Description of problem:
When trying to configure the PTA plugin by adding a URL, the dsconf command fails.

Version-Release number of selected component (if applicable):

    # cat /etc/redhat-release
    Red Hat Enterprise Linux release 8.3 (Ootpa)
    #
    # rpm -qa | grep 389-ds-base-1
    389-ds-base-1.4.3.13-1.module+el8dsrv+8334+69a46a2e.x86_64
    #

How reproducible:
Always.

Steps to Reproduce:
Launch the command in verbose mode. It fails since it considers the DN as invalid:

    # dsconf --verbose -D "cn=Directory Manager" ldap://localhost:10389 plugin pass-through-auth url add "ldap://localhost:7389/o=redhat"
    ...
    DEBUG: Subtree is an invalid DN
    Traceback (most recent call last):
      File "/usr/sbin/dsconf", line 134, in <module>
        result = args.func(inst, None, log, args)
      File "/usr/lib/python3.6/site-packages/lib389/cli_conf/plugins/passthroughauth.py", line 88, in pta_add
        new_url_l = _validate_url(args.URL.lower())
      File "/usr/lib/python3.6/site-packages/lib389/cli_conf/plugins/passthroughauth.py", line 58, in _validate_url
        raise ValueError("Subtree is an invalid DN")
    ValueError: Subtree is an invalid DN
    ERROR: Error: Subtree is an invalid DN
    #

Actual results:
The command fails.

Expected results:
The command should work.

Additional info
Upstream ticket: https://github.com/389ds/389-ds-base/issues/4719
I can confirm this bug. We are trying to configure a bind passthru to another LDAP to a DN subtree that doesn't exist in this RHDS and always get the same error of Invalid DN:

    # cat /etc/redhat-release
    Red Hat Enterprise Linux release 8.1 (Ootpa)
    # rpm -qa | grep 389-ds-base-1
    389-ds-base-1.4.3.21-3.module+el8dsrv+10401+3d549418.x86_64
    # dsconf --verbose -D "cn=Directory Manager" ldap://localhost:10389 plugin pass-through-auth url add ldap://ldaporig:10389/ou=People,c=arg,O=BBVA
    DEBUG: The 389 Directory Server Configuration Tool
    DEBUG: Inspired by works of: ITS, The University of Adelaide
    DEBUG: dsrc path: /root/.dsrc
    DEBUG: dsrc container path: /data/config/container.inf
    DEBUG: dsrc instances: []
    DEBUG: dsrc no such section: slapd-ldap://localhost:10389
    DEBUG: Called with: Namespace(URL='ldap://ldaporig:10389/ou=People,c=arg,O=BBVA', basedn=None, binddn='cn=Directory Manager', bindpw=None, func=<function pta_add at 0x7f68e927e8c8>, instance='ldap://localhost:10389', json=False, prompt=>
    DEBUG: Instance details: {'uri': 'ldap://localhost:10389', 'basedn': None, 'binddn': 'cn=Directory Manager', 'bindpw': None, 'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key': None, 'tls_reqcert': None, 'starttls': Fa>
    DEBUG: SER_SERVERID_PROP not provided, assuming non-local instance
    DEBUG: Allocate <class 'lib389.DirSrv'> with ldap://localhost:10389
    DEBUG: Allocate <class 'lib389.DirSrv'> with localhost:389
    DEBUG: Allocate <class 'lib389.DirSrv'> with localhost:389
    Enter password for cn=Directory Manager on ldap://localhost:10389:
    DEBUG: SER_SERVERID_PROP not provided, assuming non-local instance
    DEBUG: Allocate <class 'lib389.DirSrv'> with ldap://localhost:10389
    DEBUG: Allocate <class 'lib389.DirSrv'> with localhost:389
    DEBUG: Allocate <class 'lib389.DirSrv'> with localhost:389
    DEBUG: open(): Connecting to uri ldap://localhost:10389
    DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-{instance_name}
    DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
    DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
    DEBUG: Using /etc/openldap/ldap.conf certificate policy
    DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
    DEBUG: open(): bound as cn=Directory Manager
    DEBUG: Retrieving entry with [('',)]
    DEBUG: Retrieved entry [dn: vendorVersion: 389-Directory/1.4.3.21 B2021.077.1932 ]
    DEBUG: Subtree is an invalid DN
    Traceback (most recent call last):
      File "/usr/sbin/dsconf", line 134, in <module>
        result = args.func(inst, None, log, args)
      File "/usr/lib/python3.6/site-packages/lib389/cli_conf/plugins/passthroughauth.py", line 88, in pta_add
        new_url_l = _validate_url(args.URL.lower())
      File "/usr/lib/python3.6/site-packages/lib389/cli_conf/plugins/passthroughauth.py", line 58, in _validate_url
        raise ValueError("Subtree is an invalid DN")
    ValueError: Subtree is an invalid DN
    ERROR: Error: Subtree is an invalid DN
If I comment out the raise error there, the URL adds without any issue and the PTA works as expected.
Fixed this in https://github.com/389ds/389-ds-base/pull/4774
Fix pushed upstream => POST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: redhat-ds:11 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3955
*** Bug 1947457 has been marked as a duplicate of this bug. ***