Bug 1731963 - ipa migrate-ds fails with internal error.
Summary: ipa migrate-ds fails with internal error.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Christian Heimes
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-07-22 12:40 UTC by Sudhir Menon
Modified: 2019-11-05 20:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 20:53:27 UTC
Type: Bug
Target Upstream Version:




Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:3348 | None | None | None | 2019-11-05 20:53:37 UTC

Description Sudhir Menon 2019-07-22 12:40:32 UTC
Description of problem: ipa migrate-ds fails with internal error.


Version-Release number of selected component (if applicable):
ipa-server-4.8.0-4.module+el8.1.0+3696+eb4a1e69.x86_64

How reproducible: 
Always


Steps to Reproduce:
1. Install IPA server
2. Run the ipa migrate-ds command


Actual results:
Internal error is seen.

[Mon Jul 22 18:07:33.180155 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746] ipa: DEBUG: migrate_ds('ldap://master.rhel81.test:3389', '********', binddn=ipapython.dn.DN('cn=directory manager'), usercontainer=ipapython.dn.DN('ou=People'), groupcontainer=ipapython.dn.DN('ou=groups'), userobjectclass=('person',), groupobjectclass=('groupOfUniqueNames', 'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema='RFC2307bis', continue=False, compat=True, use_def_group=True, scope='onelevel', version='2.233', exclude_users=None, exclude_groups=None)
[Mon Jul 22 18:07:33.182543 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-RHEL81-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7efcdbed69e8>
[Mon Jul 22 18:07:33.393732 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746] ipa: ERROR: non-public: ValueError: simple_bind over insecure LDAP connection
[Mon Jul 22 18:07:33.393752 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746] Traceback (most recent call last):
[Mon Jul 22 18:07:33.393758 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Mon Jul 22 18:07:33.393763 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]     result = command(*args, **options)
[Mon Jul 22 18:07:33.393768 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
[Mon Jul 22 18:07:33.393774 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]     return self.__do_call(*args, **options)
[Mon Jul 22 18:07:33.393779 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
[Mon Jul 22 18:07:33.393784 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]     ret = self.run(*args, **options)
[Mon Jul 22 18:07:33.393789 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
[Mon Jul 22 18:07:33.393794 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]     return self.execute(*args, **options)
[Mon Jul 22 18:07:33.393799 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/migration.py", line 917, in execute
[Mon Jul 22 18:07:33.393804 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]     ds_ldap.simple_bind(options['binddn'], bindpw)
[Mon Jul 22 18:07:33.393809 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]   File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1215, in simple_bind
[Mon Jul 22 18:07:33.393814 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746]     raise ValueError('simple_bind over insecure LDAP connection')
[Mon Jul 22 18:07:33.393822 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote 10.65.206.140:47746] ValueError: simple_bind over insecure LDAP connection

Expected results:
The command should execute without any error.

Additional info:

Comment 3 Christian Heimes 2019-07-22 16:41:40 UTC
Commit https://pagure.io/freeipa/c/5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 added additional security checks to protect password bind (simple bind). The check prohibits sending the password unencrypted over a clear-text line.

Temporary workaround: Use ipa migrate-ds with an ldaps:// URL when possible.

I'll work on a patch that allows using insecure connections for migration.
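
The transport check discussed in this comment, as an added example that is not part of the bug report and is not FreeIPA's code. The names `check_simple_bind`, `transport_is_protected`, `evaluate` and the `allow_insecure` flag are hypothetical, and the StartTLS state is passed in as a boolean instead of being read from a live connection.

```python
from urllib.parse import urlsplit

# Transports that already protect a cleartext password:
# ldaps is LDAP over TLS, ldapi is a local UNIX domain socket.
PROTECTED_SCHEMES = {"ldaps", "ldapi"}


class InsecureBindError(ValueError):
    """A password bind would cross an unprotected transport."""


def transport_is_protected(uri, start_tls=False):
    """True if a password sent over this connection is not exposed on the wire."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme in PROTECTED_SCHEMES:
        return True
    if scheme == "ldap":
        # Plain LDAP is only acceptable after StartTLS has succeeded.
        return start_tls
    raise ValueError("unsupported LDAP URI scheme: %r" % scheme)


def check_simple_bind(uri, start_tls=False, allow_insecure=False):
    """Return the decision for a simple bind, or raise InsecureBindError."""
    if transport_is_protected(uri, start_tls):
        return "protected"
    if allow_insecure:
        # Explicit per-call opt-in (hypothetical flag), never the default.
        return "insecure-allowed"
    raise InsecureBindError("simple_bind over insecure LDAP connection")


def evaluate(cases):
    """Map (uri, start_tls, allow_insecure) tuples to decisions for review."""
    results = []
    for uri, start_tls, allow_insecure in cases:
        try:
            results.append(check_simple_bind(uri, start_tls, allow_insecure))
        except InsecureBindError:
            results.append("refused")
    return results


# The ldap:// and ldapi:// URIs appear in the log above; the ldaps:// URI
# and the flag combinations are constructed for this example.
SAMPLE_CASES = [
    ("ldap://master.rhel81.test:3389", False, False),
    ("ldaps://master.rhel81.test:636", False, False),
    ("ldap://master.rhel81.test:3389", True, False),
    ("ldap://master.rhel81.test:3389", False, True),
    ("ldapi://%2Fvar%2Frun%2Fslapd-RHEL81-TEST.socket", False, False),
]
```

Calling `evaluate(SAMPLE_CASES)` shows the reported case refused, the ldaps:// workaround accepted, and the insecure path reachable only through the explicit opt-in.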

Comment 5 Christian Heimes 2019-08-13 15:21:35 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8040

Comment 6 Christian Heimes 2019-08-13 17:25:43 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/a36556e1064900af7a75ca6f07aba66212cf321a

Comment 10 errata-xmlrpc 2019-11-05 20:53:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348

