#308 Automembership plugin fails in a MMR setup, if data and config area mixed in the plugin configuration
Closed: wontfix None Opened 9 years ago by nkinder.

https://bugzilla.redhat.com/show_bug.cgi?id=797138 (Fedora)

Description of problem:
         Configuring automembership plugin with "nsslapd-pluginConfigArea",
fails to update entries in the replicated environment.


Version-Release number of selected component (if applicable):
389-ds-base-1.2.10.1-1.el6.x86_64


How reproducible: Consistently.


Steps to Reproduce:
1. Install latest 389-ds-base(1.2.10) bits and configure four way MMR.
- Replicated Suffix - "dc=replAutoMembers,dc=com".
2. Configure Automembership plugin with "nsslapd-pluginConfigArea" on all the
masters.
nsslapd-pluginConfigArea: dc=replAutomembers,dc=com
3. Add plugin configuration entries to "dc=replAutoMembers,dc=com" with regex
rules.
Automembers plugin's regex rule:

dn: cn=replsubGroups,cn=autoMembersPlugin,dc=replAutoMembers,dc=com
objectclass: autoMemberDefinition
autoMemberScope: cn=Employees,dc=replAutoMembers,dc=com
autoMemberFilter: objectclass=posixAccount
autoMemberDefaultGroup: cn=SubDef1,dc=replAutoMembers,dc=com
autoMemberDefaultGroup: cn=SubDef2,dc=replAutoMembers,dc=com
autoMemberDefaultGroup: cn=SubDef3,dc=replAutoMembers,dc=com
autoMemberDefaultGroup: cn=SubDef4,dc=replAutoMembers,dc=com
autoMemberDefaultGroup: cn=SubDef5,dc=replAutoMembers,dc=com
autoMemberGroupingAttr: member: dn

dn: cn=Managers,cn=replsubGroups,cn=autoMembersPlugin,dc=replAutoMembers,dc=com
objectclass: autoMemberRegexRule
description: Group placement for Managers
cn: Managers
autoMemberTargetGroup: cn=Managers,cn=replsubGroups,dc=replAutoMembers,dc=com
autoMemberInclusiveRegex: uidNumber=^5..5$
autoMemberInclusiveRegex: gidNumber=^[1-4]..3$
autoMemberInclusiveRegex: nsAdminGroupName=^Manager$|^Supervisor$
autoMemberExclusiveRegex: uidNumber=^999$
autoMemberExclusiveRegex: gidNumber=^[6-8].0$
autoMemberExclusiveRegex: nsAdminGroupName=^Junior$

dn: cn=Contractors,cn=replsubGroups,cn=autoMembersPlugin,dc=replAutoMembers,dc=com
objectclass: autoMemberRegexRule
description: Group placement for Contractors
cn:  Contractors
autoMemberTargetGroup: cn=Contractors,cn=replsubGroups,dc=replAutoMembers,dc=com
autoMemberInclusiveRegex: uidNumber=^8..5$
autoMemberInclusiveRegex: gidNumber=^[5-9]..3$
autoMemberInclusiveRegex: nsAdminGroupName=^Contract|^Temporary$
autoMemberExclusiveRegex: uidNumber=^[1,3,8]99$
autoMemberExclusiveRegex: gidNumber=^[2-4]00$
autoMemberExclusiveRegex: nsAdminGroupName=^Employee$

4. Create all the associated groups and containers before creating user
entries.
For eg: Groups - Contractors, Managers, SubDef1, SubDef2, SubDef3, SubDef4 and
SubDef5.
Containers: cn=autoMembersPlugin, cn=replsubGroups and cn=Employees

5. Add a few user entries (with posixAccount objectClass) to M1 and observe
whether the entry is added as a member to the groups.

Actual results:
          The first user is added as member to the group but not the subsequent
entries. Moreover the entries are not synced over to other Masters. At the same
time the attempt to stop/restart the instance failed.

Expected results:
          Plugin configuration should throw proper error messages if not
configured properly.

Additional info:



Nathan's comment for the same problem:

There is a deadlock issue.  It appears that it's related to the way you have
the config area overlapping with the data area.  This configuration is causing
the plug-in to be called recursively.

The add operation for your test user comes in, which triggers the
automembership plugin.  Since the add is in the config area, it first obtains a
write lock to reload the config, which it then successfully releases.  It then
obtains a read lock to check if the entry being added meets any of the
automembership criteria in the config.  The entry does meet the criteria, so an
internal operation is kicked off to update the group entry with the new member
value (the read lock is still held at this time).  This internal operation is
modifying a group entry that unfortunately is inside of your config area.  We
need to treat this as a configuration change, so we attempt to get a write lock
to reload the config.  Since this thread already holds a read lock, it
deadlocks.  This will cause further automembership operations to deadlock the
first time they attempt to do anything with the lock, with the eventual
possibility of locking up all of the worker threads and making the server
unresponsive to clients.

You should file a bug on this, though you should not see the issue if you
correct the way you are using the config area.  Please provide exact steps to
reproduce the issue in the bug.  I have attached the stack trace.

Fix is to verify the config, and skip invalid definition entries that contain default/target groups that are inside of the config area.

should use slapi_sdn_issuffix instead of strstr

Overall, your patch looks good. A couple of minor things...

640 dn = slapi_create_dn_string(values[i]);
The sample usage of slapi_create_dn_string is like this:
suffix = slapi_create_dn_string("%s", value);

654 if(strstr(nvalues[i], confAreaDN)){
1046 if(strstr(group_dn, confAreaDN)){
To determine the first arg dn is under the second arg dn, you could use the API slapi_dn_issuffix (note: the args of this API do not have to be suffixes...:). I think strstr could get confused at, e.g., strstr("cn=A,o=B", "cn=A,o=B,c=C") although the first arg is not a child of the second...
/*
 * slapi_dn_issuffix - tells whether suffix is a suffix of dn. both dn
 * and suffix must be normalized.
 */
int slapi_dn_issuffix(const char *dn, const char *suffix)
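The difference between a substring test and a DN-aware test, as an added example that is not code from the patch or from 389-ds-base. `dn_is_under` is a hypothetical stand-in for a call such as `slapi_dn_issuffix`; it assumes both DNs are already normalized, and the sample DNs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Substring test in the style of the reviewed lines. */
static int under_strstr(const char *dn, const char *area)
{
    return strstr(dn, area) != NULL;
}

/* Hypothetical DN-aware test on normalized DNs: returns 1 if dn equals
 * area or is a descendant of it, 0 otherwise. */
static int dn_is_under(const char *dn, const char *area)
{
    size_t dlen = strlen(dn), alen = strlen(area);
    size_t start, i, slashes = 0;

    if (alen > dlen)
        return 0;
    start = dlen - alen;
    if (strcmp(dn + start, area) != 0)   /* must match at the end of dn */
        return 0;
    if (start == 0)                      /* identical DNs */
        return 1;
    if (dn[start - 1] != ',')            /* must begin on an RDN boundary */
        return 0;
    /* A comma preceded by an odd number of backslashes is escaped data. */
    for (i = start - 1; i > 0 && dn[i - 1] == '\\'; i--)
        slashes++;
    return (slashes % 2) == 0;
}

int main(void)
{
    const char *area = "dc=replautomembers,dc=com";    /* constructed samples */
    const char *dns[] = {
        "cn=subdef1,dc=replautomembers,dc=com",            /* really inside */
        "cn=subdef1,dc=replautomembers,dc=com,o=archive",  /* area not at end */
        "cn=subdef1,xdc=replautomembers,dc=com",           /* not an RDN start */
        "cn=a\\,dc=replautomembers,dc=com",                /* escaped comma */
    };
    for (size_t i = 0; i < sizeof(dns) / sizeof(dns[0]); i++)
        printf("%-48s strstr=%d dn-aware=%d\n", dns[i],
               under_strstr(dns[i], area), dn_is_under(dns[i], area));
    return 0;
}
```
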

Just converted the group dn strings to real DNs for comparison to the configArea. slapi_sdn_issuffix handles the normalization.

Sending out for review.

need to slapi_sdn_free(dn) and slapi_sdn_free(group_dn) after use - otherwise, looks good

git merge ticket308
Updating 231cd7e..050adf6
Fast-forward
ldap/servers/plugins/automember/automember.c | 38 ++++++++++++++++++++++++++
1 files changed, 38 insertions(+), 0 deletions(-)

git push origin master
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.55 KiB, done.
Total 7 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
231cd7e..050adf6 master -> master

originally targeted for 1.2.11.rc1, but actually in the 1.2.11.a1 release

Added initial screened field value.

Even after fix this doesn't work for single instance setup (but is supposed to):

IP=192.168.122.185
PORT=22222
ROOT="dc=example,dc=com"
PLUGIN_ROOT="cn=autoMembersPlugin,$ROOT"
PLUGIN_AUTO="cn=Auto Membership Plugin,cn=plugins,cn=config"

# Add container for automembers plugin

ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: $PLUGIN_ROOT
objectClass: top
objectClass: nscontainer
EOF

# Configure nsslapd-pluginConfigArea

ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: $PLUGIN_AUTO
changetype: modify
add: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea: $ROOT
-
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF

# Add rules that conflict with pluginConfigArea

ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=replsubGroups,$PLUGIN_ROOT
objectclass: autoMemberDefinition
autoMemberScope: cn=Employees,$ROOT
autoMemberFilter: objectclass=posixAccount
autoMemberDefaultGroup: cn=SubDef1,$ROOT
autoMemberDefaultGroup: cn=SubDef2,$ROOT
autoMemberDefaultGroup: cn=SubDef3,$ROOT
autoMemberDefaultGroup: cn=SubDef4,$ROOT
autoMemberDefaultGroup: cn=SubDef5,$ROOT
autoMemberGroupingAttr: member: dn

dn: cn=Managers,cn=replsubGroups,$PLUGIN_ROOT
objectclass: autoMemberRegexRule
description: Group placement for Managers
cn: Managers
autoMemberTargetGroup: cn=Managers,cn=replsubGroups,$ROOT
autoMemberInclusiveRegex: uidNumber=^5..5$
autoMemberInclusiveRegex: gidNumber=^[1-4]..3$
autoMemberInclusiveRegex: nsAdminGroupName=^Manager$|^Supervisor$
autoMemberExclusiveRegex: uidNumber=^999$
autoMemberExclusiveRegex: gidNumber=^[6-8].0$
autoMemberExclusiveRegex: nsAdminGroupName=^Junior$

dn:cn=Contractors,cn=replsubGroups,$PLUGIN_ROOT
objectclass: autoMemberRegexRule
description: Group placement for Contractors
cn: Contractors
autoMemberTargetGroup: cn=Contractors,cn=replsubGroups,$ROOT
autoMemberInclusiveRegex: uidNumber=^8..5$
autoMemberInclusiveRegex: gidNumber=^[5-9]..3$
autoMemberInclusiveRegex: nsAdminGroupName=^Contract|^Temporary$
autoMemberExclusiveRegex: uidNumber=^[1,3,8]99$
autoMemberExclusiveRegex: gidNumber=^[2-4]00$
autoMemberExclusiveRegex: nsAdminGroupName=^Employee$
EOF

# Should fail on 53

echo "Adding invalid configuration: $?"

The failure mentioned in comment#12 is due to not restarting ns-slapd after changing nsslapd-pluginConfigArea. This attribute does not support dynamic updates. Changing this back to fixed and resetting the milestone to 1.2.11.a1.

Metadata Update from @rmeggins:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.2.11.a1

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/308

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

8 months ago
