Issue #3017: Duplicate objects in directory with identical DNs - freeipa

freeipa

#3017 Duplicate objects in directory with identical DNs

Closed: Fixed None Opened 11 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=848925 (Red Hat Enterprise Linux 6)

Description of problem:

This has happened twice now, but is not readily reproducible.  It is possible
to end up with duplicate objects in the directory with identical DNs when
adding a sudo rule within IPA.  It was produced once with the CLIs and then
again with the  webUI.

Duplicate entries ::

# ldapsearch -x -D "cn=Directory Manager" -w mysecret -b "dc=testrelm,dc=com" |
grep AlowRule
# AlowRule, sudoers, testrelm.com
dn: cn=AlowRule,ou=sudoers,dc=testrelm,dc=com
cn: AlowRule
# AlowRule, sudoers, testrelm.com
dn: cn=AlowRule,ou=sudoers,dc=testrelm,dc=com
cn: AlowRule

Version-Release number of selected component (if applicable):

ipa-server-2.2.0-16.el6.x86_64
389-ds-base-1.2.10.2-19.el6_3.x86_64


How reproducible:
intermittent

Steps to Reproduce:
1. aquire admin credentials
2. ipa sudorule-add AlowRule
3. ipa sudorule-add AlowRule

Actual results:


Expected results:


Additional info:

ldapsearch -LLL -x -D "cn=Directory Manager" -w mysecret -b
"dc=testrelm,dc=com" cn=AlowRule entryid nsuniqueid

dn: cn=AlowRule,ou=sudoers,dc=testrelm,dc=com
cn: AlowRule

dn: cn=AlowRule,ou=sudoers,dc=testrelm,dc=com
cn: AlowRule

dn:
ipaUniqueID=d4de6ea8-e7d3-11e1-ad68-782bcb785283,cn=sudorules,cn=sudo,dc=t
  estrelm,dc=com
entryid: 20269
nsuniqueid: c8c07f81-e7d311e1-ada6e619-e3bd77c0
cn: AlowRule

dn:
ipaUniqueID=d5db1356-e7d3-11e1-9d92-782bcb785283,cn=sudorules,cn=sudo,dc=t
  estrelm,dc=com
entryid: 20270
nsuniqueid: c8c07f82-e7d311e1-ada6e619-e3bd77c0
cn: AlowRule

rcritten commented 11 years ago

This is caused by a race condition. Most objects use the name within the DN. sudorules use ipaUniqueId. In order to determine if a duplicate object exists we have to do perform a search. If two objects are being added at the same time and there is sufficient load so the searches both return at the same time that the entry doesn't exist, this duplication can happen.

We will need to enable the uniqueness plugin for sudo rule cn.

rcritten commented 11 years ago

attachment
freeipa-rcrit-1056-sudorule-uniqueness.patch

rcritten commented 11 years ago

master: 96decfe

ipa-3-0: b89367a

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0 GA

7 years ago

Metadata

Assignee

rcritten

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 3.0 GA

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

IPA

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=848925

tester

None

changelog

None

design

None

freeipa

Source Code

#3017 Duplicate objects in directory with identical DNs Closed: Fixed None Opened 11 years ago by dpal.

Metadata

#3017 Duplicate objects in directory with identical DNs

Closed: Fixed None Opened 11 years ago by dpal.