Bug 1859225

Summary: suffix management in backends incorrect
Product: Red Hat Enterprise Linux 8 Reporter: mreynolds
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0CC: aadhikar, pasik, sgouvern, spichugi, tbordaz, vashirov
Target Milestone: rcKeywords: TestCaseProvided, Triaged
Target Release: 8.4Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-1.4-8040020201112160023.866effaa Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:45:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1894575    

Description mreynolds 2020-07-21 13:40:32 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49467

A suffix is defined in the mapping tree and points to a backend implementin this suffix.

In the backend is a nsslapd-suffix attribute, which is multivalued and is mainained in a be_suffixlist.

But this handling id flawed in several ways. Probably once a backend was supposed to contain multiple suffixes, but this no longer works - and we should keep the 1:1 relationship and correct errors.

1] if the dse.ldif contains multiple nsslaps-suffix attributes only the first is used, the others ar ignored silently. The attempt to add another value via ldapmodify is rejected with err=53

2] more severe: the nsslapd-suffix attribute can have any value, there is no check that it matches the suffix in the mapping tree, so it is possible to have a suffix "dc=example,dc=com" pointing to the backend "userroot", but in the backend definition the nsslapd-suffix attr can be "o=tralalala" - and it seem to work, even if the calls to slapi_be_issuffix() return the unexpected result - these calls need extra investigation.

What to do:
- clearly document the "one backend - one suffix" rule
- reject multivalued configs with specific error message
- change implementation from be_suffixlist to be_suffix
- check that suffix in mapping tree and backend match
Comment 3 Viktor Ashirov 2020-11-10 13:19:41 UTC 
Build tested: 389-ds-base-1.4.3.14-1.module+el8.4.0+8664+a8ec484f.x86_64

This build is missing https://github.com/389ds/389-ds-base/commit/e6145361ea06c005f645f7683e3619810dfccfa2
And many tests are failing with error 53.

Moving to ASSIGNED.
Comment 4 Akshay Adhikari 2020-11-26 14:52:24 UTC 
Build tested: 389-ds-base-1.4.3.16-3.module+el8.4.0+8869+55706461.x86_64

============================================================================ test session starts ================================================================
platform linux -- Python 3.6.8, pytest-6.1.2, py-1.9.0, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-240.10.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '6.1.2', 'py': '1.9.0', 'pluggy': '0.13.1'}, 'Plugins': {'html': '2.1.1', 'metadata': '1.10.0'}}
389-ds-base: 1.4.3.16-3.module+el8.4.0+8869+55706461
nss: 3.53.1-11.el8_2
nspr: 4.25.0-2.el8_2
openldap: 2.4.46-16.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: html-2.1.1, metadata-1.10.0
collected 1 item                                                                                                                                                            

dirsrvtests/tests/suites/mapping_tree/acceptance_test.py::test_invalid_mt FAILED                                                                                      [100%]

================================================================================= FAILURES ======================================================================
______________________________________________________________________________ test_invalid_mt ______________________________________________________________________________

The test is failing with Failed: DID NOT RAISE <class 'ldap.UNWILLING_TO_PERFORM'>

Moving to ASSIGNED.
Comment 6 sgouvern 2020-11-30 08:41:18 UTC 
Failed QA for ITM 4
-> moving to ITM 6
Comment 7 mreynolds 2020-12-01 15:04:30 UTC 
The validation check was removed in 1.4.3, and the test case itself was removed in 1.4.3.15

https://github.com/389ds/389-ds-base/commit/3cf9fad93ed7cee26f659f3b958e78a9ee8619a7

But the test case was added back to 1.4.3 via:

https://github.com/389ds/389-ds-base/pull/4425

So I will need to remove this testcase again in the next build.
Comment 8 Akshay Adhikari 2020-12-10 14:05:29 UTC 
Build tested: 389-ds-base-1.4.3.16-5.module+el8.4.0+9096+da32555e.x86_64

============================================================================ test session starts ================================================================
platform linux -- Python 3.6.8, pytest-6.1.2, py-1.9.0, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-240.10.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '6.1.2', 'py': '1.9.0', 'pluggy': '0.13.1'}, 'Plugins': {'html': '2.1.1', 'metadata': '1.10.0'}}
389-ds-base: 1.4.3.16-5.module+el8.4.0+9096+da32555e
nss: 3.53.1-11.el8_2
nspr: 4.25.0-2.el8_2
openldap: 2.4.46-16.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: html-2.1.1, metadata-1.10.0
collected 44 items                                                                                                                                                          

dirsrvtests/tests/suites/basic/basic_test.py::test_basic_ops PASSED                                                                                                   [  2%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_import_export PASSED                                                                                         [  4%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_backup PASSED                                                                                                [  6%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_db2index PASSED                                                                                              [  9%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_acl PASSED                                                                                                   [ 11%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_searches PASSED                                                                                              [ 13%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_req_attrs[attrs0-cn-False] PASSED                                                                           [ 15%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_req_attrs[attrs1-cn-True] PASSED                                                                            [ 18%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_req_attrs[attrs2-nsUniqueId-True] PASSED                                                                    [ 20%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_req_attrs[attrs3-cn-True] PASSED                                                                            [ 22%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_req_attrs[attrs4-cn-True] PASSED                                                                            [ 25%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_referrals PASSED                                                                                             [ 27%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_systemctl PASSED                                                                                             [ 29%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_ldapagent PASSED                                                                                             [ 31%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_dse_survives_kill9 PASSED                                                                                    [ 34%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[namingContexts] PASSED                                                                            [ 36%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[supportedLDAPVersion] PASSED                                                                      [ 38%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[supportedControl] PASSED                                                                          [ 40%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[supportedExtension] PASSED                                                                        [ 43%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[supportedSASLMechanisms] PASSED                                                                   [ 45%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[vendorName] PASSED                                                                                [ 47%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[vendorVersion] PASSED                                                                             [ 50%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[namingContexts] PASSED                                                                        [ 52%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[supportedLDAPVersion] PASSED                                                                  [ 54%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[supportedControl] PASSED                                                                      [ 56%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[supportedExtension] PASSED                                                                    [ 59%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[supportedSASLMechanisms] PASSED                                                               [ 61%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[vendorName] PASSED                                                                            [ 63%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[vendorVersion] PASSED                                                                         [ 65%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_anonymous_search PASSED                                                                                      [ 68%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_original_type PASSED                                                                                        [ 70%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_ou PASSED                                                                                                   [ 72%]
dirsrvtests/tests/suites/basic/basic_test.py::test_connection_buffer_size PASSED                                                                                      [ 75%]
dirsrvtests/tests/suites/basic/basic_test.py::test_critical_msg_on_empty_range_idl PASSED                                                                             [ 77%]
dirsrvtests/tests/suites/basic/basic_test.py::test_ldbm_modification_audit_log PASSED                                                                                 [ 79%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate PASSED                                                                                                    [ 81%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_ldapi PASSED                                                                                              [ 84%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_multiple_dashes_name PASSED                                                                               [ 86%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[c=uk] PASSED                                                                           [ 88%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[cn=test_user] PASSED                                                                   [ 90%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[dc=example,dc=com] PASSED                                                              [ 93%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[o=south] PASSED                                                                        [ 95%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[ou=sales] PASSED                                                                       [ 97%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[wrong=some_value] PASSED                                                               [100%]

=============================================================== 44 passed, 152 warnings in 300.32s (0:05:00) ====================================================

-> Marking as verified: tested
Comment 9 sgouvern 2020-12-14 14:55:50 UTC 
Missed the ITM 6 milestone -> moving to ITM 7
Comment 12 sgouvern 2020-12-21 17:21:22 UTC 
With build 389-ds-base-1.4.3.16-6.module+el8.4.0+9207+729bbaca.x86_64/vim


# PYTHONPATH=src/lib389/ py.test -s -v  dirsrvtests/tests/suites/basic/basic_test.py
re-exec with libfaketime dependencies
========================================================== test session starts ===========================================================
platform linux -- Python 3.6.8, pytest-6.2.1, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-260.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '6.2.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'libfaketime': '0.1.2'}}
389-ds-base: 1.4.3.16-6.module+el8.4.0+9207+729bbaca
nss: 3.53.1-13.el8_3
nspr: 4.25.0-2.el8_2
openldap: 2.4.46-16.el8
cyrus-sasl: 2.1.27-5.el8
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, libfaketime-0.1.2
collected 42 items           

============================================== 42 passed, 150 warnings in 259.48s (0:04:19) ==============================================

Marking as VERIFIED
Comment 14 errata-xmlrpc 2021-05-18 15:45:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1835