From 81f26a33df3c5f369097d673edfe52535ce77cc4 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Tue, 20 Aug 2013 14:09:26 -0700 Subject: [PATCH] Ticket #47488 - Users from AD sub OU does not sync to IPA Bug description: When processing a DN from AD, the DN is passed to a helper function is_subject_of_agreement_remote (windows_protocol_ util.c) to check if the DN is a subject of the sync service or not. The helper function was checking if the AD DN is just one-level child of the agreement subtree top (nsds7WindowsReplicaSubtree) but not the subtree-level descendents. Note: the DN is an original one in AD, which has not be flattened yet. Therefore, the AD entry was determined not to be synchronized. Fix description: This bug was fixed in the master tree with the ticket #521 - modrdn + NSMMReplicationPlugin - Consumer failed to replay change. 3) is_subject_of_agreement_remote (windows_protocol_util.c): When checking if the entry was in the subtree defined in the agreement or not, it returned true only if the entry is a direct child of the agreement subtree top. This patch returns true if the entry is the further descendent of the subtree. The fix is back ported to 389-ds-base-1.3.1 branch. Reviewed by Rich (Thank you!!) https://fedorahosted.org/389/ticket/47488 (cherry picked from commit 529a544a2fe9961d9286e191346fb5faca27d38b) (cherry picked from commit 26c669dcad15f9dbbfdff6fbeffac579099b7718) --- ldap/servers/plugins/replication/windows_protocol_util.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c index 0b3c575..75cb935 100644 --- a/ldap/servers/plugins/replication/windows_protocol_util.c +++ b/ldap/servers/plugins/replication/windows_protocol_util.c @@ -3891,7 +3891,12 @@ error: return retval; } -/* Tests if the entry is subject to our agreement (i.e. is it in the sync'ed subtree in AD and either a user or a group ?) */ +/* + * Tests if the entry is subject to our agreement + * (i.e. is it in the sync'ed subtree in AD and either a user or a group ?) + * return value: 1 -- it is subject to the agreement + * 0 -- out of scope + */ static int is_subject_of_agreement_remote(Slapi_Entry *e, const Repl_Agmt *ra) { @@ -3922,7 +3927,8 @@ is_subject_of_agreement_remote(Slapi_Entry *e, const Repl_Agmt *ra) * 'e' as out of scope. */ slapi_sdn_get_parent(sdn, &psdn); - if (0 == slapi_sdn_compare(&psdn, agreement_subtree)) { + if (slapi_sdn_issuffix(&psdn, agreement_subtree)) { + /* parent is in agreement_subtree. */ retval = 1; } else { /* If parent entry is not local, the entry is out of scope */ -- 1.8.1.4