memberOf plugin ancestor cache errors when an entry has both implicit and explicit group membership

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/49265

• Created at 2017-05-19 14:22:43 by pj101
• Assigned to tbordaz (@tbordaz)
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1859286

---

The ticket created as per comment https://pagure.io/389-ds-base/issue/49031#comment-441593

386ds v.1.3.6.5on CentOS7.3 compiled from sources, memeberOf plugin activated:

cn=MemberOf Plugin,cn=plugins,cn=config
...
nsslapd-pluginEnabled: on
memberofgroupattr: uniqueMember
memberofattr: memberOf
memberofautoaddoc: X-Misc

We don't have circular groups. And the particular group that was emptied/recreated is a simple one, without any nesting. But each user is a member of 20-30 other groups on the average.

After some research i think i have found out the exact situation when it happens. The person needs to be explicitly and implicitly a member of the same group. If that person is "touched" during any group membership change, the error will pop.

Here is an example:
cn=Utilisateurs Service Lambda,ou=Groupes Globaux,ou=Groupes,dc=example,dc=com
cn: Utilisateurs Service Lambda
objectClass: groupofuniquenames
objectClass: top
uniqueMember: cn=Management Team,ou=Administration,ou=Groupes,dc=example,dc=com
uniqueMember: uid=unfortunate_user,ou=personnel,ou=utilisateurs,dc=example,dc=com

cn=Management Team,ou=Administration,ou=Groupes,dc=example,dc=com
cn: Management Team
objectClass: groupofuniquenames
objectClass: top
uniqueMember: uid=unfortunate_user,ou=Personnel,ou=Utilisateurs,dc=example,dc=com
memberOf: cn=Utilisateurs Service Lambda,ou=Groupes Globaux,ou=Groupes,dc=example,dc=com

With this configuration each time we add (or delete?) the uid=unfortunate_user to a third group, the error message will pop:

/May/2017:14:06:57.552645685 +0200] - ERR - memberof-plugin - memberof_fix_memberof_callback: Weird, uid=unfortunate_user,ou=Personnel,ou=Utilisateurs,dc=example,dc=com is not in the cache

Maybe it happens because uid=unfortunate_user is evicted from ancestor cache first time due to the implicit group membership and second time because of the entry's explicit membership...

The tests are made on development server so if necessary, i can easily enable debug logging, recompile a modified memberOf plugin etc.

[389-ds-bot]

Comment from tbordaz (@tbordaz) at 2017-05-19 15:06:10

Metadata Update from @tbordaz:

• Issue assigned to tbordaz

[389-ds-bot]

Comment from tbordaz (@tbordaz) at 2017-05-19 17:00:26

@pj101 Thanks for you perfect description of the test case. I prepared this lib389 test case and reproduced the issue

[389-ds-bot]

Comment from tbordaz (@tbordaz) at 2017-05-19 17:00:31

Metadata Update from @tbordaz:

• Custom field type adjusted to defect

[389-ds-bot]

Comment from spichugi (@droideck) at 2017-05-24 12:32:57

@tbordaz hi, strange, but I have "Page not found (404)" on your file...

[389-ds-bot]

Comment from tbordaz (@tbordaz) at 2017-05-24 13:32:03

[389-ds-bot]

Comment from tbordaz (@tbordaz) at 2017-05-24 13:33:07

@droideck good catch, I do not know what happened. I attached the file again.

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2017-05-25 17:49:31

Metadata Update from @mreynolds389:

• Issue set to the milestone: 1.3.6.0

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2017-07-05 17:32:58

Metadata Update from @mreynolds389:

• Issue set to the milestone: 1.3.7 backlog (was: 1.3.6.0)

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-08-23 20:44:18

Metadata Update from @mreynolds389:

• Custom field origin adjusted to None
• Custom field reviewstatus adjusted to None
• Issue set to the milestone: 1.4.2 (was: 1.3.7 backlog)

[389-ds-bot]

Comment from vashirov (@vashirov) at 2020-03-11 15:56:16

Metadata Update from @vashirov:

• Issue set to the milestone: 1.4.3 (was: 1.4.2)

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2020-07-21 17:54:18

Metadata Update from @mreynolds389:

• Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1859286

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2020-07-21 17:54:18

Issue linked to Bugzilla: Bug 1859286