Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1807419

Summary: Unable to create a suffix with countryName either via dscreate or the admin console
Product: Red Hat Enterprise Linux 8 Reporter: Ming Davies <minyu>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.2CC: aadhikar, minfrin, mreynolds, pasik, sistemisti-posta, spichugi, tbordaz, vashirov
Target Milestone: pre-dev-freezeFlags: pm-rhel: mirror+
Target Release: 8.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766 Doc Type: Bug Fix
Doc Text:
Cause: Creating a suffix using the country attribute "c" using the CLI tools or the UI. Consequence: This suffix is not allowed to be created Fix: Allow a wider range of attributes for creating suffixes: c, cn, dc, o, and ou Result: Suffixes contains using "c" are allowed to be created in the UI and CLI.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 03:07:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ming Davies 2020-02-26 10:15:52 UTC 
Description of problem:
Unable to create a suffix with countryName either via dscreate or the admin console

Version-Release number of selected component (if applicable):
389-ds-base-1.4.1.10-1.module+el8dsrv+4575+0d8b81fc.x86_64 
389-ds-base-libs-1.4.1.10-1.module+el8dsrv+4575+0d8b81fc.x86_64


How reproducible:
The issue can easily be reproduced


Steps to Reproduce:
1. Install RHDS11 packages
2. Create a file called rhds11-inst2.inf similar to the following using the template:

[general]
config_version = 2
full_machine_name = rhds11.test.net
start = True
[slapd]
instance_name = rhds11-inst2
port = 10389
root_password = xxxxxx
secure_port = 10636
[backend-userroot]
create_suffix_entry = True
suffix = c=uk
[backend-east]
create_suffix_entry = True
suffix = o=east
[backend-west]
create_suffix_entry = True
suffix = o=west
[backend-south]
create_suffix_entry = True
suffix = o=south

3. Run "dscreate -v from-file /var/tmp/rhds11-inst2.inf"

4. The following error is observed on the console where the dscreate command is executed:
ldap.OBJECT_CLASS_VIOLATION: {'desc': 'Object class violation', 'info': 'attribute "c" not allowed\n'}
ERROR: Error: Object class violation - attribute "c" not allowed


The DS' errors log shows:
ERR - oc_check_allowed_sv - Entry "c=it" -- attribute "c" not allowed

The corresponding access log shows:
[20/Feb/2020:12:11:25.913316285 +0000] conn=2 op=5 ADD dn="cn=userroot,cn=ldbm database,cn=plugins,cn=config"
[20/Feb/2020:12:11:25.956021953 +0000] conn=2 op=5 RESULT err=0 tag=105 nentries=0 etime=0.0042828371
[20/Feb/2020:12:11:25.959311952 +0000] conn=2 op=6 ADD dn="cn=c\3Duk,cn=mapping tree,cn=config"
[20/Feb/2020:12:11:25.981209098 +0000] conn=2 op=6 RESULT err=0 tag=105 nentries=0 etime=0.0022313805
[20/Feb/2020:12:11:25.982757970 +0000] conn=2 op=7 ADD dn="c=uk"
[20/Feb/2020:12:11:25.993942590 +0000] conn=2 op=7 RESULT err=65 tag=105 nentries=0 etime=0.0011505819 - attribute "c" not allowed


If attempt to create the suffix with "c=uk" via the admin console, it fails with "Error creating suffix - Suffix RDN is not supported for creating suffix object.  Only 'dc', 'o', 'ou', and 'cn' are supported."

Actual results:


Expected results:


Additional info:
The following workaround can be used to work around the issue:

A. Delete the instance:
# dsctl <instance name> remove --do-it

B. Backup the rhds11-inst2.inf file, then modify as following:
[general]
config_version = 2
full_machine_name = rhds11.test.net
start = True
[slapd]
instance_name = rhds11-inst2
port = 10389
root_password = dirmanager
secure_port = 10636
[backend-userroot]
create_suffix_entry = True  <<<<<<<<<<<<<<<<Remove
suffix = c=uk    <<<<<<<<<<<<<<<<Remove
[backend-east]
create_suffix_entry = True
suffix = o=east
[backend-west]
create_suffix_entry = True
suffix = o=west
[backend-south]
create_suffix_entry = True
suffix = o=south


C. Recreate the instance:
# dscreate -v from-file /var/tmp/rhds11-inst2.inf


D. Create the userroot DB manually:
# ldapmodify -D "cn=directory manager" -W <<EOF
dn: cn=userroot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: userroot
nsslapd-suffix: c=uk
<<EOF


# ldapmodify -D "cn=directory manager" -W <<EOF
dn: cn=c\3Dit,cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: c=uk
cn: c\=uk
nsslapd-state: backend
nsslapd-backend: userroot
<<EOF
Comment 2 mreynolds 2020-02-26 12:45:17 UTC 
(In reply to Ming Davies from comment #1)
> Hi,
> 
> Please let me know whether the steps A-D in the workaround is supported.
> 
> Thanks and regards,
> Ming

It absolutely is.  

We added support for various suffix rdn attributes: dc, o, ou, and cn, but not "c".  I'll get this added shortly...
Comment 3 mreynolds 2020-03-03 14:43:21 UTC 
Upstream ticket:

https://pagure.io/389-ds-base/issue/50928
Comment 6 Akshay Adhikari 2020-07-07 14:44:08 UTC 
============================================================================ test session starts ================================================================
platform linux -- Python 3.6.8, pytest-5.4.3, py-1.8.1, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-211.el8.x86_64-x86_64-with-redhat-8.3-Ootpa', 'Packages': {'pytest': '5.4.3', 'py': '1.8.1', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.9.0', 'html': '2.1.1'}}
389-ds-base: 1.4.3.8-4.module+el8.3.0+7193+dfd1e8ad
nss: 3.44.0-15.el8
nspr: 4.21.0-2.el8_0
openldap: 2.4.46-11.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /workspace/ds/dirsrvtests, inifile: pytest.ini
plugins: metadata-1.9.0, html-2.1.1
collected 6 items                                                                                                                                                           

dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[c=uk] PASSED                                                                           [ 16%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[cn=test_user] PASSED                                                                   [ 33%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[dc=example,dc=com] PASSED                                                              [ 50%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[o=south] PASSED                                                                        [ 66%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[ou=sales] PASSED                                                                       [ 83%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[wrong=some_value] PASSED                                                               [100%]

================================================================ 6 passed, 14 warnings in 137.87s (0:02:17) =====================================================

Marking as VERIFIED.
Comment 7 Graham Leggett 2020-09-11 14:25:06 UTC 
Just ran into this bug:

[root@gatekeeper ~]# dsconf ldapi://%2fvar%2frun%2fslapd-default.socket backend create --suffix "dc=yyy,dc=cc,dc=zz" --be-name userroot --create-suffix
Error: 'tuple' object has no attribute 'encode'

This bug was fixed six months ago here:

https://pagure.io/389-ds-base/issue/50921

It appears however this fix has been stuck in testing for approx six months.

Any news on when this fix will be released?
Comment 8 mreynolds 2020-09-11 14:32:20 UTC 
(In reply to Graham Leggett from comment #7)
> Just ran into this bug:
> 
> [root@gatekeeper ~]# dsconf ldapi://%2fvar%2frun%2fslapd-default.socket
> backend create --suffix "dc=yyy,dc=cc,dc=zz" --be-name userroot
> --create-suffix
> Error: 'tuple' object has no attribute 'encode'
> 
> This bug was fixed six months ago here:
> 
> https://pagure.io/389-ds-base/issue/50921
> 
> It appears however this fix has been stuck in testing for approx six months.
> 
> Any news on when this fix will be released?

 
This was fixed and it works fine for me using the exact same command above.  What version of 389-ds-base are you using?
Comment 11 errata-xmlrpc 2020-11-04 03:07:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4695