[389-users] MemberOf plugin beahvior change in 1.3.3.

Mark Reynolds mareynol at redhat.com
Tue Aug 4 14:14:11 UTC 2015 


On 08/04/2015 07:50 AM, Andrey Ivanov wrote:
> Looks like the behavior change was introduced in this ticket: 
> https://fedorahosted.org/389/ticket/47810
Yes, with the introduction of backend transaction plugins in 1.3.3, if a 
plugin fails to do its "job", the entire operation should fail.  This 
applies to all the plugins now.  I believe this was documented in the DS 
10 release notes, and for upstream releases the ticket that applied this 
change was listed 
here(http://www.port389.org/docs/389ds/releases/release-1-3-3-0.html). I 
apologize for any inconvenience this has caused you.   See more comments 
below...
>
>
>
>
> 2015-08-04 11:13 GMT+02:00 Andrey Ivanov 
> <andrey.ivanov at polytechnique.fr <mailto:andrey.ivanov at polytechnique.fr>>:
>
>     Hi,
>
>     just wanted to share our experience. We've recently migrated from
>     1.3.2.x to 1.3.3.x in our production environment (CentOS7, x86_64,
>     three 389ds in multimaster replication).
>
>     So far everything looks fine but we have two issues - one
>     important and the other is more a documentation flaw/behavior change.
>
>     * The important issue - crash at shutdown when ACIs with ip
>     address are present (https://fedorahosted.org/389/ticket/48233).
>     The possible effect could be the database corruption and/or
>     replication problems after shutdown and restart
>     ("replica_check_for_data_reload: Warning: disordely shutdown for
>     replica dc=example,dc=com. Check if DB RUV needs to be updated").
>     The workaround for now is that we are not restarting our 389ds
>     servers :)
>
>     ** The change of behavior/consistency issue: since memberOf plugin
>     has been redesigned in 1.3.3
>     (http://www.port389.org/docs/389ds/design/memberof-plugin-configuration.html)
>     its behavior has changed a bit.
>
As you noted this design change is not what impacted the behavior you 
are now seeing, but the change to make most plugins backend transaction 
aware.

>     Previously the plugin added "uniqueMember" attribute in any case
>     when it was requested and tried to add the "memberOf" to the
>     linked entry. If "memberOf"was not allowed by schema there was an
>     error message like this one:
>     Entry "uid=user1,ou=People,dc=example,dc=com" -- attribute
>     "memberOf" not allowed
>
>     In the version 1.3.3 (both rpm in CentOS 7.1 and compiled from
>     source 1.3.3.12) this behavior has changed - the plugin refuses to
>     add the uniqueMember attribute if the corresponding linked entry
>     is not allowed to have the "memberOf" attribute. Example using the
>     standard sample entries installed with the server (dc=example,dc=com):
>
>     Activate memberOf plugin with
>     nsslapd-pluginEnabled: on
>     memberofgroupattr: uniquemember
>     memberofattr: memberOf
>
>
>     Add the following group:
>     cn=LDAP Test group,ou=Groups,dc=example,dc=com
>     objectClass: top
>     objectClass: groupofuniquenames
>     cn: LDAP Test Group
>
>
>     Try to add the following member (the entry exists and is of
>     objectClass=inetOrgOPerson):
>
>     dn: cn=LDAP Test group,ou=Groups,dc=example,dc=com
>     changetype: modify
>     add: uniqueMember
>     uniqueMember: uid=user1,ou=People,dc=example,dc=com
>     -
>
>     The modification of uniqueMember will be refused with error 65
>     (object class violation). The error log:
>     [04/Aug/2015:10:58:17 +0200] - Entry
>     "uid=user1,ou=People,dc=example,dc=com" -- attribute "memberOf"
>     not allowed
>     [04/Aug/2015:10:58:17 +0200] memberof-plugin -
>     memberof_postop_modify: failed to add dn (cn=LDAP Test
>     group,ou=Groups,dc=example,dc=com) to target.  Error (65)
>
>
>     At the same time if we do "replace"  of "uniquemember" instead of
>     "add", then it works:
>
>     dn: cn=LDAP Test group,ou=Groups,dc=example,dc=com
>     changetype: modify
>     replace: uniqueMember
>     uniqueMember: uid=user1,ou=People,dc=example,dc=com
>     -
>
>     The error message in this case is information only and the
>     modification is not refused:
>     [04/Aug/2015:11:04:45 +0200] - Entry
>     "uid=user1,ou=People,dc=example,dc=com" -- attribute "memberOf"
>     not allowed
>
This is a bug then, it should have been refused.  I'll reopen ticket 
47810 to address this...
>
>
>
>     So either this change in behavior is intentional and in this case :
>     - it should be present in release notes/documentation
>     - it should be consistent - the "replace"operation should not work
>     since "add" does not work
>
>     or, if it is not intentional, it should return to the old behavior
>     - only informational error message (like with"replace"). In this
>     case, the "add" operation should be fixed and allowed.
>
>     For now, as a workaround we have changed the schema to allow
>     "memberOf" attribute in all the classes used in entries referenced
>     by "uniqueMember" in our directory.
>
Or use a standard objectclass that allows memberOf like:  inetUser.

Regards,
Mark
>
>
>
>     Regards,
>     Andrey
>
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20150804/15459c78/attachment.html>

More information about the 389-users mailing list