Bug 1533571 - memberof: schema violation error message is confusing as memberof will likely repair target entry
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: thierry bordaz
QA Contact: Viktor Ashirov
Marc Muehlfeld
Depends On:
Reported: 2018-01-11 16:32 UTC by mreynolds
Modified: 2022-03-13 14:37 UTC (History)

Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
The *memberOf* plug-in now logs all update attempts of the *memberOf* attribute

In certain situations, Directory Server fails to update the "memberOf" attribute of a user entry. In this case, the *memberOf* plug-in logs an error message and forces the update. In the previous Directory Server version, the second try was not logged if it was successful. Consequently, the log entries were misleading, because only the failed attempt was logged. With this update, the *memberOf* plug-in also logs the successful update if the first try failed. As a result, the plug-in now logs the initial failure, and the subsequent successful retry as well.
Clone Of:
Last Closed: 2018-04-10 14:23:50 UTC
Target Upstream Version:

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github 389ds 389-ds-base issues | 2582 | 0 | None | closed | memberof: schema violation error message is confusing as memberof will likely repair target entry | 2020-11-16 07:45:34 UTC |
| Red Hat Product Errata | RHBA-2018:0811 | 0 | None | None | None | 2018-04-10 14:24:44 UTC |

Description mreynolds 2018-01-11 16:32:41 UTC
This bug is created as a clone of upstream ticket:

#### Issue Description
When memberof is enabled it adds the 'memberof' attribute to member entries. If a member entry does not have the appropriate objectclass to support the 'memberof' attribute, an ERR is logged.

    [05/Jan/2018:12:46:22.803032331 +0100] - ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed

This is confusing because memberof will catch this violation and may try to repair it. So although this message is alarming, the target entry may finally have the 'memberof' attribute.

This is especially confusing since https://pagure.io/389-ds-base/issue/48985 where the repair operation is done by default (if schema is violated)

We can not (and should not) eliminate the schema violation message. But memberof should log an additional warning (beside the schema violation msg) stating it repaired the violation.

#### Package Version and Platform
Any version

#### Steps to reproduce

1. Run the attached testcase

#### Actual results

    [05/Jan/2018:12:46:22.803032331 +0100] - ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed

#### Expected results

    [05/Jan/2018:12:46:22.803032331 +0100] - ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
    [05/Jan/2018:12:46:22.803032331 +0100] - WARN - memberof-plugin - Entry "cn=user_1,ou=People,dc=example,dc=com" schema violation caught - repair operation succeeded

Comment 3 Amita Sharma 2018-01-29 07:59:23 UTC
    [root@qeos-13 memberof_plugin]# pytest -s -v regression_test.py::test_scheme_violation_errors_logged
    ================================================================ test session starts =================================================================
    platform linux -- Python 3.6.3, pytest-3.3.2, py-1.5.2, pluggy-0.6.0 -- /opt/rh/rh-python36/root/usr/bin/python3
    cachedir: .cache
    metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-837.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'pytest': '3.3.2', 'py': '1.5.2', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.5.1', 'html': '1.16.1'}}
    nss: 3.34.0-4.el7
    nspr: 4.17.0-1.el7
    openldap: 2.4.44-12.el7
    svrcore: 4.1.3-2.el7

    INFO:regression_test:pattern = .*oc_check_allowed_sv.*uid=user_,ou=People,dc=example,dc=com.*memberOf.*not allowed.*
    PASSED                                                                                 [100%]

    ============================================================= 1 passed in 44.70 seconds ==============================================================
    [root@qeos-13 memberof_plugin]# tail-f /var/log/dirsrv/slapd-master1/errors
    bash: tail-f: command not found
    [root@qeos-13 memberof_plugin]# tail -f /var/log/dirsrv/slapd-master1/errors
    [29/Jan/2018:02:54:18.493721519 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
    [29/Jan/2018:02:54:18.502513485 -0500] - NOTICE - ldbm_back_start - found 1882792k physical memory
    [29/Jan/2018:02:54:18.503637342 -0500] - NOTICE - ldbm_back_start - found 1475504k available
    [29/Jan/2018:02:54:18.504185702 -0500] - NOTICE - ldbm_back_start - cache autosizing: db cache: 47069k
    [29/Jan/2018:02:54:18.504747775 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (1 total): 131072k
    [29/Jan/2018:02:54:18.505698919 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (1 total): 65536k
    [29/Jan/2018:02:54:18.506490075 -0500] - NOTICE - ldbm_back_start - total cache size: 239886172 B;
    [29/Jan/2018:02:54:18.596097668 -0500] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 39001 for LDAP requests
    [29/Jan/2018:02:54:18.692715170 -0500] - ERR - oc_check_allowed_sv - Entry "uid=user_,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
    [29/Jan/2018:02:54:18.694605131 -0500] - WARN - memberof-plugin - Entry uid=user_,ou=People,dc=example,dc=com - schema violation caught - repair operation succeeded

Hence marking as verified.
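
Added example (not part of this bug report or of the 389-ds-base code): a log triage helper that pairs each `oc_check_allowed_sv` ERR for `memberOf` with the `memberof-plugin` repair WARN shown in comment 3, so only entries with no logged repair are left for review. It assumes a server that includes this fix; `correlate`, `norm_dn` and the third sample line are constructed for the example.

```python
import re

# Schema-check failure for memberOf, in the format shown on this page.
VIOLATION = re.compile(
    r'- ERR - oc_check_allowed_sv - Entry "(?P<dn>[^"]+)" -- '
    r'attribute "memberOf" not allowed')
# Repair notice the fixed plug-in logs after a successful retry.
REPAIR = re.compile(
    r'- WARN - memberof-plugin - Entry "?(?P<dn>.+?)"?\s+(?:-\s+)?'
    r'schema violation caught - repair operation succeeded')


def norm_dn(dn):
    # Simplified DN normalisation (assumption): trims spacing around RDNs
    # and lowercases; escaped commas inside values are not handled.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def correlate(lines):
    """Return (repaired, unrepaired) DN lists for memberOf violations."""
    pending, repaired = {}, []
    for line in lines:
        m = VIOLATION.search(line)
        if m:
            pending[norm_dn(m.group("dn"))] = line
            continue
        m = REPAIR.search(line)
        if m and norm_dn(m.group("dn")) in pending:
            dn = norm_dn(m.group("dn"))
            del pending[dn]
            repaired.append(dn)
    return repaired, list(pending)


# First two lines are from comment 3; the third is constructed for the example.
SAMPLE = [
    '[29/Jan/2018:02:54:18.692715170 -0500] - ERR - oc_check_allowed_sv - '
    'Entry "uid=user_,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed',
    '[29/Jan/2018:02:54:18.694605131 -0500] - WARN - memberof-plugin - '
    'Entry uid=user_,ou=People,dc=example,dc=com - schema violation caught - '
    'repair operation succeeded',
    '[29/Jan/2018:02:55:01.000000000 -0500] - ERR - oc_check_allowed_sv - '
    'Entry "uid=user_2,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed',
]

if __name__ == "__main__":
    repaired, unrepaired = correlate(SAMPLE)
    print("repaired:", repaired)
    print("no repair logged:", unrepaired)
```

On a build without this fix no repair WARN is ever written, so every violation would be reported as having no logged repair.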

Comment 7 errata-xmlrpc 2018-04-10 14:23:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

