Bug 2178999

Summary: After update to 0.60.0-1.el7_9.x86_64 from slapi-nis-0.56.5-3.el7_9.x86_64 query's for nested groups don't work anymore
Product: Red Hat Enterprise Linux 7 Reporter: tim.de.bruijn
Component: slapi-nisAssignee: Alexander Bokovoy <abokovoy>
Status: CLOSED DUPLICATE QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.9CC: frenaud, idm-ds-dev-bugs, tbordaz, vashirov
Target Milestone: pre-dev-freezeFlags: abokovoy: needinfo? (tbordaz)
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-17 08:26:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description tim.de.bruijn 2023-03-16 12:15:42 UTC 
Description of problem:
After update to 0.60.0-1.el7_9.x86_64 from slapi-nis-0.56.5-3.el7_9.x86_64 query's for nested groups don't work anymore

Version-Release number of selected component (if applicable):
0.60.0-1.el7_9.x86_64

How reproducible:
before update:
[root@server ~]# ldapsearch -x -b "dc=tst,dc=dcn,dc=REDACTED,dc=net"  -H ldaps://REDACTED -D "uid=ro_bind_user,cn=sysaccounts,cn=etc,dc=tst,dc=dcn,dc=REDACTED,dc=net" "(&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=tst,dc=dcn,dc=REDACTED,dc=net> with scope subtree
# filter: (&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))
# requesting: ALL
#

# pdu-admin, groups, compat, tst.dcn.REDACTED.net
dn: cn=pdu-admin,cn=groups,cn=compat,dc=tst,dc=dcn,dc=REDACTED,dc=net
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 376400045
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
ipaAnchorUUID:: REDACTED
cn: pdu-admin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

After update:

ldapsearch -x -b "dc=tst,dc=dcn,dc=REDACTED,dc=net"  -H REDACTED -D "uid=ro_bind_user,cn=sy
saccounts,cn=etc,dc=tst,dc=dcn,dc=REDACTED,dc=net" "(&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=tst,dc=dcn,dc=REDACTED,dc=net> with scope subtree
# filter: (&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Steps to Reproduce:
See above

Actual results:
See above

Expected results:
See above

Additional info:
I think this issue is not only on RHEL/CentOS7 but also on RHEL8 and higer(uses same package)
https://pagure.io/slapi-nis/issue/49
Comment 4 Florence Blanc-Renaud 2023-05-26 09:46:32 UTC 
This bugs seems to be a duplicate of Bug 2168893 - slapi-nis-0.60.0-1.el7_9.x86_64 causes ldap netgroup queries to fail [rhel-7.9.z].
The release for this 7.9 fix is currently in progress.

If you are able to test on other releases, the patch was included
- in RHEL 9.2 with the fix for Bug 2183950 - slapi-nis-0.60.0-1.el7_9.x86_64 causes ldap netgroup queries to fail [rhel-9.2.0.z] 
- in RHEL 8.8 with the fix for Bug 2183953 - slapi-nis-0.60.0-1.el7_9.x86_64 causes ldap netgroup queries to fail [rhel-8.8.0.z]

The relevant upstream patch is 
https://pagure.io/slapi-nis/c/73058645eac86b40913deec01807854e0a8bda0d?branch=master Identify the container without search base check

@
Comment 5 Florence Blanc-Renaud 2023-06-07 11:51:05 UTC 
@tim.de.bruijn 
An update for slapi-nis is available in https://access.redhat.com/errata/RHBA-2023:3482 (slapi-nis-0.60.0-3.el7_9) and I have good confidence that it would solve your issue. Can you update and let me know?
If that is indeed solving your issue, we can close this BZ as a duplicate of BZ #2168893
Comment 6 tim.de.bruijn 2023-06-13 07:39:46 UTC 
Hi,

Thank you for the update, but at the moment I don't see the slapi-nis-0.60.0-3.el7_9 update as available on CentOS 7(the OS for the test systems).
The latest package for that system is: slapi-nis-0.60.0-1.el7_9.x86_64

I'm not able to test this when the package is not available for CentOS7.
Comment 7 Alexander Bokovoy 2023-06-20 13:19:53 UTC 
The errata https://access.redhat.com/errata/RHBA-2023:3482 was released, so bug https://bugzilla.redhat.com/show_bug.cgi?id=2168893 is fixed and this one would be closed if you'd test packages from that errata. 

My team has no control over the packages in CentOS 7 so we cannot really estimate when they appear there.
Comment 8 Florence Blanc-Renaud 2023-06-26 19:17:17 UTC 
The latest slapi-nis package is now available for CentOS 7: http://mirror.centos.org/centos-7/7/updates/x86_64/Packages/slapi-nis-0.60.0-3.el7_9.x86_64.rpm

@tim.de.bruijn can you try the update and let us know if it solves the issue? Thanks
Comment 9 tim.de.bruijn 2023-07-11 08:21:29 UTC 
(In reply to Florence Blanc-Renaud from comment #8)
> The latest slapi-nis package is now available for CentOS 7:
> http://mirror.centos.org/centos-7/7/updates/x86_64/Packages/slapi-nis-0.60.0-
> 3.el7_9.x86_64.rpm
> 
> @tim.de.bruijn can you try the update and let us know if it solves
> the issue? Thanks

Yes, it did fix the issue, thank you!
Comment 10 Florence Blanc-Renaud 2023-07-17 08:26:26 UTC 
Closing as duplicate of Bug #2168893

*** This bug has been marked as a duplicate of bug 2168893 ***