RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1859225 - suffix management in backends incorrect
Summary: suffix management in backends incorrect
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: 8.4
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks: 1894575
TreeView+ depends on / blocked
 
Reported: 2020-07-21 13:40 UTC by mreynolds
Modified: 2021-05-18 15:45 UTC (History)
6 users (show)

Fixed In Version: 389-ds-1.4-8040020201112160023.866effaa
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:45:18 UTC
Type: ---
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 2526 0 None closed suffix management in backends incorrect 2021-01-12 10:48:12 UTC

Description mreynolds 2020-07-21 13:40:32 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49467

A suffix is defined in the mapping tree and points to a backend implementin this suffix.

In the backend is a nsslapd-suffix attribute, which is multivalued and is mainained in a be_suffixlist.

But this handling id flawed in several ways. Probably once a backend was supposed to contain multiple suffixes, but this no longer works - and we should keep the 1:1 relationship and correct errors.

1] if the dse.ldif contains multiple nsslaps-suffix attributes only the first is used, the others ar ignored silently. The attempt to add another value via ldapmodify is rejected with err=53

2] more severe: the nsslapd-suffix attribute can have any value, there is no check that it matches the suffix in the mapping tree, so it is possible to have a suffix "dc=example,dc=com" pointing to the backend "userroot", but in the backend definition the nsslapd-suffix attr can be "o=tralalala" - and it seem to work, even if the calls to slapi_be_issuffix() return the unexpected result - these calls need extra investigation.

What to do:
- clearly document the "one backend - one suffix" rule
- reject multivalued configs with specific error message
- change implementation from be_suffixlist to be_suffix
- check that suffix in mapping tree and backend match
Comment 3 Viktor Ashirov 2020-11-10 13:19:41 UTC 
Build tested: 389-ds-base-1.4.3.14-1.module+el8.4.0+8664+a8ec484f.x86_64

This build is missing https://github.com/389ds/389-ds-base/commit/e6145361ea06c005f645f7683e3619810dfccfa2
And many tests are failing with error 53.

Moving to ASSIGNED.
Comment 4 Akshay Adhikari 2020-11-26 14:52:24 UTC 
Build tested: 389-ds-base-1.4.3.16-3.module+el8.4.0+8869+55706461.x86_64

============================================================================ test session starts ================================================================
platform linux -- Python 3.6.8, pytest-6.1.2, py-1.9.0, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-240.10.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '6.1.2', 'py': '1.9.0', 'pluggy': '0.13.1'}, 'Plugins': {'html': '2.1.1', 'metadata': '1.10.0'}}
389-ds-base: 1.4.3.16-3.module+el8.4.0+8869+55706461
nss: 3.53.1-11.el8_2
nspr: 4.25.0-2.el8_2
openldap: 2.4.46-16.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: html-2.1.1, metadata-1.10.0
collected 1 item                                                                                                                                                            

dirsrvtests/tests/suites/mapping_tree/acceptance_test.py::test_invalid_mt FAILED                                                                                      [100%]

================================================================================= FAILURES ======================================================================
______________________________________________________________________________ test_invalid_mt ______________________________________________________________________________

The test is failing with Failed: DID NOT RAISE <class 'ldap.UNWILLING_TO_PERFORM'>

Moving to ASSIGNED.
Comment 6 sgouvern 2020-11-30 08:41:18 UTC 
Failed QA for ITM 4
-> moving to ITM 6
Comment 7 mreynolds 2020-12-01 15:04:30 UTC 
The validation check was removed in 1.4.3, and the test case itself was removed in 1.4.3.15

https://github.com/389ds/389-ds-base/commit/3cf9fad93ed7cee26f659f3b958e78a9ee8619a7

But the test case was added back to 1.4.3 via:

https://github.com/389ds/389-ds-base/pull/4425

So I will need to remove this testcase again in the next build.
Comment 8 Akshay Adhikari 2020-12-10 14:05:29 UTC 
Build tested: 389-ds-base-1.4.3.16-5.module+el8.4.0+9096+da32555e.x86_64

============================================================================ test session starts ================================================================
platform linux -- Python 3.6.8, pytest-6.1.2, py-1.9.0, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-240.10.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '6.1.2', 'py': '1.9.0', 'pluggy': '0.13.1'}, 'Plugins': {'html': '2.1.1', 'metadata': '1.10.0'}}
389-ds-base: 1.4.3.16-5.module+el8.4.0+9096+da32555e
nss: 3.53.1-11.el8_2
nspr: 4.25.0-2.el8_2
openldap: 2.4.46-16.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: html-2.1.1, metadata-1.10.0
collected 44 items                                                                                                                                                          

dirsrvtests/tests/suites/basic/basic_test.py::test_basic_ops PASSED                                                                                                   [  2%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_import_export PASSED                                                                                         [  4%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_backup PASSED                                                                                                [  6%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_db2index PASSED                                                                                              [  9%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_acl PASSED                                                                                                   [ 11%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_searches PASSED                                                                                              [ 13%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_req_attrs[attrs0-cn-False] PASSED                                                                           [ 15%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_req_attrs[attrs1-cn-True] PASSED                                                                            [ 18%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_req_attrs[attrs2-nsUniqueId-True] PASSED                                                                    [ 20%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_req_attrs[attrs3-cn-True] PASSED                                                                            [ 22%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_req_attrs[attrs4-cn-True] PASSED                                                                            [ 25%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_referrals PASSED                                                                                             [ 27%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_systemctl PASSED                                                                                             [ 29%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_ldapagent PASSED                                                                                             [ 31%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_dse_survives_kill9 PASSED                                                                                    [ 34%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[namingContexts] PASSED                                                                            [ 36%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[supportedLDAPVersion] PASSED                                                                      [ 38%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[supportedControl] PASSED                                                                          [ 40%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[supportedExtension] PASSED                                                                        [ 43%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[supportedSASLMechanisms] PASSED                                                                   [ 45%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[vendorName] PASSED                                                                                [ 47%]
dirsrvtests/tests/suites/basic/basic_test.py::test_def_rootdse_attr[vendorVersion] PASSED                                                                             [ 50%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[namingContexts] PASSED                                                                        [ 52%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[supportedLDAPVersion] PASSED                                                                  [ 54%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[supportedControl] PASSED                                                                      [ 56%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[supportedExtension] PASSED                                                                    [ 59%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[supportedSASLMechanisms] PASSED                                                               [ 61%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[vendorName] PASSED                                                                            [ 63%]
dirsrvtests/tests/suites/basic/basic_test.py::test_mod_def_rootdse_attr[vendorVersion] PASSED                                                                         [ 65%]
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_anonymous_search PASSED                                                                                      [ 68%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_original_type PASSED                                                                                        [ 70%]
dirsrvtests/tests/suites/basic/basic_test.py::test_search_ou PASSED                                                                                                   [ 72%]
dirsrvtests/tests/suites/basic/basic_test.py::test_connection_buffer_size PASSED                                                                                      [ 75%]
dirsrvtests/tests/suites/basic/basic_test.py::test_critical_msg_on_empty_range_idl PASSED                                                                             [ 77%]
dirsrvtests/tests/suites/basic/basic_test.py::test_ldbm_modification_audit_log PASSED                                                                                 [ 79%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate PASSED                                                                                                    [ 81%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_ldapi PASSED                                                                                              [ 84%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_multiple_dashes_name PASSED                                                                               [ 86%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[c=uk] PASSED                                                                           [ 88%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[cn=test_user] PASSED                                                                   [ 90%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[dc=example,dc=com] PASSED                                                              [ 93%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[o=south] PASSED                                                                        [ 95%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[ou=sales] PASSED                                                                       [ 97%]
dirsrvtests/tests/suites/basic/basic_test.py::test_dscreate_with_different_rdn[wrong=some_value] PASSED                                                               [100%]

=============================================================== 44 passed, 152 warnings in 300.32s (0:05:00) ====================================================

-> Marking as verified: tested
Comment 9 sgouvern 2020-12-14 14:55:50 UTC 
Missed the ITM 6 milestone -> moving to ITM 7
Comment 12 sgouvern 2020-12-21 17:21:22 UTC 
With build 389-ds-base-1.4.3.16-6.module+el8.4.0+9207+729bbaca.x86_64/vim


# PYTHONPATH=src/lib389/ py.test -s -v  dirsrvtests/tests/suites/basic/basic_test.py
re-exec with libfaketime dependencies
========================================================== test session starts ===========================================================
platform linux -- Python 3.6.8, pytest-6.2.1, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-260.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '6.2.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'libfaketime': '0.1.2'}}
389-ds-base: 1.4.3.16-6.module+el8.4.0+9207+729bbaca
nss: 3.53.1-13.el8_3
nspr: 4.25.0-2.el8_2
openldap: 2.4.46-16.el8
cyrus-sasl: 2.1.27-5.el8
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, libfaketime-0.1.2
collected 42 items           

============================================== 42 passed, 150 warnings in 259.48s (0:04:19) ==============================================

Marking as VERIFIED
Comment 14 errata-xmlrpc 2021-05-18 15:45:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1835
Note You need to log in before you can comment on or make changes to this bug.