Bug 818762 - winsync should not delete entry that appears to be out of scope
Summary: winsync should not delete entry that appears to be out of scope
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 6.4
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
Duplicates: 824073 839812
Depends On:
Blocks: 839812 868187
Reported: 2012-05-03 21:18 UTC by Rich Megginson
Modified: 2020-09-13 20:09 UTC

Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
Cause: An entry in DS has the same user or group name as an entry in AD, but the AD entry is out of scope of the Windows sync agreement, either because it was already there or because it was moved.
Consequence: The DS entry is deleted.
Fix: Allow the user to specify the behavior for out-of-scope AD entries with the new DS attribute for the Windows sync agreement entry, winSyncMoveAction. If the value is "none", an out-of-scope AD entry does nothing to the corresponding DS entry. If the value is "delete", an out-of-scope AD entry deletes the corresponding DS entry. If the value is "unsync", an out-of-scope AD entry is un-synchronized from the corresponding DS entry: changes made to either entry will not be synced. The default value is "none", which solves the original problem of deleted entries.
Result: By default, the DS entry is not deleted when the corresponding AD entry is out of scope, and the user can specify what behavior to take when the AD entry is out of scope.
Clone Of:
Last Closed: 2013-02-21 08:17:09 UTC
Target Upstream Version:
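
The winSyncMoveAction behaviour described in the Doc Text above, as an added Python model that is not 389-ds-base code: it replays step 3 of the verification (adtestusr moved to OU=BadUsers) against each of the three values. The agreement's AD subtree (cn=Users,dc=brq,dc=redhat,dc=com), the in-memory DS map and the "synced" marker are assumptions constructed for the example.

```python
# Added model of the winSyncMoveAction behaviour described in the Doc Text.
# It is not 389-ds-base code; the agreement subtree, the DS map and the
# "synced" marker are constructed for the example.

AD_SUBTREE = "cn=Users,dc=brq,dc=redhat,dc=com"   # assumed agreement scope


def normalize_dn(dn):
    """Split a DN into RDNs and fold case/whitespace so that
    'CN=Users,DC=brq' and 'cn=users, dc=brq' compare equal.
    Simplification: escaped commas inside an RDN value are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, subtree_dn):
    """True when entry_dn is subtree_dn itself or lies beneath it."""
    entry, subtree = normalize_dn(entry_dn), normalize_dn(subtree_dn)
    return len(entry) >= len(subtree) and entry[-len(subtree):] == subtree


def handle_ad_entry(ds_entries, uid, ad_dn, move_action="none"):
    """Decide what happens to the DS entry for `uid` when its AD counterpart
    sits at `ad_dn`. Mirrors the three documented winSyncMoveAction values;
    the default "none" leaves the DS entry alone."""
    if in_scope(ad_dn, AD_SUBTREE):
        return "in-scope"                   # normal sync, nothing special
    if uid not in ds_entries:
        return "no-ds-entry"
    if move_action == "none":
        return "kept"                       # fixed default: do not delete
    if move_action == "delete":
        del ds_entries[uid]                 # pre-fix behaviour, now opt-in
        return "deleted"
    if move_action == "unsync":
        ds_entries[uid]["synced"] = False   # constructed marker for "unsync"
        return "unsynced"
    raise ValueError(f"unknown winSyncMoveAction: {move_action!r}")


def run_scenario(move_action="none"):
    """Replay step 3 of the verification: adtestusr moved to OU=BadUsers."""
    ds = {"adtestusr": {"dn": "uid=adtestusr,ou=people,dc=brq,dc=redhat,dc=com",
                        "synced": True}}
    moved_dn = "CN=adtestusr,OU=BadUsers,DC=brq,DC=redhat,DC=com"
    outcome = handle_ad_entry(ds, "adtestusr", moved_dn, move_action)
    return outcome, "adtestusr" in ds, ds.get("adtestusr", {}).get("synced")


if __name__ == "__main__":
    for action in ("none", "delete", "unsync"):
        print(action, run_scenario(action))
```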


External trackers:
Github 389ds/389-ds-base issue 355 (last updated 2020-09-13 20:09:50 UTC)
Red Hat Product Errata RHSA-2013:0503 (normal, SHIPPED_LIVE): Moderate: 389-ds-base security, bug fix, and enhancement update (last updated 2013-02-21 08:18:44 UTC)

Description Rich Megginson 2012-05-03 21:18:28 UTC
This bug is created as a clone of upstream ticket:

See https://fedorahosted.org/freeipa/ticket/2688 for the gory details.

Instead of deleting, I think we should just log a warning like

"Could not sync the AD entry %s with the DS entry %s, even though they have the same user id (or group id) %s, because the AD entry is out of scope %s of the windows sync agreement"

Deleting perfectly good users is bad.

Comment 4 Rich Megginson 2012-07-13 15:21:44 UTC
This is not a regression - removing Regression keyword

Comment 5 Rich Megginson 2012-08-29 23:57:04 UTC
r6908 | rmeggins | 2012-08-29 17:56:11 -0600 (Wed, 29 Aug 2012) | 7 lines

Resolves: bug 818762 winsync should not delete entry that appears to be out of scope
Resolves: bug 847868 [RFE] support posix schema for user and group sync

The tests have been enhanced to cover more posix attribute checking.
Added tests for ticket 355/bug 818762
The tests by default will ignore errors caused by tickets 415 and 428

Comment 7 Dmitri Pal 2012-10-16 17:37:58 UTC
*** Bug 839812 has been marked as a duplicate of this bug. ***

Comment 12 Milan Kubík 2012-11-22 14:13:33 UTC
Verification steps:

1. Create DS user, verify sync to AD

$ AddNDSUsr dstestusr
adding new entry uid=dstestusr,ou=people,dc=brq,dc=redhat,dc=com

$ ChkNADUsr dstestusr ; echo $?

2. Create AD user, verify sync to DS

$ AddNADUsr adtestusr
adding new entry CN=adtestusr,cn=Users,dc=brq,dc=redhat,dc=com

$ ChkNDSUsr adtestusr ; echo $?

3. Move the AD user out of the scope of the synchronization agreement; the entry on DS should not be deleted.

$ ldapsearch -h windir -p 389 -D "cn=administrator,cn=users,dc=brq,dc=redhat,dc=com" -w Secret123 -b "dc=brq,dc=redhat,dc=com" cn=adtestusr dn
dn: CN=adtestusr,OU=BadUsers,DC=brq,DC=redhat,DC=com

$ ChkNDSUsr adtestusr ; echo $?

4. Remove the AD user. The synchronized user on DS should be deleted as well.

$ ldapdelete -h windir -p 389 -D "cn=administrator,cn=users,dc=brq,dc=redhat,dc=com" -W CN=adtestusr,OU=BadUsers,DC=brq,DC=redhat,DC=com
$ echo $?

$ ChkNDSUsr adtestusr ; echo $?
ldap_search: No such object
ldap_search: matched: ou=people,dc=brq,dc=redhat,dc=com

The adtestusr entry is deleted. The bug is verified.


Comment 14 errata-xmlrpc 2013-02-21 08:17:09 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 15 Namita Soman 2013-03-05 19:51:11 UTC
*** Bug 824073 has been marked as a duplicate of this bug. ***
