned.

Additional info:
A customer is getting more entries than expected since there are entries matching their search filters in other root suffixes.
This is breaking some of their applications.

If the "Mapping Tree Assembly Rework" [1] has been implemented, such a drastic change should be documented
along with a configuration parameter to switch to the old behavior.

[1]  https://www.port389.org/docs/389ds/design/mapping_tree_assembly.html

Comment 1 Têko Mihinto 2022-05-10 12:29:09 UTC
STEPS:
=======

* RHDS 10:
+++++++++++

1) Suffix "dc=example,dc=com" was previously created.

2) Create a sub-suffix:

$ cat ./subSuffix.ldif
dn: cn="ou=subSuffix,dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
cn: ou=subSuffix,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: SubSuffixData
nsslapd-parent-suffix: dc=example,dc=com

dn: cn=SubSuffixData,cn=ldbm database,cn=plugins,cn=config
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: ou=subSuffix,dc=example,dc=com

dn: ou=subSuffix,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: subSuffix

$

3) Create a separate root suffix "ou=newSuffix,dc=example,dc=com"

$ cat ./newRootSuffix.ldif
dn: cn="ou=newSuffix,dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
cn: ou=newSuffix,dc=example,dc=com
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: NewSuffixData

dn: cn=NewSuffixData,cn=ldbm database,cn=plugins,cn=config
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: ou=newSuffix,dc=example,dc=com

dn: ou=newSuffix,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: newSuffix

$

4) Create test entries:

$ cat ./testEntries.ldif
dn: cn=sameRDN,ou=subSuffix,dc=example,dc=com
objectClass: top
objectClass: person
sn: test SN

dn: cn=sameRDN,ou=newSuffix,dc=example,dc=com
objectClass: top
objectClass: person
sn: test SN

dn: cn=sameRDN,dc=example,dc=com
objectClass: top
objectClass: person
sn: test SN

$

5) Run a subtree search of the base DN "dc=example,dc=com":

$ ldapsearch -xLLL -D "cn=Directory Manager" -W -p 389 -h localhost -b "dc=example,dc=com" "cn=sameRDN" 1.1
Enter LDAP Password:
dn: cn=sameRDN,dc=example,dc=com

dn: cn=sameRDN,ou=subSuffix,dc=example,dc=com

$

==> The entry in the separate root suffix is not returned.
This conforms to the statement in the RHDS 11 documentation:
        https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_directory_databases#creating_a_root_suffix

* RHDS 11:
+++++++++++
6) Run similar steps on a RHDS 11 instance:

$ dsconf -D "cn=Directory Manager" ldaps://localhost:5636  backend suffix list
Enter password for cn=Directory Manager on ldaps://localhost:5636:
dc=example,dc=com (exampledb)
ou=customers,dc=example,dc=com (customersdb)
$

No sub-suffix is defined:
$ grep -ic parent-suffix /etc/dirsrv/slapd-<INSTANCE>/dse.ldif
0
$

7) A similar search now returns data from the other root suffix:

$ ldapsearch -xLLL -H ldaps://localhost:5636 -D "cn=Directory Manager" -W -b "dc=example,dc=com" uid=demo_user 1.1
Enter LDAP Password:
dn: uid=demo_user,ou=people,dc=example,dc=com

dn: uid=demo_user,ou=people,ou=customers,dc=example,dc=com
$

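The scope difference shown in the two searches above (RHDS 10 only follows an explicit nsslapd-parent-suffix, RHDS 11 attaches a suffix to the nearest enclosing suffix unless its mapping tree entry carries "orphan: true", per the Doc Text) can be audited offline before an upgrade. The script below is an added example, not code from this bug or from 389-ds-base: it models both rules as this report describes them over a constructed dse.ldif fragment, reports which backends a subtree search would consult under each rule, and lists the suffixes whose scope changes between the versions (the candidates for "orphan: true"). The attribute names are those on this page; the parent-resolution rule, the sample entries and the simplified DN normalisation are assumptions.

```python
# Added example (not 389-ds-base code): audit which mapping-tree suffixes change
# search scope between RHDS 10 and RHDS 11; rules modelled on this bug's Doc Text.
import re

# Constructed dse.ldif fragment modelled on the entries in Comment 1; the
# "ou=partners" entry carries the fixed version's "orphan: true" attribute.
SAMPLE_DSE_LDIF = """\
dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
cn: dc=example,dc=com
objectclass: nsMappingTree
nsslapd-backend: exampledb

dn: cn="ou=customers,dc=example,dc=com",cn=mapping tree,cn=config
cn: ou=customers,dc=example,dc=com
objectclass: nsMappingTree
nsslapd-backend: customersdb

dn: cn="ou=subSuffix,dc=example,dc=com",cn=mapping tree,cn=config
cn: ou=subSuffix,dc=example,dc=com
objectclass: nsMappingTree
nsslapd-backend: SubSuffixData
nsslapd-parent-suffix: dc=example,dc=com

dn: cn="ou=partners,dc=example,dc=com",cn=mapping tree,cn=config
cn: ou=partners,dc=example,dc=com
objectclass: nsMappingTree
nsslapd-backend: partnersdb
orphan: true
"""

def parse_ldif(text):
    # Minimal LDIF reader: list of {lower-cased attr: [values]}; folded lines
    # (leading space) are joined; no base64 values or changetype handling.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def normalize_dn(dn):
    # Split on unescaped commas; RDNs trimmed and lower-cased (simplified matching).
    return tuple(rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn))

def is_ancestor(parent, child):
    return len(child) > len(parent) and child[-len(parent):] == parent

def load_mapping_tree(ldif_text):
    # {suffix: {backend, explicit_parent, orphan}} from the nsMappingTree entries.
    tree = {}
    for e in parse_ldif(ldif_text):
        if "nsmappingtree" not in [o.lower() for o in e.get("objectclass", [])]:
            continue
        parent = e.get("nsslapd-parent-suffix", [None])[0]
        tree[normalize_dn(e["cn"][0])] = {
            "backend": e["nsslapd-backend"][0],
            "explicit_parent": normalize_dn(parent) if parent else None,
            "orphan": e.get("orphan", ["false"])[0].lower() == "true",
        }
    return tree

def effective_parent(suffix, tree, mode):
    # rhds10: a parent exists only when nsslapd-parent-suffix names one.
    # rhds11: nearest enclosing suffix, unless "orphan: true" makes it a root again.
    info = tree[suffix]
    if mode == "rhds10":
        return info["explicit_parent"]
    if info["orphan"]:
        return None
    enclosing = [s for s in tree if is_ancestor(s, suffix)]
    return max(enclosing, key=len) if enclosing else info["explicit_parent"]

def backends_for_subtree_search(base, tree, mode):
    # Backend holding `base` plus every suffix whose parent chain leads back to it.
    base = normalize_dn(base)
    holders = [s for s in tree if s == base or is_ancestor(s, base)]
    if not holders:
        return set()
    reached, grew = {max(holders, key=len)}, True
    while grew:
        grew = False
        for s in tree:
            if s not in reached and effective_parent(s, tree, mode) in reached:
                reached.add(s)
                grew = True
    return {tree[s]["backend"] for s in reached}

def suffixes_changing_behaviour(tree):
    # Roots under RHDS 10 that RHDS 11 nests: candidates for "orphan: true".
    return sorted(",".join(s) for s in tree
                  if effective_parent(s, tree, "rhds10") is None
                  and effective_parent(s, tree, "rhds11") is not None)

if __name__ == "__main__":
    print("candidates for orphan: true:",
          suffixes_changing_behaviour(load_mapping_tree(SAMPLE_DSE_LDIF)))
```

Run against the sample, a subtree search on dc=example,dc=com reaches exampledb and SubSuffixData under the RHDS 10 rule and additionally customersdb under the RHDS 11 rule, while ou=partners stays a separate root in both because of its "orphan: true"; ou=customers,dc=example,dc=com is the one suffix reported as changing. To audit a real instance, read the mapping tree from the instance's dse.ldif (or the output of dsconf backend suffix list plus the mapping tree entries) into load_mapping_tree instead of the constructed sample.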
Comment 4 Pierre Rogier 2022-05-23 13:33:58 UTC
Good news, my first test shows that it is easy to add an attribute in the mapping tree entry to dissociate a suffix from its parents.
So there should be no blocker for this one.

Still need some time to clean up the code and to add the new attribute
  in dsconf instance --advanced backend suffix set
I hope to be able to commit the fix upstream by the end of the week.

Comment 10 Akshay Adhikari 2023-01-11 10:30:30 UTC
Build Tested: 389-ds-base-1.4.3.31-10.module+el8dsrv+17710+b3b86a4a.x86_64

# py.test -v dirsrvtests/tests/suites/mapping_tree/regression_test.py --disable-warnings
============================================================================ test session starts =======================================================================
platform linux -- Python 3.6.8, pytest-7.0.1, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-425.3.1.el8.x86_64-x86_64-with-redhat-8.7-Ootpa', 'Packages': {'pytest': '7.0.1', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.2.0', 'ignore-flaky': '2.0.0'}}
389-ds-base: 1.4.3.31-10.module+el8dsrv+17710+b3b86a4a
nss: 3.79.0-10.el8_6
nspr: 4.34.0-3.el8_6
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.2.0, ignore-flaky-2.0.0
collected 3 items                                                                                                                                                          

dirsrvtests/tests/suites/mapping_tree/regression_test.py::test_sub_suffixes[orphan-is-true] PASSED                                                                    [ 33%]
dirsrvtests/tests/suites/mapping_tree/regression_test.py::test_sub_suffixes[orphan-is-false] PASSED                                                                   [ 66%]
dirsrvtests/tests/suites/mapping_tree/regression_test.py::test_sub_suffixes[no-orphan] PASSED                                                                         [100%]

====================================================================== 3 passed, 28 warnings in 55.03s =================================================================

Marking as VERIFIED.

Comment 12 errata-xmlrpc 2023-01-17 08:52:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (redhat-ds:11 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0186
