Description of problem:
Users created at DS with a comma in the CN entry fail to sync to AD.

Version-Release number of selected component (if applicable):
DS90

How reproducible:
Consistently

Steps to Reproduce:
1. Set up windows sync with a win2008 AD server.
2. Create a few entries at DS and AD before running "Initiate Full Re-synchronization".
3. Create entries in DS as in this ldif file.

dn: uid=testwinsyncsplDN\2C1,dc=pass_sync,dc=com
telephoneNumber: 989898191
mail: testwinsyncsplDN1
givenName: testwinsyncsplDN1
objectClass: top
objectClass: person
objectClass: inetorgperson
objectclass: ntUser
sn: testwinsyncsplDN,1
cn: testwinsyncsplDN,1
ntUserCreateNewAccount: true
ntUserDomainId: testwinsyncsplDN1
ntUserDeleteAccount: true
userPassword: Secret1234

4. User successfully added to DS.
5. Run ldapsearch to check whether the entries are created at AD.
6. Check the error logs.

Actual results:
Entries fail to sync to AD, and this also prevents the other, valid entries from being synced. The error log says it's a DN syntax error.

[27/Jul/2011:08:50:37 -0400] NSMMReplicationPlugin - agmt="cn=WinPassSyncPAMAD" (win2k8rhvd64:636): process_replay_add: failed to create mapped entry dn="cn=testwinsyncsplDN,1,ou=pass_sync,dc=win2k8sync64,dc=com"
[27/Jul/2011:08:50:37 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [cn=testwinsyncsplDN,1,ou=pass_sync,dc=win2k8sync64,dc=com] scope [0] filter [(objectclass=*)]: error 34:Invalid DN syntax

Expected results:
The entry should be synced to AD, as a comma is allowed in the CN's entry.

Additional info:
I tried adding a new user at AD as in this ldif, and it fails with a DN syntax error.

dn: CN=testADUsr,_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testADUsr,_1
sn: testADUsr,_1
uid: testADUsr,_1
givenName: testADUsr_1
distinguishedName: CN=testADUsr_1,OU=pass_sync,DC=win2k8sync64,DC=com
displayName: testADUsr_1
sAMAccountName: testADUsr_1
userPrincipalName: testADUsr_1
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwAiAA==

If the comma in the CN (of the dn entry) is escaped, then it successfully creates the user at AD.

dn: CN=testADUsr\,_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testADUsr,_1
sn: testADUsr,_1
uid: testADUsr,_1
givenName: testADUsr_1
distinguishedName: CN=testADUsr_1,OU=pass_sync,DC=win2k8sync64,DC=com
displayName: testADUsr_1
sAMAccountName: testADUsr_1
userPrincipalName: testADUsr_1
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwAiAA==
Created attachment 515610 [details] 0001-Bug-725953-Winsync-DS-entries-fail-to-sync-to-AD-if-.patch
To ssh://git.fedorahosted.org/git/389/ds.git
   238b74d..7a0548b  master -> master
commit 7a0548ba3df54de5883c3a16a1c1951af9327dfc
Author: Rich Megginson <rmeggins>
Date:   Wed Jul 27 18:54:03 2011 -0600

Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: When we construct a new AD DN, usually from the value of the "cn" attribute in the entry, we need to escape the , and any other special characters in the value used in the DN. We do this by putting double quotes around the value, and let slapi_create_dn_string remove the quotes and use \ escapes instead.
Platforms tested: RHEL6 x86_64, Windows 2008 x86_64
Flag Day: no
Doc impact: no
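The following is an added illustration of the DN escaping the fix describes; it is not 389-ds-base code and does not call slapi_create_dn_string. It implements RFC 4514 backslash escaping of an RDN value directly, decodes the "\2C" hex form used in the DS uid of the report, and includes a minimal DN syntax check that flags the unescaped DN the way AD's "error 34" did, while accepting the escaped one. The parent DN and cn value are taken from the report's error log; the function names are this example's own.

```python
import string

# Characters RFC 4514 (section 2.4) requires to be escaped inside an RDN value.
MUST_ESCAPE = set('\\,+"<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use as the value part of an RDN.

    The winsync bug above arises because the raw cn "testwinsyncsplDN,1" was
    placed unescaped into the AD DN; this is the backslash form the fix produces.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in MUST_ESCAPE:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def unescape_rdn_value(value: str) -> str:
    """Undo RDN escaping, accepting both "\\," and hex pairs such as "\\2C"
    (the form used in the DS uid in the report above)."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in MUST_ESCAPE or nxt in '= #':
                buf.extend(nxt.encode('utf-8'))
                i += 2
                continue
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))   # hex pair is one raw UTF-8 byte
                i += 3
                continue
        buf.extend(value[i].encode('utf-8'))
        i += 1
    return buf.decode('utf-8')


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings on unescaped commas only."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append(''.join(cur))
    return rdns


def check_dn_syntax(dn: str):
    """Return None for a well-formed DN, else a message naming the first RDN
    that is not of the form attr=value (the case AD reports as error 34)."""
    for rdn in split_dn(dn):
        attr, sep, val = rdn.partition('=')
        if not sep or not attr.strip() or not val:
            return "Invalid DN syntax: bad RDN %r" % rdn
    return None


def build_ad_dn(cn: str, parent_dn: str, escape: bool = True) -> str:
    """Build the AD DN for a synced entry from its cn; escape=False mimics the
    pre-fix behaviour reported above."""
    rdn_value = escape_rdn_value(cn) if escape else cn
    return "cn=%s,%s" % (rdn_value, parent_dn)


if __name__ == "__main__":
    parent = "ou=pass_sync,dc=win2k8sync64,dc=com"   # from the report's error log
    cn = unescape_rdn_value("testwinsyncsplDN\\2C1")  # value as written in the DS uid
    for flag in (False, True):
        dn = build_ad_dn(cn, parent, escape=flag)
        print(dn, "->", check_dn_syntax(dn) or "ok")
```

Running it prints the unescaped DN with the "bad RDN '1'" diagnosis followed by the escaped DN marked ok: the stray "1" between two commas is parsed as an RDN of its own, which is exactly why AD rejected the mapped entry before the fix.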
Marking the bug as verified since it's not reproducible with the latest build of 389-ds-base.

rpm -qi 389-ds-base
Name        : 389-ds-base                  Relocations: (not relocatable)
Version     : 1.2.8.2                           Vendor: Red Hat, Inc.
Release     : 1.el6_1.9                     Build Date: Thu 11 Aug 2011 10:50:39 PM EDT
Install Date: Tue 16 Aug 2011 09:18:45 PM EDT      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: 389-ds-base-1.2.8.2-1.el6_1.9.src.rpm