andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 5 months ago
Clone
Blob Blame History Raw
From 81f26a33df3c5f369097d673edfe52535ce77cc4 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue, 20 Aug 2013 14:09:26 -0700
Subject: [PATCH] Ticket #47488 - Users from AD sub OU does not sync to IPA

Bug description: When processing a DN from AD, the DN is passed to
a helper function is_subject_of_agreement_remote (windows_protocol_
util.c) to check if the DN is a subject of the sync service or not.
The helper function was checking if the AD DN is just one-level
child of the agreement subtree top (nsds7WindowsReplicaSubtree) but
not the subtree-level descendents.  Note: the DN is an original one
in AD, which has not be flattened yet.  Therefore, the AD entry was
determined not to be synchronized.

Fix description: This bug was fixed in the master tree with the
ticket #521 - modrdn + NSMMReplicationPlugin - Consumer failed to
replay change.
 3) is_subject_of_agreement_remote (windows_protocol_util.c):
    When checking if the entry was in the subtree defined in the
    agreement or not, it returned true only if the entry is a
    direct child of the agreement subtree top. This patch returns
    true if the entry is the further descendent of the subtree.
The fix is back ported to 389-ds-base-1.3.1 branch.

Reviewed by Rich (Thank you!!)

https://fedorahosted.org/389/ticket/47488
(cherry picked from commit 529a544a2fe9961d9286e191346fb5faca27d38b)
(cherry picked from commit 26c669dcad15f9dbbfdff6fbeffac579099b7718)
---
 ldap/servers/plugins/replication/windows_protocol_util.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c
index 0b3c575..75cb935 100644
--- a/ldap/servers/plugins/replication/windows_protocol_util.c
+++ b/ldap/servers/plugins/replication/windows_protocol_util.c
@@ -3891,7 +3891,12 @@ error:
 	return retval;
 }
 
-/* Tests if the entry is subject to our agreement (i.e. is it in the sync'ed subtree in AD and either a user or a group ?) */
+/* 
+ * Tests if the entry is subject to our agreement
+ * (i.e. is it in the sync'ed subtree in AD and either a user or a group ?)
+ * return value: 1 -- it is subject to the agreement
+ *               0 -- out of scope
+ */
 static int 
 is_subject_of_agreement_remote(Slapi_Entry *e, const Repl_Agmt *ra)
 {
@@ -3922,7 +3927,8 @@ is_subject_of_agreement_remote(Slapi_Entry *e, const Repl_Agmt *ra)
 		 * 'e' as out of scope.
 		 */
 		slapi_sdn_get_parent(sdn, &psdn);
-		if (0 == slapi_sdn_compare(&psdn, agreement_subtree)) {
+		if (slapi_sdn_issuffix(&psdn, agreement_subtree)) {
+			/* parent is in agreement_subtree. */
 			retval = 1;
 		} else {
 			/* If parent entry is not local, the entry is out of scope */
-- 
1.8.1.4