#!/usr/bin/env python3 # -*- coding: utf-8 -*- # # Tests replication scenarios that involve conflicting linked attribute # information between the 2 DCs. # # Copyright (C) Catalyst.Net Ltd. 2017 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # # # Usage: # export DC1=dc1_dns_name # export DC2=dc2_dns_name # export SUBUNITRUN=$samba4srcdir/scripting/bin/subunitrun # PYTHONPATH="$PYTHONPATH:$samba4srcdir/torture/drs/python" $SUBUNITRUN \ # link_conflicts -U"$DOMAIN/$DC_USERNAME"%"$DC_PASSWORD" # import drs_base import samba.tests import ldb from ldb import SCOPE_BASE import random import time from drs_base import AbstractLink from samba.dcerpc import drsuapi, misc from samba.dcerpc.drsuapi import DRSUAPI_EXOP_ERR_SUCCESS # specifies the order to sync DCs in DC1_TO_DC2 = 1 DC2_TO_DC1 = 2 class DrsReplicaLinkConflictTestCase(drs_base.DrsBaseTestCase): def setUp(self): super(DrsReplicaLinkConflictTestCase, self).setUp() self.ou = samba.tests.create_test_ou(self.ldb_dc1, "test_link_conflict") self.base_dn = self.ldb_dc1.get_default_basedn() (self.drs, self.drs_handle) = self._ds_bind(self.dnsname_dc1) (self.drs2, self.drs2_handle) = self._ds_bind(self.dnsname_dc2) # disable replication for the tests so we can control at what point # the DCs try to replicate self._disable_inbound_repl(self.dnsname_dc1) self._disable_inbound_repl(self.dnsname_dc2) def tearDown(self): # re-enable replication self._enable_inbound_repl(self.dnsname_dc1) self._enable_inbound_repl(self.dnsname_dc2) self.ldb_dc1.delete(self.ou, ["tree_delete:1"]) super(DrsReplicaLinkConflictTestCase, self).tearDown() def get_guid(self, samdb, dn): """Returns an object's GUID (in string format)""" res = samdb.search(base=dn, attrs=["objectGUID"], scope=ldb.SCOPE_BASE) return self._GUID_string(res[0]['objectGUID'][0]) def add_object(self, samdb, dn, objectclass="organizationalunit"): """Adds an object""" samdb.add({"dn": dn, "objectclass": objectclass}) return self.get_guid(samdb, dn) def modify_object(self, samdb, dn, attr, value): """Modifies an attribute for an object""" m = ldb.Message() m.dn = ldb.Dn(samdb, dn) m[attr] = ldb.MessageElement(value, ldb.FLAG_MOD_ADD, attr) samdb.modify(m) def add_link_attr(self, samdb, source_dn, attr, target_dn): """Adds a linked attribute between 2 objects""" # add the specified attribute to the source object self.modify_object(samdb, source_dn, attr, target_dn) def del_link_attr(self, samdb, src, attr, target): m = ldb.Message() m.dn = ldb.Dn(samdb, src) m[attr] = ldb.MessageElement(target, ldb.FLAG_MOD_DELETE, attr) samdb.modify(m) def sync_DCs(self, sync_order=DC1_TO_DC2): """Manually syncs the 2 DCs to ensure they're in sync""" if sync_order == DC1_TO_DC2: # sync DC1-->DC2, then DC2-->DC1 self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1) self._net_drs_replicate(DC=self.dnsname_dc1, fromDC=self.dnsname_dc2) else: # sync DC2-->DC1, then DC1-->DC2 self._net_drs_replicate(DC=self.dnsname_dc1, fromDC=self.dnsname_dc2) self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1) def ensure_unique_timestamp(self): """Waits a second to ensure a unique timestamp between 2 objects""" time.sleep(1) def unique_dn(self, obj_name): """Returns a unique object DN""" # Because we run each test case twice, we need to create a unique DN so # that the 2nd run doesn't hit objects that already exist. Add some # randomness to the object DN to make it unique rand = random.randint(1, 10000000) return "%s-%d,%s" % (obj_name, rand, self.ou) def assert_attrs_match(self, res1, res2, attr, expected_count): """ Asserts that the search results contain the expected number of attributes and the results match on both DCs """ actual_len = len(res1[0][attr]) self.assertTrue(actual_len == expected_count, "Expected %u %s attributes, got %u" % (expected_count, attr, actual_len)) actual_len = len(res2[0][attr]) self.assertTrue(actual_len == expected_count, "Expected %u %s attributes, got %u" % (expected_count, attr, actual_len)) # check DCs both agree on the same linked attributes for val in res1[0][attr]: self.assertTrue(val in res2[0][attr], "%s '%s' not found on DC2" % (attr, val)) def zero_highwatermark(self): """Returns a zeroed highwatermark so that all DRS data gets returned""" hwm = drsuapi.DsReplicaHighWaterMark() hwm.tmp_highest_usn = 0 hwm.reserved_usn = 0 hwm.highest_usn = 0 return hwm def _check_replicated_links(self, src_obj_dn, expected_links): """Checks that replication sends back the expected linked attributes""" self._check_replication([src_obj_dn], drsuapi.DRSUAPI_DRS_WRIT_REP, dest_dsa=None, drs_error=drsuapi.DRSUAPI_EXOP_ERR_SUCCESS, nc_dn_str=src_obj_dn, exop=drsuapi.DRSUAPI_EXOP_REPL_OBJ, expected_links=expected_links, highwatermark=self.zero_highwatermark()) # Check DC2 as well self.set_test_ldb_dc(self.ldb_dc2) self._check_replication([src_obj_dn], drsuapi.DRSUAPI_DRS_WRIT_REP, dest_dsa=None, drs_error=drsuapi.DRSUAPI_EXOP_ERR_SUCCESS, nc_dn_str=src_obj_dn, exop=drsuapi.DRSUAPI_EXOP_REPL_OBJ, expected_links=expected_links, highwatermark=self.zero_highwatermark(), drs=self.drs2, drs_handle=self.drs2_handle) self.set_test_ldb_dc(self.ldb_dc1) def _test_conflict_single_valued_link(self, sync_order): """ Tests a simple single-value link conflict, i.e. each DC adds a link to the same source object but linking to different targets. """ src_ou = self.unique_dn("OU=src") src_guid = self.add_object(self.ldb_dc1, src_ou) self.sync_DCs() # create a unique target on each DC target1_ou = self.unique_dn("OU=target1") target2_ou = self.unique_dn("OU=target2") target1_guid = self.add_object(self.ldb_dc1, target1_ou) target2_guid = self.add_object(self.ldb_dc2, target2_ou) # link the test OU to the respective targets created self.add_link_attr(self.ldb_dc1, src_ou, "managedBy", target1_ou) self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc2, src_ou, "managedBy", target2_ou) # sync the 2 DCs self.sync_DCs(sync_order=sync_order) res1 = self.ldb_dc1.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["managedBy"]) res2 = self.ldb_dc2.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["managedBy"]) # check the object has only have one occurence of the single-valued # attribute and it matches on both DCs self.assert_attrs_match(res1, res2, "managedBy", 1) self.assertTrue(str(res1[0]["managedBy"][0]) == target2_ou, "Expected most recent update to win conflict") # we can't query the deleted links over LDAP, but we can check DRS # to make sure the DC kept a copy of the conflicting link link1 = AbstractLink(drsuapi.DRSUAPI_ATTID_managedBy, 0, misc.GUID(src_guid), misc.GUID(target1_guid)) link2 = AbstractLink(drsuapi.DRSUAPI_ATTID_managedBy, drsuapi.DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE, misc.GUID(src_guid), misc.GUID(target2_guid)) self._check_replicated_links(src_ou, [link1, link2]) def test_conflict_single_valued_link(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._test_conflict_single_valued_link(sync_order=DC1_TO_DC2) self._test_conflict_single_valued_link(sync_order=DC2_TO_DC1) def _test_duplicate_single_valued_link(self, sync_order): """ Adds the same single-valued link on 2 DCs and checks we don't end up with 2 copies of the link. """ # create unique objects for the link target_ou = self.unique_dn("OU=target") self.add_object(self.ldb_dc1, target_ou) src_ou = self.unique_dn("OU=src") src_guid = self.add_object(self.ldb_dc1, src_ou) self.sync_DCs() # link the same test OU to the same target on both DCs self.add_link_attr(self.ldb_dc1, src_ou, "managedBy", target_ou) self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc2, src_ou, "managedBy", target_ou) # sync the 2 DCs self.sync_DCs(sync_order=sync_order) res1 = self.ldb_dc1.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["managedBy"]) res2 = self.ldb_dc2.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["managedBy"]) # check the object has only have one occurence of the single-valued # attribute and it matches on both DCs self.assert_attrs_match(res1, res2, "managedBy", 1) def test_duplicate_single_valued_link(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._test_duplicate_single_valued_link(sync_order=DC1_TO_DC2) self._test_duplicate_single_valued_link(sync_order=DC2_TO_DC1) def _test_conflict_multi_valued_link(self, sync_order): """ Tests a simple multi-valued link conflict. This adds 2 objects with the same username on 2 different DCs and checks their group membership is preserved after the conflict is resolved. """ # create a common link source src_dn = self.unique_dn("CN=src") src_guid = self.add_object(self.ldb_dc1, src_dn, objectclass="group") self.sync_DCs() # create the same user (link target) on each DC. # Note that the GUIDs will differ between the DCs target_dn = self.unique_dn("CN=target") target1_guid = self.add_object(self.ldb_dc1, target_dn, objectclass="user") self.ensure_unique_timestamp() target2_guid = self.add_object(self.ldb_dc2, target_dn, objectclass="user") # link the src group to the respective target created self.add_link_attr(self.ldb_dc1, src_dn, "member", target_dn) self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc2, src_dn, "member", target_dn) # sync the 2 DCs. We expect the more recent target2 object to win self.sync_DCs(sync_order=sync_order) res1 = self.ldb_dc1.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["member"]) res2 = self.ldb_dc2.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["member"]) target1_conflict = False # we expect exactly 2 members in our test group (both DCs should agree) self.assert_attrs_match(res1, res2, "member", 2) for val in [str(val) for val in res1[0]["member"]]: # check the expected conflicting object was renamed self.assertFalse("CNF:%s" % target2_guid in val) if "CNF:%s" % target1_guid in val: target1_conflict = True self.assertTrue(target1_conflict, "Expected link to conflicting target object not found") def test_conflict_multi_valued_link(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._test_conflict_multi_valued_link(sync_order=DC1_TO_DC2) self._test_conflict_multi_valued_link(sync_order=DC2_TO_DC1) def _test_duplicate_multi_valued_link(self, sync_order): """ Adds the same multivalued link on 2 DCs and checks we don't end up with 2 copies of the link. """ # create the link source/target objects src_dn = self.unique_dn("CN=src") src_guid = self.add_object(self.ldb_dc1, src_dn, objectclass="group") target_dn = self.unique_dn("CN=target") self.add_object(self.ldb_dc1, target_dn, objectclass="user") self.sync_DCs() # link the src group to the same target user separately on each DC self.add_link_attr(self.ldb_dc1, src_dn, "member", target_dn) self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc2, src_dn, "member", target_dn) self.sync_DCs(sync_order=sync_order) res1 = self.ldb_dc1.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["member"]) res2 = self.ldb_dc2.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["member"]) # we expect to still have only 1 member in our test group self.assert_attrs_match(res1, res2, "member", 1) def test_duplicate_multi_valued_link(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._test_duplicate_multi_valued_link(sync_order=DC1_TO_DC2) self._test_duplicate_multi_valued_link(sync_order=DC2_TO_DC1) def _test_conflict_backlinks(self, sync_order): """ Tests that resolving a source object conflict fixes up any backlinks, e.g. the same user is added to a conflicting group. """ # create a common link target target_dn = self.unique_dn("CN=target") target_guid = self.add_object(self.ldb_dc1, target_dn, objectclass="user") self.sync_DCs() # create the same group (link source) on each DC. # Note that the GUIDs will differ between the DCs src_dn = self.unique_dn("CN=src") src1_guid = self.add_object(self.ldb_dc1, src_dn, objectclass="group") self.ensure_unique_timestamp() src2_guid = self.add_object(self.ldb_dc2, src_dn, objectclass="group") # link the src group to the respective target created self.add_link_attr(self.ldb_dc1, src_dn, "member", target_dn) self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc2, src_dn, "member", target_dn) # sync the 2 DCs. We expect the more recent src2 object to win self.sync_DCs(sync_order=sync_order) res1 = self.ldb_dc1.search(base="" % target_guid, scope=SCOPE_BASE, attrs=["memberOf"]) res2 = self.ldb_dc2.search(base="" % target_guid, scope=SCOPE_BASE, attrs=["memberOf"]) src1_backlink = False # our test user should still be a member of 2 groups (check both # DCs agree) self.assert_attrs_match(res1, res2, "memberOf", 2) for val in [str(val) for val in res1[0]["memberOf"]]: # check the conflicting object was renamed self.assertFalse("CNF:%s" % src2_guid in val) if "CNF:%s" % src1_guid in val: src1_backlink = True self.assertTrue(src1_backlink, "Backlink to conflicting source object not found") def test_conflict_backlinks(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._test_conflict_backlinks(sync_order=DC1_TO_DC2) self._test_conflict_backlinks(sync_order=DC2_TO_DC1) def _test_link_deletion_conflict(self, sync_order): """ Checks that a deleted link conflicting with an active link is resolved correctly. """ # Add the link objects target_dn = self.unique_dn("CN=target") self.add_object(self.ldb_dc1, target_dn, objectclass="user") src_dn = self.unique_dn("CN=src") src_guid = self.add_object(self.ldb_dc1, src_dn, objectclass="group") self.sync_DCs() # add the same link on both DCs, and resolve any conflict self.add_link_attr(self.ldb_dc2, src_dn, "member", target_dn) self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc1, src_dn, "member", target_dn) self.sync_DCs(sync_order=sync_order) # delete and re-add the link on one DC self.del_link_attr(self.ldb_dc1, src_dn, "member", target_dn) self.add_link_attr(self.ldb_dc1, src_dn, "member", target_dn) # just delete it on the other DC self.ensure_unique_timestamp() self.del_link_attr(self.ldb_dc2, src_dn, "member", target_dn) # sanity-check the link is gone on this DC res1 = self.ldb_dc2.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["member"]) self.assertFalse("member" in res1[0], "Couldn't delete member attr") # sync the 2 DCs. We expect the more older DC1 attribute to win # because it has a higher version number (even though it's older) self.sync_DCs(sync_order=sync_order) res1 = self.ldb_dc1.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["member"]) res2 = self.ldb_dc2.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["member"]) # our test user should still be a member of the group (check both # DCs agree) self.assertTrue("member" in res1[0], "Expected member attribute missing") self.assert_attrs_match(res1, res2, "member", 1) def test_link_deletion_conflict(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._test_link_deletion_conflict(sync_order=DC1_TO_DC2) self._test_link_deletion_conflict(sync_order=DC2_TO_DC1) def _test_obj_deletion_conflict(self, sync_order, del_target): """ Checks that a receiving a new link for a deleted object gets resolved correctly. """ target_dn = self.unique_dn("CN=target") target_guid = self.add_object(self.ldb_dc1, target_dn, objectclass="user") src_dn = self.unique_dn("CN=src") src_guid = self.add_object(self.ldb_dc1, src_dn, objectclass="group") self.sync_DCs() # delete the object on one DC if del_target: search_guid = src_guid self.ldb_dc2.delete(target_dn) else: search_guid = target_guid self.ldb_dc2.delete(src_dn) # add a link on the other DC self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc1, src_dn, "member", target_dn) self.sync_DCs(sync_order=sync_order) # the object deletion should trump the link addition. # Check the link no longer exists on the remaining object res1 = self.ldb_dc1.search(base="" % search_guid, scope=SCOPE_BASE, attrs=["member", "memberOf"]) res2 = self.ldb_dc2.search(base="" % search_guid, scope=SCOPE_BASE, attrs=["member", "memberOf"]) self.assertFalse("member" in res1[0], "member attr shouldn't exist") self.assertFalse("member" in res2[0], "member attr shouldn't exist") self.assertFalse("memberOf" in res1[0], "member attr shouldn't exist") self.assertFalse("memberOf" in res2[0], "member attr shouldn't exist") def test_obj_deletion_conflict(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._test_obj_deletion_conflict(sync_order=DC1_TO_DC2, del_target=True) self._test_obj_deletion_conflict(sync_order=DC2_TO_DC1, del_target=True) # and also try deleting the source object instead of the link target self._test_obj_deletion_conflict(sync_order=DC1_TO_DC2, del_target=False) self._test_obj_deletion_conflict(sync_order=DC2_TO_DC1, del_target=False) def _test_full_sync_link_conflict(self, sync_order): """ Checks that doing a full sync doesn't affect how conflicts get resolved """ # create the objects for the linked attribute src_dn = self.unique_dn("CN=src") src_guid = self.add_object(self.ldb_dc1, src_dn, objectclass="group") target_dn = self.unique_dn("CN=target") self.add_object(self.ldb_dc1, target_dn, objectclass="user") self.sync_DCs() # add the same link on both DCs self.add_link_attr(self.ldb_dc2, src_dn, "member", target_dn) self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc1, src_dn, "member", target_dn) # Do a couple of full syncs which should resolve the conflict # (but only for one DC) if sync_order == DC1_TO_DC2: self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1, full_sync=True) self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1, full_sync=True) else: self._net_drs_replicate(DC=self.dnsname_dc1, fromDC=self.dnsname_dc2, full_sync=True) self._net_drs_replicate(DC=self.dnsname_dc1, fromDC=self.dnsname_dc2, full_sync=True) # delete and re-add the link on one DC self.del_link_attr(self.ldb_dc1, src_dn, "member", target_dn) self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc1, src_dn, "member", target_dn) # just delete the link on the 2nd DC self.ensure_unique_timestamp() self.del_link_attr(self.ldb_dc2, src_dn, "member", target_dn) # sync the 2 DCs. We expect DC1 to win based on version number self.sync_DCs(sync_order=sync_order) res1 = self.ldb_dc1.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["member"]) res2 = self.ldb_dc2.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["member"]) # check the membership still exits (and both DCs agree) self.assertTrue("member" in res1[0], "Expected member attribute missing") self.assert_attrs_match(res1, res2, "member", 1) def test_full_sync_link_conflict(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._test_full_sync_link_conflict(sync_order=DC1_TO_DC2) self._test_full_sync_link_conflict(sync_order=DC2_TO_DC1) def _singleval_link_conflict_deleted_winner(self, sync_order): """ Tests a single-value link conflict where the more-up-to-date link value is deleted. """ src_ou = self.unique_dn("OU=src") src_guid = self.add_object(self.ldb_dc1, src_ou) self.sync_DCs() # create a unique target on each DC target1_ou = self.unique_dn("OU=target1") target2_ou = self.unique_dn("OU=target2") target1_guid = self.add_object(self.ldb_dc1, target1_ou) target2_guid = self.add_object(self.ldb_dc2, target2_ou) # add the links for the respective targets, and delete one of the links self.add_link_attr(self.ldb_dc1, src_ou, "managedBy", target1_ou) self.add_link_attr(self.ldb_dc2, src_ou, "managedBy", target2_ou) self.ensure_unique_timestamp() self.del_link_attr(self.ldb_dc1, src_ou, "managedBy", target1_ou) # sync the 2 DCs self.sync_DCs(sync_order=sync_order) res1 = self.ldb_dc1.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["managedBy"]) res2 = self.ldb_dc2.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["managedBy"]) # Although the more up-to-date link value is deleted, this shouldn't # trump DC1's active link self.assert_attrs_match(res1, res2, "managedBy", 1) self.assertTrue(str(res1[0]["managedBy"][0]) == target2_ou, "Expected active link win conflict") # we can't query the deleted links over LDAP, but we can check that # the deleted links exist using DRS link1 = AbstractLink(drsuapi.DRSUAPI_ATTID_managedBy, 0, misc.GUID(src_guid), misc.GUID(target1_guid)) link2 = AbstractLink(drsuapi.DRSUAPI_ATTID_managedBy, drsuapi.DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE, misc.GUID(src_guid), misc.GUID(target2_guid)) self._check_replicated_links(src_ou, [link1, link2]) def test_conflict_single_valued_link_deleted_winner(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._singleval_link_conflict_deleted_winner(sync_order=DC1_TO_DC2) self._singleval_link_conflict_deleted_winner(sync_order=DC2_TO_DC1) def _singleval_link_conflict_deleted_loser(self, sync_order): """ Tests a single-valued link conflict, where the losing link value is deleted. """ src_ou = self.unique_dn("OU=src") src_guid = self.add_object(self.ldb_dc1, src_ou) self.sync_DCs() # create a unique target on each DC target1_ou = self.unique_dn("OU=target1") target2_ou = self.unique_dn("OU=target2") target1_guid = self.add_object(self.ldb_dc1, target1_ou) target2_guid = self.add_object(self.ldb_dc2, target2_ou) # add the links - we want the link to end up deleted on DC2, but active # on DC1. DC1 has the better version and DC2 has the better timestamp - # the better version should win self.add_link_attr(self.ldb_dc1, src_ou, "managedBy", target1_ou) self.del_link_attr(self.ldb_dc1, src_ou, "managedBy", target1_ou) self.add_link_attr(self.ldb_dc1, src_ou, "managedBy", target1_ou) self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc2, src_ou, "managedBy", target2_ou) self.del_link_attr(self.ldb_dc2, src_ou, "managedBy", target2_ou) self.sync_DCs(sync_order=sync_order) res1 = self.ldb_dc1.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["managedBy"]) res2 = self.ldb_dc2.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["managedBy"]) # check the object has only have one occurence of the single-valued # attribute and it matches on both DCs self.assert_attrs_match(res1, res2, "managedBy", 1) self.assertTrue(str(res1[0]["managedBy"][0]) == target1_ou, "Expected most recent update to win conflict") # we can't query the deleted links over LDAP, but we can check DRS # to make sure the DC kept a copy of the conflicting link link1 = AbstractLink(drsuapi.DRSUAPI_ATTID_managedBy, drsuapi.DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE, misc.GUID(src_guid), misc.GUID(target1_guid)) link2 = AbstractLink(drsuapi.DRSUAPI_ATTID_managedBy, 0, misc.GUID(src_guid), misc.GUID(target2_guid)) self._check_replicated_links(src_ou, [link1, link2]) def test_conflict_single_valued_link_deleted_loser(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._singleval_link_conflict_deleted_loser(sync_order=DC1_TO_DC2) self._singleval_link_conflict_deleted_loser(sync_order=DC2_TO_DC1) def _test_conflict_existing_single_valued_link(self, sync_order): """ Tests a single-valued link conflict, where the conflicting link value already exists (as inactive) on both DCs. """ # create the link objects src_ou = self.unique_dn("OU=src") src_guid = self.add_object(self.ldb_dc1, src_ou) target1_ou = self.unique_dn("OU=target1") target2_ou = self.unique_dn("OU=target2") target1_guid = self.add_object(self.ldb_dc1, target1_ou) target2_guid = self.add_object(self.ldb_dc1, target2_ou) # add the links, but then delete them self.add_link_attr(self.ldb_dc1, src_ou, "managedBy", target1_ou) self.del_link_attr(self.ldb_dc1, src_ou, "managedBy", target1_ou) self.add_link_attr(self.ldb_dc1, src_ou, "managedBy", target2_ou) self.del_link_attr(self.ldb_dc1, src_ou, "managedBy", target2_ou) self.sync_DCs() # re-add the links independently on each DC self.add_link_attr(self.ldb_dc1, src_ou, "managedBy", target1_ou) self.ensure_unique_timestamp() self.add_link_attr(self.ldb_dc2, src_ou, "managedBy", target2_ou) # try to sync the 2 DCs self.sync_DCs(sync_order=sync_order) res1 = self.ldb_dc1.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["managedBy"]) res2 = self.ldb_dc2.search(base="" % src_guid, scope=SCOPE_BASE, attrs=["managedBy"]) # check the object has only have one occurence of the single-valued # attribute and it matches on both DCs self.assert_attrs_match(res1, res2, "managedBy", 1) # here we expect DC2 to win because it has the more recent link self.assertTrue(str(res1[0]["managedBy"][0]) == target2_ou, "Expected most recent update to win conflict") # we can't query the deleted links over LDAP, but we can check DRS # to make sure the DC kept a copy of the conflicting link link1 = AbstractLink(drsuapi.DRSUAPI_ATTID_managedBy, 0, misc.GUID(src_guid), misc.GUID(target1_guid)) link2 = AbstractLink(drsuapi.DRSUAPI_ATTID_managedBy, drsuapi.DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE, misc.GUID(src_guid), misc.GUID(target2_guid)) self._check_replicated_links(src_ou, [link1, link2]) def test_conflict_existing_single_valued_link(self): # repeat the test twice, to give each DC a chance to resolve # the conflict self._test_conflict_existing_single_valued_link(sync_order=DC1_TO_DC2) self._test_conflict_existing_single_valued_link(sync_order=DC2_TO_DC1) def test_link_attr_version(self): """ Checks the link attribute version starts from the correct value """ # create some objects and add a link src_ou = self.unique_dn("OU=src") self.add_object(self.ldb_dc1, src_ou) target1_ou = self.unique_dn("OU=target1") self.add_object(self.ldb_dc1, target1_ou) self.add_link_attr(self.ldb_dc1, src_ou, "managedBy", target1_ou) # get the link info via replication ctr6 = self._get_replication(drsuapi.DRSUAPI_DRS_WRIT_REP, dest_dsa=None, drs_error=DRSUAPI_EXOP_ERR_SUCCESS, exop=drsuapi.DRSUAPI_EXOP_REPL_OBJ, highwatermark=self.zero_highwatermark(), nc_dn_str=src_ou) self.assertTrue(ctr6.linked_attributes_count == 1, "DRS didn't return a link") link = ctr6.linked_attributes[0] rcvd_version = link.meta_data.version self.assertTrue(rcvd_version == 1, "Link version started from %u, not 1" % rcvd_version)