referint plugin does not work (IPA)

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47624

• Created at 2013-12-10 19:02:22 by jcholast
• Closed as Duplicate
• Assigned to lkrispen (@elkris)

---

The referential integrity plugin does not work correctly in 389-ds-base-1.3.2.8-1.fc20:

$ kinit admin

$ ldapsearch -H ldap://ipa.example.com -Y GSSAPI -b 'cn=referential integrity postoperation,cn=plugins,cn=config' -s base '(objectClass=*)' nsslapd-pluginEnabled nsslapd-pluginarg7
# referential integrity postoperation, plugins, config
dn: cn=referential integrity postoperation,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginarg7: manager

$ ipa user-add manager

$ ipa user-add user --manager=manager

$ ldapsearch -H ldap://ipa.example.com -Y GSSAPI -b 'uid=user,cn=users,cn=accounts,dc=example,dc=com' -s base '(objectClass=*)' manager
# user, users, accounts, example.com
dn: uid=user,cn=users,cn=accounts,dc=example,dc=com
manager: uid=manager,cn=users,cn=accounts,dc=example,dc=com

$ ipa user-del manager

$ ldapsearch -H ldap://ipa.example.com -Y GSSAPI -b 'uid=manager,cn=users,cn=accounts,dc=example,dc=com' -s base '(objectClass=*)' dn
# search result
search: 4
result: 32 No such object
matchedDN: cn=users,cn=accounts,dc=example,dc=com

$ ldapsearch -H ldap://ipa.example.com -Y GSSAPI -b 'uid=user,cn=users,cn=accounts,dc=example,dc=com' -s base '(objectClass=*)' manager
# user, users, accounts, example.com
dn: uid=user,cn=users,cn=accounts,dc=example,dc=com
manager: uid=manager,cn=users,cn=accounts,dc=example,dc=com

(The manager attribute should be deleted by refint and gone in the last ldapsearch output, but it is not.)

[389-ds-bot]

Comment from lkrispen (@elkris) at 2013-12-10 23:13:10

Could you check if it works if you add the two attrs to the referint config:

nsslapd-pluginEntryScope: dc=example,dc=com
nsslapd-pluginContainerScope: dc=example,dc=com

[389-ds-bot]

Comment from jcholast at 2013-12-11 16:01:49

That fixed the issue. Is this a misconfiguration on IPA's side?

[389-ds-bot]

Comment from lkrispen (@elkris) at 2013-12-11 17:06:11

nothing wrong with ipa. it is probably a side effect of fix 47527, where tese params were introduced, but without them behaviour should be as before.
I failed to reproduce with my current version for 47621, but will test again.

[389-ds-bot]

Comment from lkrispen (@elkris) at 2013-12-11 20:44:42

just confirmed that with the original fix for 47527 referint fails if the delay (pluginarg0) is set to 0. There are two workarounds,
either specify enetryscope and containerscope as suggested in comment 2
or configure a delay for the referential integrity plugin eg nsslapd-pluginarg0: 1

It will be fixed with 47621.

[389-ds-bot]

Comment from lkrispen (@elkris) at 2013-12-17 14:57:57

The bug was that update_integrity was only called if entryScope was defined:

<<< rc = update_integrity(argv, sdn, NULL, NULL, logChanges);

if (plugin_EntryScope && slapi_sdn_issuffix(sdn, plugin_EntryScope)) {
rc = update_integrity(argv, sdn, NULL, NULL, logChanges);
}
which violated default behaviour. The fix for 47621 handles this:

•    if (plugin_EntryScope && slapi_sdn_issuffix(sdn, plugin_EntryScope)) {
  

•    if (referint_sdn_in_entry_scope(sdn)) {
         rc = update_integrity(sdn, NULL, NULL, logChanges);
  

and referint_sdn_in_entry_scope() handles it correctly

[389-ds-bot]

Comment from nkinder (@nkinder) at 2013-12-18 02:46:12

Closing as a duplicate of ticket 47621.

[389-ds-bot]

Comment from lkrispen (@elkris) at 2017-02-11 22:59:03

Metadata Update from @elkris:

• Issue assigned to elkris
• Issue set to the milestone: N/A