715112 – Managed Entries: mep_mod_post_op: Unable to update mapped attributes from origin entry

Bug 715112 - Managed Entries: mep_mod_post_op: Unable to update mapped attributes from origin entry

Summary: Managed Entries: mep_mod_post_op: Unable to update mapped attributes from or...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:	661102
Blocks:
TreeView+	depends on / blocked

Reported:	2011-06-21 21:45 UTC by Nathan Kinder
Modified:	2015-01-04 23:49 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ipa-2.1.0-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Renaming users may return a Not Found error. Consequence: Renaming the user is successful but their user-private group is not. Fix: Set the 389-ds plugin precedence so the ipa_modrdn plugin runs last. This plugin manages renaming the Kerberos principal name of the user. Result: Renaming a user will also rename the user-private group.
Clone Of:	661102
Environment:
Last Closed:	2011-12-06 18:36:23 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Comment 1 Dmitri Pal 2011-06-21 21:49:08 UTC

This bug triggered the following ticket: https://fedorahosted.org/freeipa/ticket/1370

Comment 2 Rob Crittenden 2011-08-01 20:04:23 UTC

master: a48a84a5ead90898630a23fc0de1c978d1e0b810

ipa-2-0: c58b351f285a879ffc1b095696f47a64042febe4

Comment 5 Rob Crittenden 2011-09-02 21:09:39 UTC

The ds team determined that the precedence is getting set in the wrong entry. It should be getting set in cn=IPA MODRDN,cn=plugins,cn=config instead

Comment 6 Martin Kosek 2011-09-13 15:39:33 UTC

Precedence is now put to the right entry:
master: https://fedorahosted.org/freeipa/changeset/5371c03c93ddc73ebafc4107e7340ac911e27ed5
ipa-2-1: https://fedorahosted.org/freeipa/changeset/613bd3ee6a657080a0c35db9472d7e51a8399805

Comment 8 Rob Crittenden 2011-10-31 20:30:31 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Renaming users may return a Not Found error.
Consequence: Renaming the user is successful but their user-private group is not.
Fix: Set the 389-ds plugin precedence so the ipa_modrdn plugin runs last. This plugin manages renaming the Kerberos principal name of the user.
Result: Renaming a user will also rename the user-private group.

Comment 9 Gowrishankar Rajaiyan 2011-11-08 13:19:38 UTC

[root@ipaqavmc ~]# ipa user-add --first=test --last=test test
-----------------
Added user "test"
-----------------
  User login: test
  First name: test
  Last name: test
  Full name: test test
  Display name: test test
  Initials: tt
  Home directory: /home/test
  GECOS field: test test
  Login shell: /bin/sh
  Kerberos principal: test@IDM.LAB.BOS.REDHAT.COM
  UID: 1266400003
  GID: 1266400003
  Keytab: False
  Password: False
[root@ipaqavmc ~]# 

[root@ipaqavmc ~]# ipa user-mod --setattr uid=new test
--------------------
Modified user "test"
--------------------
  User login: new
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  UID: 1266400003
  GID: 1266400003
  Account disabled: False
  Keytab: False
  Password: False
  Member of groups: ipausers
[root@ipaqavmc ~]# 


[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# new, users, accounts, idm.lab.bos.redhat.com
dn: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
displayName: test test
cn: test test
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: test
gecos: test test
homeDirectory: /home/test
krbPwdPolicyReference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,
 dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
krbPrincipalName: new@IDM.LAB.BOS.REDHAT.COM
givenName: test
initials: tt
uidNumber: 1266400003
gidNumber: 1266400003
ipaUniqueID: 5b74793e-0a09-11e1-a015-021016980180
mepManagedEntry: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,d
 c=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=
 com
uid: new

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
# extended LDIF
#
# LDAPv3
# base <cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# new, groups, accounts, idm.lab.bos.redhat.com
dn: cn=new,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
gidNumber: 1266400003
description: User private group for new
mepManagedBy: uid=new,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om <<<<<<<<<<<<<
ipaUniqueID: 5b8a6afa-0a09-11e1-a015-021016980180
cn: new

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipaqavmc ~]#

Also, checked "cn=IPA MODRDN,cn=plugins,cn=config":

[root@ipaqavmc ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=IPA MODRDN,cn=plugins,cn=config" objectClass=nsSlapdPlugin nsslapd-pluginprecedence
# extended LDIF
#
# LDAPv3
# base <cn=IPA MODRDN,cn=plugins,cn=config> with scope subtree
# filter: objectClass=nsSlapdPlugin
# requesting: nsslapd-pluginprecedence 
#

# IPA MODRDN, plugins, config
dn: cn=IPA MODRDN,cn=plugins,cn=config
nsslapd-pluginprecedence: 60

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipaqavmc ~]# 


Verified.

[root@ipaqavmc ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 9.el6                         Build Date: Mon 07 Nov 2011 03:00:54 PM EST
Install Date: Tue 08 Nov 2011 01:51:10 AM EST      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-9.el6.src.rpm
Size        : 3382131                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@ipaqavmc ~]#

Comment 10 errata-xmlrpc 2011-12-06 18:36:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.