Bug 1690024 - ipa role-mod DatabaseError changing cn[ZStream Clone]
Summary: ipa role-mod DatabaseError changing cn[ZStream Clone]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On: 1678517 1683259
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-18 15:33 UTC by Oneata Mircea Teodor
Modified: 2019-06-11 13:24 UTC (History)
19 users (show)

Fixed In Version: 389-ds-base-1.4.0.20-10.module+el8.0.0+3096+101825d5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1678517
Environment:
Last Closed: 2019-05-07 04:17:53 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0965 None None None 2019-05-07 04:17:54 UTC

Comment 5 Sumedh Sidhaye 2019-04-10 08:06:39 UTC
Builds used for verification:

[root@ipaqavmd ~]# rpm -qa 389-ds-base
389-ds-base-1.4.0.20-8.module+el8.0.0+2945+edba0d70.x86_64
[root@ipaqavmd ~]# rpm -qa ipa-server
ipa-server-4.7.1-11.module+el8+2842+7481110c.x86_64
[root@ipaqavmd ~]# 

Verification procedure as 

[root@ipaqavmd ~]# ipa user-add --first=user --last=one userA
------------------
Added user "usera"
------------------
  User login: usera
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/usera
  GECOS: user one
  Login shell: /bin/sh
  Principal name: usera@TESTRELM.TEST
  Principal alias: usera@TESTRELM.TEST
  Email address: usera@testrelm.test
  UID: 934000001
  GID: 934000001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@ipaqavmd ~]# ipa group-add groupA
--------------------
Added group "groupa"
--------------------
  Group name: groupa
  GID: 934000003
[root@ipaqavmd ~]# ipa group-add-member groupA --users=userA
  Group name: groupa
  GID: 934000003
  Member users: usera
-------------------------
Number of members added 1
-------------------------
[root@ipaqavmd ~]# ipa permission-add permA --right=write --targetgroup=groupA --attr=description
------------------------
Added permission "permA"
------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
[root@ipaqavmd ~]# ipa privilege-add privA --desc=privA
-----------------------
Added privilege "privA"
-----------------------
  Privilege name: privA
  Description: privA
[root@ipaqavmd ~]# ipa privilege-add-permission privA --permission=permA
  Privilege name: privA
  Description: privA
  Permissions: permA
-----------------------------
Number of permissions added 1
-----------------------------
[root@ipaqavmd ~]# ipa role-add roleA --desc=roleA
------------------
Added role "roleA"
------------------
  Role name: roleA
  Description: roleA
[root@ipaqavmd ~]# ipa role-add-privilege roleA --privileges=privA
  Role name: roleA
  Description: roleA
  Privileges: privA
----------------------------
Number of privileges added 1
----------------------------
[root@ipaqavmd ~]# ipa role-add-member roleA --users=userA --all
  dn: cn=roleA,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleA
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
-------------------------
Number of members added 1
-------------------------
[root@ipaqavmd ~]# ipa permission-mod permA --attrs=description --attrs=member
---------------------------
Modified permission "permA"
---------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description, member
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
  Granted to Privilege: privA
  Indirect Member of roles: roleA
[root@ipaqavmd ~]# ipa --debug role-mod roleA --setattr='cn=roleAb' --all
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$6c90a617...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$6c90a617.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@TESTRELM.TEST', cookie: 'ipa_session=MagBearerToken=dq%2bDpSH5615k0YHnGdUo1jt8eK6x6i56y42cN5IT3SE2WVI01b7PzkR79ksG%2buW1iUupyALkzyAQEXv17h2MdwoKunfxIxmQPbY4lizB7ocNK3PTI1Ev1DCSYj2zMyTcwzCs%2bXfheplDDhC8gLmRrRwyKV5Pht%2bb2nCxWt3ilTu4hEpyTqkBhXKSRUOBE5qH'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=dq%2bDpSH5615k0YHnGdUo1jt8eK6x6i56y42cN5IT3SE2WVI01b7PzkR79ksG%2buW1iUupyALkzyAQEXv17h2MdwoKunfxIxmQPbY4lizB7ocNK3PTI1Ev1DCSYj2zMyTcwzCs%2bXfheplDDhC8gLmRrRwyKV5Pht%2bb2nCxWt3ilTu4hEpyTqkBhXKSRUOBE5qH;'
ipa: DEBUG: trying https://master.testrelm.test/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139640742333352
ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.230')
ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://master.testrelm.test/ipa/session/json'
ipa: DEBUG: New HTTP connection (master.testrelm.test)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=dq%2bDpSH5615k0YHnGdUo1jt8eK6x6i56y42cN5IT3SE2WVI01b7PzkR79ksG%2buW1iUupyALkzyAQEXv17h2MdwoKunfxIxmQPbY4lizB7ocNK3PTI1Ev1DCSYj2zMyTcwzCs%2bXfheplDDhC8gLmRrRwyKV5Pht%2bb2nCxWt3ilTu4hEpyTqkBhXKSRUOBE5qH;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=dq%2bDpSH5615k0YHnGdUo1jt8eK6x6i56y42cN5IT3SE2WVI01b7PzkR79ksG%2buW1iUupyALkzyAQEXv17h2MdwoKunfxIxmQPbY4lizB7ocNK3PTI1Ev1DCSYj2zMyTcwzCs%2bXfheplDDhC8gLmRrRwyKV5Pht%2bb2nCxWt3ilTu4hEpyTqkBhXKSRUOBE5qH;' for principal admin@TESTRELM.TEST
ipa: DEBUG: Destroyed connection context.rpcclient_139640742333352
ipa: ERROR: Operations error: 
[root@ipaqavmd ~]#

Comment 13 Sumedh Sidhaye 2019-04-11 10:16:20 UTC
Build used for verification:
[root@yttrium ~]# rpm -qa 389-ds-base
389-ds-base-1.4.0.20-9.module+el8.0.0+2995+a5112768.x86_64
[root@yttrium ~]# rpm -qa ipa-server
ipa-server-4.7.1-11.module+el8+2842+7481110c.x86_64


Steps used for verification:

1. install ipa server
2. setup rbac rules like this:

ipa user-add --first=user --last=one userA
ipa group-add groupA
ipa group-add-member groupA --users=userA
ipa permission-add permA --right=write --targetgroup=groupA --attr=description
ipa privilege-add privA --desc=privA
ipa privilege-add-permission privA --permission=permA
ipa role-add roleA --desc=roleA
ipa role-add-privilege roleA --privileges=privA
ipa role-add-member roleA --users=userA --all
ipa permission-mod permA --attrs=description --attrs=member
ipa --debug role-mod roleA --setattr='cn=roleAb' --all


[root@yttrium ~]# ipa user-add --first=user --last=one userA
------------------
Added user "usera"
------------------
  User login: usera
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/usera
  GECOS: user one
  Login shell: /bin/sh
  Principal name: usera@TESTRELM.TEST
  Principal alias: usera@TESTRELM.TEST
  Email address: usera@testrelm.test
  UID: 925000001
  GID: 925000001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@yttrium ~]# ipa group-add groupA
--------------------
Added group "groupa"
--------------------
  Group name: groupa
  GID: 925000003
[root@yttrium ~]# ipa group-add-member groupA --users=userA
  Group name: groupa
  GID: 925000003
  Member users: usera
-------------------------
Number of members added 1
-------------------------
[root@yttrium ~]# ipa permission-add permA --right=write --targetgroup=groupA --attr=description
------------------------
Added permission "permA"
------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
[root@yttrium ~]# ipa privilege-add privA --desc=privA
-----------------------
Added privilege "privA"
-----------------------
  Privilege name: privA
  Description: privA
[root@yttrium ~]# ipa privilege-add-permission privA --permission=permA
  Privilege name: privA
  Description: privA
  Permissions: permA
-----------------------------
Number of permissions added 1
-----------------------------
[root@yttrium ~]# ipa role-add roleA --desc=roleA
------------------
Added role "roleA"
------------------
  Role name: roleA
  Description: roleA
[root@yttrium ~]# ipa role-add-privilege roleA --privileges=privA
  Role name: roleA
  Description: roleA
  Privileges: privA
----------------------------
Number of privileges added 1
----------------------------
[root@yttrium ~]# ipa role-add-member roleA --users=userA --all
  dn: cn=roleA,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleA
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
-------------------------
Number of members added 1
-------------------------
[root@yttrium ~]# ipa permission-mod permA --attrs=description --attrs=member
---------------------------
Modified permission "permA"
---------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description, member
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
  Granted to Privilege: privA
  Indirect Member of roles: roleA
[root@yttrium ~]# ipa --debug role-mod roleA --setattr='cn=roleAb' --all
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$6c90a617...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$6c90a617.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@TESTRELM.TEST', cookie: 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;'
ipa: DEBUG: trying https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140006886972272
ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.230')
ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (yttrium.idmqe.lab.eng.bos.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;' for principal admin@TESTRELM.TEST
ipa: DEBUG: Destroyed connection context.rpcclient_140006886972272
---------------------
Modified role "roleA"
---------------------
  dn: cn=roleAb,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleAb
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
[root@yttrium ~]# 


Also tried the ipa privilege-mod 'HBAC Administrator' --rename 'hbacadmins' command


[root@yttrium ~]# ipa --debug privilege-mod 'HBAC Administrator' --rename 'hbacadmins'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$6c90a617...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$6c90a617.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@TESTRELM.TEST', cookie: 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;'
ipa: DEBUG: trying https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140400883836296
ipa: DEBUG: raw: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'privilege_mod/1' to json server 'https://yttrium.idmqe.lab.eng.bos.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (yttrium.idmqe.lab.eng.bos.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=%2fkOGJHtKILlnrvQycJeltv%2bKtS5UxDZbc%2f%2ftY7906ArvfhKVws30wcknzoUk3CB%2folU%2bBPf7rovjW%2fKlu6I1%2bAEjxmHdXynFWIW%2b%2fGFyW%2fLgpRpUkalKdG11hqT9a5apiYnu7icreOwJYe8AF02JI3lzW%2bRr9Lat0c30yLifY4bERIrKw5kwP8wnX9aua7tc;' for principal admin@TESTRELM.TEST
ipa: DEBUG: Destroyed connection context.rpcclient_140400883836296
---------------------------------------
Modified privilege "HBAC Administrator"
---------------------------------------
  Privilege name: hbacadmins
  Description: HBAC Administrator
  Permissions: System: Add HBAC Rule, System: Delete HBAC Rule, System: Manage HBAC Rule Membership, System: Modify HBAC Rule, System:
               Add HBAC Services, System: Delete HBAC Services, System: Add HBAC Service Groups, System: Delete HBAC Service Groups,
               System: Manage HBAC Service Group Membership
  Granting privilege to roles: IT Security Specialist
[root@yttrium ~]# 


Note: Automated regression will be executed later

Comment 14 Sumedh Sidhaye 2019-04-25 08:54:22 UTC
Build used for verification:

[root@vm-idm-026 ~]# rpm -qa 389-ds-base; rpm -qa ipa-server
389-ds-base-1.4.0.20-10.module+el8.0.0+3096+101825d5.x86_64
ipa-server-4.7.1-11.module+el8+2842+7481110c.x86_64
[root@vm-idm-026 ~]# 


Steps used for verification:

1. install ipa server
2. setup rbac rules like this:

ipa user-add --first=user --last=one userA
ipa group-add groupA
ipa group-add-member groupA --users=userA
ipa permission-add permA --right=write --targetgroup=groupA --attr=description
ipa privilege-add privA --desc=privA
ipa privilege-add-permission privA --permission=permA
ipa role-add roleA --desc=roleA
ipa role-add-privilege roleA --privileges=privA
ipa role-add-member roleA --users=userA --all
ipa permission-mod permA --attrs=description --attrs=member
ipa --debug role-mod roleA --setattr='cn=roleAb' --all

[root@vm-idm-026 ~]# ./test_bz_1690024.sh 
------------------
Added user "usera"
------------------
  User login: usera
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/usera
  GECOS: user one
  Login shell: /bin/sh
  Principal name: usera@TESTRELM.TEST
  Principal alias: usera@TESTRELM.TEST
  Email address: usera@testrelm.test
  UID: 1255800001
  GID: 1255800001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
--------------------
Added group "groupa"
--------------------
  Group name: groupa
  GID: 1255800003
  Group name: groupa
  GID: 1255800003
  Member users: usera
-------------------------
Number of members added 1
-------------------------
------------------------
Added permission "permA"
------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
-----------------------
Added privilege "privA"
-----------------------
  Privilege name: privA
  Description: privA
  Privilege name: privA
  Description: privA
  Permissions: permA
-----------------------------
Number of permissions added 1
-----------------------------
------------------
Added role "roleA"
------------------
  Role name: roleA
  Description: roleA
  Role name: roleA
  Description: roleA
  Privileges: privA
----------------------------
Number of privileges added 1
----------------------------
  dn: cn=roleA,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleA
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
-------------------------
Number of members added 1
-------------------------
---------------------------
Modified permission "permA"
---------------------------
  Permission name: permA
  Granted rights: write
  Effective attributes: description, member
  Bind rule type: permission
  Subtree: dc=testrelm,dc=test
  Target DN: cn=groupa,cn=groups,cn=accounts,dc=testrelm,dc=test
  Target group: groupa
  Permission flags: SYSTEM, V2
  Granted to Privilege: privA
  Indirect Member of roles: roleA
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$9af13900...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$9af13900.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@TESTRELM.TEST', cookie: 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;'
ipa: DEBUG: trying https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139709427301288
ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.230')
ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (vm-idm-026.lab.eng.pnq.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;' for principal admin@TESTRELM.TEST
ipa: DEBUG: Destroyed connection context.rpcclient_139709427301288
---------------------
Modified role "roleA"
---------------------
  dn: cn=roleAb,cn=roles,cn=accounts,dc=testrelm,dc=test
  Role name: roleAb
  Description: roleA
  Member users: usera
  Privileges: privA
  objectclass: groupofnames, nestedgroup, top
[root@vm-idm-026 ~]# ipa --debug privilege-mod 'HBAC Administrator' --rename 'hbacadmins'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$9af13900...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$9af13900.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@TESTRELM.TEST', cookie: 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;'
ipa: DEBUG: trying https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_139933000615360
ipa: DEBUG: raw: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.230')
ipa: DEBUG: [try 1]: Forwarding 'privilege_mod/1' to json server 'https://vm-idm-026.lab.eng.pnq.redhat.com/ipa/session/json'
ipa: DEBUG: New HTTP connection (vm-idm-026.lab.eng.pnq.redhat.com)
ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=nHS0MZsBQ2NowK0usbtkYk6CcnOlLp3yhzgJvLm20k6XvrJYX8rtiOxiKF%2b2an6LRmQPjSbvLS4xaWWJEzPHq%2bBc36EDQ7N3cE5uxPEBDMGEEjYRQjJqykV2N57ZbEzuD8QSDDRzcpc3DGE41yoeNZRhWnkLwGaGvYE%2bm4u%2b4EdUe96eBjhSeEHCaoqVf2dO;' for principal admin@TESTRELM.TEST
ipa: DEBUG: Destroyed connection context.rpcclient_139933000615360
---------------------------------------
Modified privilege "HBAC Administrator"
---------------------------------------
  Privilege name: hbacadmins
  Description: HBAC Administrator
  Permissions: System: Add HBAC Rule, System: Delete HBAC Rule, System: Manage HBAC Rule Membership, System: Modify HBAC Rule, System:
               Add HBAC Services, System: Delete HBAC Services, System: Add HBAC Service Groups, System: Delete HBAC Service Groups,
               System: Manage HBAC Service Group Membership
  Granting privilege to roles: IT Security Specialist
[root@vm-idm-026 ~]#

Comment 17 errata-xmlrpc 2019-05-07 04:17:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0965


Note You need to log in before you can comment on or make changes to this bug.