Bug 1976288

Summary: ansible-freeipa automember test fails with `automember_add_condition: testgroup: 'objectclass'` due to ldap cache
Product: Red Hat Enterprise Linux 9
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: high
Docs Contact:
Priority: high
Version: 9.0
CC: abokovoy, ipa-qe, ksiddiqu, mpolovka, rcritten, tscherf, twoerner
Target Milestone: beta
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.9.6-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1976286
Environment:
Last Closed: 2021-12-07 21:30:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1976286
Bug Blocks:

Description Rob Crittenden 2021-06-25 17:09:57 UTC
+++ This bug was initially created as a clone of Bug #1976286 +++

This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8897

### Issue
ansible-freeipa automember test https://github.com/freeipa/ansible-freeipa/blob/master/tests/automember/test_automember.yml fails with IPA 4.9.4.
The error message is `automember_add_condition: testgroup: 'objectclass'`.
The error is not happening if the ldap cache is turned off or if the module is not run within server context. The issue is also not reproducible on the server directly. It is only triggered using the ansible-freeipa module.

#### Steps to Reproduce
1.  Run ansible-freeipa automember test

#### Actual behavior
    fatal: [ipaserver.test.local]: FAILED! => {"changed": false, "failed_when_result": true, "msg": "automember_add_condition: testgroup: 'objectclass'"}

#### Expected behavior
No failure

#### Version/Release/Distribution
    $ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
    freeipa-server-4.9.4-1.fc34.x86_64
    freeipa-client-4.9.4-1.fc34.x86_64
    package ipa-server is not installed
    package ipa-client is not installed
    389-ds-base-2.0.5-1.fc34.x86_64
    pki-ca-10.10.6-1.fc34.noarch
    krb5-server-1.19.1-3.fc34.x86_64

#### Additional info:
This is the traceback:

    Traceback (most recent call last):
      File "/tmp/ansible_ipaautomember_payload_za0tz354/ansible_ipaautomember_payload.zip/ansible/modules/ipaautomember.py", line 366, in main
      File "/tmp/ansible_ipaautomember_payload_za0tz354/ansible_ipaautomember_payload.zip/ansible/module_utils/ansible_freeipa_module.py", line 207, in api_command
        return api.Command[command](name, **args)
      File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
        return self.__do_call(*args,**options)
      File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
        ret = self.run(*args, **options)
      File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 821, in run
        return self.execute(*args, **options)
      File "/usr/lib/python3.9/site-packages/ipaserver/plugins/automember.py", line 417, in execute
        result = super(automember_add_condition, self).execute(*keys, **options)
      File "/usr/lib/python3.9/site-packages/ipaserver/plugins/baseldap.py", line 1511, in execute
        entry_attrs.dn = callback(
      File "/usr/lib/python3.9/site-packages/ipaserver/plugins/automember.py", line 389, in pre_callback
        if not isinstance(entry_attrs[regex], (list, tuple)):
      File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 516, in __getitem__
        return self._get_nice(name)
      File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 483, in _get_nice
        name = self._get_attr_name(name)
      File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 479, in _get_attr_name
        name = self._names[name]
      File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 656, in __getitem__
        return super(CIDict,self).__getitem__(key.lower())
    KeyError: 'objectclass'

Here is a shorter version of the test playbook to trigger the issue:

    ---
    - name: Test automember with ldap cache
      hosts: ipaserver
      become: true

      tasks:

      # CLEANUP TEST ITEMS

      - name: Ensure group testgroup is absent
        ipagroup:
          ipaadmin_password: SomeADMINpassword
          name: testgroup
          state: absent

      - name: Ensure group automember rule testgroup is absent
        ipaautomember:
          ipaadmin_password: SomeADMINpassword
          name: testgroup
          state: absent
          automember_type: group

      # CREATE TEST ITEMS

      # TESTS
      - name: Ensure testgroup group is present
        ipagroup:
          ipaadmin_password: SomeADMINpassword
          name: testgroup

      - name: Ensure testgroup group automember rule is present
        ipaautomember:
          ipaadmin_password: SomeADMINpassword
          name: testgroup
          description: testgroup automember rule.
          automember_type: group
        register: result
        failed_when: not result.changed or result.failed

      - name: Change testgroup group automember rule description
        ipaautomember:
          ipaadmin_password: SomeADMINpassword
          name: testgroup
          description: testgroup automember rule description.
          automember_type: group
        register: result
        failed_when: not result.changed or result.failed

      - name: Ensure testgroup group automember rule has conditions
        ipaautomember:
          ipaadmin_password: SomeADMINpassword
          name: testgroup
          automember_type: group
          inclusive:
            - key: 'uid'
              expression: 'uid'
            - key: 'uidnumber'
              expression: 'uidnumber'
          exclusive:
            - key: 'uid'
              expression: 'uid'
        register: result
        failed_when: not result.changed or result.failed

      - name: Add testgroup group automember rule member condition
        ipaautomember:
          ipaadmin_password: SomeADMINpassword
          name: testgroup
          automember_type: group
          action: member
          inclusive:
            - key: 'manager'
              expression: 'uid=mscott'
        register: result
        failed_when: not result.changed or result.failed

      - name: Ensure testgroup group automember rule has conditions
        ipaautomember:
          ipaadmin_password: SomeADMINpassword
          name: testgroup
          automember_type: group
          inclusive:
            - key: 'uid'
              expression: 'uid'
            - key: 'uidnumber'
              expression: 'uidnumber'
            - key: 'manager'
              expression: 'uid=mscott'
          exclusive:
            - key: 'uid'
              expression: 'uid'
        register: result
        failed_when: result.changed or result.failed

      - name: Remove testgroup group automember rule member condition
        ipaautomember:
          ipaadmin_password: SomeADMINpassword
          name: testgroup
          automember_type: group
          action: member
          state: absent
          inclusive:
            - key: 'manager'
              expression: 'uid=mscott'
        register: result
        failed_when: not result.changed or result.failed

      # CLEANUP TEST ITEMS

      - name: Ensure group testgroup is absent
        ipagroup:
          ipaadmin_password: SomeADMINpassword
          name: testgroup
          state: absent

      - name: Ensure group automember rule testgroup is absent
        ipaautomember:
          ipaadmin_password: SomeADMINpassword
          automember_type: group
          name: testgroup
          state: absent

Comment 1 Alexander Bokovoy 2021-06-29 11:57:28 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/19d5b3b621dbdfe96b290ac2f7af63008d01aa80

Comment 2 Rob Crittenden 2021-06-29 15:06:57 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/ae4478de1f0e9e35098d1bbbfae1b3506bcf3672

Comment 7 Michal Polovka 2021-07-29 15:36:43 UTC
Verified using existing automation on RHEL9 machine with ipa-server-4.9.6-2.el9.x86_64


# (...host config...) pytest tests/test_playbook_runs.py::automember::test_automember
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.6, pytest-6.2.2, py-1.10.0, pluggy-0.13.1
rootdir: /root/ansible-freeipa, configfile: pytest.ini
plugins: testinfra-6.4.0, split-tests-1.0.9, sourceorder-0.5.1
collected 1 item                                                                                                                                                                             

tests/test_playbook_runs.py .                                                                                                                                                          [100%]

================================================================================ 1 passed in 92.62s (0:01:32) ================================================================================


Therefore marking as verified.