https://bugzilla.redhat.com/show_bug.cgi?id=848925 (Red Hat Enterprise Linux 6)
Description of problem:

This has happened twice now, but is not readily reproducible. It is possible to end up with duplicate objects in the directory with identical DNs when adding a sudo rule within IPA. It was produced once with the CLIs and then again with the webUI.

Duplicate entries ::

    # ldapsearch -x -D "cn=Directory Manager" -w mysecret -b "dc=testrelm,dc=com" | grep AlowRule
    # AlowRule, sudoers, testrelm.com
    dn: cn=AlowRule,ou=sudoers,dc=testrelm,dc=com
    cn: AlowRule
    # AlowRule, sudoers, testrelm.com
    dn: cn=AlowRule,ou=sudoers,dc=testrelm,dc=com
    cn: AlowRule

Version-Release number of selected component (if applicable):

    ipa-server-2.2.0-16.el6.x86_64
    389-ds-base-1.2.10.2-19.el6_3.x86_64

How reproducible: intermittent

Steps to Reproduce:

1. acquire admin credentials
2. ipa sudorule-add AlowRule
3. ipa sudorule-add AlowRule

Actual results:

Expected results:

Additional info:

    ldapsearch -LLL -x -D "cn=Directory Manager" -w mysecret -b "dc=testrelm,dc=com" cn=AlowRule entryid nsuniqueid
    dn: cn=AlowRule,ou=sudoers,dc=testrelm,dc=com
    cn: AlowRule

    dn: cn=AlowRule,ou=sudoers,dc=testrelm,dc=com
    cn: AlowRule

    dn: ipaUniqueID=d4de6ea8-e7d3-11e1-ad68-782bcb785283,cn=sudorules,cn=sudo,dc=t
     estrelm,dc=com
    entryid: 20269
    nsuniqueid: c8c07f81-e7d311e1-ada6e619-e3bd77c0
    cn: AlowRule

    dn: ipaUniqueID=d5db1356-e7d3-11e1-9d92-782bcb785283,cn=sudorules,cn=sudo,dc=t
     estrelm,dc=com
    entryid: 20270
    nsuniqueid: c8c07f82-e7d311e1-ada6e619-e3bd77c0
    cn: AlowRule
This is caused by a race condition. Most objects use the name within the DN. sudorules use ipaUniqueId. In order to determine if a duplicate object exists we have to perform a search. If two objects are being added at the same time and there is sufficient load so the searches both return at the same time that the entry doesn't exist, this duplication can happen.
We will need to enable the uniqueness plugin for sudo rule cn.
attachment freeipa-rcrit-1056-sudorule-uniqueness.patch
master: 96decfe
ipa-3-0: b89367a
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.0 GA
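The race described in this ticket, as an added example that is not part of the ticket or of the FreeIPA patch: a toy in-memory directory (the `Directory` class and every function name are hypothetical) in which two clients search for the cn and then add, with a barrier forcing both searches to return before either add runs. The second run performs the cn check inside the add itself, standing in for a server-side uniqueness plugin.

```python
import threading

class Directory:
    """Toy entry store keyed by a generated id, like sudo rules keyed by ipaUniqueID."""
    def __init__(self, enforce_unique_cn=False):
        self.entries = {}                      # generated id -> cn
        self.enforce_unique_cn = enforce_unique_cn
        self._lock = threading.Lock()

    def search_cn(self, cn):
        with self._lock:
            return [uid for uid, name in self.entries.items() if name == cn]

    def add(self, cn):
        with self._lock:
            # Server-side uniqueness: the check and the insert are one atomic step.
            if self.enforce_unique_cn and cn in self.entries.values():
                raise ValueError("cn already exists: " + cn)
            self.entries[len(self.entries) + 1] = cn

def client_add(directory, cn, barrier, results, slot):
    """Client-side search-then-add, the pattern the ticket describes."""
    exists = directory.search_cn(cn)
    barrier.wait()                             # both searches return before either add
    if exists:
        results[slot] = "duplicate (client check)"
        return
    try:
        directory.add(cn)
        results[slot] = "added"
    except ValueError:
        results[slot] = "rejected (server check)"

def run_two_concurrent_adds(enforce_unique_cn):
    """Return (sorted per-client outcomes, number of entries with the cn)."""
    directory = Directory(enforce_unique_cn)
    barrier = threading.Barrier(2)
    results = [None, None]
    threads = [threading.Thread(target=client_add,
                                args=(directory, "AlowRule", barrier, results, i))
               for i in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results), len(directory.search_cn("AlowRule"))

if __name__ == "__main__":
    print(run_two_concurrent_adds(False), run_two_concurrent_adds(True))
```

Without enforcement both clients pass their own search and two entries share the cn; with enforcement the second add is refused regardless of what the client's earlier search returned.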