Bug 1925410 - Cannot delete sudocmd with typo error e.g. "/usr/sbin/reboot."
Summary: Cannot delete sudocmd with typo error e.g. "/usr/sbin/reboot."
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-05 07:06 UTC by Kai
Modified: 2021-05-18 15:49 UTC (History)

Fixed In Version: ipa-4.9.2-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:48:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Description Kai 2021-02-05 07:06:35 UTC
Description of problem:
Cannot delete sudocmd with typo error e.g. "/usr/sbin/reboot."

Version-Release number of selected component (if applicable):
FreeIPA, version: 4.8.7

How reproducible:
Yes.

Steps to Reproduce:
1. Add a sudocmd with a . at the end
2. Adding the command with the error is allowed

Actual results:
[admin@idm ~]$ ipa sudocmd-find
----------------------
1 Sudo Command matched
----------------------
  Sudo Command: /usr/sbin/reboot.
----------------------------
Number of entries returned 1
----------------------------
[admin@idm ~]$ ipa sudocmd-del "/usr/sbin/reboot."
ipa: ERROR: /usr/sbin/reboot.: sudo command not found
[admin@idm ~]$ ipa sudocmd-del /usr/sbin/reboot.
ipa: ERROR: /usr/sbin/reboot.: sudo command not found


Expected results:
Can delete the command, or the command is checked for validity before it is added.

Additional info:
NA

Comment 1 Alexander Bokovoy 2021-02-05 07:27:55 UTC
Please provide ldap server's logs from this time period to see what searches and delete operations were done

Comment 2 Kai 2021-02-05 07:50:03 UTC
Issue fixed by 

[admin@idm ~]$ ipa sudocmd-find --all
----------------------
1 Sudo Command matched
----------------------
  dn: ipaUniqueID=53f2e872-677d-11eb-92e1-566f86f60005,cn=sudocmds,cn=sudo,dc=lab,dc=example,dc=com
  Sudo Command: /usr/sbin/reboot.
  ipauniqueid: 53f2e872-677d-11eb-92e1-566f86f60005
  objectclass: ipaobject, ipasudocmd
----------------------------
Number of entries returned 1
----------------------------

[admin@idm ~]$ ipa sudocmd-del 53f2e872-677d-11eb-92e1-566f86f60005
ipa: ERROR: 53f2e872-677d-11eb-92e1-566f86f60005: sudo command not found
[admin@idm ~]$ ldapdelete ipaUniqueID=53f2e872-677d-11eb-92e1-566f86f60005,cn=sudocmds,cn=sudo,dc=lab,dc=example,dc=com
SASL/GSSAPI authentication started
SASL username: admin.COM
SASL SSF: 256
SASL data security layer installed.
[admin@idm ~]$

Comment 3 Kai 2021-02-05 07:57:08 UTC
ldap server logs

[Fri Feb 05 07:23:02.927530 2021] [wsgi:error] [pid 2958:tid 139892062689024] [remote 192.168.155.116:33706] ipa: INFO: [jsonserver_session] admin.COM: sudocmd_show('/usr/sbin/reboot.', rights=True, all=True, version='2.239'): NotFound
[Fri Feb 05 07:23:04.991087 2021] [:warn] [pid 2959:tid 139892000528128] [client 192.168.155.116:33706] failed to set perms (3140) on file (/run/ipa/ccaches/admin.COM)!, referer: https://idm.lab.example.com/ipa/ui/
[Fri Feb 05 07:23:05.006146 2021] [wsgi:error] [pid 2957:tid 139892062689024] [remote 192.168.155.116:33706] ipa: INFO: [jsonserver_session] admin.COM: sudocmd_show('/usr/sbin/reboot.', rights=True, all=True, version='2.239'): NotFound
[Fri Feb 05 07:23:05.822056 2021] [:warn] [pid 2959:tid 139892181227264] [client 192.168.155.116:33706] failed to set perms (3140) on file (/run/ipa/ccaches/admin.COM)!, referer: https://idm.lab.example.com/ipa/ui/
[Fri Feb 05 07:23:05.834932 2021] [wsgi:error] [pid 2958:tid 139892062689024] [remote 192.168.155.116:33706] ipa: INFO: [jsonserver_session] admin.COM: sudocmd_show('/usr/sbin/reboot.', rights=True, all=True, version='2.239'): NotFound
[Fri Feb 05 07:23:14.952644 2021] [:warn] [pid 2959:tid 139892164441856] [client 192.168.155.116:33706] failed to set perms (3140) on file (/run/ipa/ccaches/admin.COM)!, referer: https://idm.lab.example.com/ipa/ui/
[Fri Feb 05 07:23:14.969669 2021] [wsgi:error] [pid 2957:tid 139892062689024] [remote 192.168.155.116:33706] ipa: INFO: admin.COM: batch: sudocmd_del(('/usr/sbin/reboot.',)): NotFound
[Fri Feb 05 07:23:14.969857 2021] [wsgi:error] [pid 2957:tid 139892062689024] [remote 192.168.155.116:33706] ipa: INFO: [jsonserver_session] admin.COM: batch(sudocmd_del(('/usr/sbin/reboot.',))): SUCCESS
[Fri Feb 05 07:23:18.000554 2021] [:warn] [pid 2959:tid 139892042491648] [client 192.168.155.116:33706] failed to set perms (3140) on file (/run/ipa/ccaches/admin.COM)!, referer: https://idm.lab.example.com/ipa/ui/
[Fri Feb 05 07:23:18.014229 2021] [wsgi:error] [pid 2956:tid 139892062689024] [remote 192.168.155.116:33706] ipa: INFO: [jsonserver_session] admin.COM: sudocmd_find('', sizelimit=0, version='2.239', pkey_only=True): SUCCESS

Comment 4 Alexander Bokovoy 2021-02-05 09:08:12 UTC
These aren't LDAP server logs. Please provide /var/log/dirsrv/slapd-LAB-EXAMPLE-COM/access.

Comment 5 Rob Crittenden 2021-02-05 14:10:56 UTC
This is very easily reproduced.

The trailing dot (.) is being dropped in the search:

[05/Feb/2021:09:09:14.884444050 -0500] conn=15 fd=86 slot=86 connection from 192.168.166.203 to 192.168.166.203
[05/Feb/2021:09:09:14.886028052 -0500] conn=15 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[05/Feb/2021:09:09:14.887190798 -0500] conn=15 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000184237 optime=0.001166503 etime=0.001349591 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[05/Feb/2021:09:09:14.888556329 -0500] conn=15 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[05/Feb/2021:09:09:14.889561130 -0500] conn=15 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000188926 optime=0.001016794 etime=0.001203256
[05/Feb/2021:09:09:14.890358017 -0500] conn=15 op=2 SRCH base="cn=sudocmds,cn=sudo,dc=example,dc=test" scope=2 filter="(&(sudoCmd=/usr/sbin/reboot)(&(objectClass=ipaobject)(objectClass=ipasudocmd)))" attrs=""
[05/Feb/2021:09:09:14.890702698 -0500] conn=15 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000080981 optime=0.000349339 etime=0.000427795 notes=U details="Partially Unindexed Filter"
[05/Feb/2021:09:09:14.891024076 -0500] conn=15 op=3 SRCH base="sudocmd=/usr/sbin/reboot,cn=sudocmds,cn=sudo,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs=""
[05/Feb/2021:09:09:14.891277957 -0500] conn=15 op=3 RESULT err=32 tag=101 nentries=0 wtime=0.000056069 optime=0.000259185 etime=0.000313009
[05/Feb/2021:09:09:14.891619315 -0500] conn=15 op=4 SRCH base="cn=sudocmds,cn=sudo,dc=example,dc=test" scope=2 filter="(&(sudoCmd=/usr/sbin/reboot)(&(objectClass=ipaobject)(objectClass=ipasudocmd)))" attrs=""
[05/Feb/2021:09:09:14.891787961 -0500] conn=15 op=4 RESULT err=0 tag=101 nentries=0 wtime=0.000065743 optime=0.000171372 etime=0.000235296 notes=U details="Partially Unindexed Filter"
[05/Feb/2021:09:09:14.892166866 -0500] conn=15 op=5 SRCH base="cn=sudorules,cn=sudo,dc=example,dc=test" scope=2 filter="(&(|(memberAllowCmd=sudocmd=/usr/sbin/reboot,cn=sudocmds,cn=sudo,dc=example,dc=test)(memberDenyCmd=sudocmd=/usr/sbin/reboot,cn=sudocmds,cn=sudo,dc=example,dc=test))(objectClass=ipasudorule))" attrs="cn"
[05/Feb/2021:09:09:14.892391531 -0500] conn=15 op=5 RESULT err=0 tag=101 nentries=0 wtime=0.000081034 optime=0.000230074 etime=0.000308701
[05/Feb/2021:09:09:14.892633046 -0500] conn=15 op=6 DEL dn="sudocmd=/usr/sbin/reboot,cn=sudocmds,cn=sudo,dc=example,dc=test"
[05/Feb/2021:09:09:14.892791914 -0500] conn=15 op=6 RESULT err=32 tag=107 nentries=0 wtime=0.000054298 optime=0.000163623 etime=0.000216045
[05/Feb/2021:09:09:14.896289348 -0500] conn=15 op=7 UNBIND
[05/Feb/2021:09:09:14.896310090 -0500] conn=15 op=7 fd=86 closed error - U1

I randomly tested a few other object types, hbacrule and sudorule, and it doesn't affect those so there may be some kind of normalization done to the sudo command.

Comment 6 Rob Crittenden 2021-02-05 14:17:27 UTC
get_dn() explicitly strips off trailing dots in a command and has since inception.

https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/sudocmd.py#L128

It only does it when constructing the DN subsequent to creation. It doesn't enforce this on the command during the ADD. (e.g. sudocmd-show /usr/sbin/reboot. also fails).
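
A minimal model of the mismatch described in comment 6, added here as an illustration; it is not FreeIPA code and not part of the original thread. `SudoCmdStore`, `lookup_name` and `unreachable_by_name` are hypothetical names, the sample commands are constructed, and dropping every trailing dot in the lookup path is an assumption of the model.

```python
class NotFound(Exception):
    """A name-based lookup matched no stored entry."""


def lookup_name(cmd: str) -> str:
    """Name the lookup path searches for: trailing dots dropped (model assumption)."""
    return cmd.rstrip(".")


class SudoCmdStore:
    """Toy directory keyed by the exact sudoCmd value that was stored."""

    def __init__(self, validate_on_add: bool = False):
        self.validate_on_add = validate_on_add
        self._by_cmd = {}   # stored sudoCmd value -> entry id
        self._counter = 0

    def add(self, cmd: str) -> str:
        # Hardened mode: refuse any value the lookup path could never reproduce.
        if self.validate_on_add and lookup_name(cmd) != cmd:
            raise ValueError(f"{cmd!r}: must not end with a dot")
        if cmd in self._by_cmd:
            raise ValueError(f"{cmd!r}: already exists")
        self._counter += 1
        self._by_cmd[cmd] = f"entry-{self._counter}"
        return self._by_cmd[cmd]

    def find(self) -> list:
        # Enumeration returns stored values verbatim, so the entry stays visible.
        return sorted(self._by_cmd)

    def delete(self, cmd: str) -> str:
        # Lookup normalizes first, then matches against the verbatim stored value.
        name = lookup_name(cmd)
        if name not in self._by_cmd:
            raise NotFound(f"{cmd}: sudo command not found")
        return self._by_cmd.pop(name)

    def delete_by_id(self, entry_id: str) -> str:
        # Cleanup path that bypasses name normalization (cf. ldapdelete by DN).
        for cmd, eid in self._by_cmd.items():
            if eid == entry_id:
                del self._by_cmd[cmd]
                return cmd
        raise NotFound(entry_id)


def unreachable_by_name(stored_cmds) -> list:
    """Audit: stored values that no name-based show/del can ever match."""
    return [c for c in stored_cmds if lookup_name(c) != c]


def demo() -> dict:
    store = SudoCmdStore()
    typo_id = store.add("/usr/sbin/reboot.")      # accepted verbatim on add
    try:
        store.delete("/usr/sbin/reboot.")
        stuck = False
    except NotFound:
        stuck = True                              # same symptom as in the report
    orphans = unreachable_by_name(store.find())
    # In this model, once the intended entry exists too, the same delete
    # request resolves to it rather than to the entry with the typo.
    good_id = store.add("/usr/sbin/reboot")
    removed_id = store.delete("/usr/sbin/reboot.")
    cleaned = store.delete_by_id(typo_id)
    return {"stuck": stuck, "orphans": orphans,
            "wrong_entry_removed": removed_id == good_id, "cleaned": cleaned}


if __name__ == "__main__":
    print(demo())
```

Running `unreachable_by_name` over the values listed by `ipa sudocmd-find` flags entries that can only be removed by DN, as was done with `ldapdelete` in comment 2.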

Comment 7 Kai 2021-02-08 00:53:43 UTC
/var/log/dirsrv/slapd-LAB-EXAMPLE-COM/access

Comment 8 Rob Crittenden 2021-02-12 19:25:47 UTC
https://github.com/freeipa/freeipa/pull/5538

Comment 11 anuja 2021-02-17 13:59:11 UTC
Pre-verified using :
compose: rhel-8.4.0-mbs/9973-1386-idm/

2021-02-17T12:50:17+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2021-02-17T12:50:17+0000   msg:
2021-02-17T12:50:17+0000   - arch: x86_64
2021-02-17T12:50:17+0000     epoch: null
2021-02-17T12:50:17+0000     name: ipa-server
2021-02-17T12:50:17+0000     release: 1.module+el8.4.0+9973+3d202164
2021-02-17T12:50:17+0000     source: rpm
2021-02-17T12:50:17+0000     version: 4.9.2

Test logs:
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-280.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 79 items

test_integration/test_sudo.py::TestSudo::test_admins_group_does_not_have_sudo_permission PASSED [  1%]
test_integration/test_sudo.py::TestSudo::test_advise_script_enable_sudo_admins PASSED [  2%]
test_integration/test_sudo.py::TestSudo::test_nisdomainname PASSED       [  3%]
test_integration/test_sudo.py::TestSudo::test_add_sudo_commands PASSED   [  5%]
test_integration/test_sudo.py::TestSudo::test_add_sudo_command_groups PASSED [  6%]
test_integration/test_sudo.py::TestSudo::test_create_allow_all_rule PASSED [  7%]
test_integration/test_sudo.py::TestSudo::test_add_sudo_rule PASSED       [  8%]
...
...
test_integration/test_sudo.py::TestSudo::test_category_all_validation_command_allow_group PASSED [ 92%]
test_integration/test_sudo.py::TestSudo::test_category_all_validation_command_deny PASSED [ 93%]
test_integration/test_sudo.py::TestSudo::test_category_all_validation_command_deny_group PASSED [ 94%]
test_integration/test_sudo.py::TestSudo::test_category_all_validation_runasuser PASSED [ 96%]
test_integration/test_sudo.py::TestSudo::test_category_all_validation_runasuser_group PASSED [ 97%]
test_integration/test_sudo.py::TestSudo::test_category_all_validation_runasgroup PASSED [ 98%]
test_integration/test_sudo.py::TestSudo::test_domain_resolution_order PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
========================= 79 passed in 1010.14 seconds =========================


Test is passing:
test_integration/test_sudo.py::TestSudo::test_add_sudo_commands PASSED   [  5%]

Comment 14 anuja 2021-02-19 10:51:27 UTC
Verified using nightly compose:
ipa-server-4.9.2-1.module+el8.4.0+9973+3d202164.x86_64

============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-287.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 79 items

test_integration/test_sudo.py::TestSudo::test_admins_group_does_not_have_sudo_permission PASSED [  1%]
test_integration/test_sudo.py::TestSudo::test_advise_script_enable_sudo_admins PASSED [  2%]
test_integration/test_sudo.py::TestSudo::test_nisdomainname PASSED       [  3%]
test_integration/test_sudo.py::TestSudo::test_add_sudo_commands PASSED   [  5%]
...
...
test_integration/test_sudo.py::TestSudo::test_category_all_validation_command_allow_group PASSED [ 92%]
test_integration/test_sudo.py::TestSudo::test_category_all_validation_command_deny PASSED [ 93%]
test_integration/test_sudo.py::TestSudo::test_category_all_validation_command_deny_group PASSED [ 94%]
test_integration/test_sudo.py::TestSudo::test_category_all_validation_runasuser PASSED [ 96%]
test_integration/test_sudo.py::TestSudo::test_category_all_validation_runasuser_group PASSED [ 97%]
test_integration/test_sudo.py::TestSudo::test_category_all_validation_runasgroup PASSED [ 98%]
test_integration/test_sudo.py::TestSudo::test_domain_resolution_order PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
========================= 79 passed in 1055.98 seconds =========================

Test is passing:
test_integration/test_sudo.py::TestSudo::test_add_sudo_commands PASSED   [  5%]

Comment 16 errata-xmlrpc 2021-05-18 15:48:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

