Bug 868841 - Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
6.4
All Linux
high Severity high
: rc
Assigned To: Rich Megginson
Sankar Ramalingam
Blocks: 881827
Reported: 2012-10-22 05:26 EDT by Sankar Ramalingam
Modified: 2013-02-21 03:21 EST
Fixed In Version: 389-ds-base-1.2.11.15-4.el6
Doc Type: Bug Fix
Doc Text:
Cause: Even if an entry in AD does not have all the required attributes for the posix account entry, the entry is being synchronized to the directory server as a posix account entry.
Consequence: The synchronization fails due to the missing attribute error.
Fix: If the entry does not have all the required attributes, the posix account related attributes are dropped and the entry is synchronized as an ordinary entry.
Result: Even if there are missing posix account related attributes, the entry is successfully synchronized.
Last Closed: 2013-02-21 03:21:07 EST
Type: Bug


Description Sankar Ramalingam 2012-10-22 05:26:12 EDT
Description of problem: Synchronization of newly created users from AD to DS fails with missing attribute "uidNumber" required by object class "posixAccount". The user is created with organizationalPerson objectClass in AD. 

Version-Release number of selected component (if applicable): 389-ds-base-1.2.11.15-2

How reproducible: Consistently

Steps to Reproduce:
1. Install the latest build of 389-ds-base-1.2.11 on RHEL64.
2. Create an instance and configure winsync.
3. Enable Posix Winsync plugin - "cn=Posix Winsync API,cn=plugins,cn=config"
4. Run full sync to create the existing users from DS to AD and vice versa.
5. Create a few posix users on AD with posixAccount objectClass, uidNumber and gidNumber attributes.
6. Check whether the users synced to DS. Successfully created user on DS.
7. Create a normal user without posixAccount (with organizationalPerson) objectClass from AD.
8. Check whether users synced to DS. Failed to create user on DS.
  
Actual results: 
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "uidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "gidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] NSMMReplicationPlugin - add operation of entry uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com returned: 65

Expected results:
Winsync should support the normal user synchronization as well.


Additional info: This looks like a regression.
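
Added example, not part of the original report or of 389-ds-base: a small triage script that pairs the schema-check messages shown under "Actual results" with the failed add operation, listing the entries the server refused to create and the attributes each one lacked. The function name and the last sample line (a different result code for a made-up DN) are assumptions constructed for illustration; result 65 is the LDAP objectClassViolation code.

```python
import re
from collections import defaultdict

# First three lines are copied from "Actual results" in this report;
# the fourth is constructed to show that other result codes are ignored.
SAMPLE_LOG = '''\
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "uidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "gidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] NSMMReplicationPlugin - add operation of entry uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com returned: 65
[22/Oct/2012:01:25:02 -0400] NSMMReplicationPlugin - add operation of entry uid=constructed1,ou=dswinsync,dc=passsync,dc=com returned: 68
'''

MISSING_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - Entry "(?P<dn>[^"]+)" missing attribute '
    r'"(?P<attr>[^"]+)" required by object class "(?P<oc>[^"]+)"')
ADD_FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - add operation of entry '
    r'(?P<dn>.+) returned: (?P<rc>\d+)\s*$')

LDAP_OBJECT_CLASS_VIOLATION = 65  # standard LDAP result code


def find_failed_syncs(log_text):
    """Return {dn: {"time": ts, "missing": {objectclass: [attrs]}}} for every
    add operation rejected with an object class violation."""
    missing = defaultdict(lambda: defaultdict(set))  # dn -> objectclass -> attrs
    failed = {}                                      # dn -> timestamp of failed add
    for line in log_text.splitlines():
        m = MISSING_RE.match(line)
        if m:
            # DNs are compared case-insensitively, so normalise before keying.
            missing[m["dn"].lower()][m["oc"]].add(m["attr"])
            continue
        m = ADD_FAIL_RE.match(line)
        if m and int(m["rc"]) == LDAP_OBJECT_CLASS_VIOLATION:
            failed[m["dn"].lower()] = m["ts"]
    return {
        dn: {"time": ts,
             "missing": {oc: sorted(attrs)
                         for oc, attrs in missing.get(dn, {}).items()}}
        for dn, ts in failed.items()
    }


if __name__ == "__main__":
    for dn, info in find_failed_syncs(SAMPLE_LOG).items():
        print(info["time"], dn, info["missing"])
```
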
Comment 2 Noriko Hosoi 2012-10-29 19:37:46 EDT
Upstream ticket:
https://fedorahosted.org/389/ticket/500
Comment 3 Noriko Hosoi 2012-11-13 14:49:45 EST
These are the verification steps.  Please note that this change is included in 389-ds-base-1.2.11.15-4.el6 or after.

Verification steps:
test case 1) add a user entry to AD, which contains required attributes: unixHomeDirectory, uidNumber, gidNumber. The entry is supposed to be synchronized to the DS as a posix entry which includes:

objectclass: posixaccount
homeDirectory: <home directory>
uidNumber: <uid number>
gidNumber: <gid number>

test case 2) add a user entry to AD, which contains no required attributes, but an allowed attribute, loginShell. The entry is supposed to be synchronized to the DS as an ordinary entry which does not include any posix account related attributes.

test case 3) modify an ordinary entry on AD to add required attributes unixHomeDirectory, uidNumber, gidNumber. The entry on the DS is supposed to become a posix account entry with the above attributes.

test case 4) modify an ordinary entry on AD to add no required attributes, but an allowed attribute loginShell. The modification is supposed to be ignored.
Comment 5 Sankar Ramalingam 2012-11-27 08:14:14 EST
The above mentioned tests successfully passed after upgrading the 389-ds-base package to 1.2.11.15-4. Hence marking the bug as Verified.
Comment 6 errata-xmlrpc 2013-02-21 03:21:07 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html
