#500 Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error
Closed: wontfix None Opened 11 years ago by nhosoi.

https://bugzilla.redhat.com/show_bug.cgi?id=868841 (Red Hat Enterprise Linux 6)

Description of problem: Synchronization of newly created users from AD to DS
fails with missing attribute "uidNumber" required by object class
"posixAccount". The user is created with organizationalPerson objectClass in
AD.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-2

How reproducible: Consistently

Steps to Reproduce:
1. Install the latest build of 389-ds-base-1.2.11 on RHEL64.
2. Create an instance and configure winsync.
3. Enable Posix Winsync plugin - "cn=Posix Winsync API,cn=plugins,cn=config"
4. Run full sync to create the existing users from DS to AD and vice versa.
5. Create a few posix users on AD with posixAccount objectClass, uidNumber and
gidNumber attribute.
6. Check whether the users synced to DS. Successfully created user on DS.
7. Create a normal user without posixAccount (with organizationalPerson)
objectClass from AD.
8. Check whether users synced to DS. Failed to create user on DS.

Actual results:
{{{
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "uidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] - Entry "uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com" missing attribute "gidNumber" required by object class "posixAccount"
[22/Oct/2012:01:24:20 -0400] NSMMReplicationPlugin - add operation of entry uid=adadnewadad1,ou=dswinsync,dc=passsync,dc=com returned: 65
}}}

Expected results:
Winsync should support the normal user synchronization as well.


Additional info: This looks like a regression.

Bug description: Posix Account objectclass requires homeDirectory,
uidNumber, and gidNumber. When an AD entry has just some of these
attributes or other allow-to-have attributes, i.e., loginShell or
gecos, the entry is incompletely converted to Posix Account entry
and fails to be added due to the missing attribute error.

Fix description: Before transforming the AD entry to the DS posix
account entry, check the required attributes first. If any of the
above 3 attributes is missing, all of the posix account related
attributes are dropped and the entry is added to the DS as a
non-posix account entry. If the PLUGIN log level is set, this type
of message is logged in the error log.
{{{
[] posix-winsync - AD entry CN=<CN>,OU=<OU>,DC=<DC>,DC=<COM> does not have MUST attribute uidNumber for posixAccount objectclass.
}}}

I think the error log message should use "required" instead of "MUST" - otherwise, looks good.

Thanks to Rich for reviewing the change. I've replaced "MUST" with "required".

Pushed to master: commit 19e49e6

Pushed to 389-ds-base-1.2.11: commit f95bc25

Verification steps:
test case 1) add a user entry to AD, which contains required attributes: unixHomeDirectory, uidNumber, gidNumber. The entry is supposed to be synchronized to the DS as a posix entry which includes:
{{{
objectclass: posixaccount
homeDirectory: <home directory>
uidNumber: <uid number>
gidNumber: <gid number>
}}}
test case 2) add a user entry to AD, which contains no required attributes, but an allowed attribute, loginShell. The entry is supposed to be synchronized to the DS as an ordinary entry which does not include any posix account related attributes.

test case 3) modify an ordinary entry on AD to add required attributes unixHomeDirectory, uidNumber, gidNumber. The entry on the DS is supposed to become a posix account entry with the above attributes.

test case 4) modify an ordinary entry on AD to add no required attributes, but an allowed attribute loginShell. The modification is supposed to be ignored.
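
The all-or-nothing check from the fix description, exercised on entries shaped like test cases 1 and 2, as an added example that is not the posix-winsync plugin's own code. The `struct attr` model, the function names and the sample entries are assumptions made for illustration; the real plugin works on Slapi entries.

```c
/* Added example: models the check in the fix description; not posix-winsync source. */
#include <stddef.h>
#include <strings.h>
struct attr { const char *name; const char *value; };

/* AD-side names of the three required attributes and the allowed ones, per the ticket. */
static const char *const REQUIRED[] = { "unixHomeDirectory", "uidNumber", "gidNumber" };
static const char *const ALLOWED[] = { "loginShell", "gecos" };

static int has_attr(const struct attr *e, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(e[i].name, name) == 0) return 1;
    return 0;
}

/* First required attribute the AD entry lacks, or NULL when all three exist. */
const char *missing_required(const struct attr *ad, size_t n) {
    for (size_t i = 0; i < 3; i++)
        if (!has_attr(ad, n, REQUIRED[i])) return REQUIRED[i];
    return NULL;
}

static int is_posix_attr(const char *name) {
    for (size_t i = 0; i < 3; i++)
        if (strcasecmp(name, REQUIRED[i]) == 0) return 1;
    for (size_t i = 0; i < 2; i++)
        if (strcasecmp(name, ALLOWED[i]) == 0) return 1;
    return 0;
}

/* Build the DS entry in out (capacity >= n + 1) and return its attribute count.
 * Complete: rename unixHomeDirectory, add posixAccount. Incomplete: drop all posix attributes. */
size_t to_ds_entry(const struct attr *ad, size_t n, struct attr *out) {
    int posix = (missing_required(ad, n) == NULL);
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (!posix && is_posix_attr(ad[i].name)) continue;
        out[k] = ad[i];
        if (strcasecmp(ad[i].name, "unixHomeDirectory") == 0)
            out[k].name = "homeDirectory";
        k++;
    }
    if (posix) out[k++] = (struct attr){ "objectClass", "posixAccount" };
    return k;
}

/* Constructed sample AD entries (not taken from the ticket). */
const struct attr SAMPLE_FULL[] = { {"cn","adposix1"}, {"unixHomeDirectory","/home/adposix1"},
    {"uidNumber","1001"}, {"gidNumber","1001"}, {"loginShell","/bin/bash"} };
const struct attr SAMPLE_PARTIAL[] = { {"cn","adnormal1"}, {"uidNumber","1002"}, {"loginShell","/bin/bash"} };
```

The partial entry comes out with only `cn`, so it can be added to the DS without tripping the schema check that produced the "missing attribute" errors in the original report.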

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.11.17

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/500

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
