Bug 1533571

Summary: memberof: schema violation error message is confusing as memberof will likely repair target entry
Product: Red Hat Enterprise Linux 7 Reporter: mreynolds
Component: 389-ds-base Assignee: thierry bordaz <tbordaz>
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 7.4 CC: amsharma, lmiksik, nkinder, rmeggins, tbordaz
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.7.5-13 Doc Type: Bug Fix
Doc Text:
The *memberOf* plug-in now logs all update attempts of the *memberOf* attribute

In certain situations, Directory Server fails to update the "memberOf" attribute of a user entry. In this case, the *memberOf* plug-in logs an error message and forces the update. In the previous Directory Server version, the second try was not logged if it was successful. Consequently, the log entries were misleading, because only the failed attempt was logged. With this update, the *memberOf* plug-in also logs the successful update if the first try failed. As a result, the plug-in now logs the initial failure, and the subsequent successful retry as well.
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 14:23:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description mreynolds 2018-01-11 16:32:41 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49523

#### Issue Description
When memberof is enabled, it adds the 'memberof' attribute to member entries. If a member entry does not have the appropriate objectclass to support the 'memberof' attribute, an ERR is logged.

    [05/Jan/2018:12:46:22.803032331 +0100] - ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed


This is confusing because memberof will catch this violation and may try to repair it. So although this message is alarming, the target entry may finally have the 'memberof' attribute.

This is especially confusing since https://pagure.io/389-ds-base/issue/48985, where the repair operation is done by default (if schema is violated).

We cannot (and should not) eliminate the schema violation message. But memberof should log an additional warning (beside the schema violation msg) stating it repaired the violation.


#### Package Version and Platform
Any version


#### Steps to reproduce

1. Run the attached testcase

#### Actual results

    [05/Jan/2018:12:46:22.803032331 +0100] - ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed


#### Expected results

    [05/Jan/2018:12:46:22.803032331 +0100] - ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
    [05/Jan/2018:12:46:22.803032331 +0100] - WARN - memberof-plugin - Entry "cn=user_1,ou=People,dc=example,dc=com" schema violation caugth - repair operation succeeded

Comment 3 Amita Sharma 2018-01-29 07:59:23 UTC
[root@qeos-13 memberof_plugin]# pytest -s -v regression_test.py::test_scheme_violation_errors_logged
================================================================ test session starts =================================================================
platform linux -- Python 3.6.3, pytest-3.3.2, py-1.5.2, pluggy-0.6.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .cache
metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-837.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'pytest': '3.3.2', 'py': '1.5.2', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.5.1', 'html': '1.16.1'}}
389-ds-base: 1.3.7.5-14.el7
nss: 3.34.0-4.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-12.el7
svrcore: 4.1.3-2.el7


INFO:regression_test:pattern = .*oc_check_allowed_sv.*uid=user_,ou=People,dc=example,dc=com.*memberOf.*not allowed.*
PASSED                                                                                 [100%]

============================================================= 1 passed in 44.70 seconds ==============================================================
[root@qeos-13 memberof_plugin]# tail-f /var/log/dirsrv/slapd-master1/errors
bash: tail-f: command not found
[root@qeos-13 memberof_plugin]# tail -f /var/log/dirsrv/slapd-master1/errors
[29/Jan/2018:02:54:18.493721519 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[29/Jan/2018:02:54:18.502513485 -0500] - NOTICE - ldbm_back_start - found 1882792k physical memory
[29/Jan/2018:02:54:18.503637342 -0500] - NOTICE - ldbm_back_start - found 1475504k available
[29/Jan/2018:02:54:18.504185702 -0500] - NOTICE - ldbm_back_start - cache autosizing: db cache: 47069k
[29/Jan/2018:02:54:18.504747775 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (1 total): 131072k
[29/Jan/2018:02:54:18.505698919 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (1 total): 65536k
[29/Jan/2018:02:54:18.506490075 -0500] - NOTICE - ldbm_back_start - total cache size: 239886172 B; 
[29/Jan/2018:02:54:18.596097668 -0500] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 39001 for LDAP requests
[29/Jan/2018:02:54:18.692715170 -0500] - ERR - oc_check_allowed_sv - Entry "uid=user_,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
[29/Jan/2018:02:54:18.694605131 -0500] - WARN - memberof-plugin - Entry uid=user_,ou=People,dc=example,dc=com - schema violation caught - repair operation succeeded

Hence marking as verified.
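
For log triage, the two message types shown in the errors log above can be paired so that only violations memberof did not repair are surfaced. This is an added example, not part of the comment above or of 389-ds-base; the function names and the last two sample lines are constructed, and DN comparison is simplified to case-folding.

```python
import re

# Line formats taken from the errors log quoted on this page.
VIOLATION = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - ERR - oc_check_allowed_sv - '
    r'Entry "(?P<dn>[^"]+)" -- attribute "(?P<attr>[^"]+)" not allowed')
REPAIR = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - WARN - memberof-plugin - '
    r'Entry "?(?P<dn>.+?)"? - schema violation caught - '
    r'repair operation succeeded')

def norm(dn):
    # Assumption: simplified DN matching (case-fold, no space around commas).
    return re.sub(r'\s*,\s*', ',', dn.strip()).lower()

def triage(lines):
    """Return (repaired, unresolved) lists of (timestamp, dn, attribute)."""
    pending = {}  # normalized DN -> memberOf violations awaiting a repair line
    repaired, unresolved = [], []
    for line in lines:
        m = VIOLATION.match(line)
        if m:
            item = (m['ts'], m['dn'], m['attr'])
            if m['attr'].lower() == 'memberof':
                pending.setdefault(norm(m['dn']), []).append(item)
            else:
                unresolved.append(item)  # the memberof repair never covers these
            continue
        m = REPAIR.match(line)
        if m:
            repaired.extend(pending.pop(norm(m['dn']), []))
    for items in pending.values():
        unresolved.extend(items)  # ERR with no later repair message
    return repaired, unresolved

# Sample input: lines 1-2 follow the log above; lines 3-4 are constructed.
SAMPLE = [
    '[29/Jan/2018:02:54:18.692715170 -0500] - ERR - oc_check_allowed_sv - Entry "uid=user_,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed',
    '[29/Jan/2018:02:54:18.694605131 -0500] - WARN - memberof-plugin - Entry uid=user_,ou=People,dc=example,dc=com - schema violation caught - repair operation succeeded',
    '[29/Jan/2018:02:55:01.000000000 -0500] - INFO - slapd_daemon - constructed unrelated line',
    '[29/Jan/2018:02:55:02.000000000 -0500] - ERR - oc_check_allowed_sv - Entry "uid=user_2,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed',
]

if __name__ == "__main__":
    fixed, open_items = triage(SAMPLE)
    print("repaired:", fixed)
    print("unresolved:", open_items)
```

On builds older than the Fixed In Version listed above, the repair line is never logged, so every memberOf violation is reported as unresolved.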

Comment 7 errata-xmlrpc 2018-04-10 14:23:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811