Sorry, this formatted, poorly. Find attached,
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 William Brown <william@xxxxxxxxxxxxxxxx>
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
#
from lib389._constants import DEFAULT_SUFFIX
from lib389.topologies import topology_st
from lib389.idm.group import Groups
from lib389.idm.user import nsUserAccounts
from lib389.idm.organizationalunit import OrganizationalUnit as OrganisationalUnit
from lib389.plugins import AutoMembershipPlugin, ReferentialIntegrityPlugin, AutoMembershipDefinitions
def test_rename_large_subtree(topology_st):
"""
A report stated that the following configuration would lead
to an operation failure:
ou=int,ou=account,dc=...
ou=s1,ou=int,ou=account,dc=...
ou=s2,ou=int,ou=account,dc=...
rename ou=s1 to re-parent to ou=account, leaving:
ou=int,ou=account,dc=...
ou=s1,ou=account,dc=...
ou=s2,ou=account,dc=...
The ou=s1 if it has < 100 entries below, is able to be reparented.
If ou=s1 has > 400 entries, it fails.
Other conditions was the presence of referential integrity - so one would
assume that all users under s1 are a member of some group external to this.
:id: 5915c38d-b3c2-4b7c-af76-8a1e002e27f7
:setup: standalone instance
:steps: 1. Enable automember plugin
2. Add < 500 users, and ensure they are members of a group.
3. Enable refer-int plugin
4. Move ou=s1 to a new parent
:expectedresults:
1. The plugin is enabled
2. The users are members of the group
3. The plugin is enabled
4. The rename operation of ou=s1 succeeds
"""
st = topology_st.standalone
# Create a default group
gps = Groups(st, DEFAULT_SUFFIX)
# Keep the group so we can get it's DN out.
group = gps.create(properties={
'cn': 'default_group'
})
# Enable automember
amp = AutoMembershipPlugin(st)
amp.enable()
# Create the automember definition
automembers = AutoMembershipDefinitions(st)
automember = automembers.create(properties={
'cn': 'testgroup_definition',
'autoMemberScope': DEFAULT_SUFFIX,
'autoMemberFilter': 'objectclass=nsAccount',
'autoMemberDefaultGroup': group.dn,
'autoMemberGroupingAttr': 'member:dn',
})
# Enable referint
rip = ReferentialIntegrityPlugin(st)
# We only need to enable the plugin, the default configuration is sane and
# correctly coveres member as an enforced attribute.
rip.enable()
# Restart to make sure it's enabled and good to go.
st.restart()
# Now unlike normal, we bypass the plural-create method, because we need control
# over the exact DN of the OU to create.
# Create the ou=account
# We don't need to set a DN here because ...
ou_account = OrganisationalUnit(st)
# It's set in the .create step.
ou_account.create(
basedn = DEFAULT_SUFFIX,
properties={
'ou': 'account'
})
# create the ou=int,ou=account
ou_int = OrganisationalUnit(st)
ou_int.create(
basedn = ou_account.dn,
properties={
'ou': 'int'
})
# Create the ou=s1,ou=int,ou=account
ou_s1 = OrganisationalUnit(st)
ou_s1.create(
basedn = ou_int.dn,
properties={
'ou': 's1'
})
# Create the users 1 -> 1000 in ou=s1
nsu = nsUserAccounts(st, basedn=ou_s1.dn, rdn=None)
for i in range(1000, 2000):
nsu.create_test_user(uid=i)
# Assert they are in the group as we expect
members = group.get_attr_vals_utf8('member')
assert len(members) == 1000
# Move ou=s1 to ou=account as parent. We have to provide the rdn,
# even though it's not changing.
ou_s1.rename('ou=s1', newsuperior=ou_account.dn)
members = group.get_attr_vals_utf8('member')
assert len(members) == 1000
# Check that we really did refer-int properly, and ou=int is not in the members.
for member in members:
assert 'ou=int' not in member
> On 21 Feb 2019, at 14:17, William Brown <wbrown@xxxxxxx> wrote:
>
>
>
>> On 21 Feb 2019, at 13:12, William Brown <wbrown@xxxxxxx> wrote:
>>
>>
>>
>>> On 21 Feb 2019, at 08:57, Olivier JUDITH <gnulux@xxxxxxxxx> wrote:
>>>
>>> Hi,
>>>
>>> I'm moving many ou to one level up
>>> ou=SITE1,ou=BU,ou=Account,dc=...
>>> ou=SITE2,ou=BU,ou=Account,dc=...
>>> to
>>> ou=SITE1,ou=Account,dc=......
>>> ou=SITE2,ou=Account,dc=...
>>>
>>> Don't want OU=BU anymore.
>>>
>>> ou=SITE1,ou=Account,dc=... has less than 100 entries it works fine
>>> ou=SITE2,ou=Account,dc=... has more than 400 entries , works randomly. Today i succeeded to move it (after instance restart) . So i tried another OU with more than 1000 entries and i got the
>>> same error.
>>
>> I am going to attempt to reproduce this, and I will report the results to you tomorrow :)
>
> Hey there,
>
> I can’t reproduce this. A likely explanation could be that it affects versions less than 1.4.x (which is what I was testing against).
> Here is the test case. Can you check that it matches your expectations? It may look a bit foreign as it’s based on our python lib389 suite:
>
> # --- BEGIN COPYRIGHT BLOCK ---
> # Copyright (C) 2019 William Brown <william@xxxxxxxxxxxxxxxx>
> # All rights reserved.
> #
> # License: GPL (version 3 or any later version).
> # See LICENSE for details.
> # --- END COPYRIGHT BLOCK ---
> #
>
>
> from lib389._constants import DEFAULT_SUFFIX
> from lib389.topologies import topology_st
>
> from lib389.idm.group import Groups
> from lib389.idm.user import nsUserAccounts
> from lib389.idm.organizationalunit import OrganizationalUnit as OrganisationalUnit
>
> from lib389.plugins import AutoMembershipPlugin, ReferentialIntegrityPlugin, AutoMembershipDefinitions
>
>
> def test_rename_large_subtree(topology_st):
> """
> A report stated that the following configuration would lead
> to an operation failure:
>
> ou=int,ou=account,dc=...
> ou=s1,ou=int,ou=account,dc=...
> ou=s2,ou=int,ou=account,dc=...
>
> rename ou=s1 to re-parent to ou=account, leaving:
>
> ou=int,ou=account,dc=...
> ou=s1,ou=account,dc=...
> ou=s2,ou=account,dc=...
>
> The ou=s1 if it has < 100 entries below, is able to be reparented.
>
> If ou=s1 has > 400 entries, it fails.
>
> Other conditions was the presence of referential integrity - so one would
> assume that all users under s1 are a member of some group external to this.
>
> :id: 5915c38d-b3c2-4b7c-af76-8a1e002e27f7
>
> :setup: standalone instance
>
> :steps: 1. Enable automember plugin
> 2. Add < 500 users, and ensure they are members of a group.
> 3. Enable refer-int plugin
> 4. Move ou=s1 to a new parent
>
> :expectedresults:
> 1. The plugin is enabled
> 2. The users are members of the group
> 3. The plugin is enabled
> 4. The rename operation of ou=s1 succeeds
> """
>
> st = topology_st.standalone
>
> # Create a default group
> gps = Groups(st, DEFAULT_SUFFIX)
> # Keep the group so we can get it's DN out.
> group = gps.create(properties={
> 'cn': 'default_group'
> })
>
> # Enable automember
> amp = AutoMembershipPlugin(st)
> amp.enable()
>
> # Create the automember definition
> automembers = AutoMembershipDefinitions(st)
>
> automember = automembers.create(properties={
> 'cn': 'testgroup_definition',
> 'autoMemberScope': DEFAULT_SUFFIX,
> 'autoMemberFilter': 'objectclass=nsAccount',
> 'autoMemberDefaultGroup': group.dn,
> 'autoMemberGroupingAttr': 'member:dn',
> })
>
> # Enable referint
> rip = ReferentialIntegrityPlugin(st)
> # We only need to enable the plugin, the default configuration is sane and
> # correctly coveres member as an enforced attribute.
> rip.enable()
>
> # Restart to make sure it's enabled and good to go.
> st.restart()
>
> # Now unlike normal, we bypass the plural-create method, because we need control
> # over the exact DN of the OU to create.
> # Create the ou=account
>
> # We don't need to set a DN here because ...
> ou_account = OrganisationalUnit(st)
>
> # It's set in the .create step.
> ou_account.create(
> basedn = DEFAULT_SUFFIX,
> properties={
> 'ou': 'account'
> })
> # create the ou=int,ou=account
> ou_int = OrganisationalUnit(st)
> ou_int.create(
> basedn = ou_account.dn,
> properties={
> 'ou': 'int'
> })
> # Create the ou=s1,ou=int,ou=account
> ou_s1 = OrganisationalUnit(st)
> ou_s1.create(
> basedn = ou_int.dn,
> properties={
> 'ou': 's1'
> })
>
> # Create the users 1 -> 1000 in ou=s1
> nsu = nsUserAccounts(st, basedn=ou_s1.dn, rdn=None)
> for i in range(1000, 2000):
> nsu.create_test_user(uid=i)
>
> # Assert they are in the group as we expect
> members = group.get_attr_vals_utf8('member')
> assert len(members) == 1000
>
> # Move ou=s1 to ou=account as parent. We have to provide the rdn,
> # even though it's not changing.
> ou_s1.rename('ou=s1', newsuperior=ou_account.dn)
>
> members = group.get_attr_vals_utf8('member')
> assert len(members) == 1000
> # Check that we really did refer-int properly, and ou=int is not in the members.
> for member in members:
> assert 'ou=int' not in member
>
>
>
>
>>
>>>
>>> Regards
>>>
>>> Le mer. 20 févr. 2019 à 23:44, William Brown <wbrown@xxxxxxx> a écrit :
>>> We would need to test this scenario, but it could very likely be a bug in the server.
>>>
>>> To be sure the conditions you have here are:
>>>
>>> ou=start,dc=…
>>> ou=destination,dc=…
>>>
>>> In ou=start you have 800+ entries.
>>>
>>> Then you are doing a modrdn of ou=start to ou=start,ou=destination,dc=…, and the error condition occurs?
>>>
>>> Is this correct?
>>>
>>>> On 21 Feb 2019, at 02:49, Olivier JUDITH <gnulux@xxxxxxxxx> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have activated Referential Integrity plugin on my instance in order to move several OU to a new parent subtree. Also to update automatically uniqueMember attribute defined in group member .
>>>> It works fine with few user entries under some OU but fails when the OU contains more than 400 entries or somtime more than 800.
>>>> The error from the 389-console is :
>>>> ou=UNITA, OU=Accounts,dc=mydomain,dc=com: netscape.ldap.LDAPException: error result (1); Operations error.
>>>> In error file
>>>> [20/Feb/2019:17:37:59.123749991 +0100] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
>>>>
>>>> After this error the OU : UNITA, OU=Accounts,dc=mydomain,dc=com is not visible from 389-console . I have to restart the instance in order to recover the OU.
>>>>
>>>> Did i miss something in my configuration or do i have to set a specific parameter to support big entries ?
>>>>
>>>> My installation : 389DS 1.3.6 .
>>>> _______________________________________________
>>>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>> —
>>> Sincerely,
>>>
>>> William Brown
>>> Software Engineer, 389 Directory Server
>>> SUSE Labs
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>
>> —
>> Sincerely,
>>
>> William Brown
>> Software Engineer, 389 Directory Server
>> SUSE Labs
>>
>
> —
> Sincerely,
>
> William Brown
> Software Engineer, 389 Directory Server
> SUSE Labs
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
—
Sincerely,
William Brown
Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
