https://bugzilla.redhat.com/show_bug.cgi?id=700200
Description of problem: There is a list of reserved UIDs within Active Directory which cannot be synchronized from RHDS to AD. If a uid within RHDS is equal to one of these values, the initialization of the AD consumer will fail to complete.

Version-Release number of selected component (if applicable): RHDS 8.2

How reproducible: 100%

Steps to Reproduce:
1. Create an account in an RHDS with a sync agreement to an AD consumer.
2. Enter one of the prohibited words that Active Directory won't allow to be a uid.
3. Initiate a full sync.

Actual results: When the user in question is encountered, the following message appears in /var/log/dirsrv/slapd-<instance>/errors:

[27/Apr/2011:13:04:42 -0500] NSMMReplicationPlugin - agmt="cn=ADSync" (huey:389): windows_tot_run: failed to obtain data to send to the consumer; LDAP error - -1

In our case, we used the uid "service".

Expected results: I would like to see RHDS log the error but continue with the initialization rather than aborting.

Additional info:
batch move to milestone future
set default ticket origin to Community
Added initial screened field value.
Bug description: Some account names (e.g. "service") are reserved in Active Directory. If DS has an entry having such an NT user ID and the entry is synchronized to the AD, it fails with LDAP_ALREADY_EXISTS, but the error is gracefully ignored. In the total update, updating the Account Control bit follows the failed add, which fails since the AD entry WinSync expects does not exist, and it aborts the total update.

Fix description: If adding a DS entry to AD fails and updating the Account Control bit also fails, the following note is logged in the error log and the total update continues:

windows_process_total_add: Creating AD entry "cn=service service,cn=Users,dc=EXAMPLE,dc=COM" from DS entry "uid=service,ou=People,dc=example,dc=com" failed. AD reserves the account name. Ignoring the error...

In addition, in windows_parse_config_entry, if the attribute values in the agreement are retrieved before the agreement is started, the following error is logged, which is not necessary. This patch stops logging it if the agreement has not set "protocol" yet:

Replication agreement for agmt="cn=WinSync" could not be updated. For replication to take place, please enable the suffix and restart the server.
git patch file (master) 0001-Ticket-48-Active-Directory-has-certain-uids-which-ar.patch
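The two log messages in this ticket are the only trace an operator gets of whether a WinSync total update aborted on a reserved AD account name (pre-fix) or logged and skipped it (post-fix). The following is an added example, not code from the ticket or from 389-ds-base, that parses constructed errors-log lines in that format and counts both conditions per agreement; the regular expressions and the sample lines are assumptions modelled on the messages quoted above.

```python
import re
from collections import Counter

# Constructed sample lines in the format of /var/log/dirsrv/slapd-<instance>/errors,
# modelled on the two messages quoted in this ticket; not real log output.
SAMPLE_LOG = """\
[27/Apr/2011:13:04:42 -0500] NSMMReplicationPlugin - agmt="cn=ADSync" (huey:389): windows_tot_run: failed to obtain data to send to the consumer; LDAP error - -1
[16/Aug/2013:14:10:03 -0700] NSMMReplicationPlugin - agmt="cn=ADSync" (huey:389): windows_process_total_add: Creating AD entry "cn=service service,cn=Users,dc=EXAMPLE,dc=COM" from DS entry "uid=service,ou=People,dc=example,dc=com" failed. AD reserves the account name. Ignoring the error...
[16/Aug/2013:14:10:05 -0700] NSMMReplicationPlugin - agmt="cn=ADSync" (huey:389): windows_inc_run: incremental update started
"""

# Assumed line layout: [timestamp] plugin - agmt="name" (host:port): function: message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<plugin>\S+) - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<host>[^)]+)\): (?P<func>\w+): (?P<msg>.*)$'
)
DS_DN_RE = re.compile(r'from DS entry "(?P<dn>[^"]+)"')


def parse_line(line):
    """Split one WinSync plugin log line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Map a parsed line onto the two conditions this ticket describes."""
    func, msg = event["func"], event["msg"]
    if func == "windows_tot_run" and "failed to obtain data" in msg:
        return "total_update_aborted"      # pre-fix behaviour: the full sync stops here
    if func == "windows_process_total_add" and "AD reserves the account name" in msg:
        return "reserved_name_skipped"     # post-fix behaviour: logged, entry skipped
    return "other"


def summarize(log_text):
    """Count both conditions per agreement and collect the DS entries AD refused."""
    counts, skipped = Counter(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind = classify(ev)
        counts[(ev["agmt"], kind)] += 1
        if kind == "reserved_name_skipped":
            m = DS_DN_RE.search(ev["msg"])
            skipped.append(m.group("dn") if m else "<unknown>")
    return {"counts": dict(counts), "skipped_ds_entries": skipped}
```

A non-empty `skipped_ds_entries` list after a full sync tells you which DS accounts never made it to AD and need renaming, while a `total_update_aborted` count on a patched server points at a different failure than this ticket.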
Reviewed by Rich (Thank you!!)
Pushed to master: 839c46c..b00b8ac master -> master commit b00b8ac
Coverity CID 11943 - Logically dead code
Fix description: The following commit mistakenly put the "Ignoring ALREADY EXIST case" code before retrieving the ldap_result_code. This patch fixes the order.

commit b00b8ac
Author: Noriko Hosoi nhosoi@redhat.com
Date: Fri Aug 16 14:04:27 2013 -0700
git patch file (master) -- fixing Coverity CID 11943 0001-Ticket-48-Active-Directory-has-certain-uids-which-ar.2.patch
Reviewed by Rich (Thanks!!!)
Pushed to master: d01155c..52f7906 master -> master commit 52f7906
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.2 - 08/13 (August)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/48
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)