https://bugzilla.redhat.com/show_bug.cgi?id=868841 (Red Hat Enterprise Linux 6)
Description of problem:
Synchronization of newly created users from AD to DS fails with missing attribute "uidNumber" required by object class "posixAccount". The user is created with organizationalPerson objectClass in AD.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-2

How reproducible:
Consistently

Steps to Reproduce:
1. Install the latest build of 389-ds-base-1.2.11 on RHEL64.
2. Create an instance and configure winsync.
3. Enable Posix Winsync plugin - "cn=Posix Winsync API,cn=plugins,cn=config"
4. Run full sync to create the existing users from DS to AD and vice versa.
5. Create few posix users on AD with posixAccount objectClass, uidNumber and gidNumber attribute.
6. Check whether the users synced to DS. Successfully created user on DS.
7. Create a normal user without posixAccount (with organizationalPerson) objectClass from AD.
8. Check whether users synced to DS. Failed to create user on DS.

Actual results:
{{{
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "uidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "gidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] NSMMReplicationPlugin - add operation of entry uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com returned: 65
}}}

Expected results:
Winsync should support the normal user synchronization as well.

Additional info:
This looks like a regression.
Bug description: Posix Account objectclass requires homeDirectory, uidNumber, and gidNumber. When an AD entry has just some of these attributes or other allow-to-have attributes, i.e., loginShell or gecos, the entry is incompletely converted to a Posix Account entry and fails to be added due to the missing attribute error.
Fix description: Before transforming the AD entry to the DS posix account entry, check the required attributes first. If any of the above 3 attributes is missing, all of the posix account related attributes are dropped and added to the DS as a non-posix account entry. If the PLUGIN log level is set, this type of message is logged in the error log.
{{{
[] posix-winsync - AD entry CN=<CN>,OU=<OU>,DC=<DC>,DC=<COM> does not have MUST attribute uidNumber for posixAccount objectclass.
}}}
git patch file (master) 0001-Trac-Ticket-500-Newly-created-users-with-organizatio.patch
I think the error log message should use "required" instead of "MUST" - otherwise, looks good.
git patch file (master) - take 2 0001-Trac-Ticket-500-Newly-created-users-with.patch
Thanks to Rich for reviewing the change. I've replaced "MUST" with "required".
Pushed to master: commit 19e49e6
Pushed to 389-ds-base-1.2.11: commit f95bc25
Verification steps:
test case 1) add a user entry to AD, which contains required attributes: unixHomeDirectory, uidNumber, gidNumber. The entry is supposed to be synchronized to the DS as a posix entry which includes:
{{{
objectclass: posixaccount
homeDirectory: <home directory>
uidNumber: <uid number>
gidNumber: <gid number>
}}}
test case 2) add a user entry to AD, which contains no required attributes, but an allowed attribute, loginShell. The entry is supposed to be synchronized to the DS as an ordinary entry which does not include any posix account related attributes.
test case 3) modify an ordinary entry on AD to add required attributes unixHomeDirectory, uidNumber, gidNumber. The entry on the DS is supposed to become a posix account entry with the above attributes.
test case 4) modify an ordinary entry on AD to add no required attributes, but an allowed attribute loginShell. The modification is supposed to be ignored.
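The all-or-nothing check from the fix description, exercised on the add cases (test cases 1 and 2), as an added example that is not the plugin's code or part of the attached patch. The function names and the sample entries are hypothetical and constructed for illustration; the attribute names and the log wording are the ones given in this ticket.

```c
/* Added illustration; not the posix-winsync plugin source. Names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* AD-side names of the three required attributes, as listed in the verification steps. */
static const char *REQUIRED[] = { "unixHomeDirectory", "uidNumber", "gidNumber" };
/* Allowed (optional) posix account attributes the ticket mentions. */
static const char *OPTIONAL[] = { "loginShell", "gecos" };

static int in_list(const char *name, const char **list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(name, list[i]) == 0) return 1; /* LDAP attribute names are case-insensitive */
    return 0;
}

/* Returns NULL when every required attribute is present, else the first missing one. */
const char *first_missing_required(const char **attrs, size_t n) {
    for (size_t i = 0; i < 3; i++)
        if (!in_list(REQUIRED[i], attrs, n)) return REQUIRED[i];
    return NULL;
}

/* Copies the attribute names to sync into out (capacity >= n), sets *is_posix,
 * and returns how many were kept. An incomplete set drops every posix attribute. */
size_t select_attrs_for_ds(const char *dn, const char **attrs, size_t n,
                           const char **out, int *is_posix) {
    const char *missing = first_missing_required(attrs, n);
    size_t kept = 0;
    *is_posix = (missing == NULL);
    if (missing)
        fprintf(stderr, "posix-winsync - AD entry %s does not have required attribute %s "
                        "for posixAccount objectclass.\n", dn, missing);
    for (size_t i = 0; i < n; i++) {
        int posix_attr = in_list(attrs[i], REQUIRED, 3) || in_list(attrs[i], OPTIONAL, 2);
        if (posix_attr && !*is_posix) continue; /* sync as an ordinary, non-posix entry */
        out[kept++] = attrs[i];
    }
    return kept;
}

int main(void) {
    /* Constructed sample entries: test case 1 (complete) and test case 2 (loginShell only). */
    const char *full[] = { "cn", "sAMAccountName", "unixHomeDirectory", "uidNumber", "gidNumber" };
    const char *partial[] = { "cn", "sAMAccountName", "loginShell" };
    const char *out[8]; int posix;
    size_t k = select_attrs_for_ds("CN=full,OU=ex,DC=example,DC=com", full, 5, out, &posix);
    printf("full: kept=%zu posix=%d\n", k, posix);
    k = select_attrs_for_ds("CN=partial,OU=ex,DC=example,DC=com", partial, 3, out, &posix);
    printf("partial: kept=%zu posix=%d\n", k, posix);
    return 0;
}
```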
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 1.2.11.17
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/500
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)