RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 726273 - Winsync: DS entries fail to sync to AD, if the User's CN entry contains a comma
Summary: Winsync: DS entries fail to sync to AD, if the User's CN entry contains a comma
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.2
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact:
URL:
Whiteboard:
Depends On: 725953
Blocks: 727467
TreeView+ depends on / blocked
 
Reported: 2011-07-28 02:44 UTC by Rich Megginson
Modified: 2011-12-06 17:55 UTC (History)
10 users (show)

Fixed In Version: 389-ds-base-1.2.9.11-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 725953
Environment:
Last Closed: 2011-12-06 17:55:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2011:1711 0 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2011-12-06 01:02:20 UTC

Description Rich Megginson 2011-07-28 02:44:52 UTC 
+++ This bug was initially created as a clone of Bug #725953 +++

Description of problem: Users created at DS with a comma in the CN entry fails to sync to AD. 


Version-Release number of selected component (if applicable): DS90


How reproducible: Consistently


Steps to Reproduce:
1. Setup windows sync with win2008 AD server.
2. Create few entries at DS and AD before running "Initiate Full Re-synchronization".
3. Create entries in DS as this ldif file.

dn: uid=testwinsyncsplDN\2C1,dc=pass_sync,dc=com
telephoneNumber: 989898191
mail: testwinsyncsplDN1
givenName: testwinsyncsplDN1
objectClass: top
objectClass: person
objectClass: inetorgperson
objectclass: ntUser
sn: testwinsyncsplDN,1
cn: testwinsyncsplDN,1
ntUserCreateNewAccount: true
ntUserDomainId: testwinsyncsplDN1
ntUserDeleteAccount: true
userPassword: Secret1234

4. User successfully added to DS.
5. Run ldapsearch to check whether the entries are created at AD.
6. Check the error logs.  

Actual results:
Entries fail to Sync to AD and this affects the other entries valid entries to be synced.

Error log says, its a DN syntax error.

[27/Jul/2011:08:50:37 -0400] NSMMReplicationPlugin - agmt="cn=WinPassSyncPAMAD" (win2k8rhvd64:636): process_replay_add: failed to create mapped entry dn="cn=testwinsyncsplDN,1,ou=pass_sync,dc=win2k8sync64,dc=com"
[27/Jul/2011:08:50:37 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [cn=testwinsyncsplDN,1,ou=pass_sync,dc=win2k8sync64,dc=com] scope [0] filter [(objectclass=*)]: error 34:Invalid DN syntax



Expected results:
The entry should be synced to AD as comma is allowed in the CN's entry.

Additional info:

I tried adding a new user at AD as this ldif, and it fails with DN syntax error.

dn: CN=testADUsr,_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testADUsr,_1
sn: testADUsr,_1
uid: testADUsr,_1
givenName: testADUsr_1
distinguishedName: CN=testADUsr_1,OU=pass_sync,DC=win2k8sync64,DC=com
displayName: testADUsr_1
sAMAccountName: testADUsr_1
userPrincipalName: testADUsr_1
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwAiAA==

If the comma in the CN(of the dn entry) is escaped, then it successfully creates the user at AD.

dn: CN=testADUsr\,_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testADUsr,_1
sn: testADUsr,_1
uid: testADUsr,_1
givenName: testADUsr_1
distinguishedName: CN=testADUsr_1,OU=pass_sync,DC=win2k8sync64,DC=com
displayName: testADUsr_1
sAMAccountName: testADUsr_1
userPrincipalName: testADUsr_1
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwAiAA==

--- Additional comment from rmeggins on 2011-07-27 21:00:33 EDT ---

Created attachment 515610 [details]
0001-Bug-725953-Winsync-DS-entries-fail-to-sync-to-AD-if-.patch

--- Additional comment from rmeggins on 2011-07-27 22:43:53 EDT ---

To ssh://git.fedorahosted.org/git/389/ds.git
   238b74d..7a0548b  master -> master
commit 7a0548ba3df54de5883c3a16a1c1951af9327dfc
Author: Rich Megginson <rmeggins>
Date:   Wed Jul 27 18:54:03 2011 -0600
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: When we construct a new AD DN, usually from the value of the
    "cn" attribute in the entry, we need to escape the , and any other special
    characters in the value used in the DN.  We do this by putting double
    quotes around the value, and let slapi_create_dn_string remove the quotes
    and use \ escapes instead.
    Platforms tested: RHEL6 x86_64, Windows 2008 x86_64
    Flag Day: no
    Doc impact: no
Comment 3 Chandrasekar Kannan 2011-09-16 21:33:35 UTC 
ds-replication is no longer a component of rhel. folding back to 389-ds-base.
Comment 5 Amita Sharma 2011-09-21 17:19:23 UTC 
Clone https://bugzilla.redhat.com/show_bug.cgi?id=725953 is already Verified, so marking this as Verified.
Comment 6 errata-xmlrpc 2011-12-06 17:55:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2011-1711.html
Note You need to log in before you can comment on or make changes to this bug.