New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
memberOf plugin ancestor cache errors when an entry has both implicit and explicit group membership #2324
Comments
Comment from tbordaz (@tbordaz) at 2017-05-19 15:06:10 Metadata Update from @tbordaz:
|
Comment from tbordaz (@tbordaz) at 2017-05-19 17:00:26 @pj101 Thanks for you perfect description of the test case. I prepared this lib389 test case and reproduced the issue |
Comment from tbordaz (@tbordaz) at 2017-05-19 17:00:31 Metadata Update from @tbordaz:
|
Comment from spichugi (@droideck) at 2017-05-24 12:32:57 @tbordaz hi, strange, but I have "Page not found (404)" on your file... |
Comment from tbordaz (@tbordaz) at 2017-05-24 13:32:03 |
Comment from tbordaz (@tbordaz) at 2017-05-24 13:33:07 @droideck good catch, I do not know what happened. I attached the file again. |
Comment from mreynolds (@mreynolds389) at 2017-05-25 17:49:31 Metadata Update from @mreynolds389:
|
Comment from mreynolds (@mreynolds389) at 2017-07-05 17:32:58 Metadata Update from @mreynolds389:
|
Comment from mreynolds (@mreynolds389) at 2019-08-23 20:44:18 Metadata Update from @mreynolds389:
|
Comment from vashirov (@vashirov) at 2020-03-11 15:56:16 Metadata Update from @vashirov:
|
Comment from mreynolds (@mreynolds389) at 2020-07-21 17:54:18 Metadata Update from @mreynolds389:
|
Comment from mreynolds (@mreynolds389) at 2020-07-21 17:54:18 Issue linked to Bugzilla: Bug 1859286 |
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/49265
The ticket created as per comment https://pagure.io/389-ds-base/issue/49031#comment-441593
386ds v.1.3.6.5on CentOS7.3 compiled from sources, memeberOf plugin activated:
cn=MemberOf Plugin,cn=plugins,cn=config
...
nsslapd-pluginEnabled: on
memberofgroupattr: uniqueMember
memberofattr: memberOf
memberofautoaddoc: X-Misc
We don't have circular groups. And the particular group that was emptied/recreated is a simple one, without any nesting. But each user is a member of 20-30 other groups on the average.
After some research i think i have found out the exact situation when it happens. The person needs to be explicitly and implicitly a member of the same group. If that person is "touched" during any group membership change, the error will pop.
Here is an example:
cn=Utilisateurs Service Lambda,ou=Groupes Globaux,ou=Groupes,dc=example,dc=com
cn: Utilisateurs Service Lambda
objectClass: groupofuniquenames
objectClass: top
uniqueMember: cn=Management Team,ou=Administration,ou=Groupes,dc=example,dc=com
uniqueMember: uid=unfortunate_user,ou=personnel,ou=utilisateurs,dc=example,dc=com
cn=Management Team,ou=Administration,ou=Groupes,dc=example,dc=com
cn: Management Team
objectClass: groupofuniquenames
objectClass: top
uniqueMember: uid=unfortunate_user,ou=Personnel,ou=Utilisateurs,dc=example,dc=com
memberOf: cn=Utilisateurs Service Lambda,ou=Groupes Globaux,ou=Groupes,dc=example,dc=com
With this configuration each time we add (or delete?) the uid=unfortunate_user to a third group, the error message will pop:
/May/2017:14:06:57.552645685 +0200] - ERR - memberof-plugin - memberof_fix_memberof_callback: Weird, uid=unfortunate_user,ou=Personnel,ou=Utilisateurs,dc=example,dc=com is not in the cache
Maybe it happens because uid=unfortunate_user is evicted from ancestor cache first time due to the implicit group membership and second time because of the entry's explicit membership...
The tests are made on development server so if necessary, i can easily enable debug logging, recompile a modified memberOf plugin etc.
The text was updated successfully, but these errors were encountered: