Ticket #47624 (closed defect: duplicate)

Opened 4 months ago

Last modified 4 months ago

referint plugin does not work (IPA)

Reported by: jcholast
Owned by: lkrispen
Priority: major
Milestone: N/A
Component: Directory Server
Version: 1.3.2
Keywords:
Cc:
Blocked By:
Blocking:
Review:
Ticket origin: IPA
Red Hat Bugzilla:

Description

The referential integrity plugin does not work correctly in 389-ds-base-1.3.2.8-1.fc20:

$ kinit admin

$ ldapsearch -H ldap://ipa.example.com -Y GSSAPI -b 'cn=referential integrity postoperation,cn=plugins,cn=config' -s base '(objectClass=*)' nsslapd-pluginEnabled nsslapd-pluginarg7
# referential integrity postoperation, plugins, config
dn: cn=referential integrity postoperation,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginarg7: manager

$ ipa user-add manager

$ ipa user-add user --manager=manager

$ ldapsearch -H ldap://ipa.example.com -Y GSSAPI -b 'uid=user,cn=users,cn=accounts,dc=example,dc=com' -s base '(objectClass=*)' manager
# user, users, accounts, example.com
dn: uid=user,cn=users,cn=accounts,dc=example,dc=com
manager: uid=manager,cn=users,cn=accounts,dc=example,dc=com

$ ipa user-del manager

$ ldapsearch -H ldap://ipa.example.com -Y GSSAPI -b 'uid=manager,cn=users,cn=accounts,dc=example,dc=com' -s base '(objectClass=*)' dn
# search result
search: 4
result: 32 No such object
matchedDN: cn=users,cn=accounts,dc=example,dc=com

$ ldapsearch -H ldap://ipa.example.com -Y GSSAPI -b 'uid=user,cn=users,cn=accounts,dc=example,dc=com' -s base '(objectClass=*)' manager
# user, users, accounts, example.com
dn: uid=user,cn=users,cn=accounts,dc=example,dc=com
manager: uid=manager,cn=users,cn=accounts,dc=example,dc=com

(The manager attribute should be deleted by refint and gone in the last ldapsearch output, but it is not.)
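
The manual check at the end of the reproduction, generalised to a whole LDIF dump, as an added example that is not part of the original ticket or of 389-ds: it lists every entry whose reference attribute names a DN that no longer exists in the dump. The function names `dangling_refs` and `sample_ldif` are hypothetical, the sample LDIF is constructed to mirror the state after `ipa user-del manager`, and DN comparison is simplified to trimming and lowercasing.

```shell
#!/bin/sh
# Constructed sample: "user" still points at the deleted "manager" entry,
# "user2" points at an existing entry (written as a folded LDIF line).
sample_ldif() {
cat <<'EOF'
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin

# user, users, accounts, example.com
dn: uid=user,cn=users,cn=accounts,dc=example,dc=com
manager: uid=manager,cn=users,cn=accounts,dc=example,dc=com

dn: uid=user2,cn=users,cn=accounts,dc=example,dc=com
manager: uid=admin,cn=users,cn=accounts,
 dc=example,dc=com
EOF
}

# dangling_refs ATTR: read LDIF on stdin, print "owner -> target" for each
# ATTR value whose target DN is not an entry in the same input.
# Base64-encoded values ("attr:: ...") are skipped, not decoded.
dangling_refs() {
    awk -v attr="${1:-manager}" '
        function norm(s) {   # simplified DN normalisation (assumption)
            sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s)
            return tolower(s)
        }
        function handle(line,   i, name) {
            if (line == "") { cur = ""; return }   # blank line ends an entry
            if (line ~ /^#/) return                # ldapsearch comment line
            i = index(line, ": ")
            if (i == 0) return
            name = tolower(substr(line, 1, i - 1))
            if (name == "dn") { cur = norm(substr(line, i + 2)); exists[cur] = 1 }
            else if (name == tolower(attr) && cur != "") {
                n++; owner[n] = cur; target[n] = norm(substr(line, i + 2))
            }
        }
        /^ / { buf = buf substr($0, 2); next }     # unfold continuation lines
        { handle(buf); buf = $0 }
        END {
            handle(buf)
            for (k = 1; k <= n; k++)
                if (!(target[k] in exists)) print owner[k] " -> " target[k]
        }'
}

sample_ldif | dangling_refs manager
```

The input has to contain every entry that can legitimately be referenced; a dump of only part of the tree reports references into the missing part as dangling.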

Change History

comment:1 Changed 4 months ago by lkrispen

Could you check if it works if you add the two attrs to the referint config:

nsslapd-pluginEntryScope: dc=example,dc=com
nsslapd-pluginContainerScope: dc=example,dc=com

comment:2 Changed 4 months ago by jcholast

That fixed the issue. Is this a misconfiguration on IPA's side?

comment:3 Changed 4 months ago by lkrispen

  • Owner set to lkrispen
  • Status changed from new to assigned

nothing wrong with ipa. it is probably a side effect of fix 47527, where these params were introduced, but without them behaviour should be as before.
I failed to reproduce with my current version for #47621, but will test again.

comment:4 Changed 4 months ago by lkrispen

just confirmed that with the original fix for 47527 referint fails if the delay (pluginarg0) is set to 0. There are two workarounds:
either specify entryscope and containerscope as suggested in comment #2
or configure a delay for the referential integrity plugin, e.g. nsslapd-pluginarg0: 1

It will be fixed with 47621.

comment:5 Changed 4 months ago by nkinder

  • Ticket origin changed from Community to IPA
  • Milestone changed from 0.0 NEEDS_TRIAGE to 1.3.2.9

comment:6 Changed 4 months ago by lkrispen

The bug was that update_integrity was only called if entryScope was defined:

<<< rc = update_integrity(argv, sdn, NULL, NULL, logChanges);
---

if (plugin_EntryScope && slapi_sdn_issuffix(sdn, plugin_EntryScope)) {

rc = update_integrity(argv, sdn, NULL, NULL, logChanges);

}

which violated default behaviour. The fix for #47621 handles this:

  • if (plugin_EntryScope && slapi_sdn_issuffix(sdn, plugin_EntryScope)) {

+ if (referint_sdn_in_entry_scope(sdn)) {

rc = update_integrity(sdn, NULL, NULL, logChanges);
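
Review bot: the replacement call on the last line, update_integrity(sdn, NULL, NULL, logChanges), no longer passes argv, which was the first argument of the call it replaces, and the fragment does not show where the attribute list now comes from; the hunk should include or point to that change. The + line also moves the whole default-scope decision into referint_sdn_in_entry_scope(), whose body is not visible here, so a comment at the call stating that an unset entry scope means every entry is in scope, together with a regression test for the delay 0, no-scope configuration reported in this ticket, would guard the default behaviour.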

and referint_sdn_in_entry_scope() handles it correctly

comment:7 Changed 4 months ago by nkinder

  • Resolution set to duplicate
  • screened changed from 0 to 1
  • Milestone changed from 1.3.2.9 to N/A
  • Status changed from assigned to closed

Closing as a duplicate of ticket #47621.
