The PosixWinsync plugin keeps posix attributes in sync between DS and AD. One of the configuration options for this plugin is posixWinsyncMapMemberUID, which attempts to populate the memberUid attribute in 389 if it is missing from AD, based on the member attribute. The default for this attribute is TRUE. However, if this attribute is enabled, the plugin fails to correctly synchronize nested posix groups.
Steps to Reproduce:
1. Set posixWinsyncMapMemberUid to TRUE for the Posix Winsync API plugin.
2. Add a posix group (group1) on AD.
3. Add another posix group (group2) with group1 as a member. Basically, you are testing nested groups.
4. When the group is synced (trying to sync) to DS, it throws this error message:
"dsOnlyMemberUid" not allowed
==> /var/log/dirsrv/slapd-M1/errors <==
[22/Mar/2013:14:12:35 -0400] - Entry "cn=adg_posix_t13_00,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed
[22/Mar/2013:14:12:36 -0400] - Entry "cn=adg_posix_t13_01,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed
[22/Mar/2013:14:12:36 -0400] - Entry "cn=adg_posix_t13_02,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed
The corresponding AD entry looks like this...
[root@intel-piketon-01 MMR_WINSYNC]# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-M1/cert8.db -h win2k8rhvd64.win2k8sync64.com -p 636 -D "cn=SyncManager,cn=Users,dc=win2k8sync64,dc=com" -w Secret123 -b cn=adg_posix_t13_01,ou=adpasssync,dc=win2k8sync64,dc=com objectClass=*
version: 1
dn: CN=adg_posix_t13_01,OU=adpasssync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: posixGroup
objectClass: group
cn: adg_posix_t13_01
member: CN=adg_posix_t13,OU=adpasssync,DC=win2k8sync64,DC=com
distinguishedName: CN=adg_posix_t13_01,OU=adpasssync,DC=win2k8sync64,DC=com
instanceType: 4
whenCreated: 20130322181406.0Z
whenChanged: 20130322181406.0Z
uSNCreated: 426380
uSNChanged: 426383
name: adg_posix_t13_01
objectGUID:: ar229MRn8E+UaCdTwlVPHA==
objectSid:: AQUAAAAAAAUVAAAAwfmfzEa6cJsGbjjEcFAAAA==
sAMAccountName: adg_posix_t13_01
sAMAccountType: 268435457
groupType: 2
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=win2k8sync64,DC=com
dSCorePropagationData: 16010101000000.0Z
gidNumber: 3933
Bug description: When the Posix Winsync API plug-in is configured with posixWinsyncMapMemberUid and posixWinsyncMapNestedGrouping enabled (true), a Posix Group added to AD is synchronized to DS with mapped dsOnlyMemberUid and memberUid. When adding a Posix Group with a nested group member, the addGroupMembership function adds "dynamicGroup" to objectClass to allow the Posix Group entry to have dsOnlyMemberUid. The add should be made against the entry in memory, since the entry is not yet stored in the database, but it was trying to modify against the backend.
Fix description: This patch directly adds "dynamicGroup" to the objectclass valueset, by which the attribute "dsOnlyMemberUid" is allowed to be added to the entry.
In addition, 1) when reflecting the mapped memberUid on DS to AD, the logic was corrected to "if dsOnlyMemberUid matches memberUid"; 2) when the Posix Group is nested in multiple levels, the mapped memberUid was not retrieved. The code for this was added.
git patch file (master) 0001-Ticket-47310-Attribute-dsOnlyMemberUid-not-allowed-w.patch
Reviewed by Rich (Thank you!!)
Pushed to master: 7f1631e..9093f58 master -> master commit 9093f58
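As an added example (not 389-ds-base code and not the patch referenced above), the following Python models the mapping that the bug and fix descriptions talk about: AD member DNs are expanded to memberUid through every level of nesting, uids that arrive only via a nested group are recorded in dsOnlyMemberUid so that the DS-to-AD direction skips them, and dynamicGroup is added to the in-memory objectClass before dsOnlyMemberUid is set; a stand-in schema check reproduces the "not allowed" error for the pre-fix entry. The AD entries, user names and gidNumbers are constructed, the function names are mine, and the rule that dsOnlyMemberUid holds exactly the nesting-derived uids is an assumption drawn from the fix description rather than from the plugin source.

```python
"""Added model of the Posix Winsync memberUid mapping (ticket 47310).
Not 389-ds-base code: entries are constructed, and the rule that
dsOnlyMemberUid holds exactly the uids that arrived via nesting is an
assumption taken from the fix description."""

from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]   # attribute name (lower-cased) -> values
Directory = Dict[str, Entry]   # DN -> entry

BASE = "ou=adpasssync,dc=win2k8sync64,dc=com"

# Constructed AD-side data: three users, group1 (flat), group2 nesting
# group1 plus one direct user, and a third group nesting group2.
AD: Directory = {
    f"cn=user{i},{BASE}": {"objectclass": ["top", "user", "posixAccount"],
                           "uid": [f"user{i}"]} for i in (1, 2, 3)}
AD.update({
    f"cn=adg_posix_t13,{BASE}": {
        "objectclass": ["top", "posixGroup", "group"],
        "member": [f"cn=user1,{BASE}", f"cn=user2,{BASE}"],
        "gidnumber": ["3932"]},
    f"cn=adg_posix_t13_01,{BASE}": {
        "objectclass": ["top", "posixGroup", "group"],
        "member": [f"cn=adg_posix_t13,{BASE}", f"cn=user3,{BASE}"],
        "gidnumber": ["3933"]},
    f"cn=adg_posix_t13_02,{BASE}": {
        "objectclass": ["top", "posixGroup", "group"],
        "member": [f"cn=adg_posix_t13_01,{BASE}"],
        "gidnumber": ["3934"]},
})


def is_posix_group(e: Entry) -> bool:
    return "posixgroup" in {oc.lower() for oc in e.get("objectclass", [])}


def expand_members(dn: str, ad: Directory, nested: bool,
                   seen: Optional[Set[str]] = None) -> Tuple[Set[str], Set[str]]:
    """Return (direct_uids, nested_uids) for the group at `dn`.
    direct_uids: uid of every user listed in `member` itself; nested_uids:
    uids reached through member groups at any depth, only when nested
    mapping (posixWinsyncMapNestedGrouping) is on."""
    seen = set() if seen is None else seen
    seen.add(dn)
    direct: Set[str] = set()
    via_nesting: Set[str] = set()
    for mdn in ad[dn].get("member", []):
        m = ad.get(mdn)
        if m is None:
            continue                          # dangling DN: nothing to map
        if is_posix_group(m):
            if nested and mdn not in seen:    # `seen` guards membership cycles
                d, n = expand_members(mdn, ad, nested, seen)
                via_nesting |= d | n
        else:
            direct.update(m.get("uid", []))
    return direct, via_nesting


def map_posix_group(dn: str, ad: Directory, nested: bool = True,
                    add_dynamic_group: bool = True) -> Entry:
    """Build the DS-side entry for AD group `dn`. add_dynamic_group=True is
    the fixed behaviour (objectClass changed on the in-memory entry); False
    mimics the pre-fix entry, whose objectClass add targeted a backend
    entry that did not exist yet."""
    src = ad[dn]
    ds: Entry = {"objectclass": list(src["objectclass"]),
                 "gidnumber": list(src.get("gidnumber", [])),
                 "member": list(src.get("member", []))}
    direct, via_nesting = expand_members(dn, ad, nested)
    ds["memberuid"] = sorted(direct | via_nesting)
    ds_only = via_nesting - direct            # present only because of nesting
    if ds_only:
        if add_dynamic_group and "dynamicGroup" not in ds["objectclass"]:
            ds["objectclass"].append("dynamicGroup")
        ds["dsonlymemberuid"] = sorted(ds_only)
    return ds


def schema_check(dn: str, e: Entry) -> List[str]:
    """Stand-in for the server's schema check: dsOnlyMemberUid is allowed
    only on entries carrying the dynamicGroup objectClass."""
    ocs = {oc.lower() for oc in e.get("objectclass", [])}
    if e.get("dsonlymemberuid") and "dynamicgroup" not in ocs:
        return [f'Entry "{dn}" -- attribute "dsOnlyMemberUid" not allowed']
    return []


def uids_to_reflect_to_ad(e: Entry) -> List[str]:
    """DS -> AD direction: a memberUid that also appears in dsOnlyMemberUid
    came from nesting on the DS side and is not pushed back to AD."""
    ds_only = set(e.get("dsonlymemberuid", []))
    return [u for u in e.get("memberuid", []) if u not in ds_only]


if __name__ == "__main__":
    for dn in (f"cn=adg_posix_t13_01,{BASE}", f"cn=adg_posix_t13_02,{BASE}"):
        fixed = map_posix_group(dn, AD)
        pre_fix = map_posix_group(dn, AD, add_dynamic_group=False)
        print(dn)
        print("  memberUid:      ", fixed["memberuid"])
        print("  dsOnlyMemberUid:", fixed.get("dsonlymemberuid", []))
        print("  reflect to AD:  ", uids_to_reflect_to_ad(fixed))
        print("  schema, fixed:  ", schema_check(dn, fixed) or "ok")
        print("  schema, pre-fix:", schema_check(dn, pre_fix))
```

Running it with nested=False on the second group shows only the direct user in memberUid and no dsOnlyMemberUid at all, which is why the reporter's failure only appears once posixWinsyncMapMemberUid and nested grouping are both on; the `seen` set is there because AD group membership can be circular, and an unguarded expansion would recurse forever.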
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.2 - 08/13 (August)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/647
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)