Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2178999

Summary: After update to 0.60.0-1.el7_9.x86_64 from slapi-nis-0.56.5-3.el7_9.x86_64 query's for nested groups don't work anymore
Product: Red Hat Enterprise Linux 7 Reporter: tim.de.bruijn
Component: slapi-nisAssignee: Alexander Bokovoy <abokovoy>
Status: CLOSED DUPLICATE QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.9CC: frenaud, idm-ds-dev-bugs, tbordaz, vashirov
Target Milestone: pre-dev-freezeFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-17 08:26:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description tim.de.bruijn 2023-03-16 12:15:42 UTC 
Description of problem:
After update to 0.60.0-1.el7_9.x86_64 from slapi-nis-0.56.5-3.el7_9.x86_64 query's for nested groups don't work anymore

Version-Release number of selected component (if applicable):
0.60.0-1.el7_9.x86_64

How reproducible:
before update:
[root@server ~]# ldapsearch -x -b "dc=tst,dc=dcn,dc=REDACTED,dc=net"  -H ldaps://REDACTED -D "uid=ro_bind_user,cn=sysaccounts,cn=etc,dc=tst,dc=dcn,dc=REDACTED,dc=net" "(&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=tst,dc=dcn,dc=REDACTED,dc=net> with scope subtree
# filter: (&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))
# requesting: ALL
#

# pdu-admin, groups, compat, tst.dcn.REDACTED.net
dn: cn=pdu-admin,cn=groups,cn=compat,dc=tst,dc=dcn,dc=REDACTED,dc=net
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 376400045
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
ipaAnchorUUID:: REDACTED
cn: pdu-admin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

After update:

ldapsearch -x -b "dc=tst,dc=dcn,dc=REDACTED,dc=net"  -H REDACTED -D "uid=ro_bind_user,cn=sy
saccounts,cn=etc,dc=tst,dc=dcn,dc=REDACTED,dc=net" "(&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=tst,dc=dcn,dc=REDACTED,dc=net> with scope subtree
# filter: (&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Steps to Reproduce:
See above

Actual results:
See above

Expected results:
See above

Additional info:
I think this issue is not only on RHEL/CentOS7 but also on RHEL8 and higer(uses same package)
https://pagure.io/slapi-nis/issue/49
Comment 4 Florence Blanc-Renaud 2023-05-26 09:46:32 UTC 
This bugs seems to be a duplicate of Bug 2168893 - slapi-nis-0.60.0-1.el7_9.x86_64 causes ldap netgroup queries to fail [rhel-7.9.z].
The release for this 7.9 fix is currently in progress.

If you are able to test on other releases, the patch was included
- in RHEL 9.2 with the fix for Bug 2183950 - slapi-nis-0.60.0-1.el7_9.x86_64 causes ldap netgroup queries to fail [rhel-9.2.0.z] 
- in RHEL 8.8 with the fix for Bug 2183953 - slapi-nis-0.60.0-1.el7_9.x86_64 causes ldap netgroup queries to fail [rhel-8.8.0.z]

The relevant upstream patch is 
https://pagure.io/slapi-nis/c/73058645eac86b40913deec01807854e0a8bda0d?branch=master Identify the container without search base check

@
Comment 5 Florence Blanc-Renaud 2023-06-07 11:51:05 UTC 
@tim.de.bruijn 
An update for slapi-nis is available in https://access.redhat.com/errata/RHBA-2023:3482 (slapi-nis-0.60.0-3.el7_9) and I have good confidence that it would solve your issue. Can you update and let me know?
If that is indeed solving your issue, we can close this BZ as a duplicate of BZ #2168893
Comment 6 tim.de.bruijn 2023-06-13 07:39:46 UTC 
Hi,

Thank you for the update, but at the moment I don't see the slapi-nis-0.60.0-3.el7_9 update as available on CentOS 7(the OS for the test systems).
The latest package for that system is: slapi-nis-0.60.0-1.el7_9.x86_64

I'm not able to test this when the package is not available for CentOS7.
Comment 7 Alexander Bokovoy 2023-06-20 13:19:53 UTC 
The errata https://access.redhat.com/errata/RHBA-2023:3482 was released, so bug https://bugzilla.redhat.com/show_bug.cgi?id=2168893 is fixed and this one would be closed if you'd test packages from that errata. 

My team has no control over the packages in CentOS 7 so we cannot really estimate when they appear there.
Comment 8 Florence Blanc-Renaud 2023-06-26 19:17:17 UTC 
The latest slapi-nis package is now available for CentOS 7: http://mirror.centos.org/centos-7/7/updates/x86_64/Packages/slapi-nis-0.60.0-3.el7_9.x86_64.rpm

@tim.de.bruijn can you try the update and let us know if it solves the issue? Thanks
Comment 9 tim.de.bruijn 2023-07-11 08:21:29 UTC 
(In reply to Florence Blanc-Renaud from comment #8)
> The latest slapi-nis package is now available for CentOS 7:
> http://mirror.centos.org/centos-7/7/updates/x86_64/Packages/slapi-nis-0.60.0-
> 3.el7_9.x86_64.rpm
> 
> @tim.de.bruijn can you try the update and let us know if it solves
> the issue? Thanks

Yes, it did fix the issue, thank you!
Comment 10 Florence Blanc-Renaud 2023-07-17 08:26:26 UTC 
Closing as duplicate of Bug #2168893

*** This bug has been marked as a duplicate of bug 2168893 ***
Comment 11 Red Hat Bugzilla 2023-11-15 04:25:13 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days