Bug 1647133

Summary: Log warn instead of ERR when aci target does not exist.
Product: Red Hat Enterprise Linux 7
Component: 389-ds-base
Version: 7.5
Reporter: German Parente <gparente>
Assignee: mreynolds
QA Contact: RHDS QE <ds-qe-bugs>
CC: aadhikar, cpelland, lkrispen, nkinder, rmeggins, spichugi, tbordaz, vashirov
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Target Release: 7.7
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.3.9.1-6.el7
Doc Type: No Doc Update
Last Closed: 2019-08-06 12:59:10 UTC
Type: Bug

Description German Parente 2018-11-06 17:54:50 UTC
Description of problem:

This is something we have very often in IPA context and customers are very often asking why there are errors in the logs:

[31/Oct/2018:05:52:23.436616394 -0400] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=cgparente,dc=local does not exist
[31/Oct/2018:05:52:23.438951763 -0400] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=cgparente,dc=local does not exist
[31/Oct/2018:05:52:23.441254396 -0400] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=cgparente,dc=local does not exist
[31/Oct/2018:05:52:23.443171065 -0400] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=cgparente,dc=local does not exist

Version-Release number of selected component (if applicable):


How reproducible:



Steps to Reproduce:

1. Just define an aci that has a target that does not exist in the database.

Actual results:

[31/Oct/2018:05:52:23.443171065 -0400] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=cgparente,dc=local does not exist

Expected results:

[31/Oct/2018:05:52:23.443171065 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=cgparente,dc=local does not exist

Additional info:

Comment 3 Akshay Adhikari 2019-05-09 12:33:56 UTC
I think this fix is not back-ported; I am able to reproduce this on the latest build: 389-ds-base-1.3.9.1-5.el7.x86_64

Steps:

1)

[root@aadhikar ~]# ldapmodify -x -p 389 -h `hostname` -D "cn=Directory Manager" -w password << EOF
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///cn=akshay,dc=example,dc=com")(targetattr=*)(version 3.0;acl "manager-write"; allow (all) userattr = "manager#USERDN";)
EOF

modifying entry "dc=example,dc=com"


Error log: 

[09/May/2019:08:10:17.611628429 -0400] - ERR - NSACLPlugin - acl_parse - The ACL target cn=akshay,dc=example,dc=com does not exist

I think a warning was expected.

Comment 4 Akshay Adhikari 2019-05-15 12:02:18 UTC
Build Tested: 389-ds-base-1.3.9.1-6.el7.x86_64

Steps:

1)
[root@aadhikar ~]# ldapmodify -x -p 389 -h `hostname` -D "cn=Directory Manager" -w password << EOF
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///cn=akshay,dc=example,dc=com")(targetattr=*)(version 3.0;acl "manager-write"; allow (all) userattr = "manager#USERDN";)
EOF

modifying entry "dc=example,dc=com"


Error log: 

[15/May/2019:07:55:15.442831593 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=akshay,dc=example,dc=com does not exist

Comment 6 errata-xmlrpc 2019-08-06 12:59:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2152
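
The following is an added example, not part of the bug report or of 389-ds-base: a log check that picks up the acl_parse message at either severity (ERR before the fix, WARN after) and groups it by target DN, so ACIs that point at missing entries stay visible for review across the upgrade. The function names and the lowercase DN comparison are assumptions; the sample lines are copied from this report except the last, which is constructed.

```python
import re
from datetime import datetime

# acl_parse message as logged on this page: ERR on older builds, WARN from
# 389-ds-base-1.3.9.1-6.el7 on. Matching both keeps one report across upgrades.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<sev>ERR|WARN) - NSACLPlugin - acl_parse - "
    r"The ACL target (?P<dn>.+) does not exist$"
)

# First four lines are copied from the bug report; the last one is constructed.
SAMPLE_LOG = """\
[31/Oct/2018:05:52:23.436616394 -0400] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=cgparente,dc=local does not exist
[31/Oct/2018:05:52:23.443171065 -0400] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=cgparente,dc=local does not exist
[09/May/2019:08:10:17.611628429 -0400] - ERR - NSACLPlugin - acl_parse - The ACL target cn=akshay,dc=example,dc=com does not exist
[15/May/2019:07:55:15.442831593 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=akshay,dc=example,dc=com does not exist
[15/May/2019:07:55:16.000000000 -0400] - ERR - example-plugin - constructed unrelated line
"""

def parse_ts(raw):
    """Parse '31/Oct/2018:05:52:23.436616394 -0400' (nanosecond precision)."""
    stamp, tz = raw.rsplit(" ", 1)
    whole, _, frac = stamp.partition(".")
    # strptime's %f accepts at most six digits, so truncate to microseconds.
    frac = (frac or "0")[:6]
    return datetime.strptime(f"{whole}.{frac} {tz}", "%d/%b/%Y:%H:%M:%S.%f %z")

def missing_acl_targets(lines):
    """Group 'ACL target ... does not exist' messages by target DN."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other plugins and messages are out of scope
        # Assumption: lowercasing is enough to merge spellings of one DN.
        dn = m["dn"].lower()
        entry = report.setdefault(
            dn, {"count": 0, "severities": set(), "last_seen": None})
        ts = parse_ts(m["ts"])
        entry["count"] += 1
        entry["severities"].add(m["sev"])
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
    return report

if __name__ == "__main__":
    for dn, info in sorted(missing_acl_targets(SAMPLE_LOG.splitlines()).items()):
        print(dn, info["count"], sorted(info["severities"]), info["last_seen"])
```

Alerting rules that key only on `- ERR -` stop seeing this message once the fixed build is installed, so a check like this one has to match on the plugin and message text instead.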