#47884 WinSync - manual replica refresh removes AD-only member values from DS and AD in groups (1.3.1- only)
Closed: wontfix. Opened 7 years ago by vashirov.

See also tickets #415 and #47464

  1. Add groups grp0, grp1, users AD_ONLY and AD_AND_DS to AD:

    ldapadd -c -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com << EOF
    dn: CN=AD_ONLY,cn=users,dc=adrelm,dc=com
    objectClass: top
    objectClass: user
    cn: AD_ONLY
    uid: AD_ONLY
    sAMAccountName: AD_ONLY
    distinguishedName: CN=AD_ONLY,cn=users,dc=adrelm,dc=com

    dn: CN=AD_AND_DS,cn=users,dc=adrelm,dc=com
    objectClass: top
    objectClass: user
    cn: AD_AND_DS
    sn: AD_AND_DS
    uid: AD_AND_DS
    sAMAccountName: AD_AND_DS
    distinguishedName: CN=AD_AND_DS,cn=users,dc=adrelm,dc=com

    dn: CN=grp0,cn=users,dc=adrelm,dc=com
    objectClass: top
    objectClass: Group
    cn: grp0
    distinguishedName: CN=grp0,cn=users,dc=adrelm,dc=com
    name: grp0
    sAMAccountName: grp0

    dn: CN=grp1,cn=users,dc=adrelm,dc=com
    objectClass: top
    objectClass: Group
    cn: grp1
    distinguishedName: CN=grp1,cn=users,dc=adrelm,dc=com
    name: grp1
    sAMAccountName: grp1
    EOF

  2. Wait for them to appear in DS

  3. Add new AD_ONLY member to grp0, AD_ONLY and AD_AND_DS member to grp1

    ldapmodify -c -x -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com << EOF
    dn: CN=grp0,cn=users,DC=adrelm,DC=com
    changetype: modify
    add: member
    member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

    dn: CN=grp1,cn=users,DC=adrelm,DC=com
    changetype: modify
    add: member
    member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
    member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
    EOF

  4. Wait for sync

  5. grp0 contains AD_ONLY member, grp1 contains both AD_ONLY and AD_AND_DS members both on DS and AD.

on DS:

    ldapsearch -LLL -H ldap://localhost:1189 -D "cn=Directory Manager" -w Secret123 -x -b dc=passsync,dc=com "(cn=grp*)" uniquemember
    dn: cn=grp0,ou=People,dc=passsync,dc=com
    uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com

    dn: cn=grp1,ou=People,dc=passsync,dc=com
    uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com
    uniquemember: uid=AD_AND_DS,ou=People,dc=passsync,dc=com

on AD:

    ldapsearch -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -h win2k8.adrelm.com -b dc=adrelm,dc=com "(cn=grp*)" member
    dn: CN=grp0,CN=Users,DC=adrelm,DC=com
    member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com

    dn: CN=grp1,CN=Users,DC=adrelm,DC=com
    member: CN=AD_ONLY,CN=Users,DC=adrelm,DC=com
    member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com

  6. Do manual replica refresh

  7. From grp0 AD_ONLY member is removed both from AD and DS.
     From grp1 AD_ONLY member is removed only from AD, but it's still present on DS.

on DS:

    ldapsearch -LLL -H ldap://localhost:1189 -D "cn=Directory Manager" -w Secret123 -x -b dc=passsync,dc=com "(cn=grp*)" uniquemember
    dn: cn=grp0,ou=People,dc=passsync,dc=com

    dn: cn=grp1,ou=People,dc=passsync,dc=com
    uniquemember: uid=AD_AND_DS,ou=People,dc=passsync,dc=com
    uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com

on AD:

    ldapsearch -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -h win2k8.adrelm.com -b dc=adrelm,dc=com "(cn=grp*)" member
    dn: CN=grp0,CN=Users,DC=adrelm,DC=com

    dn: CN=grp1,CN=Users,DC=adrelm,DC=com
    member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
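
The symptom in the steps above is a group member silently disappearing during a refresh, so comparing `ldapsearch -LLL` output captured before and after the refresh is one way to catch it. The Python below is an added example, not part of the ticket or of 389-ds-base; the function names are hypothetical, and it assumes the AD `cn` matches the DS `uid`, as it does in this reproduction.

```python
# Added example (not 389-ds code): diff group membership captured with
# `ldapsearch -LLL` before and after a WinSync refresh. Assumes no base64
# ("attr:: ...") values, no escaped commas in RDNs, and AD cn == DS uid.
def rdn_value(dn):
    # 'CN=AD_ONLY,CN=Users,...' -> 'ad_only' (first RDN value, lowercased)
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()

def parse_members(ldif, attr):
    """Map each group's first RDN value to the set of its member RDN values."""
    groups, current = {}, None
    # LDIF folds long lines as newline + one space; unfold before parsing.
    for line in ldif.replace("\n ", "").splitlines():
        name, _, value = line.strip().partition(":")
        if name.lower() == "dn":
            current = rdn_value(value)
            groups[current] = set()
        elif name.lower() == attr.lower() and current is not None:
            groups[current].add(rdn_value(value))
    return groups

def lost(before, after):
    """Members present before the refresh and missing afterwards, per group."""
    return {g: d for g, m in before.items() if (d := sorted(m - after.get(g, set())))}

def one_sided(ad, ds):
    """Members present on only one side of the sync agreement, per group."""
    return {g: d for g in set(ad) | set(ds)
            if (d := sorted(ad.get(g, set()) ^ ds.get(g, set())))}

# Sample data: the ticket's own DS and AD output around the refresh.
DS_BEFORE = """dn: cn=grp0,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com

dn: cn=grp1,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_AND_DS,ou=People,dc=passsync,dc=com
"""
DS_AFTER = """dn: cn=grp0,ou=People,dc=passsync,dc=com

dn: cn=grp1,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_AND_DS,ou=People,dc=passsync,dc=com
uniquemember: uid=AD_ONLY,ou=People,dc=passsync,dc=com
"""
AD_AFTER = """dn: CN=grp0,CN=Users,DC=adrelm,DC=com

dn: CN=grp1,CN=Users,DC=adrelm,DC=com
member: CN=AD_AND_DS,CN=Users,DC=adrelm,DC=com
"""
DS_NOW = parse_members(DS_AFTER, "uniquemember")
DS_LOST = lost(parse_members(DS_BEFORE, "uniquemember"), DS_NOW)
MISMATCH = one_sided(parse_members(AD_AFTER, "member"), DS_NOW)
```

On the ticket's data, `DS_LOST` flags grp0 as having lost AD_ONLY on DS, and `MISMATCH` flags grp1, where AD_ONLY survives on DS but is gone from AD.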

Description: windows_generate_update_mods had a bug that confused the
handling of the local and remote entries in its logic. The bug was fixed
with Ticket #460 in 1.3.2 and newer. Back-porting the function
windows_generate_update_mods to 1.3.1 and 1.2.11, as well.

git patch file (1.2.11) -- Back-porting the function windows_generate_update_mods from 1.3.2+
0001-Ticket-47884-WinSync-manual-replica-refresh-removes-.patch

Pushed to 389-ds-base-1.2.11:
4b7184c..8e79bef 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 8e79bef

Pushed to 389-ds-base-1.3.1:
412ec0e..b0cf445 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit b0cf44582707f20cebbae57ce14a6c103b4e217a

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.11.33

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1215

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

a year ago
