Bug 1533571 - memberof: schema violation error message is confusing as memberof will likely repair target entry
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: thierry bordaz
QA Contact: Viktor Ashirov
Marc Muehlfeld
Reported: 2018-01-11 16:32 UTC by mreynolds
Modified: 2022-03-13 14:37 UTC

Fixed In Version: 389-ds-base-1.3.7.5-13
Doc Type: Bug Fix
Doc Text:
The *memberOf* plug-in now logs all update attempts of the *memberOf* attribute

In certain situations, Directory Server fails to update the "memberOf" attribute of a user entry. In this case, the *memberOf* plug-in logs an error message and forces the update. In the previous Directory Server version, the second try was not logged if it was successful. Consequently, the log entries were misleading, because only the failed attempt was logged. With this update, the *memberOf* plug-in also logs the successful update if the first try failed. As a result, the plug-in now logs the initial failure, and the subsequent successful retry as well.
Last Closed: 2018-04-10 14:23:50 UTC
Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
| --- | --- | --- | --- | --- | --- | --- |
| Github | 389ds 389-ds-base issues 2582 | 0 | None | closed | memberof: schema violation error message is confusing as memberof will likely repair target entry | 2020-11-16 07:45:34 UTC |
| Red Hat Product Errata | RHBA-2018:0811 | 0 | None | None | None | 2018-04-10 14:24:44 UTC |

Description mreynolds 2018-01-11 16:32:41 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49523

#### Issue Description
When memberof is enabled it adds the 'memberof' attribute to member entries. If a member entry does not have the appropriate objectclass to support the 'memberof' attribute, an ERR is logged.

    [05/Jan/2018:12:46:22.803032331 +0100] - ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed


This is confusing because memberof will catch this violation and may try to repair it. So although this message is alarming, the target entry may finally have the 'memberof' attribute.

This is especially confusing since https://pagure.io/389-ds-base/issue/48985 where the repair operation is done by default (if schema is violated)

We can not (and should not) eliminate the schema violation message. But memberof should log an additional warning (beside the schema violation msg) stating it repaired the violation.


#### Package Version and Platform
Any version


#### Steps to reproduce

1. Run the attached testcase

#### Actual results

    [05/Jan/2018:12:46:22.803032331 +0100] - ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed


#### Expected results

    [05/Jan/2018:12:46:22.803032331 +0100] - ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
    [05/Jan/2018:12:46:22.803032331 +0100] - WARN - memberof-plugin - Entry "cn=user_1,ou=People,dc=example,dc=com" schema violation caught - repair operation succeeded

Comment 3 Amita Sharma 2018-01-29 07:59:23 UTC
[root@qeos-13 memberof_plugin]# pytest -s -v regression_test.py::test_scheme_violation_errors_logged
================================================================ test session starts =================================================================
platform linux -- Python 3.6.3, pytest-3.3.2, py-1.5.2, pluggy-0.6.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .cache
metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-837.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'pytest': '3.3.2', 'py': '1.5.2', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.5.1', 'html': '1.16.1'}}
389-ds-base: 1.3.7.5-14.el7
nss: 3.34.0-4.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-12.el7
svrcore: 4.1.3-2.el7


INFO:regression_test:pattern = .*oc_check_allowed_sv.*uid=user_,ou=People,dc=example,dc=com.*memberOf.*not allowed.*
PASSED                                                                                 [100%]

============================================================= 1 passed in 44.70 seconds ==============================================================
[root@qeos-13 memberof_plugin]# tail-f /var/log/dirsrv/slapd-master1/errors
bash: tail-f: command not found
[root@qeos-13 memberof_plugin]# tail -f /var/log/dirsrv/slapd-master1/errors
[29/Jan/2018:02:54:18.493721519 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[29/Jan/2018:02:54:18.502513485 -0500] - NOTICE - ldbm_back_start - found 1882792k physical memory
[29/Jan/2018:02:54:18.503637342 -0500] - NOTICE - ldbm_back_start - found 1475504k available
[29/Jan/2018:02:54:18.504185702 -0500] - NOTICE - ldbm_back_start - cache autosizing: db cache: 47069k
[29/Jan/2018:02:54:18.504747775 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (1 total): 131072k
[29/Jan/2018:02:54:18.505698919 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (1 total): 65536k
[29/Jan/2018:02:54:18.506490075 -0500] - NOTICE - ldbm_back_start - total cache size: 239886172 B; 
[29/Jan/2018:02:54:18.596097668 -0500] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 39001 for LDAP requests
[29/Jan/2018:02:54:18.692715170 -0500] - ERR - oc_check_allowed_sv - Entry "uid=user_,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
[29/Jan/2018:02:54:18.694605131 -0500] - WARN - memberof-plugin - Entry uid=user_,ou=People,dc=example,dc=com - schema violation caught - repair operation succeeded

Hence marking as verified.
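
Added example (not part of this bug report or of the 389-ds-base project): a log triage sketch that pairs each `oc_check_allowed_sv` memberOf violation with the `memberof-plugin` repair line shown above, so only entries with no logged repair are flagged. The function names are hypothetical, the last sample line is constructed, and it assumes a build that emits the WARN line (389-ds-base-1.3.7.5-13 or later); on older builds every violation is reported as unrepaired.

```python
import re

# Patterns follow the two error-log lines quoted in this bug report.
VIOLATION = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - ERR - oc_check_allowed_sv - '
    r'Entry "(?P<dn>[^"]+)" -- attribute "memberOf" not allowed\s*$')
REPAIR = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - WARN - memberof-plugin - '
    r'Entry "?(?P<dn>.+?)"? - schema violation caught - '
    r'repair operation succeeded\s*$')

def norm_dn(dn):
    # Simplified DN normalization (assumption: no escaped commas in RDN values).
    return ",".join(part.strip().lower() for part in dn.split(","))

def triage(lines):
    """Return (repaired, unrepaired) lists of (timestamp, dn) violations."""
    pending = {}   # normalized DN -> violations still waiting for a repair line
    repaired = []
    for line in lines:
        m = VIOLATION.match(line)
        if m:
            pending.setdefault(norm_dn(m['dn']), []).append((m['ts'], m['dn']))
            continue
        m = REPAIR.match(line)
        if m:
            queue = pending.get(norm_dn(m['dn']))
            if queue:              # ignore repair lines with no prior violation
                repaired.append(queue.pop(0))
    unrepaired = [v for queue in pending.values() for v in queue]
    return repaired, unrepaired

# First three lines are taken from the comment above; the last is constructed.
SAMPLE = """\
[29/Jan/2018:02:54:18.596097668 -0500] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 39001 for LDAP requests
[29/Jan/2018:02:54:18.692715170 -0500] - ERR - oc_check_allowed_sv - Entry "uid=user_,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
[29/Jan/2018:02:54:18.694605131 -0500] - WARN - memberof-plugin - Entry uid=user_,ou=People,dc=example,dc=com - schema violation caught - repair operation succeeded
[29/Jan/2018:02:54:19.100000000 -0500] - ERR - oc_check_allowed_sv - Entry "uid=svc_x,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
""".splitlines()

if __name__ == "__main__":
    fixed, broken = triage(SAMPLE)
    for ts, dn in broken:
        print(f"memberOf violation with no repair logged: {dn} at {ts}")
```
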

Comment 7 errata-xmlrpc 2018-04-10 14:23:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811
