This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/111

https://bugzilla.redhat.com/show_bug.cgi?id=453756

{{{
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0

Description of problem:
It would be a nice feature (for example, some additional functions in the plug-in API) that the plugins could execute internal modification operations without changing the operational attributes (modifiersName, modifyTimestamp etc). It would greatly simplify the management of an LDAP infrastructure in case there are many admins and unit managers - one could see right away who was the last person to change the entry. Today in our production environment we have to write and stock full audit logs to follow these changes. The problem is that each time an internal plug-in modifies the entry (in particular it concerns the referential integrity and memberOf plugins in our production environment) the modifiersName is changed to the plug-in configuration DN (and the attribute modifyTimestamp accordingly).

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Make a modification that concerns a plug-in like memberOf or referential integrity.

Actual Results:
Take a look at the attributes modifiersName and modifyTimestamp. Even if we have not DIRECTLY changed the entry we will find these attributes changed. Example :
nscpentryWSI: creatorsName: uid=andrey.ivanov,ou=person...
nscpentryWSI: modifiersName: cn=MemberOf,cn=plugins,cn=config
nscpentryWSI: createTimestamp: 20070803092138Z
nscpentryWSI: modifyTimestamp: 20080419154554Z

Expected Results:
An option should allow to avoid touching the modifiersName and modifyTimestamp by internal plug-in modification operations.

Additional info:
This is not a bug, it is a feature request. It is linked in a certain way to the bug 434914.
}}}
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Found an issue while testing DNA plugin for this RFE.

Steps:
1. Set the nsslapd-plugin-binddn-tracking attribute to ON
2. Enable DNA plugin
3. Add a test entry which should take next dna value for its uidnumber
4. Check the internalModifier name for the test entry. It should be plugin DN

/usr/lib64/mozldap/ldapsearch -1 -h dhcp201-134.englab.pnq.redhat.com -p 22594 -D "cn=directory manager" -w Secret123 -b "cn=Posix User1,dc=example,dc=com" "objectClass=*" internalModifiersname | grep "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
internalModifiersname is not plugin DN

But as in above ldapsearch, we are not getting plugin DN and instead we are getting UserDN. Which may be due to "ticket 302 superseded ticket 111". Reopening the bug.
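One way to script the step 4 check from the comment above against saved ldapsearch output, so that folded LDIF lines, attribute-name case and base64 values do not hide a mismatch the way a plain grep can. This is an added example, not part of the original comments or of the 389-ds test suite; the function names and the sample entry (including uid=tuser) are constructed, and the DN comparison is a simplified normalisation.

```shell
#!/bin/sh
# Added example: check step 4 of the procedure against saved ldapsearch output.
PLUGIN_DN='cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Simplified DN comparison key: lower-case, no spaces around ',' and '='.
norm_dn() { lower "$1" | sed 's/ *, */,/g; s/ *= */=/g'; }

# Print every value of attribute $1 found in the LDIF on stdin.
# Unfolds continuation lines (leading single space) and decodes "attr:: b64".
ldif_attr() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
             { if (buf != "") print buf; buf = $0 }
        END  { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        name=${line%%:*}
        [ "$(lower "$name")" = "$(lower "$1")" ] || continue
        case $line in
            "$name:: "*) printf '%s' "${line#*:: }" | base64 -d; echo ;;
            "$name: "*)  printf '%s\n' "${line#*: }" ;;
        esac
    done
}

# Exit status: 0 = internalModifiersname equals DN $1, 1 = differs, 2 = absent.
check_internal_modifier() {
    got=$(ldif_attr internalModifiersName | head -n 1)
    if [ -z "$got" ]; then echo "internalModifiersname absent"; return 2; fi
    if [ "$(norm_dn "$got")" = "$(norm_dn "$1")" ]; then
        echo "OK: $got"; return 0
    fi
    echo "MISMATCH: $got"; return 1
}

# Constructed sample reproducing the reported symptom (a user DN, not the plugin DN).
sample_ldif() {
    cat <<'EOF'
dn: cn=Posix User1,dc=example,dc=com
internalModifiersName: uid=tuser,dc=example,dc=com
EOF
}

sample_ldif | check_internal_modifier "$PLUGIN_DN" || echo "step 4 failed"
```

An "absent" result (status 2) is reported separately from a mismatch, so an entry that carries no internal tracking attribute at all is not mistaken for the defect reported here.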
memberOf does not create entries, so internalCreatorsname is not used.
Also, if there is no internalCreatorsname, then that entry was probably created before turning on nsslapd-plugin-binddn-tracking.
Bug fix for this RFE bug is added to the build 389-ds-base-1.2.11.12-4.el6: Ticket #495 - internalModifiersname not updated by DNA plugin
The previous comment had a typo in the version number. The correct package where the latest fix exists is 389-ds-base-1.2.11.15-4.el6.
Test cases are automated and all are passed. So marking the bug as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0503.html