Bug 1678517 - ipa role-mod DatabaseError changing cn
Summary: ipa role-mod DatabaseError changing cn
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On: 1683259
Blocks: 1690024
Reported: 2019-02-19 01:06 UTC by Scott Poore
Modified: 2020-11-14 17:24 UTC (History)

Fixed In Version: 389-ds-base-1.4.1.3-5.module+el8.1.0+3776+ece1ae4c
Clone Of:
: 1690024 (view as bug list)
Environment:
Last Closed: 2019-11-05 21:00:18 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
dirsrv logs for privilege mod with trace enabled (764.45 KB, application/gzip)
2019-02-19 22:04 UTC, Scott Poore


Links
System: Red Hat Product Errata
ID: RHSA-2019:3401
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2019-11-05 21:01:32 UTC

Description Scott Poore 2019-02-19 01:06:45 UTC
Description of problem:

ipa role-mod is returning an operations error when changing cn.  In httpd/error_log I see:

[Mon Feb 18 18:42:24.493802 2019] [:warn] [pid 20449:tid 140667955111680] [client 192.168.122.87:37560] failed to set perms (3140) on file (/run/ipa/ccaches/admin)!, referer: https://master.testrelm.test/ipa/xml
[Mon Feb 18 18:42:24.541646 2019] [wsgi:error] [pid 20446:tid 140668215265024] [remote 192.168.122.87:37560] ipa: INFO: [jsonserver_session] admin: role_mod/1('roleA', setattr=('cn=roleAb',), all=True, version='2.230'): DatabaseError

In the dirsrv/slapd errors log I see:


[18/Feb/2019:18:42:24.536311877 -0600] - ERR - memberof-plugin - memberof_postop_modrdn - Update failed for (cn=roleA,cn=roles,cn=accounts,dc=testrelm,dc=test), error (1)


Version-Release number of selected component (if applicable):
ipa-server-4.7.1-10.module+el8+2699+aa606a46.x86_64


How reproducible:
always

Steps to Reproduce:
1. install ipa server
2. setup rbac rules like this:

ipa user-add --first=user --last=one userA
ipa group-add groupA
ipa group-add-member groupA --users=userA
ipa permission-add permA --right=write --targetgroup=groupA --attr=description
ipa privilege-add privA --desc=privA
ipa privilege-add-permission privA --permission=permA
ipa role-add roleA --desc=roleA
ipa role-add-privilege roleA --privileges=privA
ipa role-add-member roleA --users=userA --all
ipa permission-mod permA --attrs=description --attrs=member
ipa --debug role-mod roleA --setattr='cn=roleAb' --all



Actual results:
[root@master ~]# ipa --debug role-mod roleA --setattr='cn=roleAb' --all
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$9af13900...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$9af13900.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=vTZ%2b3ROriux7ShRlL9t96CuPUYHRckW0D%2fj8ftgwUA1xb6HmNBbsp%2f%2bkVPqYMRNjNfZLPiB%2b9d3EY0pUfEfhHrbYExxLb7fLYrW2RhVstHNymXI05CReqNDgsVbeixtfbUvc%2feK4lbLuN3L4x9qMEXQIRqy5TGI5HDMns9fXpo8Sl7%2fYZ30DhD0zntmN8zV9'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=vTZ%2b3ROriux7ShRlL9t96CuPUYHRckW0D%2fj8ftgwUA1xb6HmNBbsp%2f%2bkVPqYMRNjNfZLPiB%2b9d3EY0pUfEfhHrbYExxLb7fLYrW2RhVstHNymXI05CReqNDgsVbeixtfbUvc%2feK4lbLuN3L4x9qMEXQIRqy5TGI5HDMns9fXpo8Sl7%2fYZ30DhD0zntmN8zV9;'
ipa: DEBUG: trying https://master.testrelm.test/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139944100222064
ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.230')
ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://master.testrelm.test/ipa/session/json'
ipa: DEBUG: New HTTP connection (master.testrelm.test)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=vTZ%2b3ROriux7ShRlL9t96CuPUYHRckW0D%2fj8ftgwUA1xb6HmNBbsp%2f%2bkVPqYMRNjNfZLPiB%2b9d3EY0pUfEfhHrbYExxLb7fLYrW2RhVstHNymXI05CReqNDgsVbeixtfbUvc%2feK4lbLuN3L4x9qMEXQIRqy5TGI5HDMns9fXpo8Sl7%2fYZ30DhD0zntmN8zV9;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=vTZ%2b3ROriux7ShRlL9t96CuPUYHRckW0D%2fj8ftgwUA1xb6HmNBbsp%2f%2bkVPqYMRNjNfZLPiB%2b9d3EY0pUfEfhHrbYExxLb7fLYrW2RhVstHNymXI05CReqNDgsVbeixtfbUvc%2feK4lbLuN3L4x9qMEXQIRqy5TGI5HDMns9fXpo8Sl7%2fYZ30DhD0zntmN8zV9;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_139944100222064
ipa: ERROR: Operations error: 


Expected results:
cn is changed

Additional info:

Comment 1 Rob Crittenden 2019-02-19 18:06:53 UTC
Thierry, what data should we gather for this? I suspect it is a bug in 389.

Comment 2 Scott Poore 2019-02-19 18:58:39 UTC
I'm not sure if this helps, but I re-ran the test with ACI summary and plugin debugging enabled and I see this:

[root@master slapd-TESTRELM-TEST]# grep 12:21:42 *
access:[19/Feb/2019:12:21:42.214505986 -0600] conn=38 op=1 RESULT err=1 tag=109 nentries=0 etime=0.1176775035
access:[19/Feb/2019:12:21:42.216843595 -0600] conn=38 op=2 UNBIND
access:[19/Feb/2019:12:21:42.216892479 -0600] conn=38 op=2 fd=106 closed - U1
errors:[19/Feb/2019:12:21:42.005295408 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=rolebb,cn=roles,cn=accounts,dc=testrelm,dc=test" ("replace:modifiersname,replace:entryusn" not in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:12:21:42.011204958 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=rolebb,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:modifiersname,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:12:21:42.017033877 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=rolebb,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:modifiersname,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:12:21:42.022794024 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.028625821 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.034314711 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:12:21:42.040182006 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:12:21:42.048650844 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.053833029 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.059597142 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:12:21:42.065030877 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:12:21:42.108468678 -0600] - DEBUG - schema-compat-plugin - renamed "cn=roleb,cn=roles,cn=accounts,dc=testrelm,dc=test" to "cn=rolebb,cn=roles,cn=accounts,dc=testrelm,dc=test"
errors:[19/Feb/2019:12:21:42.112578245 -0600] - DEBUG - memberof-plugin - memberof_modop_one_replace_r - REPLACE cn=roleb,cn=roles,cn=accounts,dc=testrelm,dc=test in uid=userb,cn=users,cn=accounts,dc=testrelm,dc=test
errors:[19/Feb/2019:12:21:42.116592712 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:12:21:42.120574229 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:12:21:42.124308479 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.128114203 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.131893761 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:12:21:42.135929137 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:12:21:42.140612696 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:12:21:42.146250758 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.151759643 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.157417374 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:12:21:42.163278600 -0600] - ERR - memberof-plugin - memberof_postop_modrdn - Update failed for (cn=roleB,cn=roles,cn=accounts,dc=testrelm,dc=test), error (1)
errors:[19/Feb/2019:12:21:42.168789170 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.174476342 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.180302984 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:12:21:42.185864632 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:12:21:42.191434613 -0600] - DEBUG - schema-compat-plugin - post-modrdn entry is NULL
errors:[19/Feb/2019:12:21:42.197212265 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.202796720 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.208214776 -0600] - DEBUG - roles-plugin - <-- roles_post_op

I also tried running with ACL processing (128), but when I do, I get ipa timeout exceeded errors.
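
Added example (not part of the bug report and not 389-ds-base or IPA code): a Python triage script for the log format shown in Comment 2, pairing each plugin "Update failed" ERR line with the non-zero access-log RESULT that follows it. The function names and the one-second correlation window are assumptions; the sample lines are copied from Comment 2, and the result-code and tag names are the standard LDAP ones (err=1 is operationsError, tag=109 is the ModifyDN response).

```python
import re
from datetime import datetime, timedelta

# Lines copied from the grep output in Comment 2 (grep's file-name prefix kept).
SAMPLE = """\
access:[19/Feb/2019:12:21:42.214505986 -0600] conn=38 op=1 RESULT err=1 tag=109 nentries=0 etime=0.1176775035
errors:[19/Feb/2019:12:21:42.108468678 -0600] - DEBUG - schema-compat-plugin - renamed "cn=roleb,cn=roles,cn=accounts,dc=testrelm,dc=test" to "cn=rolebb,cn=roles,cn=accounts,dc=testrelm,dc=test"
errors:[19/Feb/2019:12:21:42.163278600 -0600] - ERR - memberof-plugin - memberof_postop_modrdn - Update failed for (cn=roleB,cn=roles,cn=accounts,dc=testrelm,dc=test), error (1)
errors:[19/Feb/2019:12:21:42.191434613 -0600] - DEBUG - schema-compat-plugin - post-modrdn entry is NULL
"""

# "[dd/Mon/yyyy:HH:MM:SS.nnnnnnnnn +zzzz] rest", with an optional "file:" prefix
# as added by `grep <pattern> *`.
LINE_RE = re.compile(
    r"^(?:(?P<file>[^:\[]+):)?"
    r"\[(?P<stamp>[^.\]]+)\.(?P<nanos>\d{9}) (?P<tz>[+-]\d{4})\]\s+(?P<rest>.*)$"
)
# Errors-log line of the form seen in this bug.
PLUGIN_ERR_RE = re.compile(
    r"^- ERR - (?P<plugin>\S+) - (?P<function>\S+) - "
    r"Update failed for \((?P<dn>.+)\), error \((?P<rc>-?\d+)\)$"
)
# Access-log RESULT line.
RESULT_RE = re.compile(
    r"^conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)"
)

# Only the LDAP codes that appear on this page, plus success for contrast.
LDAP_RESULT = {0: "success", 1: "operationsError"}
LDAP_TAG = {103: "ModifyResponse", 109: "ModifyDNResponse"}


def parse_line(line):
    """Return (timestamp, rest) for a log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['stamp']} {m['tz']}", "%d/%b/%Y:%H:%M:%S %z")
    # The logs carry nanoseconds; datetime holds microseconds, so truncate.
    return ts.replace(microsecond=int(m["nanos"][:6])), m["rest"]


def correlate(text, window=timedelta(seconds=1)):
    """Pair each plugin ERR line with failed RESULT lines logged within `window` after it."""
    failures, results = [], []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, rest = parsed
        err = PLUGIN_ERR_RE.match(rest)
        res = RESULT_RE.match(rest)
        if err:
            failures.append({
                "time": ts,
                "plugin": err["plugin"],
                "function": err["function"],
                "dn": err["dn"],
                "rc": int(err["rc"]),
                "results": [],
            })
        elif res and int(res["err"]) != 0:
            code, tag = int(res["err"]), int(res["tag"])
            results.append({
                "time": ts,
                "conn": int(res["conn"]),
                "op": int(res["op"]),
                "err": code,
                "err_name": LDAP_RESULT.get(code, "unknown"),
                "tag": tag,
                "tag_name": LDAP_TAG.get(tag, "unknown"),
            })
    # The RESULT is written after the post-op plugin has failed, so only look forward.
    for failure in failures:
        for result in results:
            delay = result["time"] - failure["time"]
            if timedelta(0) <= delay <= window:
                failure["results"].append(
                    {**result, "delay_us": delay // timedelta(microseconds=1)}
                )
    return failures


if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f"{f['time'].isoformat()} {f['plugin']}/{f['function']} rc={f['rc']} dn={f['dn']}")
        for r in f["results"]:
            print(f"  -> conn={r['conn']} op={r['op']} err={r['err']} ({r['err_name']}) "
                  f"tag={r['tag']} ({r['tag_name']}) +{r['delay_us']}us")
```
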

Comment 3 Scott Poore 2019-02-19 20:40:00 UTC
FYI, I also saw similar with an "ipa privilege-mod --rename" command:

[root@master slapd-TESTRELM-TEST]# ipa privilege-mod 'HBAC Administrator' --rename 'hbacadmins'
ipa: ERROR: Operations error: 

[root@master slapd-TESTRELM-TEST]# less /var/log/httpd/error_log 

[root@master slapd-TESTRELM-TEST]# grep 14:36:47 *
errors:[19/Feb/2019:14:36:47.005874133 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.011784939 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.017889265 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.024003603 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.029694977 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.035757609 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.045234220 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.050907126 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.056471446 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.061990726 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.071592385 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.077576128 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.083824412 -0600] - DEBUG - NS7bitAttr - preop_modify - MODIFY begin
errors:[19/Feb/2019:14:36:47.090074775 -0600] - DEBUG - dna-plugin - dna_be_txn_pre_op - Entry does not match filter
errors:[19/Feb/2019:14:36:47.097281027 -0600] - DEBUG - schema-compat-plugin - modified "cn=System: Add HBAC Rule,cn=permissions,cn=pbac,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.102859991 -0600] - DEBUG - schema-compat-plugin - "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=users", before or after modify
errors:[19/Feb/2019:14:36:47.108377824 -0600] - DEBUG - schema-compat-plugin - "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=ng", before or after modify
errors:[19/Feb/2019:14:36:47.114141853 -0600] - DEBUG - schema-compat-plugin - "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=groups", before or after modify
errors:[19/Feb/2019:14:36:47.119805368 -0600] - DEBUG - schema-compat-plugin - "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=computers", before or after modify
errors:[19/Feb/2019:14:36:47.125793162 -0600] - DEBUG - schema-compat-plugin - "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" not in "ou=sudoers,dc=testrelm,dc=test"/"", before or after modify
errors:[19/Feb/2019:14:36:47.131795587 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.138140596 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.144006643 -0600] - DEBUG - schema-compat-plugin - interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.150155421 -0600] - DEBUG - schema-compat-plugin - updating deref_r[0] references for "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.156184511 -0600] - DEBUG - schema-compat-plugin - searching for references to "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" (link=1, attributes="","member")
errors:[19/Feb/2019:14:36:47.162056662 -0600] - DEBUG - schema-compat-plugin - searching from "cn=groups,cn=accounts,dc=testrelm,dc=test" for "(member=cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test)" with scope 1
errors:[19/Feb/2019:14:36:47.168323211 -0600] - DEBUG - schema-compat-plugin - searching from "cn=users,cn=accounts,dc=testrelm,dc=test" for "(member=cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test)" with scope 1
errors:[19/Feb/2019:14:36:47.174693807 -0600] - DEBUG - schema-compat-plugin - no more references to chase (link=1, attributes="","member")
errors:[19/Feb/2019:14:36:47.180617163 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.186746717 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.192667818 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.198712348 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.204486735 -0600] - DEBUG - schema-compat-plugin - interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.210529937 -0600] - DEBUG - schema-compat-plugin - updating deref_r[0] references for "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.216611765 -0600] - DEBUG - schema-compat-plugin - searching for references to "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" (link=1, attributes="","member")
errors:[19/Feb/2019:14:36:47.222617380 -0600] - DEBUG - schema-compat-plugin - searching from "cn=groups,cn=accounts,dc=testrelm,dc=test" for "(member=cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test)" with scope 1
errors:[19/Feb/2019:14:36:47.228913518 -0600] - DEBUG - schema-compat-plugin - searching from "cn=users,cn=accounts,dc=testrelm,dc=test" for "(member=cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test)" with scope 1
errors:[19/Feb/2019:14:36:47.234961213 -0600] - DEBUG - schema-compat-plugin - no more references to chase (link=1, attributes="","member")
errors:[19/Feb/2019:14:36:47.240824972 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.246612074 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.253299712 -0600] - DEBUG - memberof-plugin - memberof_modop_one_replace_r - ADD cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test in cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test
errors:[19/Feb/2019:14:36:47.259168262 -0600] - DEBUG - memberof-plugin - memberof_modop_one_replace_r - Descending into group cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test
errors:[19/Feb/2019:14:36:47.265268806 -0600] - DEBUG - memberof-plugin - memberof_modop_one_replace_r - ADD cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test in cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test
errors:[19/Feb/2019:14:36:47.277695210 -0600] - DEBUG - memberof-plugin - memberof_fix_memberof_callback: free cached values for cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test
errors:[19/Feb/2019:14:36:47.284693513 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.290826252 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.297022597 -0600] - DEBUG - NS7bitAttr - preop_modify - MODIFY begin
errors:[19/Feb/2019:14:36:47.302922402 -0600] - DEBUG - dna-plugin - dna_be_txn_pre_op - Entry does not match filter
errors:[19/Feb/2019:14:36:47.310074386 -0600] - DEBUG - schema-compat-plugin - modified "cn=IT Security Specialist,cn=roles,cn=accounts,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.316209897 -0600] - DEBUG - schema-compat-plugin - "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=users", before or after modify
errors:[19/Feb/2019:14:36:47.321907092 -0600] - DEBUG - schema-compat-plugin - "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=ng", before or after modify
errors:[19/Feb/2019:14:36:47.327314137 -0600] - DEBUG - schema-compat-plugin - "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=groups", before or after modify
errors:[19/Feb/2019:14:36:47.332851044 -0600] - DEBUG - schema-compat-plugin - "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=computers", before or after modify
errors:[19/Feb/2019:14:36:47.338558617 -0600] - DEBUG - schema-compat-plugin - "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" not in "ou=sudoers,dc=testrelm,dc=test"/"", before or after modify
errors:[19/Feb/2019:14:36:47.344255559 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.349880139 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.355800304 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.361753006 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.367820603 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.373738695 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.379734576 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.385814881 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.391121474 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.396775802 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.402508308 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.407995833 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.414067760 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.419812857 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.434115705 -0600] - DEBUG - memberof-plugin - add_ancestors_cbdata: Ancestors of cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test contained 9 groups. 9 added. 
errors:[19/Feb/2019:14:36:47.440803537 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.446602798 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.453002965 -0600] - DEBUG - NS7bitAttr - preop_modify - MODIFY begin
errors:[19/Feb/2019:14:36:47.459039805 -0600] - DEBUG - dna-plugin - dna_be_txn_pre_op - Entry does not match filter
errors:[19/Feb/2019:14:36:47.465671988 -0600] - DEBUG - schema-compat-plugin - modified "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.472072264 -0600] - DEBUG - schema-compat-plugin - "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=users", before or after modify
errors:[19/Feb/2019:14:36:47.477766291 -0600] - DEBUG - schema-compat-plugin - "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=ng", before or after modify
errors:[19/Feb/2019:14:36:47.483828158 -0600] - DEBUG - schema-compat-plugin - "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=groups", before or after modify
errors:[19/Feb/2019:14:36:47.489778929 -0600] - DEBUG - schema-compat-plugin - "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=computers", before or after modify
errors:[19/Feb/2019:14:36:47.495524421 -0600] - DEBUG - schema-compat-plugin - "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" not in "ou=sudoers,dc=testrelm,dc=test"/"", before or after modify
errors:[19/Feb/2019:14:36:47.501204939 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.506993671 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.512915076 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.518962175 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.525032346 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.530987807 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.537015419 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.543779330 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.551314250 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.557105988 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.562974814 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.568982782 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.574993197 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.581190569 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.594254071 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.599866842 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.605666542 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.611420292 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.637204049 -0600] - DEBUG - schema-compat-plugin - renamed "cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=test" to "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.643377139 -0600] - DEBUG - memberof-plugin - memberof_modop_one_replace_r - REPLACE cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=test in cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test
errors:[19/Feb/2019:14:36:47.649891256 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.656026183 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.662052522 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.667881698 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.673747944 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.680402165 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.686332205 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.692342492 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.697859998 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.703512229 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.709242056 -0600] - ERR - memberof-plugin - memberof_postop_modrdn - Update failed for (cn=HBAC Administrator,cn=privileges,cn=pbac,dc=testrelm,dc=test), error (1)
errors:[19/Feb/2019:14:36:47.714938834 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.720268459 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.725826499 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.731746083 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.738002644 -0600] - DEBUG - schema-compat-plugin - post-modrdn entry is NULL
errors:[19/Feb/2019:14:36:47.743587535 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.750806474 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.756985650 -0600] - DEBUG - roles-plugin - <-- roles_post_op

Comment 4 Scott Poore 2019-02-19 21:14:28 UTC
I can't (yet anyway) seem to reproduce this with users/groups.

[root@master ~]# ipa user-mod testuser --rename=user1
------------------------
Modified user "testuser"
------------------------
  User login: user1
  First name: test
  Last name: user
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1, testuser
  Email address: testuser
  UID: 954800003
  GID: 954800003
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa group-mod testgroup --setattr='cn=testgroup1'
--------------------------
Modified group "testgroup"
--------------------------
  Group name: testgroup1
  GID: 954800005
[root@master ~]# ipa group-show testgroup1
  Group name: testgroup1
  GID: 954800005

Comment 5 Scott Poore 2019-02-19 22:04:15 UTC
Created attachment 1536527 [details]
dirsrv logs for privilege mod with trace enabled

Comment 6 Scott Poore 2019-02-20 15:04:34 UTC
FYI, version:
389-ds-base-1.4.0.20-7.module+el8+2750+1f4079fb.x86_64

Comment 7 mreynolds 2019-02-25 14:49:21 UTC
We need an exception for this bug, as it causes incorrect error codes to be returned, which incorrectly causes normal operations to fail. But worse, it also corrupts the entry cache and causes invalid entries to be returned to clients, and valid entries can become hidden from clients.

Comment 8 mreynolds 2019-02-25 14:58:47 UTC
https://pagure.io/389-ds-base/issue/50236   --> this is the cause of the error 1, which then triggered ticket 50238

https://pagure.io/389-ds-base/issue/50238   --> this is the cause of the error 32 following the modrdn failure
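
A check an administrator could run over a dirsrv errors log to spot the failure signature seen in the log excerpt above: the `memberof_postop_modrdn` update failure followed by schema-compat reporting a NULL post-modrdn entry. This is an added example, not part of the bug report or of 389-ds-base; the regexes are inferred from the log lines on this page, and the function names and the one-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# 389-ds error-log line. The "errors:" prefix is optional: it appears in this
# report's excerpt but is assumed absent when reading the log file directly.
LINE = re.compile(
    r"^(?:errors:)?\[(?P<ts>[^.\]]+)\.(?P<frac>\d+) (?P<tz>[+-]\d{4})\] - "
    r"(?P<level>\w+) - (?P<plugin>[\w-]+) - (?P<msg>.*)$"
)
MODRDN_FAIL = re.compile(
    r"^memberof_postop_modrdn - Update failed for \((?P<dn>.*)\), "
    r"error \((?P<rc>-?\d+)\)$"
)
NULL_ENTRY = "post-modrdn entry is NULL"


def parse(line):
    """Return (timestamp, level, plugin, message), or None if the line does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['tz']}", "%d/%b/%Y:%H:%M:%S %z")
    # The log carries nanoseconds; datetime keeps microseconds only.
    ts += timedelta(microseconds=int(m["frac"][:6].ljust(6, "0")))
    return ts, m["level"], m["plugin"], m["msg"]


def find_modrdn_failures(lines, window=timedelta(seconds=1)):
    """List memberof modrdn failures and whether a NULL post-modrdn entry followed."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, level, plugin, msg = rec
        fail = MODRDN_FAIL.match(msg)
        if level == "ERR" and plugin == "memberof-plugin" and fail:
            findings.append({"time": ts, "dn": fail["dn"],
                             "rc": int(fail["rc"]), "null_post_entry": False})
        elif plugin == "schema-compat-plugin" and msg == NULL_ENTRY:
            # Attribute the NULL entry to the latest failure inside the window.
            if findings and ts - findings[-1]["time"] <= window:
                findings[-1]["null_post_entry"] = True
    return findings


# First four lines are copied from the log in this report; the last is constructed.
SAMPLE = [
    'errors:[19/Feb/2019:14:36:47.637204049 -0600] - DEBUG - schema-compat-plugin - renamed "cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=test" to "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test"',
    "errors:[19/Feb/2019:14:36:47.703512229 -0600] - DEBUG - roles-plugin - <-- roles_post_op",
    "errors:[19/Feb/2019:14:36:47.709242056 -0600] - ERR - memberof-plugin - memberof_postop_modrdn - Update failed for (cn=HBAC Administrator,cn=privileges,cn=pbac,dc=testrelm,dc=test), error (1)",
    "errors:[19/Feb/2019:14:36:47.738002644 -0600] - DEBUG - schema-compat-plugin - post-modrdn entry is NULL",
    "this line is not in errors-log format and is skipped",
]

if __name__ == "__main__":
    for f in find_modrdn_failures(SAMPLE):
        print(f["time"].isoformat(), f["dn"], f["rc"], f["null_post_entry"])
```
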

Comment 17 Viktor Ashirov 2019-08-19 13:50:30 UTC
Build tested: 389-ds-base-1.4.1.3-5.module+el8.1.0+3776+ece1ae4c.x86_64


I executed the reproducer from the description:
[root@ci-vm-10-0-138-8 ~]# ipa user-add --first=user --last=one userA
------------------
Added user "usera"
------------------
  User login: usera
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/usera
  GECOS: user one
  Login shell: /bin/sh
  Principal name: usera
  Principal alias: usera
  Email address: usera
  UID: 1112400001
  GID: 1112400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@ci-vm-10-0-138-8 ~]# ipa group-add groupA
--------------------
Added group "groupa"
--------------------
  Group name: groupa
  GID: 1112400003
[root@ci-vm-10-0-138-8 ~]# ipa group-add-member groupA --users=userA
  Group name: groupa
  GID: 1112400003
  Member users: usera
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-138-8 ~]# ipa permission-add permA --right=write --targetgroup=groupA --attr=description
------------------------
Added permission "permA"
------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description
  Bind rule type: permission
  Subtree: dc=ipa,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=ipa,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
[root@ci-vm-10-0-138-8 ~]# ipa privilege-add privA --desc=privA
-----------------------
Added privilege "privA"
-----------------------
  Privilege name: privA
  Description: privA
[root@ci-vm-10-0-138-8 ~]# ipa privilege-add-permission privA --permission=permA
  Privilege name: privA
  Description: privA
  Permissions: permA
-----------------------------
Number of permissions added 1
-----------------------------
[root@ci-vm-10-0-138-8 ~]# ipa role-add roleA --desc=roleA
------------------
Added role "roleA"
------------------
  Role name: roleA
  Description: roleA
[root@ci-vm-10-0-138-8 ~]# ipa role-add-privilege roleA --privileges=privA
  Role name: roleA
  Description: roleA
  Privileges: privA
----------------------------
Number of privileges added 1
----------------------------
[root@ci-vm-10-0-138-8 ~]# ipa role-add-member roleA --users=userA --all
  dn: cn=roleA,cn=roles,cn=accounts,dc=ipa,dc=test
  Role name: roleA
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-138-8 ~]# ipa permission-mod permA --attrs=description --attrs=member
---------------------------
Modified permission "permA"
---------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description, member
  Bind rule type: permission
  Subtree: dc=ipa,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=ipa,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
  Granted to Privilege: privA
  Indirect Member of roles: roleA
[root@ci-vm-10-0-138-8 ~]# ipa --debug role-mod roleA --setattr='cn=roleAb' --all
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$8d45a670...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$8d45a670.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;'
ipa: DEBUG: trying https://ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140655540021064
ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.233')
ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.233')
ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_140655540021064
---------------------
Modified role "roleA"
---------------------
  dn: cn=roleAb,cn=roles,cn=accounts,dc=ipa,dc=test
  Role name: roleAb
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
[root@ci-vm-10-0-138-8 ~]# ipa --debug privilege-mod 'HBAC Administrator' --rename 'hbacadmins'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$8d45a670...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$8d45a670.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;'
ipa: DEBUG: trying https://ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140610891309520
ipa: DEBUG: raw: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.233')
ipa: DEBUG: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.233')
ipa: DEBUG: [try 1]: Forwarding 'privilege_mod/1' to json server 'https://ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_140610891309520
---------------------------------------
Modified privilege "HBAC Administrator"
---------------------------------------
  Privilege name: hbacadmins
  Description: HBAC Administrator
  Permissions: System: Add HBAC Rule, System: Delete HBAC Rule, System: Manage HBAC Rule Membership, System: Modify HBAC Rule, System: Add HBAC Services,
               System: Delete HBAC Services, System: Add HBAC Service Groups, System: Delete HBAC Service Groups, System: Manage HBAC Service Group Membership
  Granting privilege to roles: IT Security Specialist



ipa role-mod doesn't fail, marking as VERIFIED.

Comment 19 errata-xmlrpc 2019-11-05 21:00:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3401

