#1469 Disabling ipa-nis-manage removes netgroup compat suffix in DS.
Closed: Fixed None Opened 10 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=719656

Disabling ipa-nis-manage removes the following suffix from DS causing "ipa
hostgroup" command to fail to automatically add any netgroup info in
cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com.

<snip>
# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng
</snip>

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-25.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install ipa server
2. Make sure "# ng, compat, lab.eng.pnq.redhat.com" exists 
# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng

3. Add hostgroup
# ipa hostgroup-add hostgrp1 --desc="host group1"
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: host group1

4. Verify if netgroup info is automatically added to "cn=ng,cn=compat,
dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" suffix
# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng

# hostgrp1, ng, compat, lab.eng.pnq.redhat.com
dn: cn=hostgrp1,cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1

5. Now, disable ipa-nis-manage

6. Check if netgroup info exists in "ng, compat, lab.eng.pnq.redhat.com"

Actual results:

# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

# search result
search: 2
result: 32 No such object     <<<<<<<<<<<<<<<<<<
matchedDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

All netgroup data from cn=compat is removed.

Expected results:
Should not remove any existing data.

Additional info:
1. Enabling ipa-nis-manage doesn't help.
2. This causes adding hostgroup to "ipa sudorule" to fail.
3. Also, affects SSSD while enumerating netgroups.

Metadata Update from @rcritten:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 2.1 - 2011/07

5 years ago
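
A regression check for steps 2, 4 and 6 of the report, as an added example that is not part of the original ticket or of FreeIPA: it classifies ldapsearch output for the compat netgroup subtree as missing, empty or populated. The function names, the status words and the example.test suffix are assumptions, and the sample outputs are constructed from the output shapes shown in the ticket.

```shell
#!/bin/sh
# Added example: classify ldapsearch output for the cn=ng,cn=compat subtree.
compat_ng_status() {
    awk '
        # Trailer "result: 32 No such object": the search base itself is gone.
        $1 == "result:" && $2 == "32" { missing = 1 }
        # Container entry; drop spaces after commas as printed in the ticket.
        $1 == "dn:" {
            dn = tolower($0); sub(/^dn:[ \t]*/, "", dn); gsub(/,[ \t]+/, ",", dn)
            if (index(dn, "cn=ng,cn=compat,") == 1) container = 1
        }
        # Each netgroup generated from a hostgroup has objectClass nisNetgroup.
        tolower($1) == "objectclass:" && tolower($2) == "nisnetgroup" { groups++ }
        END {
            if (missing)         print "missing"
            else if (groups > 0) print "populated:" groups
            else if (container)  print "empty"
            else                 print "unknown"
        }'
}

# Constructed sample: output shaped like step 4 of the ticket (example suffix).
sample_populated() {
    cat <<'EOF'
# ng, compat, example.test
dn: cn=ng,cn=compat, dc=example,dc=test
objectClass: extensibleObject
cn: ng

# hostgrp1, ng, compat, example.test
dn: cn=hostgrp1,cn=ng,cn=compat,dc=example,dc=test
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1
EOF
}

# Constructed sample: output shaped like the "Actual results" section.
sample_removed() {
    cat <<'EOF'
# search result
search: 2
result: 32 No such object
matchedDN: dc=example,dc=test
EOF
}

echo "before disable: $(sample_populated | compat_ng_status)"
echo "after disable:  $(sample_removed | compat_ng_status)"
```

Against a live server, pipe the ticket's ldapsearch command into compat_ng_status before and after toggling the NIS plugin; a change from populated to missing is the regression described here.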
