Hide Forgot
This bug triggered the following ticket: https://fedorahosted.org/freeipa/ticket/1370
master: a48a84a5ead90898630a23fc0de1c978d1e0b810 ipa-2-0: c58b351f285a879ffc1b095696f47a64042febe4
The ds team determined that the precedence is getting set in the wrong entry. It should be getting set in cn=IPA MODRDN,cn=plugins,cn=config instead
Precedence is now put to the right entry: master: https://fedorahosted.org/freeipa/changeset/5371c03c93ddc73ebafc4107e7340ac911e27ed5 ipa-2-1: https://fedorahosted.org/freeipa/changeset/613bd3ee6a657080a0c35db9472d7e51a8399805
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: Renaming users may return a Not Found error. Consequence: Renaming the user is successful but their user-private group is not. Fix: Set the 389-ds plugin precedence so the ipa_modrdn plugin runs last. This plugin manages renaming the Kerberos principal name of the user. Result: Renaming a user will also rename the user-private group.
[root@ipaqavmc ~]# ipa user-add --first=test --last=test test ----------------- Added user "test" ----------------- User login: test First name: test Last name: test Full name: test test Display name: test test Initials: tt Home directory: /home/test GECOS field: test test Login shell: /bin/sh Kerberos principal: test@IDM.LAB.BOS.REDHAT.COM UID: 1266400003 GID: 1266400003 Keytab: False Password: False [root@ipaqavmc ~]# [root@ipaqavmc ~]# ipa user-mod --setattr uid=new test -------------------- Modified user "test" -------------------- User login: new First name: test Last name: test Home directory: /home/test Login shell: /bin/sh UID: 1266400003 GID: 1266400003 Account disabled: False Keytab: False Password: False Member of groups: ipausers [root@ipaqavmc ~]# [root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" # extended LDIF # # LDAPv3 # base <uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # new, users, accounts, idm.lab.bos.redhat.com dn: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com displayName: test test cn: test test objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetorgperson objectClass: inetuser objectClass: posixaccount objectClass: krbprincipalaux objectClass: krbticketpolicyaux objectClass: ipaobject objectClass: mepOriginEntry loginShell: /bin/sh sn: test gecos: test test homeDirectory: /home/test krbPwdPolicyReference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos, dc=idm,dc=lab,dc=bos,dc=redhat,dc=com krbPrincipalName: new@IDM.LAB.BOS.REDHAT.COM givenName: test initials: tt uidNumber: 1266400003 gidNumber: 1266400003 ipaUniqueID: 5b74793e-0a09-11e1-a015-021016980180 mepManagedEntry: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,d c=com memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc= com uid: new # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" # extended LDIF # # LDAPv3 # base <cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # new, groups, accounts, idm.lab.bos.redhat.com dn: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com objectClass: posixgroup objectClass: ipaobject objectClass: mepManagedEntry objectClass: top gidNumber: 1266400003 description: User private group for new mepManagedBy: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c om <<<<<<<<<<<<< ipaUniqueID: 5b8a6afa-0a09-11e1-a015-021016980180 cn: new # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root@ipaqavmc ~]# Also, checked "cn=IPA MODRDN,cn=plugins,cn=config": [root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=IPA MODRDN,cn=plugins,cn=config" objectClass=nsSlapdPlugin nsslapd-pluginprecedence # extended LDIF # # LDAPv3 # base <cn=IPA MODRDN,cn=plugins,cn=config> with scope subtree # filter: objectClass=nsSlapdPlugin # requesting: nsslapd-pluginprecedence # # IPA MODRDN, plugins, config dn: cn=IPA MODRDN,cn=plugins,cn=config nsslapd-pluginprecedence: 60 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root@ipaqavmc ~]# Verified. [root@ipaqavmc ~]# rpm -qi ipa-server | head Name : ipa-server Relocations: (not relocatable) Version : 2.1.3 Vendor: Red Hat, Inc. Release : 9.el6 Build Date: Mon 07 Nov 2011 03:00:54 PM EST Install Date: Tue 08 Nov 2011 01:51:10 AM EST Build Host: x86-001.build.bos.redhat.com Group : System Environment/Base Source RPM: ipa-2.1.3-9.el6.src.rpm Size : 3382131 License: GPLv3+ Signature : (none) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://www.freeipa.org/ Summary : The IPA authentication server [root@ipaqavmc ~]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html