https://bugzilla.redhat.com/show_bug.cgi?id=797138 (Fedora)
Description of problem:
Configuring automembership plugin with "nsslapd-pluginConfigArea", fails to update entries in the replicated environment.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.10.1-1.el6.x86_64

How reproducible:
Consistently.

Steps to Reproduce:
1. Install latest 389-ds-base(1.2.10) bits and configure four way MMR.
   - Replicated Suffix - "dc=replAutoMembers,dc=com".
2. Configure Automembership plugin with "nsslapd-pluginConfigArea" on all the masters.
   nsslapd-pluginConfigArea: dc=replAutomembers,dc=com
3. Add plugin configuration entries to "dc=replAutoMembers,dc=com" with regex rules.
   Automembers plugin's regex rule:

   dn: cn=replsubGroups,cn=autoMembersPlugin,dc=replAutoMembers,dc=com
   objectclass: autoMemberDefinition
   autoMemberScope: cn=Employees,dc=replAutoMembers,dc=com
   autoMemberFilter: objectclass=posixAccount
   autoMemberDefaultGroup: cn=SubDef1,dc=replAutoMembers,dc=com
   autoMemberDefaultGroup: cn=SubDef2,dc=replAutoMembers,dc=com
   autoMemberDefaultGroup: cn=SubDef3,dc=replAutoMembers,dc=com
   autoMemberDefaultGroup: cn=SubDef4,dc=replAutoMembers,dc=com
   autoMemberDefaultGroup: cn=SubDef5,dc=replAutoMembers,dc=com
   autoMemberGroupingAttr: member: dn

   dn: cn=Managers,cn=replsubGroups,cn=autoMembersPlugin,dc=replAutoMembers,dc=com
   objectclass: autoMemberRegexRule
   description: Group placement for Managers
   cn: Managers
   autoMemberTargetGroup: cn=Managers,cn=replsubGroups,dc=replAutoMembers,dc=com
   autoMemberInclusiveRegex: uidNumber=^5..5$
   autoMemberInclusiveRegex: gidNumber=^[1-4]..3$
   autoMemberInclusiveRegex: nsAdminGroupName=^Manager$|^Supervisor$
   autoMemberExclusiveRegex: uidNumber=^999$
   autoMemberExclusiveRegex: gidNumber=^[6-8].0$
   autoMemberExclusiveRegex: nsAdminGroupName=^Junior$

   dn: cn=Contractors,cn=replsubGroups,cn=autoMembersPlugin,dc=replAutoMembers,dc=com
   objectclass: autoMemberRegexRule
   description: Group placement for Contractors
   cn: Contractors
   autoMemberTargetGroup: cn=Contractors,cn=replsubGroups,dc=replAutoMembers,dc=com
   autoMemberInclusiveRegex: uidNumber=^8..5$
   autoMemberInclusiveRegex: gidNumber=^[5-9]..3$
   autoMemberInclusiveRegex: nsAdminGroupName=^Contract|^Temporary$
   autoMemberExclusiveRegex: uidNumber=^[1,3,8]99$
   autoMemberExclusiveRegex: gidNumber=^[2-4]00$
   autoMemberExclusiveRegex: nsAdminGroupName=^Employee$

4. Create all the associated groups and containers before creating user entries. For eg:
   Groups - Contractors, Managers, SubDef1, SubDef2, SubDef3, SubDef4 and SubDef5.
   Containers: cn=autoMembersPlugin, cn=replsubGroups and cn=Employees
5. Add few user entries(with posixAccount objectClass) to M1 and observe whether the entry is added as a member to the groups.

Actual results:
The first user is added as member to the group but not the subsequent entries. Moreover the entries are not synced over to other Masters. At the same time the attempt to stop/restart the instance failed.

Expected results:
Plugin configuration should throw proper error messages if not configured properly.

Additional info:
Nathan's comment for the same problem:

There is a deadlock issue. It appears that it's related to the way you have the config area overlapping with the data area. This configuration is causing the plug-in to be called recursively.

The add operation for your test user comes in, which triggers the automembership plugin. Since the add is in the config area, it first obtains a write lock to reload the config, which it then successfully releases. It then obtains a read lock to check if the entry being added meets any of the automembership criteria in the config. The entry does meet the criteria, so an internal operation is kicked off to update the group entry with the new member value (the read lock is still held at this time). This internal operation is modifying a group entry that unfortunately is inside of your config area. We need to treat this as a configuration change, so we attempt to get a write lock to reload the config. Since this thread already holds a read lock, it deadlocks.

This will cause further automembership operations to deadlock the first time they attempt to do anything with the lock, with the eventual possibility of locking up all of the worker threads and making the server unresponsive to clients.

You should file a bug on this, though you should not see the issue if you correct the way you are using the config area. Please provide exact steps to reproduce the issue in the bug.

I have attached the stack trace.
Fix is to verify the config, and skip invalid definition entries that contain default/target groups that are inside of the config area.
should use slapi_sdn_issuffix instead of strstr
Overall, your patch looks good. A couple of minor things...
640 dn = slapi_create_dn_string(values[i]);

The sample usage of slapi_create_dn_string is like this:
suffix = slapi_create_dn_string("%s", value);

654 if(strstr(nvalues[i], confAreaDN)){
1046 if(strstr(group_dn, confAreaDN)){

To determine whether the first arg dn is under the second arg dn, you could use the API slapi_dn_issuffix (note: the args of this API do not have to be suffixes...:). I think strstr could get confused at, e.g., strstr("cn=A,o=B", "cn=A,o=B,c=C") although the first arg is not a child of the second...

/*
 * slapi_dn_issuffix - tells whether suffix is a suffix of dn. both dn
 * and suffix must be normalized.
 */
int slapi_dn_issuffix(const char *dn, const char *suffix)
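The difference between a substring test and a DN-suffix test, as an added example that is not part of the original ticket or the 389-ds code. `in_area_suffix` is a hypothetical helper that works on already-normalized DN strings, the sample DNs are constructed, and the escaped-comma case goes slightly beyond what the comment mentions.

```c
#include <stdio.h>
#include <string.h>

/* Substring test, as in the reviewed lines: true if area occurs anywhere in dn. */
int in_area_strstr(const char *dn, const char *area)
{
    return strstr(dn, area) != NULL;
}

/* Hypothetical helper (not a slapi call): 1 if dn equals area or ends with
 * ",area" at an unescaped RDN separator. Both strings must be normalized. */
int in_area_suffix(const char *dn, const char *area)
{
    size_t dl = strlen(dn), al = strlen(area), i, backslashes = 0;

    if (al == 0 || al > dl || strcmp(dn + (dl - al), area) != 0)
        return 0;
    if (dl == al)
        return 1;                        /* the config area entry itself */
    i = dl - al - 1;                     /* character just before the tail */
    if (dn[i] != ',')
        return 0;                        /* tail starts in the middle of an RDN */
    while (i > 0 && dn[i - 1] == '\\') { /* odd count means the comma is escaped */
        backslashes++;
        i--;
    }
    return backslashes % 2 == 0;
}

int main(void)
{
    const char *area = "dc=example,dc=com";      /* constructed config area */
    const char *dns[] = {                        /* constructed group DNs */
        "cn=Managers,dc=example,dc=com",         /* really inside the area */
        "cn=G,dc=example,dc=com,o=other",        /* area text mid-DN only */
        "cn=G,adc=example,dc=com",               /* tail match, no RDN boundary */
        "cn=x\\,dc=example,dc=com",              /* boundary comma is escaped */
    };
    for (size_t k = 0; k < sizeof dns / sizeof dns[0]; k++)
        printf("%-32s strstr=%d suffix=%d\n", dns[k],
               in_area_strstr(dns[k], area), in_area_suffix(dns[k], area));
    return 0;
}
```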
Just converted the group dn strings to real DNs for comparison to the configArea. slapi_sdn_issuffix handles the normalization.
Sending out for review.
need to slapi_sdn_free(dn) and slapi_sdn_free(group_dn) after use - otherwise, looks good
attachment 0001-Ticket-308-Automembership-plugin-fails-if-data-and-c.patch
git merge ticket308
Updating 231cd7e..050adf6
Fast-forward
 ldap/servers/plugins/automember/automember.c | 38 ++++++++++++++++++++++++++
 1 files changed, 38 insertions(+), 0 deletions(-)

git push origin master
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.55 KiB, done.
Total 7 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   231cd7e..050adf6 master -> master
originally targeted for 1.2.11.rc1, but actually in the 1.2.11.a1 release
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=834056
Added initial screened field value.
Even after fix this doesn't work for single instance setup (but is supposed to):
IP=192.168.122.185
PORT=22222
ROOT="dc=example,dc=com"
PLUGIN_ROOT="cn=autoMembersPlugin,$ROOT"
PLUGIN_AUTO="cn=Auto Membership Plugin,cn=plugins,cn=config"

ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: $PLUGIN_ROOT
objectClass: top
objectClass: nscontainer
EOF

ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: $PLUGIN_AUTO
changetype: modify
add: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea: $ROOT
-
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF

ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=replsubGroups,$PLUGIN_ROOT
objectclass: autoMemberDefinition
autoMemberScope: cn=Employees,$ROOT
autoMemberFilter: objectclass=posixAccount
autoMemberDefaultGroup: cn=SubDef1,$ROOT
autoMemberDefaultGroup: cn=SubDef2,$ROOT
autoMemberDefaultGroup: cn=SubDef3,$ROOT
autoMemberDefaultGroup: cn=SubDef4,$ROOT
autoMemberDefaultGroup: cn=SubDef5,$ROOT
autoMemberGroupingAttr: member: dn

dn: cn=Managers,cn=replsubGroups,$PLUGIN_ROOT
objectclass: autoMemberRegexRule
description: Group placement for Managers
cn: Managers
autoMemberTargetGroup: cn=Managers,cn=replsubGroups,$ROOT
autoMemberInclusiveRegex: uidNumber=^5..5$
autoMemberInclusiveRegex: gidNumber=^[1-4]..3$
autoMemberInclusiveRegex: nsAdminGroupName=^Manager$|^Supervisor$
autoMemberExclusiveRegex: uidNumber=^999$
autoMemberExclusiveRegex: gidNumber=^[6-8].0$
autoMemberExclusiveRegex: nsAdminGroupName=^Junior$

dn:cn=Contractors,cn=replsubGroups,$PLUGIN_ROOT
objectclass: autoMemberRegexRule
description: Group placement for Contractors
cn: Contractors
autoMemberTargetGroup: cn=Contractors,cn=replsubGroups,$ROOT
autoMemberInclusiveRegex: uidNumber=^8..5$
autoMemberInclusiveRegex: gidNumber=^[5-9]..3$
autoMemberInclusiveRegex: nsAdminGroupName=^Contract|^Temporary$
autoMemberExclusiveRegex: uidNumber=^[1,3,8]99$
autoMemberExclusiveRegex: gidNumber=^[2-4]00$
autoMemberExclusiveRegex: nsAdminGroupName=^Employee$
EOF

echo "Adding invalid configuration: $?"
The failure mentioned in comment#12 is due to not restarting ns-slapd after changing nsslapd-pluginConfigArea. This attribute does not support dynamic updates. Changing this back to fixed and resetting the milestone to 1.2.11.a1.
Metadata Update from @rmeggins: - Issue assigned to mreynolds - Issue set to the milestone: 1.2.11.a1
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/308
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)