Bug 924937 - Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync
Summary: Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 7.1
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
Depends On:
Reported: 2013-03-22 21:15 UTC by Ján Rusnačko
Modified: 2015-03-05 09:30 UTC (History)

Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-03-05 09:30:26 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0416 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Ján Rusnačko 2013-03-22 21:15:14 UTC
Description of problem:
The PosixWinsync plugin keeps posix attributes in sync between DS and AD. One of the configuration options for this plugin is posixWinsyncMapMemberUID, which attempts to populate the memberUid attribute in 389 if it is missing from AD, based on the member attribute. The default for this attribute is TRUE. However, if this attribute is enabled, the plugin fails to correctly synchronize nested posix groups.

Version-Release number of selected component (if applicable):
389-ds-base- on RHEL 6.4

How reproducible:

Steps to Reproduce:
1. Set posixWinsyncMapMemberUID to TRUE for the Posix Winsync API plugin.
2. Add a posix group (group1) on AD.
3. Add another posix group (group2) with group1 as a member. Basically, you are testing nested groups.
4. When the group is synced (or tries to sync) to DS, it throws this error message: Entry "cn=adg_posix_t13_00,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed

==> /var/log/dirsrv/slapd-M1/errors <==
[22/Mar/2013:14:12:35 -0400] - Entry "cn=adg_posix_t13_00,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed
[22/Mar/2013:14:12:36 -0400] - Entry "cn=adg_posix_t13_01,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed
[22/Mar/2013:14:12:36 -0400] - Entry "cn=adg_posix_t13_02,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed 

The corresponding AD entry looks like this...

[root@intel-piketon-01 MMR_WINSYNC]# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-M1/cert8.db -h win2k8rhvd64.win2k8sync64.com -p 636 -D "cn=SyncManager,cn=Users,dc=win2k8sync64,dc=com" -w Secret123 -b cn=adg_posix_t13_01,ou=adpasssync,dc=win2k8sync64,dc=com objectClass=*
version: 1
dn: CN=adg_posix_t13_01,OU=adpasssync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: posixGroup
objectClass: group
cn: adg_posix_t13_01
member: CN=adg_posix_t13,OU=adpasssync,DC=win2k8sync64,DC=com
distinguishedName: CN=adg_posix_t13_01,OU=adpasssync,DC=win2k8sync64,DC=com
instanceType: 4
whenCreated: 20130322181406.0Z
whenChanged: 20130322181406.0Z
uSNCreated: 426380
uSNChanged: 426383
name: adg_posix_t13_01
objectGUID:: ar229MRn8E+UaCdTwlVPHA==
objectSid:: AQUAAAAAAAUVAAAAwfmfzEa6cJsGbjjEcFAAAA==
sAMAccountName: adg_posix_t13_01
sAMAccountType: 268435457
groupType: 2
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=win2k8sync64,DC=com
dSCorePropagationData: 16010101000000.0Z
gidNumber: 3933 

Additional info:
This issue was originally reported by Milan Kubik and discovered as part of posix Winsync automation. It is automated and corresponds to /scripts/MMR_WINSYNC/posix_sync_manual.sh testcase bug847868_13.

Comment 1 Nathan Kinder 2013-04-01 22:08:49 UTC
Upstream ticket:

Comment 3 Viktor Ashirov 2015-01-19 02:27:24 UTC
$ rpm -qa | grep 389

Using test case bug847868_13 I added posix groups on AD:

dn: CN=adg_posix_t13_00,OU=adsync,DC=adrelm,DC=com
objectClass: top
objectClass: posixGroup
objectClass: group
cn: adg_posix_t13_00
member: CN=adg_posix_t13,OU=adsync,DC=adrelm,DC=com
distinguishedName: CN=adg_posix_t13_00,OU=adsync,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20150119021429.0Z
whenChanged: 20150119021429.0Z
uSNCreated: 32944
uSNChanged: 32947
name: adg_posix_t13_00
objectGUID:: I0ToPFoDcEi46e5tB9O2tA==
sAMAccountName: adg_posix_t13_00
sAMAccountType: 268435457
groupType: 2
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
gidNumber: 3933

Corresponding entry in DS after sync:

dn: cn=adg_posix_t13_00,ou=People,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: ntGroup
objectclass: posixGroup
objectclass: dynamicGroup
ntGroupDeleteGroup: true
cn: adg_posix_t13_00
uniqueMember: cn=adg_posix_t13,ou=People,dc=example,dc=com
ntUserDomainId: adg_posix_t13_00
ntGroupType: 2
ntUniqueId: 2344e83c5a037048b8e9ee6d07d3b6b4
gidNumber: 3933
dsOnlyMemberUid: adu_posix_t13
memberUid: adu_posix_t13

The objectClass dynamicGroup was added to allow the dsOnlyMemberUid attribute; there are no errors in the error log.
Marking as VERIFIED.

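As an added example (not code from this bug report or from 389-ds), a schema check that reproduces the condition behind the "attribute not allowed" error on the entry from comment 3: the SCHEMA table is a constructed minimal subset of the server schema, and BEFORE_FIX is that entry with the dynamicGroup objectClass removed, i.e. the shape the plugin wrote before the fix.

```python
# Constructed minimal schema (assumption; the real 389-ds schema is far larger): objectClass -> allowed attributes.
SCHEMA = {
    "top": {"objectclass"},
    "groupofuniquenames": {"cn", "uniquemember"},
    "posixgroup": {"cn", "gidnumber", "memberuid"},
    "ntgroup": {"ntuserdomainid", "ntgrouptype", "ntuniqueid", "ntgroupdeletegroup"},
    "dynamicgroup": {"memberurl", "dsonlymemberuid"},  # the objectClass the fix adds
}

def parse_ldif(text):
    """Parse one LDIF entry into (dn, [(attribute, value), ...]); values kept verbatim."""
    dn, attrs = "", []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.lstrip(": ").rstrip()  # also accepts '::' (base64 stays undecoded)
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name.strip(), value))
    return dn, attrs

def schema_errors(ldif_text, schema=SCHEMA):
    """Attributes that none of the entry's objectClasses permit, rendered in the
    same format 389-ds writes to the errors log (quoted in the bug description)."""
    dn, attrs = parse_ldif(ldif_text)
    allowed = set()
    for name, value in attrs:
        if name.lower() == "objectclass":
            allowed |= schema.get(value.lower(), set())
    bad = []
    for name, _ in attrs:
        if name.lower() not in allowed and name not in bad:
            bad.append(name)
    return [f'Entry "{dn}" -- attribute "{a}" not allowed' for a in bad]

# Constructed from the DS entry in comment 3, minus the dynamicGroup objectClass the fix adds.
BEFORE_FIX = """dn: cn=adg_posix_t13_00,ou=People,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: ntGroup
objectclass: posixGroup
cn: adg_posix_t13_00
uniqueMember: cn=adg_posix_t13,ou=People,dc=example,dc=com
gidNumber: 3933
dsOnlyMemberUid: adu_posix_t13
memberUid: adu_posix_t13
"""
AFTER_FIX = BEFORE_FIX + "objectclass: dynamicGroup\n"  # the verified entry's extra class
```

Running schema_errors on BEFORE_FIX yields exactly the one log line seen in the bug, and on AFTER_FIX an empty list.
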
Comment 5 errata-xmlrpc 2015-03-05 09:30:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
