The dnaFilter configuration setting is supposed to be applied against an entry to determine if a particular managed range applies to the entry. I have found that it is not used properly. Here's what I have observed: - Configure two managed ranges. One is for the uidNumber for "objectclass=posixAccount" entries. The second is for the gidNumber for "objectclass=posixGroup" entries. - Add a new "posixAccount" entry without specifying a "uidNumber" or "gidNumber" attribute value. The user will be successfully added, and both "uidNumber" and "gidNumber" values will be generated for the new entry, even though the configuration states that only the "uidNumber" should be generated.
Created attachment 313008 [details] DNA config entries
This compiler warning seems to point to the root cause of this problem: ../ldapserver/ldap/servers/plugins/dna/dna.c: In function 'parseConfigEntry': ../ldapserver/ldap/servers/plugins/dna/dna.c:542: warning: assignment from incompatible pointer type The problem is related to the way we load the dnaFilter value from the configuration entries. Our cached configuration entries in the DNA plug-in contain a string representation of the filter in addition to a Slapi_Filter based off of that string. The problem is that we call slapi_str2filter() to create the Slapi_Filter, but we store the pointer to it in our char * pointer that is supposed to be the filter string.
Created attachment 313010 [details] CVS Diffs This fix simply stores the Slapi_Filter in the proper member of the configEntry struct. With this fix, the test in comment#1 properly rejects adding a new "posixAccount" with no "gidNumber" attribute specified. If one explicitly specifies a "gidNumber" when adding the entry, the entry is added successfully, and the "uidNumber" value is generated by the DNA plug-in.
Checked into ldapserver (HEAD). Thanks to Noriko for her review! Checking in ldap/servers/plugins/dna/dna.c; /cvs/dirsec/ldapserver/ldap/servers/plugins/dna/dna.c,v <-- dna.c new revision: 1.5; previous revision: 1.4 done
fix verified DS 8.1 - All supported OSes- scenarios where DNA is configured for both uidNumber and gidNumber being tested by DNA automated acceptance tests. * dnaScope - non overlapping - both managed values with the same range o Add and modify both users and groups from both servers * dnaScope - overlapping - managed values with different ranges o Add and modify both users and groups from both servers
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-0455.html