Bug 726273 - Winsync: DS entries fail to sync to AD, if the User's CN entry contains a comma
Summary: Winsync: DS entries fail to sync to AD, if the User's CN entry contains a comma
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.2
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact:
URL:
Whiteboard:
Depends On: 725953
Blocks: 727467
Reported: 2011-07-28 02:44 UTC by Rich Megginson
Modified: 2011-12-06 17:55 UTC (History)

Fixed In Version: 389-ds-base-1.2.9.11-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 725953
Environment:
Last Closed: 2011-12-06 17:55:51 UTC
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2011:1711 0 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2011-12-06 01:02:20 UTC

Description Rich Megginson 2011-07-28 02:44:52 UTC
+++ This bug was initially created as a clone of Bug #725953 +++

Description of problem: Users created at DS with a comma in the CN entry fail to sync to AD.


Version-Release number of selected component (if applicable): DS90


How reproducible: Consistently


Steps to Reproduce:
1. Setup windows sync with win2008 AD server.
2. Create a few entries at DS and AD before running "Initiate Full Re-synchronization".
3. Create entries in DS as this ldif file.

dn: uid=testwinsyncsplDN\2C1,dc=pass_sync,dc=com
telephoneNumber: 989898191
mail: testwinsyncsplDN1
givenName: testwinsyncsplDN1
objectClass: top
objectClass: person
objectClass: inetorgperson
objectclass: ntUser
sn: testwinsyncsplDN,1
cn: testwinsyncsplDN,1
ntUserCreateNewAccount: true
ntUserDomainId: testwinsyncsplDN1
ntUserDeleteAccount: true
userPassword: Secret1234

4. User successfully added to DS.
5. Run ldapsearch to check whether the entries are created at AD.
6. Check the error logs.

Actual results:
Entries fail to sync to AD, and this also prevents the other valid entries from being synced.

Error log says it's a DN syntax error.

[27/Jul/2011:08:50:37 -0400] NSMMReplicationPlugin - agmt="cn=WinPassSyncPAMAD" (win2k8rhvd64:636): process_replay_add: failed to create mapped entry dn="cn=testwinsyncsplDN,1,ou=pass_sync,dc=win2k8sync64,dc=com"
[27/Jul/2011:08:50:37 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [cn=testwinsyncsplDN,1,ou=pass_sync,dc=win2k8sync64,dc=com] scope [0] filter [(objectclass=*)]: error 34:Invalid DN syntax



Expected results:
The entry should be synced to AD, as a comma is allowed in the CN entry.

Additional info:

I tried adding a new user at AD as this ldif, and it fails with DN syntax error.

dn: CN=testADUsr,_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testADUsr,_1
sn: testADUsr,_1
uid: testADUsr,_1
givenName: testADUsr_1
distinguishedName: CN=testADUsr_1,OU=pass_sync,DC=win2k8sync64,DC=com
displayName: testADUsr_1
sAMAccountName: testADUsr_1
userPrincipalName: testADUsr_1
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwAiAA==

If the comma in the CN (of the dn entry) is escaped, then it successfully creates the user at AD.

dn: CN=testADUsr\,_1,OU=pass_sync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testADUsr,_1
sn: testADUsr,_1
uid: testADUsr,_1
givenName: testADUsr_1
distinguishedName: CN=testADUsr_1,OU=pass_sync,DC=win2k8sync64,DC=com
displayName: testADUsr_1
sAMAccountName: testADUsr_1
userPrincipalName: testADUsr_1
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwAiAA==

--- Additional comment from rmeggins on 2011-07-27 21:00:33 EDT ---

Created attachment 515610 [details]
0001-Bug-725953-Winsync-DS-entries-fail-to-sync-to-AD-if-.patch

--- Additional comment from rmeggins on 2011-07-27 22:43:53 EDT ---

To ssh://git.fedorahosted.org/git/389/ds.git
   238b74d..7a0548b  master -> master
commit 7a0548ba3df54de5883c3a16a1c1951af9327dfc
Author: Rich Megginson <rmeggins>
Date:   Wed Jul 27 18:54:03 2011 -0600
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: When we construct a new AD DN, usually from the value of the
    "cn" attribute in the entry, we need to escape the , and any other special
    characters in the value used in the DN.  We do this by putting double
    quotes around the value, and let slapi_create_dn_string remove the quotes
    and use \ escapes instead.
    Platforms tested: RHEL6 x86_64, Windows 2008 x86_64
    Flag Day: no
    Doc impact: no
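The DN construction problem and the fix described above, as an added example that is not 389-ds-base code: an RFC 4514 escaper for an attribute value placed in an RDN, plus a minimal DN splitter that shows why the unescaped DN from the error log is rejected as error 34 while the escaped form parses. The cn value and parent DN are taken from the report; the internal behaviour of slapi_create_dn_string is not reproduced.

```python
# Added example (not 389-ds-base code): escaping an attribute value for use in
# a DN, and a tiny DN splitter that mirrors why an unescaped comma is rejected.

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be the value part of an RDN."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                      # leading '#' only
            out.append('\\#')
        elif ch == ' ' and i in (0, len(value) - 1):    # leading/trailing space
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)

def build_dn(rdn_attr: str, value: str, parent_dn: str) -> str:
    """Build 'attr=value,parent' with the value escaped, as the fix does for the AD DN."""
    return f"{rdn_attr}={escape_rdn_value(value)},{parent_dn}"

def split_dn(dn: str) -> list:
    """Split a DN at unescaped commas; every RDN must contain an '=' (else error 34)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):   # keep escape pair together
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ',':
            rdns.append(''.join(cur)); cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append(''.join(cur))
    for rdn in rdns:
        if '=' not in rdn:
            raise ValueError(f"Invalid DN syntax: RDN {rdn!r} has no attribute type")
    return rdns

def is_valid_dn(dn: str) -> bool:
    try:
        split_dn(dn); return True
    except ValueError:
        return False

# Values from the bug report (constructed usage).
PARENT = "ou=pass_sync,dc=win2k8sync64,dc=com"
NAIVE_DN = "cn=testwinsyncsplDN,1," + PARENT              # what the old code produced
FIXED_DN = build_dn("cn", "testwinsyncsplDN,1", PARENT)   # cn=testwinsyncsplDN\,1,...
```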

Comment 3 Chandrasekar Kannan 2011-09-16 21:33:35 UTC
ds-replication is no longer a component of RHEL. Folding back to 389-ds-base.

Comment 5 Amita Sharma 2011-09-21 17:19:23 UTC
Clone https://bugzilla.redhat.com/show_bug.cgi?id=725953 is already Verified, so marking this as Verified.

Comment 6 errata-xmlrpc 2011-12-06 17:55:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2011-1711.html