Bug 725953 - Winsync: DS entries fail to sync to AD, if the User's CN entry contains a comma
Summary: Winsync: DS entries fail to sync to AD, if the User's CN entry contains a comma
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Sync Service
Version: 1.2.9
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 434915 389_1.2.9 726273
 
Reported: 2011-07-27 07:27 UTC by Sankar Ramalingam
Modified: 2015-12-07 16:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 726273
Environment:
Last Closed: 2015-12-07 16:35:52 UTC


Attachments
0001-Bug-725953-Winsync-DS-entries-fail-to-sync-to-AD-if-.patch (4.16 KB, patch)
2011-07-28 01:00 UTC, Rich Megginson
nhosoi: review+

Description Sankar Ramalingam 2011-07-27 07:27:28 UTC
Description of problem: Users created at DS with a comma in the CN entry fail to sync to AD.


Version-Release number of selected component (if applicable): DS90


How reproducible: Consistently


Steps to Reproduce:
1. Set up windows sync with a win2008 AD server.
2. Create a few entries at DS and AD before running "Initiate Full Re-synchronization".
3. Create entries in DS as in this ldif file.

dn: uid=testwinsyncsplDN\2C1,dc=pass_sync,dc=com
telephoneNumber: 989898191
mail: testwinsyncsplDN1@redhat.com
givenName: testwinsyncsplDN1
objectClass: top
objectClass: person
objectClass: inetorgperson
objectclass: ntUser
sn: testwinsyncsplDN,1
cn: testwinsyncsplDN,1
ntUserCreateNewAccount: true
ntUserDomainId: testwinsyncsplDN1
ntUserDeleteAccount: true
userPassword: Secret1234

4. User successfully added to DS.
5. Run ldapsearch to check whether the entries are created at AD.
6. Check the error logs.  

Actual results:
Entries fail to sync to AD, and this also prevents the other, valid entries from being synced.

The error log says it's a DN syntax error.

[27/Jul/2011:08:50:37 -0400] NSMMReplicationPlugin - agmt="cn=WinPassSyncPAMAD" (win2k8rhvd64:636): process_replay_add: failed to create mapped entry dn="cn=testwinsyncsplDN,1,ou=pass_sync,dc=win2k8sync64,dc=com"
[27/Jul/2011:08:50:37 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [cn=testwinsyncsplDN,1,ou=pass_sync,dc=win2k8sync64,dc=com] scope [0] filter [(objectclass=*)]: error 34:Invalid DN syntax



Expected results:
The entry should be synced to AD, as a comma is allowed in the CN's entry.

Additional info:

I tried adding a new user at AD with this ldif, and it fails with a DN syntax error.

dn: CN=testADUsr,_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testADUsr,_1
sn: testADUsr,_1
uid: testADUsr,_1
givenName: testADUsr_1
distinguishedName: CN=testADUsr_1,OU=pass_sync,DC=win2k8sync64,DC=com
displayName: testADUsr_1
sAMAccountName: testADUsr_1
userPrincipalName: testADUsr_1@win2k8sync64.com
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwAiAA==

If the comma in the CN(of the dn entry) is escaped, then it successfully creates the user at AD.

dn: CN=testADUsr\,_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testADUsr,_1
sn: testADUsr,_1
uid: testADUsr,_1
givenName: testADUsr_1
distinguishedName: CN=testADUsr_1,OU=pass_sync,DC=win2k8sync64,DC=com
displayName: testADUsr_1
sAMAccountName: testADUsr_1
userPrincipalName: testADUsr_1@win2k8sync64.com
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwAiAA==

Comment 1 Rich Megginson 2011-07-28 01:00:33 UTC
Created attachment 515610
0001-Bug-725953-Winsync-DS-entries-fail-to-sync-to-AD-if-.patch

Comment 2 Rich Megginson 2011-07-28 02:43:53 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   238b74d..7a0548b  master -> master
commit 7a0548ba3df54de5883c3a16a1c1951af9327dfc
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Wed Jul 27 18:54:03 2011 -0600
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: When we construct a new AD DN, usually from the value of the
    "cn" attribute in the entry, we need to escape the , and any other special
    characters in the value used in the DN.  We do this by putting double
    quotes around the value, and let slapi_create_dn_string remove the quotes
    and use \ escapes instead.
    Platforms tested: RHEL6 x86_64, Windows 2008 x86_64
    Flag Day: no
    Doc impact: no

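The failure mode in the description and the escape-on-construction fix described in comment 2, as an added example (hypothetical helper names; this is not code from the bug report or from 389-ds-base, and the DN values are the ones that appear in the report's error log). It shows why the unescaped DN `cn=testwinsyncsplDN,1,ou=...` is rejected with "Invalid DN syntax": the unescaped comma makes the DN split into an extra RDN (`1`) that has no attribute type. It then builds the DN with RFC 4514 escaping applied to the `cn` value, and converts the double-quoted form the fix uses internally into the backslash-escaped form.

```python
# Added example: RFC 4514 escaping of attribute values when building a DN.
# Helper names are hypothetical; DN values come from the bug's error log.

# Characters that must be backslash-escaped anywhere in a DN attribute value
# (RFC 4514 section 2.4); leading space/'#' and trailing space need it too.
SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN safely."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(attr: str, value: str, parent_dn: str) -> str:
    """Build '<attr>=<escaped value>,<parent>' from an untrusted attribute value."""
    return f"{attr}={escape_rdn_value(value)},{parent_dn}"


def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas, keeping backslash escapes intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # escaped pair is copied verbatim
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def is_valid_dn(dn: str) -> bool:
    """Every RDN must be '<type>=<value>' with a non-empty type (a rough syntax check)."""
    for rdn in split_dn(dn):
        attr, sep, _value = rdn.partition("=")
        if not sep or not attr.strip():
            return False
    return True


def quoted_to_escaped(dn: str) -> str:
    """Turn cn="a,b",ou=x into cn=a\\,b,ou=x: the quote-then-escape step the fix
    describes. Assumption of this toy: text inside the quotes is taken literally."""
    out, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            out.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            j = dn.index('"', i + 1)  # closing quote; ValueError if unbalanced
            out.append(escape_rdn_value(dn[i + 1:j]))
            i = j + 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    parent = "ou=pass_sync,dc=win2k8sync64,dc=com"
    naive = "cn=testwinsyncsplDN,1," + parent           # what the broken code built
    safe = build_dn("cn", "testwinsyncsplDN,1", parent)  # escaped on construction
    print(naive, split_dn(naive), is_valid_dn(naive))
    print(safe, split_dn(safe), is_valid_dn(safe))
    print(quoted_to_escaped('cn="testwinsyncsplDN,1",' + parent) == safe)
```

The general rule this demonstrates: any time a DN is assembled from an attribute value that the server did not choose itself (here the `cn` synced from the other directory), the value must be escaped at construction time; checking the assembled string afterwards, as `is_valid_dn` does, only tells you that the damage already happened.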
Comment 5 Sankar Ramalingam 2011-08-24 13:13:39 UTC
Marking the bug as verified since it's not reproducible with the latest build of 389-ds-base.

rpm -qi 389-ds-base
Name        : 389-ds-base                  Relocations: (not relocatable)
Version     : 1.2.8.2                           Vendor: Red Hat, Inc.
Release     : 1.el6_1.9                     Build Date: Thu 11 Aug 2011 10:50:39 PM EDT
Install Date: Tue 16 Aug 2011 09:18:45 PM EDT      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: 389-ds-base-1.2.8.2-1.el6_1.9.src.rpm

