Bug 1456769 - ipaAnchorUUID index incorrectly configured and then not indexed
Summary: ipaAnchorUUID index incorrectly configured and then not indexed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Mohammad Rizwan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-30 10:31 UTC by Martin Bašti 🖰
Modified: 2017-08-01 09:51 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-15.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:51:24 UTC
Target Upstream Version:


Attachments (Terms of Use)
console logs (3.14 KB, text/plain)
2017-06-09 06:10 UTC, Mohammad Rizwan
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Martin Bašti 🖰 2017-05-30 10:31:51 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/6975

Detection of the bug: configuration invalid and indexed search fails

check that the index configuration of ipaAnchorUUID is invalid


    ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w xxxxx -b "cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    cn: ipaOriginalUid      <<< buggy value
    cn: ipaAnchorUUID
    nsIndexType: eq
    nsIndexType: pres
    nsSystemIndex: false
    objectClass: top
    objectClass: nsIndex


Verify it is not working --> **'notes=U'**


    ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w xxxxx -b "<suffix>" "(ipaAnchorUUID=*)" dn
    [24/May/2017:16:31:53.392012887 +0200] conn=27 op=1 SRCH base="<suffix>" scope=2 filter="(ipaAnchorUUID=*)" attrs="distinguishedName"
    [24/May/2017:16:31:53.430503561 +0200] conn=27 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U


Workaround is to fix the config and reindex

fix the configuration


    ldapmodify -h localhost -p 389 -D "cn=directory manager" -w xxxxx
    dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    changetype: modify
    delete: cn
    cn: ipaOriginalUid
    
    ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w xxxxx -b "cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    cn: ipaAnchorUUID
    nsIndexType: eq
    nsIndexType: pres
    nsSystemIndex: false
    objectClass: top
    objectClass: nsIndex


reindex ipaAnchorUUID


    ipactl stop
    db2index -Z TEST-COM -n userRoot -s "<suffix>" -t ipaAnchorUUID
    ipactl start


Check workaround worked


    ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w xxxxx -b "<suffix>" "(ipaAnchorUUID=*)" dn
    [24/May/2017:16:41:08.779602212 +0200] conn=26 op=1 SRCH base="<suffix>" scope=2 filter="(ipaAnchorUUID=*)" attrs="distinguishedName"
    [24/May/2017:16:41:08.785696976 +0200] conn=26 op=1 RESULT err=0 tag=101 nentries=0 etime=0

Comment 5 Mohammad Rizwan 2017-06-08 11:00:41 UTC
Can we have steps for verification for this bug?

Comment 6 Martin Bašti 🖰 2017-06-08 12:30:32 UTC
Use ldapsearch 

ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w Secret123 "(ipaAnchorUUID=*)"

and check /var/log/dirsrv/slapd-*/access log. There shouldn't be "notes=U" in log entry of that search

Comment 7 Martin Bašti 🖰 2017-06-08 12:40:04 UTC
or you can check

ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

if contains exactly

dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: ipaAnchorUUID
nsIndexType: eq
nsIndexType: pres
nsSystemIndex: false
objectClass: top
objectClass: nsIndex

Comment 8 Mohammad Rizwan 2017-06-09 06:10:54 UTC
Created attachment 1286304 [details]
console logs

Comment 9 Mohammad Rizwan 2017-06-09 06:11:38 UTC
Verified using steps provided in comment #6 and #7.

version:
ipa-server-4.5.0-16.el7.x86_64
 
console logs are attached.

Comment 10 errata-xmlrpc 2017-08-01 09:51:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.