This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8897
### Issue
ansible-freeipa automember test https://github.com/freeipa/ansible-freeipa/blob/master/tests/automember/test_automember.yml fails with IPA 4.9.4.
The error message is `automember_add_condition: testgroup: 'objectclass'`.
The error is not happening if the ldap cache is turned off or if the module is not run within server context. The issue is also not reproducible on the server directly. It is only triggered using the ansible-freeipa module.
#### Steps to Reproduce
1. Run ansible-freeipa automember test
#### Actual behavior
```
fatal: [ipaserver.test.local]: FAILED! => {"changed": false, "failed_when_result": true, "msg": "automember_add_condition: testgroup: 'objectclass'"}
```
#### Expected behavior
No failure
#### Version/Release/Distribution
```
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.9.4-1.fc34.x86_64
freeipa-client-4.9.4-1.fc34.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-2.0.5-1.fc34.x86_64
pki-ca-10.10.6-1.fc34.noarch
krb5-server-1.19.1-3.fc34.x86_64
```
#### Additional info:
This is the traceback:
```
Traceback (most recent call last):
  File "/tmp/ansible_ipaautomember_payload_za0tz354/ansible_ipaautomember_payload.zip/ansible/modules/ipaautomember.py", line 366, in main
  File "/tmp/ansible_ipaautomember_payload_za0tz354/ansible_ipaautomember_payload.zip/ansible/module_utils/ansible_freeipa_module.py", line 207, in api_command
    return api.Command[command](name, **args)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args,**options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 821, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/automember.py", line 417, in execute
    result = super(automember_add_condition, self).execute(*keys, **options)
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/baseldap.py", line 1511, in execute
    entry_attrs.dn = callback(
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/automember.py", line 389, in pre_callback
    if not isinstance(entry_attrs[regex], (list, tuple)):
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 516, in __getitem__
    return self._get_nice(name)
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 483, in _get_nice
    name = self._get_attr_name(name)
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 479, in _get_attr_name
    name = self._names[name]
  File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 656, in __getitem__
    return super(CIDict,self).__getitem__(key.lower())
KeyError: 'objectclass'
```
Here is a shorter version of the test playbook to trigger the issue:
```yaml
---
- name: Test automember with ldap cache
  hosts: ipaserver
  become: true

  tasks:

  # CLEANUP TEST ITEMS

  - name: Ensure group testgroup is absent
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      state: absent

  - name: Ensure group automember rule testgroup is absent
    ipaautomember:
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      state: absent
      automember_type: group

  # CREATE TEST ITEMS

  # TESTS

  - name: Ensure testgroup group is present
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: testgroup

  - name: Ensure testgroup group automember rule is present
    ipaautomember:
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      description: testgroup automember rule.
      automember_type: group
    register: result
    failed_when: not result.changed or result.failed

  - name: Change testgroup group automember rule description
    ipaautomember:
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      description: testgroup automember rule description.
      automember_type: group
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure testgroup group automember rule has conditions
    ipaautomember:
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      automember_type: group
      inclusive:
      - key: 'uid'
        expression: 'uid'
      - key: 'uidnumber'
        expression: 'uidnumber'
      exclusive:
      - key: 'uid'
        expression: 'uid'
    register: result
    failed_when: not result.changed or result.failed

  - name: Add testgroup group automember rule member condition
    ipaautomember:
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      automember_type: group
      action: member
      inclusive:
      - key: 'manager'
        expression: 'uid=mscott'
    register: result
    failed_when: not result.changed or result.failed

  - name: Ensure testgroup group automember rule has conditions
    ipaautomember:
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      automember_type: group
      inclusive:
      - key: 'uid'
        expression: 'uid'
      - key: 'uidnumber'
        expression: 'uidnumber'
      - key: 'manager'
        expression: 'uid=mscott'
      exclusive:
      - key: 'uid'
        expression: 'uid'
    register: result
    failed_when: result.changed or result.failed

  - name: Remove testgroup group automember rule member condition
    ipaautomember:
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      automember_type: group
      action: member
      state: absent
      inclusive:
      - key: 'manager'
        expression: 'uid=mscott'
    register: result
    failed_when: not result.changed or result.failed

  # CLEANUP TEST ITEMS

  - name: Ensure group testgroup is absent
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: testgroup
      state: absent

  - name: Ensure group automember rule testgroup is absent
    ipaautomember:
      ipaadmin_password: SomeADMINpassword
      automember_type: group
      name: testgroup
      state: absent
```
Comment 1 Alexander Bokovoy
2021-06-29 11:57:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:4230