Bug 1731963 - ipa migrate-ds fails with internal error.
Summary: ipa migrate-ds fails with internal error.
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Christian Heimes
QA Contact: ipa-qe
Depends On:
Reported: 2019-07-22 12:40 UTC by Sudhir Menon
Modified: 2019-11-05 20:53 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-05 20:53:27 UTC
Type: Bug
Target Upstream Version:


System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:3348 | None | None | None | 2019-11-05 20:53:37 UTC

Description Sudhir Menon 2019-07-22 12:40:32 UTC
Description of problem: ipa migrate-ds fails with internal error.

Version-Release number of selected component (if applicable):

How reproducible: 

Steps to Reproduce:
1. Install IPA server
2. Run the ipa migrate-ds command

Actual results:
Internal error is seen.

[Mon Jul 22 18:07:33.180155 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote] ipa: DEBUG: migrate_ds('ldap://master.rhel81.test:3389', '********', binddn=ipapython.dn.DN('cn=directory manager'), usercontainer=ipapython.dn.DN('ou=People'), groupcontainer=ipapython.dn.DN('ou=groups'), userobjectclass=('person',), groupobjectclass=('groupOfUniqueNames', 'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema='RFC2307bis', continue=False, compat=True, use_def_group=True, scope='onelevel', version='2.233', exclude_users=None, exclude_groups=None)
[Mon Jul 22 18:07:33.182543 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-RHEL81-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7efcdbed69e8>
[Mon Jul 22 18:07:33.393732 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote] ipa: ERROR: non-public: ValueError: simple_bind over insecure LDAP connection
[Mon Jul 22 18:07:33.393752 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote] Traceback (most recent call last):
[Mon Jul 22 18:07:33.393758 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Mon Jul 22 18:07:33.393763 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]     result = command(*args, **options)
[Mon Jul 22 18:07:33.393768 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
[Mon Jul 22 18:07:33.393774 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]     return self.__do_call(*args, **options)
[Mon Jul 22 18:07:33.393779 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
[Mon Jul 22 18:07:33.393784 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]     ret = self.run(*args, **options)
[Mon Jul 22 18:07:33.393789 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
[Mon Jul 22 18:07:33.393794 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]     return self.execute(*args, **options)
[Mon Jul 22 18:07:33.393799 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/migration.py", line 917, in execute
[Mon Jul 22 18:07:33.393804 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]     ds_ldap.simple_bind(options['binddn'], bindpw)
[Mon Jul 22 18:07:33.393809 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]   File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1215, in simple_bind
[Mon Jul 22 18:07:33.393814 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote]     raise ValueError('simple_bind over insecure LDAP connection')
[Mon Jul 22 18:07:33.393822 2019] [wsgi:error] [pid 28555:tid 139624469780224] [remote] ValueError: simple_bind over insecure LDAP connection

Expected results:
The command should execute without any error.

Additional info:

Comment 3 Christian Heimes 2019-07-22 16:41:40 UTC
Commit https://pagure.io/freeipa/c/5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 added additional security checks to protect password bind (simple bind). The check prohibits sending the password unencrypted over a clear text line.

Temporary workaround: Use ipa migrate-ds with a ldaps:// URL when possible.

I'll work on a patch that allows using insecure connections for migration.
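
The kind of guard described in the comment above, as an added example that is not part of the original comment and is not FreeIPA's code. It assumes ldaps:// and ldapi:// count as protected transports and that plain ldap:// is protected only after StartTLS; the function names and the `allow_insecure` opt-in are hypothetical.

```python
from urllib.parse import urlparse

# Assumption for this example: TLS from the first byte (ldaps) and a local
# UNIX socket (ldapi) protect a bind password; plain ldap does so only after
# a successful StartTLS upgrade.
PROTECTED_SCHEMES = {"ldaps", "ldapi"}


def transport_is_protected(uri, start_tls=False):
    """Return True if a password sent on this connection is not in clear text."""
    scheme = urlparse(uri).scheme.lower()
    if scheme not in PROTECTED_SCHEMES | {"ldap"}:
        raise ValueError("not an LDAP URI: %r" % uri)
    return scheme in PROTECTED_SCHEMES or (scheme == "ldap" and start_tls)


def guard_simple_bind(uri, start_tls=False, allow_insecure=False):
    """Refuse a password bind over clear text unless explicitly overridden.

    allow_insecure is a hypothetical opt-in flag used only in this example.
    """
    if transport_is_protected(uri, start_tls):
        return "protected"
    if allow_insecure:
        return "insecure-override"
    raise ValueError("simple_bind over insecure LDAP connection")


def preflight(uris):
    """Map each URI to the guard's verdict, for checking before a migration."""
    verdicts = {}
    for uri in uris:
        try:
            verdicts[uri] = guard_simple_bind(uri)
        except ValueError as exc:
            verdicts[uri] = "refused: %s" % exc
    return verdicts


if __name__ == "__main__":
    # The first URI is the one from the log above; the second is constructed.
    sample = ["ldap://master.rhel81.test:3389", "ldaps://master.rhel81.test:3636"]
    for uri, verdict in preflight(sample).items():
        print(uri, "->", verdict)
```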

Comment 5 Christian Heimes 2019-08-13 15:21:35 UTC
Upstream ticket:

Comment 6 Christian Heimes 2019-08-13 17:25:43 UTC
Fixed upstream

Comment 10 errata-xmlrpc 2019-11-05 20:53:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

