Bug 915745

Summary: Entire 60basev3 schema is not included in update file, other errors
Product: Red Hat Enterprise Linux 6
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: high
Priority: urgent
Version: 6.5
CC: dpal, mkosek, nsoman, orion, pep, spoore, xdong
Target Milestone: rc
Keywords: ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.0.0-27.el6
Doc Type: Bug Fix
Doc Text:
Update files, used when upgrading Identity Management server to a higher version, did not contain one new Directory Server schema attributeType (ipaExternalMember) and an objectClass (ipaExternalGroup). Consequently, Identity Management servers, which were updated from a previous version that did not have this attributeType and objectClass in its base installation, missed the attributeType and objectClass in its schema. Both command-line interface (CLI) commands using these schema elements and Web UI as a whole did not function properly. This update adds the missing objectClass and attributeType to the Identity Management update files. Currently, Directory Server schema is updated during the Identity Management update process, and CLI commands and the Web UI function normally.
Clone Of: 910902
Last Closed: 2013-11-21 20:51:27 UTC
Bug Depends On: 910902
Bug Blocks: 916535

Description Martin Kosek 2013-02-26 12:35:48 UTC
+++ This bug was initially created as a clone of Bug #910902 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3398

In a very brief look I found a number of attributes and objectclasses in 60basev3.ldif that are not in an associated update file. The updates are split between 10-60basev3.update and 60-trusts.update.

missing attributes
 * ipaExternalMember

missing objectclasses
 * ipaExternalGroup

The definition for ipaNTFlatName has a misspelled ORDERING in both the 60basev3.ldif and the update file.

--- Additional comment from Namita Soman on 2013-02-13 15:53:53 EST ---

QE will install ipa 2.1, add objects, upgrade to ipa 3.0 and verify UI is accessible. Is that a good test?

--- Additional comment from Rob Crittenden on 2013-02-14 08:55:00 EST ---

Yes, that should be sufficient.

--- Additional comment from xdong on 2013-02-14 14:03:18 EST ---

Created attachment 697340
updated from ipa-server-2.1.3-9.el6.x86_64

--- Additional comment from xdong on 2013-02-14 14:05:05 EST ---

Created attachment 697341
updated to ipa-server-3.0.0-26.el6_4.x86_64, WebUI shows error prompt

--- Additional comment from Rob Crittenden on 2013-02-15 09:14:16 EST ---

If you look at /var/log/httpd/error_log you'll see whether you're getting the same backtrace as originally reported (related to missing ipaExternalMember).

--- Additional comment from xdong on 2013-02-21 16:10:30 EST ---

[Thu Feb 21 15:59:59 2013] [error] ipa: ERROR: non-public: KeyError: 'ipaExternalGroup'
[Thu Feb 21 15:59:59 2013] [error] Traceback (most recent call last):
[Thu Feb 21 15:59:59 2013] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
[Thu Feb 21 15:59:59 2013] [error]     result = self.Command[name](*args, **options)
[Thu Feb 21 15:59:59 2013] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
[Thu Feb 21 15:59:59 2013] [error]     ret = self.run(*args, **options)
[Thu Feb 21 15:59:59 2013] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
[Thu Feb 21 15:59:59 2013] [error]     return self.execute(*args, **options)
[Thu Feb 21 15:59:59 2013] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py", line 119, in execute
[Thu Feb 21 15:59:59 2013] [error]     (o.name, json_serialize(o)) for o in self.api.Object()
[Thu Feb 21 15:59:59 2013] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py", line 119, in <genexpr>
[Thu Feb 21 15:59:59 2013] [error]     (o.name, json_serialize(o)) for o in self.api.Object()
[Thu Feb 21 15:59:59 2013] [error]   File "/usr/lib/python2.6/site-packages/ipalib/util.py", line 55, in json_serialize
[Thu Feb 21 15:59:59 2013] [error]     return json_serialize(obj.__json__())
[Thu Feb 21 15:59:59 2013] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 644, in __json__
[Thu Feb 21 15:59:59 2013] [error]     attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
[Thu Feb 21 15:59:59 2013] [error]   File "/usr/lib64/python2.6/site-packages/ldap/schema/subentry.py", line 277, in attribute_types
[Thu Feb 21 15:59:59 2013] [error]     object_class = self.sed[ObjectClass][object_class_oid]
[Thu Feb 21 15:59:59 2013] [error] KeyError: 'ipaExternalGroup'
[Thu Feb 21 15:59:59 2013] [error] ipa: INFO: admin.REDHAT.COM: json_metadata(None, None, object=u'all'): KeyError

--- Additional comment from Martin Kosek on 2013-02-22 07:36:27 EST ---

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/49beb8cd3a752322285aa21a94306f7b99bcfae8
ipa-3-1: https://fedorahosted.org/freeipa/changeset/fd1cfd38e2cf0b9b8730f6d68c9fc3283a0872a1
ipa-3-0: https://fedorahosted.org/freeipa/changeset/d6a92b2dece5908eec94b8394ee611a497916648

The missing attributeType and objectClass are now added to the update file. It also replaces misspelled ipant* attributeTypes ORDERING value on new install and upgrades.

--- Additional comment from Martin Kosek on 2013-02-26 03:54:09 EST ---

Upstream ticket reopened, moving to ASSIGNED.
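
The gap reported in this bug (definitions present in 60basev3.ldif but absent from every update file, so upgraded servers never receive them) can be checked mechanically. The following is an added example, not part of the original report or the FreeIPA code base; the sample data is constructed, the OIDs are placeholders, and the `add:attributeTypes:` / `add:objectClasses:` update-line syntax is an assumption about the update file format.

```python
import re

# Constructed sample data: placeholder OIDs; "add:<attr>: ( ... )" update syntax is assumed.
SCHEMA_LDIF = """\
dn: cn=schema
attributeTypes: (1.2.3.4.1 NAME 'ipaNTFlatName' DESC 'constructed sample' )
attributeTypes: (1.2.3.4.2 NAME 'ipaExternalMember' DESC 'constructed sample' )
objectClasses: (1.2.3.4.3 NAME 'ipaExternalGroup' SUP top STRUCTURAL
  MAY ( ipaExternalMember ) )
"""
UPDATE_FILE = """\
dn: cn=schema
add:attributeTypes: (1.2.3.4.1 NAME 'ipaNTFlatName' DESC 'constructed sample' )
"""

DEF_RE = re.compile(r"^(?:add:\s*)?(attributeTypes|objectClasses):\s*\((.*)\)\s*$", re.I)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))")

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the last)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def schema_names(text):
    """Map (kind, lowercased name) -> name as written, for each schema definition."""
    found = {}
    for line in unfold(text):
        m = DEF_RE.match(line.strip())
        n = NAME_RE.search(m.group(2)) if m else None
        if not n:
            continue
        names = [n.group(1)] if n.group(1) else re.findall(r"'([^']+)'", n.group(2))
        for name in names:  # LDAP names compare case-insensitively
            found[(m.group(1).lower(), name.lower())] = name
    return found

def missing_from_updates(schema_text, update_texts):
    """Definitions in the base schema that no update file would add on upgrade."""
    shipped = {key for text in update_texts for key in schema_names(text)}
    base = schema_names(schema_text)
    return sorted((kind, base[kind, low]) for kind, low in base if (kind, low) not in shipped)

if __name__ == "__main__":
    print(missing_from_updates(SCHEMA_LDIF, [UPDATE_FILE]))
```

Run against the real schema file and all update files in a package build, a non-empty result flags the condition that broke upgraded servers here.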

Comment 4 Xiyang Dong 2013-03-04 18:56:56 UTC
verified in ipa-server-3.0.0-26.el6_4.2.x86_64

Steps to reproduce:
1. updated 6.2 -> 6.3 -> 6.4

The error didn't show up. All WebUI elements work fine.

Comment 6 Scott Poore 2013-09-05 22:34:09 UTC
Verified from cli.

Version ::

ipa-server-3.0.0-34.el6.x86_64

Automated Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_upgrade_bz915745 - Entire 60basev3 schema is not included in update file, other errors
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 17:32:53 ] ::  Checking Web UI
:: [ 17:32:53 ] ::  Prepare json query in file
:: [ 17:32:53 ] ::  Getting Session ID with:  curl -v --negotiate -u: https://rhel6-1.testrelm.com/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt
:: [   PASS   ] :: Running 'curl  -H "Content-Type:application/json" -H "Referer: https://rhel6-1.testrelm.com/ipa/xml" -H "Accept:application/json"  -H "Accept-Language:en" --cacert /etc/ipa/ca.crt -d  @/tmp/jsoninput -X POST -b "ipa_session=c6c089a2715a830e6573bb3580edfcb1; httponly; Path=/ipa; secure" https://rhel6-1.testrelm.com/ipa/session/json > /tmp/tmpout1 2>&1' (Expected 0, got 0)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
122   420    0   420    0    69   2935    482 --:--:-- --:--:-- --:--:--  3162
{
    "error": null, 
    "id": null, 
    "principal": "admin", 
    "result": {
        "count": 1, 
        "result": [
            {
                "dn": "uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com", 
                "uid": [
                    "admin"
                ]
            }
        ], 
        "summary": "1 user matched", 
        "truncated": false
    }, 
    "version": "3.0.0"
}:: [   PASS   ] :: Running 'cat /tmp/tmpout1' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmpout1' should contain 'uid=admin.*dc=testrelm,dc=com' 
:: [   PASS   ] :: File '/usr/share/ipa/updates/10-60basev3.update' should contain 'ipaExternalMember' 
:: [   PASS   ] :: BZ 915745 not found

Comment 8 errata-xmlrpc 2013-11-21 20:51:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html