Description of problem:
This is related to the RFE in bug https://bugzilla.redhat.com/show_bug.cgi?id=620927

I configured additional attributes to be the source of memberOf, two new attributes I've defined: memberHost and memberUser. I'm seeing entries getting memberOf for entries that don't have member/memberUser/memberHost in it.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.7-0.6.a3.fc12.x86_64
There is a bug in the way we construct the filter in memberof_call_foreach_dn() when multiple grouping attributes are set. We should be constructing a filter using the passed in types and dn that looks like this:

(|(type1=dn)(type2=dn))

Instead, we have hard-coded wildcards in the place of the dn when multiple types are passed in. The result is a filter that looks like this:

(|(type1=*)(type2=*))

When this function is used to find groups who have dn as a member, we end up finding all groups that have any grouping attribute present and treat dn as if it is a member. This issue does not occur when a single type is used.
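An added example, not code from the 389-ds tree or from the patch attached to this bug: a small C filter builder with the shape the comment above describes, one disjunct per grouping attribute and each disjunct carrying the real DN rather than a wildcard. It also escapes the DN per RFC 4515 so a value containing '*' or parentheses cannot widen the filter the way the hard-coded '*' did. The function names and the fixed-size buffers are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515):
 * '*', '(', ')' and '\' become \2a \28 \29 \5c.  Caller frees the result. */
static char *filter_escape(const char *val)
{
    size_t len = strlen(val);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte escaped */
    char *p = out;
    if (!out) return NULL;
    for (const char *s = val; *s; s++) {
        if (*s == '*' || *s == '(' || *s == ')' || *s == '\\') {
            p += sprintf(p, "\\%02x", (unsigned char)*s);
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Build "(type=dn)" for one grouping attribute, or "(|(t1=dn)(t2=dn)...)"
 * for several.  Every disjunct carries the escaped dn; no wildcard is ever
 * emitted, so only groups that actually list dn as a member can match.
 * Caller frees the result. */
char *memberof_build_filter(const char **types, int ntypes, const char *dn)
{
    char *edn = filter_escape(dn);
    size_t need = 4;                         /* "(|" + ")" + NUL */
    if (!edn) return NULL;
    for (int i = 0; i < ntypes; i++)
        need += strlen(types[i]) + strlen(edn) + 3;  /* "(" "=" ")" */
    char *filter = malloc(need);
    if (!filter) { free(edn); return NULL; }
    char *p = filter;
    if (ntypes > 1) p += sprintf(p, "(|");
    for (int i = 0; i < ntypes; i++)
        p += sprintf(p, "(%s=%s)", types[i], edn);
    if (ntypes > 1) *p++ = ')';
    *p = '\0';
    free(edn);
    return filter;
}
```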
Created attachment 456564
Patch
Pushed to master. Thanks to Noriko for her review!

Counting objects: 13, done.
Delta compression using 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.05 KiB, done.
Total 7 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   5fb379f..738eef1  master -> master
Can you please add steps to verify this issue? Thanks
(In reply to comment #5)
> Can you please add steps to verify this issue? Thanks

- Configure memberOf with two values for memberOfGroupAttr (memberHost and memberUser as Rob used is fine, though you'll have to add them to the schema).
- Add 2 group entries (group1 and group2).
- Add 2 user entries (user1 and user2).
- Make each user be a member of their matching group, using memberHost to define membership for user1 and memberUser for user2.
- Add a new group (group3), which has group2 listed as a member using either of the configured grouping attributes.

At this point, the only entries that should have a memberOf attribute with the DN of group3 should be group2 and user2.
Hey Nathan, I am failing at the first step:

[root@rhel61 slapd-rhel61]# service dirsrv stop
Shutting down dirsrv:
    rhel61...                                                  [  OK  ]
[root@rhel61 slapd-rhel61]# vim dse.ldif
[root@rhel61 slapd-rhel61]# service dirsrv start
Starting dirsrv:
    rhel61...                                                  [FAILED]
  *** Warning: 1 instance(s) failed to start

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: member
memberofgroupattr: memberUser
memberofgroupattr: memberHost
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.8.2
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: memberof plugin

When I set nsslapd-pluginEnabled: off, it starts fine.

[root@rhel61 slapd-rhel61]# vim dse.ldif
[root@rhel61 slapd-rhel61]# service dirsrv start
Starting dirsrv:
    rhel61...                                                  [  OK  ]
Also, please note that this is working fine:

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.8.2
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: memberof plugin
(In reply to comment #7)
> Hey Nathan, I am failing at the first step:
>
> [root@rhel61 slapd-rhel61]# service dirsrv stop
> Shutting down dirsrv:
>     rhel61...                                                  [  OK  ]
> [root@rhel61 slapd-rhel61]# vim dse.ldif
> [root@rhel61 slapd-rhel61]# service dirsrv start
> Starting dirsrv:
>     rhel61...                                                  [FAILED]
>   *** Warning: 1 instance(s) failed to start

What does the errors log show when the service fails to start?
[root@rhel61 ~]# service dirsrv start
Starting dirsrv:
    rhel61...                                                  [FAILED]
  *** Warning: 1 instance(s) failed to start

[root@rhel61 ~]# tail -f /var/log/dirsrv/slapd-rhel61/errors
[07/Jun/2011:21:34:31 +051800] - Failed to start postoperation plugin MemberOf Plugin
[07/Jun/2011:21:34:31 +051800] NSMMReplicationPlugin - agmtlist_config_init: found 0 replication agreements in DIT
[07/Jun/2011:21:34:31 +051800] memberof-plugin - only one memberOf plugin instance can be used
[07/Jun/2011:21:34:31 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[07/Jun/2011:21:34:31 +051800] - Failed to start postoperation plugin MemberOf Plugin
[07/Jun/2011:21:34:31 +051800] memberof-plugin - only one memberOf plugin instance can be used
[07/Jun/2011:21:34:31 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[07/Jun/2011:21:34:31 +051800] - Failed to start postoperation plugin MemberOf Plugin
[07/Jun/2011:21:34:31 +051800] - Error: Failed to resolve plugin dependencies
[07/Jun/2011:21:34:31 +051800] - Error: postoperation plugin MemberOf Plugin is not started

[root@rhel61 ~]# tail -f /var/log/dirsrv/slapd-rhel61/access
[07/Jun/2011:19:21:21 +051800] conn=8 op=3 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\3DDirectory Manager,ou=UserPreferences,ou=pnq.redhat.com,o=NetscapeRoot"
[07/Jun/2011:19:21:21 +051800] conn=8 op=3 RESULT err=0 tag=103 nentries=0 etime=0
[07/Jun/2011:19:21:21 +051800] conn=8 op=4 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\3DDirectory Manager,ou=UserPreferences,ou=pnq.redhat.com,o=NetscapeRoot"
[07/Jun/2011:19:21:21 +051800] conn=8 op=4 RESULT err=0 tag=103 nentries=0 etime=0
[07/Jun/2011:19:21:22 +051800] conn=8 op=5 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\3DDirectory Manager,ou=UserPreferences,ou=pnq.redhat.com,o=NetscapeRoot"
[07/Jun/2011:19:21:22 +051800] conn=8 op=5 RESULT err=0 tag=103 nentries=0 etime=0
[07/Jun/2011:19:21:22 +051800] conn=8 op=6 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\3DDirectory Manager,ou=UserPreferences,ou=pnq.redhat.com,o=NetscapeRoot"
[07/Jun/2011:19:21:22 +051800] conn=8 op=6 RESULT err=0 tag=103 nentries=0 etime=0
[07/Jun/2011:19:21:23 +051800] conn=1 op=-1 fd=64 closed - B1
[07/Jun/2011:19:21:23 +051800] conn=8 op=-1 fd=65 closed - B1
Reopening this bug.
The problem on the test system is that the "memberHost" and "memberUser" attributes have not been defined in the schema. The following error is in the errors log when you attempt to start the DS instance:

[07/Jun/2011:16:24:01 +051800] - 389-Directory/1.2.8.2 B2011.104.2252 starting up
[07/Jun/2011:16:24:01 +051800] memberof-plugin - Error 53: The memberUser configuration attribute must be set to an attribute defined to use either the Distinguished Name or Name and Optional UID syntax. (illegal value: memberOfGroupAttr)
[07/Jun/2011:16:24:02 +051800] memberof-plugin - configuration failed (Server is unwilling to perform)
[07/Jun/2011:16:24:02 +051800] - Failed to start postoperation plugin MemberOf Plugin

If you are going to use the "memberHost" and "memberUser" attributes for testing, you will need to add them to the schema with the "Distinguished Name" syntax. You can just use the "uniqueMember" and "member" attributes instead if you want, which are already defined in the base schema.
Thanks Nathan. Now I am using two existing attributes, but for the 3rd case, where I am making a group a member of another group, it is failing. Please guide.

"uniqueMember" - groupOfUniqueNames, and "member" - groupOfNames

1. Modified the dse.ldif

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: member
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.8.2
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: memberof plugin

2. Restarted the dirsrv.

[root@rhel61 home]# vim /etc/dirsrv/slapd-rhel61/dse.ldif
[root@rhel61 home]# service dirsrv start
Starting dirsrv:
    rhel61...                                                  [  OK  ]

3.
- Add 2 group entries (group1 and group2).
- Add 2 user entries (user1 and user2).
- Make each user be a member of their matching group, using member to define membership for user1 and uniqueMember for user2.
- Add a new group (group3), which has group2 listed as a member using either of the configured grouping attributes.

At this point, the only entries that should have a memberOf attribute with the DN of group3 should be group2 and user2.
dn: cn=membergroup,dc=example,dc=com
member: cn=user1,dc=example,dc=com

dn: cn=umembergroup,dc=example,dc=com
uniqueMember: cn=user2,dc=example,dc=com

dn: cn=group3,dc=example,dc=com
member: cn=usergroup,dc=example,dc=com

OUTPUT
======
dn: cn=user1,dc=example,dc=com
memberOf: cn=membergroup,dc=example,dc=com

dn: cn=user2,dc=example,dc=com
memberOf: cn=umembergroup,dc=example,dc=com
memberof: cn=group3,dc=example,dc=com

dn: cn=umembergroup,dc=example,dc=com
memberOf: ******NOTHING HERE****

Add Group
=========
ldapadd -D "cn=Directory Manager" -w Secret123 -h localhost -p 389 << EOF
dn: cn=membergroup,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: membergroup
member: cn=user1,dc=example,dc=com
EOF

ldapadd -D "cn=Directory Manager" -w Secret123 -h localhost -p 389 << EOF
dn: cn=umembergroup,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: umembergroup
uniquemember: cn=user2,dc=example,dc=com
EOF

ldapadd -D "cn=Directory Manager" -w Secret123 -h localhost -p 389 << EOF
dn: cn=group3,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: group3
member: cn=umembergroup,dc=example,dc=com
EOF

UNEXPECTED RESULT
=================
[root@rhel61 schema]# ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=umembergroup,dc=example,dc=com" -s sub "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <cn=umembergroup,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# umembergroup, example.com
dn: cn=umembergroup,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: umembergroup
uniqueMember: cn=user2,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@rhel61 schema]# ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=group3,dc=example,dc=com" -s sub "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <cn=group3,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# group3, example.com
dn: cn=group3,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: group3
member: cn=umembergroup,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@rhel61 schema]# ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=user2,dc=example,dc=com" -s sub "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <cn=user2,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# user2, example.com
dn: cn=user2,dc=example,dc=com
cn: ams
cn: user2
sn: ams
givenName: ams
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
uid: ams
mail: ams
userPassword:: e1NTSEF9TUNRalZEYUhJT291em1IdmtDYjkzNmdwNHdsL3VYcERXcEhvVXc9PQ==
memberOf: cn=umembergroup,dc=example,dc=com
memberOf: cn=group3,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@rhel61 schema]#
(In reply to comment #15)
> Thanks Nathan. Now I am using two existing attributes, but for the 3rd case,
> where I am making a group a member of another group, it is failing.
> Please guide.

I believe that you need to add an objectclass that allows the memberOf attribute to be present in your group entries. The plug-in will try to add the memberOf values to entries when needed, but it won't be able to do that if the schema doesn't allow it.
Yeah Nathan, the group entry has to have objectClass: inetAdmin to have the memberOf attribute.

ldapmodify -a -D "cn=Directory Manager" -w Secret123 -h localhost -p 389 << EOF
> dn: cn=umembergroup,dc=example,dc=com
> changetype: modify
> add: objectClass
> objectClass: inetAdmin
> EOF
modifying entry "cn=umembergroup,dc=example,dc=com"

After adding this object class, I am able to see:

# umembergroup, example.com
dn: cn=umembergroup,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: inetUser
objectClass: inetAdmin
cn: umembergroup
uniqueMember: cn=user2,dc=example,dc=com
memberOf: cn=group3,dc=example,dc=com

Hence marking the bug as VERIFIED.