Description of problem:
Identity Management (IdM) ID Views under cn=compat broken starting with
slapi-nis-0.56.5-3.el7_9.x86_64. The only item in the changelog from the
previous (working) version, slapi-nis-0.56.5-2.el7.x86_64, was a fix for
BZ 1866113, which addressed a memory leak.
Version-Release number of selected component (if applicable):
* slapi-nis-0.56.5-3.el7_9.x86_64
* slapi-nis-0.56.5-4.el7_9.x86_64
* Bug is still present in upstream, so RHEL 8 is probably also affected
(https://pagure.io/slapi-nis/history/src/back-sch.c)
How reproducible:
Queries for any account or group under cn=views,cn=compat,dc=DOMAIN will
return LDAP error code 32 (NO_SUCH_OBJECT).
Steps to Reproduce:
1. Create any view, such as "myview". It doesn't even need to contain
any attribute overrides.
2. Perform an LDAP query for any known user against cn=views,cn=compat
using the named view you just created. (Assumes local query from an
IdM replica using GSSAPI authentication and the local Unix socket.)
ldapsearch -LLLQ -b 'cn=myview,cn=views,cn=compat,dc=DOMAIN' 'uid=admin' uid
Actual results:
result: 32 No such object
matchedDN: dc=DOMAIN
Expected results:
dn: uid=admin,cn=users,cn=compat,dc=DOMAIN
uid: admin
Additional info:
Queries against just cn=compat (not cn=views,cn=compat) are not affected.
Only queries meant to apply an ID View are affected.
Comment 3 Florence Blanc-Renaud
2021-07-06 14:41:55 UTC
The issue looks similar to BZ#1958909 for which a fix was recently found.
@tbordaz could you check if this is the same issue? Thanks
Difficult to be sure without debugging but I think it is a different issue.
#1958909 was triggered by an incorrect test if the target base search is a subtree of IDview. This with the target base search being a child of IDview base and scope being 'base'.
Here the base search is the IDview itself and the scope subtree, so it should work (IIUC).
An option to be sure is to test with idm-client-8050020210701113027.de73ecb2 that fixes 1958909.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (slapi-nis bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:7336