Bug 818762 – winsync should not delete entry that appears to be out of scope

This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes

Bug 818762 - winsync should not delete entry that appears to be out of scope

Summary:	winsync should not delete entry that appears to be out of scope

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	389-ds-base (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	urgent Severity urgent
Target Milestone:	rc
Target Release:	6.4
Assigned To:	Rich Megginson
QA Contact:	Sankar Ramalingam
Docs Contact:

URL:
Whiteboard:
Keywords:	ZStream

Duplicates:	824073 839812 (view as bug list)
Depends On:
Blocks:	839812 868187
	Show dependency tree / graph

Reported:	2012-05-03 17:18 EDT by Rich Megginson
Modified:	2015-02-14 09:12 EST (History)
CC List:	8 users (show)

See Also:
Fixed In Version:	389-ds-base-1.2.11.12-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Having an entry in DS with the same user/group name as an entry in AD but the entry in AD is out of scope of the Windows sync agreement, either because it was already there, or it was moved. Consequence: The DS entry is deleted. Fix: Allow the user to specify the behavior of out of scope AD entries with the new DS attribute for the Windows sync agreement entry, winSyncMoveAction. If the value is "none", an out of scope AD entry will do nothing to the corresponding DS entry. If the value is "delete", an out of scope AD entry will delete the corresponding DS entry. If the value is "unsync", an out of scope AD entry will be un-synchronized with the corresponding DS entry - changes made to either entry will not be sync'd. The default value is "none" which solves the original problem of deleted entries. Result: By default, the DS entry is not deleted when the corresponding AD entry is out of sync, and the user can specify what behavior to take when the AD entry is out of scope.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-21 03:17:09 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Rich Megginson 2012-05-03 17:18:28 EDT

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/355

see https://fedorahosted.org/freeipa/ticket/2688 for the gory details

Instead of deleting, I think we should just log a warning like

"Could not sync the AD entry %s with the DS entry %s, even though they have the same user id (or group id) %s, because the AD entry is out of scope %s of the windows sync agreement"

deleting perfectly good users is bad

Comment 4 Rich Megginson 2012-07-13 11:21:44 EDT

This is not a regression - removing Regression keyword

Comment 5 Rich Megginson 2012-08-29 19:57:04 EDT

r6908 | rmeggins@REDHAT.COM | 2012-08-29 17:56:11 -0600 (Wed, 29 Aug 2012) | 7 lines

Resolves: bug 818762 winsync should not delete entry that appears to be out of scope
Resolves: bug 847868 [RFE] support posix schema for user and group sync

The tests have been enhanced to cover more posix attribute checking.
Added tests for ticket 355/bug 818762
The tests by default will ignore errors caused by tickets 415 and 428

Comment 7 Dmitri Pal 2012-10-16 13:37:58 EDT

*** Bug 839812 has been marked as a duplicate of this bug. ***

Comment 12 Milan Kubík 2012-11-22 09:13:33 EST

Verification steps:

1. Create DS user, verify sync to AD

$ AddNDSUsr dstestusr
adding new entry uid=dstestusr,ou=people,dc=brq,dc=redhat,dc=com

$ ChkNADUsr dstestusr ; echo $?
0

2. Create AD user, verify sync to DS

$ AddNADUsr adtestusr
adding new entry CN=adtestusr,cn=Users,dc=brq,dc=redhat,dc=com

$ ChkNDSUsr adtestusr ; echo $?
0

3. Move AD user out of scope of synchronization agreement, entry on DS should not be deleted.

$ ldapsearch -h windir -p 389 -D "cn=administrator,cn=users,dc=brq,dc=redhat,dc=com" -w Secret123 -b "dc=brq,dc=redhat,dc=com" cn=adtestusr dn
dn: CN=adtestusr,OU=BadUsers,DC=brq,DC=redhat,DC=com

$ ChkNDSUsr adtestusr ; echo $?
0

4. Remove AD user. Synchronized user on DS should be deleted as well

$ ldapdelete -h windir -p 389 -D "cn=administrator,cn=users,dc=brq,dc=redhat,dc=com" -W CN=adtestusr,OU=BadUsers,DC=brq,DC=redhat,DC=com
$ echo $?
0

$ ChkNDSUsr adtestusr ; echo $?
ldap_search: No such object
ldap_search: matched: ou=people,dc=brq,dc=redhat,dc=com
1

adtestusr entry is deleted. The bug is verified.

389-ds-base-1.2.11.15-3.el6.i686

Comment 14 errata-xmlrpc 2013-02-21 03:17:09 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html

Comment 15 Namita Soman 2013-03-05 14:51:11 EST

*** Bug 824073 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.