715112 – Managed Entries: mep_mod_post_op: Unable to update mapped attributes from origin entry

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 715112 - Managed Entries: mep_mod_post_op: Unable to update mapped attributes from origin entry

Summary: Managed Entries: mep_mod_post_op: Unable to update mapped attributes from or...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:	661102
Blocks:
TreeView+	depends on / blocked

Reported:	2011-06-21 21:45 UTC by Nathan Kinder
Modified:	2015-01-04 23:49 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ipa-2.1.0-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Renaming users may return a Not Found error. Consequence: Renaming the user is successful but their user-private group is not. Fix: Set the 389-ds plugin precedence so the ipa_modrdn plugin runs last. This plugin manages renaming the Kerberos principal name of the user. Result: Renaming a user will also rename the user-private group.
Clone Of:	661102
Environment:
Last Closed:	2011-12-06 18:36:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Comment 1 Dmitri Pal 2011-06-21 21:49:08 UTC

This bug triggered the following ticket: https://fedorahosted.org/freeipa/ticket/1370

Comment 2 Rob Crittenden 2011-08-01 20:04:23 UTC

master: a48a84a5ead90898630a23fc0de1c978d1e0b810

ipa-2-0: c58b351f285a879ffc1b095696f47a64042febe4

Comment 5 Rob Crittenden 2011-09-02 21:09:39 UTC

The ds team determined that the precedence is getting set in the wrong entry. It should be getting set in cn=IPA MODRDN,cn=plugins,cn=config instead

Comment 6 Martin Kosek 2011-09-13 15:39:33 UTC

Precedence is now put to the right entry:
master: https://fedorahosted.org/freeipa/changeset/5371c03c93ddc73ebafc4107e7340ac911e27ed5
ipa-2-1: https://fedorahosted.org/freeipa/changeset/613bd3ee6a657080a0c35db9472d7e51a8399805

Comment 8 Rob Crittenden 2011-10-31 20:30:31 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Renaming users may return a Not Found error.
Consequence: Renaming the user is successful but their user-private group is not.
Fix: Set the 389-ds plugin precedence so the ipa_modrdn plugin runs last. This plugin manages renaming the Kerberos principal name of the user.
Result: Renaming a user will also rename the user-private group.

Comment 9 Gowrishankar Rajaiyan 2011-11-08 13:19:38 UTC

[root@ipaqavmc ~]# ipa user-add --first=test --last=test test
-----------------
Added user "test"
-----------------
  User login: test
  First name: test
  Last name: test
  Full name: test test
  Display name: test test
  Initials: tt
  Home directory: /home/test
  GECOS field: test test
  Login shell: /bin/sh
  Kerberos principal: test.BOS.REDHAT.COM
  UID: 1266400003
  GID: 1266400003
  Keytab: False
  Password: False
[root@ipaqavmc ~]# 

[root@ipaqavmc ~]# ipa user-mod --setattr uid=new test
--------------------
Modified user "test"
--------------------
  User login: new
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  UID: 1266400003
  GID: 1266400003
  Account disabled: False
  Keytab: False
  Password: False
  Member of groups: ipausers
[root@ipaqavmc ~]# 


[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# new, users, accounts, idm.lab.bos.redhat.com
dn: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
displayName: test test
cn: test test
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: test
gecos: test test
homeDirectory: /home/test
krbPwdPolicyReference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,
 dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
krbPrincipalName: new.BOS.REDHAT.COM
givenName: test
initials: tt
uidNumber: 1266400003
gidNumber: 1266400003
ipaUniqueID: 5b74793e-0a09-11e1-a015-021016980180
mepManagedEntry: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,d
 c=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=
 com
uid: new

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
# extended LDIF
#
# LDAPv3
# base <cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# new, groups, accounts, idm.lab.bos.redhat.com
dn: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
gidNumber: 1266400003
description: User private group for new
mepManagedBy: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om <<<<<<<<<<<<<
ipaUniqueID: 5b8a6afa-0a09-11e1-a015-021016980180
cn: new

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipaqavmc ~]#

Also, checked "cn=IPA MODRDN,cn=plugins,cn=config":

[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=IPA MODRDN,cn=plugins,cn=config" objectClass=nsSlapdPlugin nsslapd-pluginprecedence
# extended LDIF
#
# LDAPv3
# base <cn=IPA MODRDN,cn=plugins,cn=config> with scope subtree
# filter: objectClass=nsSlapdPlugin
# requesting: nsslapd-pluginprecedence 
#

# IPA MODRDN, plugins, config
dn: cn=IPA MODRDN,cn=plugins,cn=config
nsslapd-pluginprecedence: 60

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipaqavmc ~]# 


Verified.

[root@ipaqavmc ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 9.el6                         Build Date: Mon 07 Nov 2011 03:00:54 PM EST
Install Date: Tue 08 Nov 2011 01:51:10 AM EST      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-9.el6.src.rpm
Size        : 3382131                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@ipaqavmc ~]#

Comment 10 errata-xmlrpc 2011-12-06 18:36:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.