RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1529444 - ObjectclassViolation seen while adding idview with domain-resolution-order option.
Summary: ObjectclassViolation seen while adding idview with domain-resolution-order op...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-12-28 06:33 UTC by Sudhir Menon
Modified: 2018-04-10 16:50 UTC (History)
9 users (show)

Fixed In Version: ipa-4.5.4-8.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 16:49:55 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0918 0 None None None 2018-04-10 16:50:16 UTC

Description Sudhir Menon 2017-12-28 06:33:48 UTC 
Description of problem: ObjectclassViolation seen while adding idview with domain-resolution-order option.


Version-Release number of selected component (if applicable):
ipa-server-4.5.4-7.el7.x86_64
389-ds-base-1.3.7.5-11.el7.x86_64

How reproducible:Always


Steps to Reproduce:
1. Install IPA server and establish with Windows AD
2. Run the domain resolution order command
 
#ipa config-mod --domain-resolution-order='testrelm.test:pne.qe' 
Domain resolution order: testrelm.test:pne.qe

3. Add a view with the domain resolution order 
#ipa idview-add special_host_view --desc 'ID view' --domain-resolution-order='testrelm.test:pne.qe'

Actual results:
[root@master ~]# ipa config-mod --domain-resolution-order='testrelm.test:pne.qe' Domain resolution order: testrelm.test:pne.qe
[root@master ~]# ipa idview-add special_host_view --desc 'ID view' --domain-resolution-order='testrelm.test:pne.qe'
ipa: ERROR: attribute "ipaDomainResolutionOrder" not allowed

[Wed Dec 27 08:38:06.749234 2017] [:error] [pid 30252] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Dec 27 08:38:06.749382 2017] [:error] [pid 30252] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Dec 27 08:38:06.794961 2017] [:error] [pid 30252] ipa: DEBUG: Created connection context.ldap2_140579793685584
[Wed Dec 27 08:38:06.795154 2017] [:error] [pid 30252] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Dec 27 08:38:06.795242 2017] [:error] [pid 30252] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Wed Dec 27 08:38:06.810186 2017] [:error] [pid 30252] ipa: DEBUG: raw: idview_add(u'special_host_view', description=u'ID view', ipadomainresolutionorder=u'testrelm.test:pne.qe', version=u'2.228')
[Wed Dec 27 08:38:06.810545 2017] [:error] [pid 30252] ipa: DEBUG: idview_add(u'special_host_view', description=u'ID view', ipadomainresolutionorder=u'testrelm.test:pne.qe', all=False, raw=False, version=u'2.228')
[Wed Dec 27 08:38:06.811450 2017] [:error] [pid 30252] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fdb480fa0e0>
[Wed Dec 27 08:38:07.282325 2017] [:error] [pid 30252] ipa: DEBUG: raw: trust_find(None, sizelimit=0, version=u'2.228')
[Wed Dec 27 08:38:07.282723 2017] [:error] [pid 30252] ipa: DEBUG: trust_find(None, sizelimit=0, all=False, raw=False, version=u'2.228', pkey_only=False)
[Wed Dec 27 08:38:07.304696 2017] [:error] [pid 30252] ipa: DEBUG: raw: trustdomain_find(u'ipaad2016.test', None, sizelimit=0, version=u'2.228')
[Wed Dec 27 08:38:07.305166 2017] [:error] [pid 30252] ipa: DEBUG: trustdomain_find(u'ipaad2016.test', None, sizelimit=0, all=False, raw=False, version=u'2.228', pkey_only=False)
[Wed Dec 27 08:38:07.317303 2017] [:error] [pid 30252] ipa: DEBUG: raw: trustdomain_find(u'pne.qe', None, sizelimit=0, version=u'2.228')
[Wed Dec 27 08:38:07.317703 2017] [:error] [pid 30252] ipa: DEBUG: trustdomain_find(u'pne.qe', None, sizelimit=0, all=False, raw=False, version=u'2.228', pkey_only=False)
[Wed Dec 27 08:38:07.347503 2017] [:error] [pid 30252] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Dec 27 08:38:07.347543 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Wed Dec 27 08:38:07.347549 2017] [:error] [pid 30252]     result = command(*args, **options)
[Wed Dec 27 08:38:07.347555 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Dec 27 08:38:07.347559 2017] [:error] [pid 30252]     return self.__do_call(*args, **options)
[Wed Dec 27 08:38:07.347564 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Dec 27 08:38:07.347569 2017] [:error] [pid 30252]     ret = self.run(*args, **options)
[Wed Dec 27 08:38:07.347573 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Dec 27 08:38:07.347578 2017] [:error] [pid 30252]     return self.execute(*args, **options)
[Wed Dec 27 08:38:07.347582 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1190, in execute
[Wed Dec 27 08:38:07.347587 2017] [:error] [pid 30252]     self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
[Wed Dec 27 08:38:07.347607 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1100, in wrapped
[Wed Dec 27 08:38:07.347613 2017] [:error] [pid 30252]     return func(*call_args, **call_kwargs)
[Wed Dec 27 08:38:07.347618 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1109, in exc_func
[Wed Dec 27 08:38:07.347622 2017] [:error] [pid 30252]     self, keys, options, e, call_func, *args, **kwargs)
[Wed Dec 27 08:38:07.347627 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1253, in exc_callback
[Wed Dec 27 08:38:07.347632 2017] [:error] [pid 30252]     raise exc
[Wed Dec 27 08:38:07.347636 2017] [:error] [pid 30252] ObjectclassViolation: attribute "ipaDomainResolutionOrder" not allowed
[Wed Dec 27 08:38:07.347640 2017] [:error] [pid 30252] 
[Wed Dec 27 08:38:07.347894 2017] [:error] [pid 30252] ipa: INFO: [jsonserver_session] admin: idview_add/1(u'special_host_view', description=u'ID view', ipadomainresolutionorder=u'testrelm.test:pne.qe', version=u'2.228'): ObjectclassViolation
[Wed Dec 27 08:38:07.349809 2017] [:error] [pid 30252] ipa: DEBUG: Destroyed connection context.ldap2_140579793685584

Expected results:
Objectclass violation error should be fixed and view should be created as in the  example mentioned in the below url.

Additional info:
Tried testcase specified in https://www.freeipa.org/page/V4/AD_User_Short_Names
Comment 3 Sudhir Menon 2017-12-28 07:42:27 UTC 
slapd error log.

[28/Dec/2017:01:31:31.423622106 -0500] - ERR - oc_check_allowed_sv - Entry "cn=special_host_view,cn=views,cn=accounts,dc=testrelm,dc=test" -- attribute "ipaDomainResolutionOrder" not allowed
Comment 4 Florence Blanc-Renaud 2018-01-05 08:49:07 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7350
Comment 5 Christian Heimes 2018-01-09 17:07:51 UTC 
master:

    830866d Idviews: fix objectclass violation on idview-add


4.5 and 4.6 backports didn't apply cleanly. Florence, please backport your fix manually.
Comment 6 Christian Heimes 2018-01-10 08:31:33 UTC 
ipa-4-5:
    53047d6 Idviews: fix objectclass violation on idview-add
ipa-4-6:
    6c89b26 Idviews: fix objectclass violation on idview-add
Comment 8 Sudhir Menon 2018-01-22 08:57:03 UTC 
Fix is seen. Verified using 

[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.5 Beta (Maipo)

ipa-server-4.5.4-8.el7.x86_64
389-ds-base-1.3.7.5-13.el7.x86_64

[root@master ~]# ipa trust-add --two-way=true
Realm name: pne.qe
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master ~]# id aduser1
uid=1261605281(aduser1) gid=1261605281(aduser1) groups=1261605281(aduser1),1261601629(adgroup2),1261601559(adgroup1),1261600513(domain users),1261602139(adunigroup1)

[root@master ~]# ipa config-mod --domain-resolution-order='testrelm.test:pne.qe'
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: master.testrelm.test
  IPA CA servers: master.testrelm.test
  IPA NTP servers: master.testrelm.test
  IPA CA renewal master: master.testrelm.test
  IPA master capable of PKINIT: master.testrelm.test
  Domain resolution order: testrelm.test:pne.qe

[root@master ~]# ipa idview-add special_host_view --desc 'ID view' --domain-resolution-order='testrelm.test:pne.qe'
---------------------------------
Added ID View "special_host_view"
---------------------------------
  ID View Name: special_host_view
  Description: ID view
  Domain resolution order: testrelm.test:pne.qe

[Mon Jan 22 03:46:59.822978 2018] [:error] [pid 16710] ipa: INFO: [jsonserver_session] admin: config_mod/1(ipadomainresolutionorder=u'testrelm.test:pne.qe', version=u'2.228'): SUCCESS
[Mon Jan 22 03:49:11.835471 2018] [:error] [pid 16709] ipa: INFO: [jsonserver_session] admin: idview_add/1(u'special_host_view', description=u'ID view', ipadomainresolutionorder=u'testrelm.test:pne.qe', version=u'2.228'): SUCCESS
Comment 11 errata-xmlrpc 2018-04-10 16:49:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918
Note You need to log in before you can comment on or make changes to this bug.