Bug 2100337

Summary: dsconf backend export userroot fails ldap.DECODING_ERROR
Product: Red Hat Enterprise Linux 9
Reporter: Marc Sauton <msauton>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: high
Docs Contact:
Priority: unspecified
Version: 9.0
CC: bsmejkal, gkimetto, ldap-maint, mreynolds, pasik, sgouvern
Target Milestone: rc
Keywords: TestCaseProvided, Triaged
Target Release: 9.1
Hardware: All
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-base-2.1.3-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-15 10:30:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marc Sauton 2022-06-23 06:10:49 UTC
Description of problem:

dsconf backend export userroot fails with ldap.DECODING_ERROR, as if it cannot decode "nsslapd-suffix: cn=changelog"?

The same command works fine on RHEL-8.x
dsconf ${ldapinstance} backend export userroot --not-folded --ldif /var/lib/dirsrv/slapd-IDM-EXAMPLE-TEST/ldif/userroot.`date +%F`.ldif


Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux release 9.0 (Plow)
Linux ipaserver1.idm.example.test 5.14.0-70.13.1.el9_0.x86_64 #1 SMP PREEMPT Thu Apr 14 12:42:38 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
nss-3.71.0-7.el9.x86_64
nspr-4.32.0-9.el9.x86_64
389-ds-base-2.0.14-1.el9.x86_64
sssd-2.6.2-2.el9.x86_64
ipa-server-4.9.8-7.el9_0.x86_64
pki-ca-11.0.4-1.el9_0.noarch
python3-lib389-2.0.14-1.el9.noarch


How reproducible:
on demand


Steps to Reproduce:
1. Have IPA up and running

id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@ipaserver1 ~]# 

2.
dsconf -v -D 'cn=Directory Manager' -w password ldap://ipaserver1.idm.example.test backend export userroot
or
dsconf ${ldapinstance} backend export userroot --not-folded --ldif /var/lib/dirsrv/slapd-IDM-EXAMPLE-TEST/ldif/userroot.`date +%F`.ldif


Actual results:

either
Error:

or in verbose mode:

DEBUG: The 389 Directory Server Configuration Tool
DEBUG: Inspired by works of: ITS, The University of Adelaide
DEBUG: dsrc path: /root/.dsrc
DEBUG: dsrc container path: /data/config/container.inf
DEBUG: dsrc instances: []
DEBUG: dsrc no such section: slapd-ldap://ipaserver1.idm.example.test
DEBUG: Called with: Namespace(instance='ldap://ipaserver1.idm.example.test', verbose=True, binddn='cn=Directory Manager', bindpw='password', prompt=False, pwdfile=None, basedn=None, starttls=False, json=False, be_names=['userroot'], ldif=None, use_id2entry=False, encrypted=False, min_base64=False, no_seq_num=False, replication=False, no_dump_uniq_id=False, not_folded=False, include_suffixes=None, exclude_suffixes=None, func=<function backend_export at 0x7fbc96b638b0>)
DEBUG: Instance details: {'uri': 'ldap://ipaserver1.idm.example.test', 'basedn': None, 'binddn': 'cn=Directory Manager', 'bindpw': None, 'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key': None, 'tls_reqcert': None, 'starttls': False, 'prompt': False, 'pwdfile': None, 'args': {'ldapurl': 'ldap://ipaserver1.idm.example.test', 'root-dn': 'cn=Directory Manager'}}
DEBUG: Allocate <class 'lib389.DirSrv'> with ldap://ipaserver1.idm.example.test
DEBUG: Allocate <class 'lib389.DirSrv'> with ipaserver1.idm.example.test:None
DEBUG: Allocate <class 'lib389.DirSrv'> with ipaserver1.idm.example.test:None
DEBUG: Allocate <class 'lib389.DirSrv'> with ldap://ipaserver1.idm.example.test
DEBUG: Allocate <class 'lib389.DirSrv'> with ipaserver1.idm.example.test:None
DEBUG: Allocate <class 'lib389.DirSrv'> with ipaserver1.idm.example.test:None
DEBUG: open(): Connecting to uri ldap://ipaserver1.idm.example.test
DEBUG: open(): bound as cn=Directory Manager
DEBUG: Retrieving entry with [('',)]
DEBUG: Retrieved entry [dn: 
vendorVersion: 389-Directory/2.0.14 B2022.028.0000

]
DEBUG: list filter = (&(objectclass=nsBackendInstance))
DEBUG: cn=changelog,cn=ldbm database,cn=plugins,cn=config getVal('cn')
DEBUG: cn=changelog,cn=ldbm database,cn=plugins,cn=config getVal('nsslapd-suffix')
DEBUG: 
Traceback (most recent call last):
  File "/usr/sbin/dsconf", line 138, in <module>
    result = args.func(inst, None, log, args)
  File "/usr/lib/python3.9/site-packages/lib389/cli_conf/backend.py", line 282, in backend_export
    dn = _search_backend_dn(inst, be_name)
  File "/usr/lib/python3.9/site-packages/lib389/cli_conf/backend.py", line 97, in _search_backend_dn
    if cn == del_be_name or str2dn(suffix) == str2dn(del_be_name):
  File "/usr/lib64/python3.9/site-packages/ldap/dn.py", line 52, in str2dn
    return ldap.functions._ldap_function_call(None,_ldap.str2dn,dn,flags)
  File "/usr/lib64/python3.9/site-packages/ldap/functions.py", line 55, in _ldap_function_call
    result = func(*args,**kwargs)
ldap.DECODING_ERROR
ERROR: Error: 
[root@ipaserver1 ~]# 
[root@ipaserver1 ~]# 
[root@ipaserver1 ~]# [23/Jun/2022:06:02:13.509851849 +0000] conn=101 fd=120 slot=120 connection from 192.168.122.116 to 192.168.122.116
[23/Jun/2022:06:02:13.510170900 +0000] conn=101 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[23/Jun/2022:06:02:13.510314210 +0000] conn=101 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000209602 optime=0.000149375 etime=0.000357655 dn="cn=directory manager"
[23/Jun/2022:06:02:13.516535809 +0000] conn=101 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="vendorVersion"
[23/Jun/2022:06:02:13.517498030 +0000] conn=101 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000058818 optime=0.000964051 etime=0.001021957
[23/Jun/2022:06:02:13.520091356 +0000] conn=101 op=2 SRCH base="cn=ldbm database,cn=plugins,cn=config" scope=2 filter="(&(objectClass=nsBackendInstance))" attrs="distinguishedName"
[23/Jun/2022:06:02:13.520667960 +0000] conn=101 op=2 RESULT err=0 tag=101 nentries=3 wtime=0.000060359 optime=0.000577842 etime=0.000637028
[23/Jun/2022:06:02:13.521053037 +0000] conn=101 op=3 SRCH base="cn=changelog,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="cn"
[23/Jun/2022:06:02:13.521148899 +0000] conn=101 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000042310 optime=0.000097596 etime=0.000138793
[23/Jun/2022:06:02:13.521410465 +0000] conn=101 op=4 SRCH base="cn=changelog,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix"
[23/Jun/2022:06:02:13.521504285 +0000] conn=101 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000038985 optime=0.000095563 etime=0.000133459
[23/Jun/2022:06:02:13.522959697 +0000] conn=101 op=5 UNBIND
[23/Jun/2022:06:02:13.522974832 +0000] conn=101 op=5 fd=120 closed error - U1

[root@ipaserver1 ~]# 


Expected results:


Additional info:

dse.ldif

dn: cn=changelog,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: changelog
creatorsName: cn=Retro Changelog Plugin,cn=plugins,cn=config
modifiersName: cn=Retro Changelog Plugin,cn=plugins,cn=config
createTimestamp: 20220623021007Z
modifyTimestamp: 20220623021007Z
numSubordinates: 4
nsslapd-suffix: cn=changelog
nsslapd-cachesize: -1
nsslapd-cachememsize: 201326592
nsslapd-readonly: off
nsslapd-require-index: off
nsslapd-require-internalop-index: off
nsslapd-dncachememsize: 67108864
nsslapd-directory: /var/lib/dirsrv/slapd-IDM-EXAMPLE-TEST/db/changelog

Comment 1 mreynolds 2022-06-23 16:48:30 UTC
I can reproduce the issue, and it's because we are not checking if the be_name is a DN before calling str2dn.  be_name can be a backend name (userroot) or the suffix (dc=example,dc=com), but the code logic breaks when there are multiple backends.  I'll open an upstream ticket...

Comment 3 mreynolds 2022-07-11 16:36:57 UTC
Reproducer:

[1]  Create a second backend

    # dsconf -D 'cn=Directory Manager' -w password ldap://localhost backend create --be-name testRoot --suffix o=test


[2]  Attempt to export the database (it should not fail)

    # dsconf -D 'cn=Directory Manager' -w password ldap://localhost backend export userroot
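
The failure mode from Comment 1 and the reproducer in Comment 3, as an added example; this is not lib389's code and not the upstream fix. `str2dn`, `DecodingError` and `is_dn` are simplified stand-ins for the python-ldap calls in the traceback, the function names are hypothetical, and `BACKENDS` (including the userroot suffix) is constructed sample data.

```python
import re

class DecodingError(Exception):
    """Stand-in for ldap.DECODING_ERROR; python-ldap is not imported here."""

_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^,=]+$")

def str2dn(dn):
    """Simplified stand-in for ldap.dn.str2dn (no escapes, no multi-valued RDNs)."""
    rdns = []
    for part in (dn.split(",") if dn else []):
        if not _RDN.match(part):
            raise DecodingError(dn)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip(), value.strip()))
    return rdns

def is_dn(value):
    """True when value parses as a DN, so callers can branch instead of crashing."""
    try:
        str2dn(value)
        return True
    except DecodingError:
        return False

# Constructed sample: (cn, nsslapd-suffix, entry DN). cn=changelog comes first,
# as in the access log; the userroot suffix is an assumed value.
BACKENDS = [
    ("changelog", "cn=changelog", "cn=changelog,cn=ldbm database,cn=plugins,cn=config"),
    ("userroot", "dc=idm,dc=example,dc=test", "cn=userroot,cn=ldbm database,cn=plugins,cn=config"),
]

def search_backend_dn_before(be_name, backends=BACKENDS):
    """Same comparison as backend.py line 97 in the traceback."""
    for cn, suffix, dn in backends:
        if cn == be_name or str2dn(suffix) == str2dn(be_name):
            return dn
    return None

def search_backend_dn_checked(be_name, backends=BACKENDS):
    """Parse be_name as a DN only when it is one; otherwise match on cn alone."""
    wanted = str2dn(be_name) if is_dn(be_name) else None
    for cn, suffix, dn in backends:
        if cn == be_name:
            return dn
        if wanted is not None and is_dn(suffix) and str2dn(suffix) == wanted:
            return dn
    return None
```

With a single backend the unchecked version short-circuits on the `cn` match and never parses the name, which is why the error only appears once a second backend is listed ahead of the one being exported.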

Comment 9 errata-xmlrpc 2022-11-15 10:30:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: 389-ds-base security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8162