Bug 2100337 - dsconf backend export userroot fails ldap.DECODING_ERROR
Summary: dsconf backend export userroot fails ldap.DECODING_ERROR
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: 389-ds-base
Version: 9.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 9.1
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2022-06-23 06:10 UTC by Marc Sauton
Modified: 2022-11-15 12:40 UTC

Fixed In Version: 389-ds-base-2.1.3-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-15 10:30:16 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | IDMDS-2360 | 0 | None | None | None | 2022-06-29 15:10:07 UTC
Red Hat Issue Tracker | IDMDS-2379 | 0 | None | None | None | 2022-07-11 16:02:03 UTC
Red Hat Issue Tracker | RHELPLAN-126060 | 0 | None | None | None | 2022-06-23 06:13:39 UTC
Red Hat Product Errata | RHSA-2022:8162 | 0 | None | None | None | 2022-11-15 10:31:04 UTC

Description Marc Sauton 2022-06-23 06:10:49 UTC
Description of problem:

dsconf backend export userroot fails with ldap.DECODING_ERROR, as if it cannot decode "nsslapd-suffix: cn=changelog"?

The same command works fine on RHEL-8.x:
dsconf ${ldapinstance} backend export userroot --not-folded --ldif /var/lib/dirsrv/slapd-IDM-EXAMPLE-TEST/ldif/userroot.`date +%F`.ldif


Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux release 9.0 (Plow)
Linux ipaserver1.idm.example.test 5.14.0-70.13.1.el9_0.x86_64 #1 SMP PREEMPT Thu Apr 14 12:42:38 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
nss-3.71.0-7.el9.x86_64
nspr-4.32.0-9.el9.x86_64
389-ds-base-2.0.14-1.el9.x86_64
sssd-2.6.2-2.el9.x86_64
ipa-server-4.9.8-7.el9_0.x86_64
pki-ca-11.0.4-1.el9_0.noarch
python3-lib389-2.0.14-1.el9.noarch


How reproducible:
on demand


Steps to Reproduce:
1. Have IPA up and running

id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@ipaserver1 ~]# 

2.
dsconf -v -D 'cn=Directory Manager' -w password ldap://ipaserver1.idm.example.test backend export userroot
or
dsconf ${ldapinstance} backend export userroot --not-folded --ldif /var/lib/dirsrv/slapd-IDM-EXAMPLE-TEST/ldif/userroot.`date +%F`.ldif


Actual results:

either
Error:

or in verbose mode:

DEBUG: The 389 Directory Server Configuration Tool
DEBUG: Inspired by works of: ITS, The University of Adelaide
DEBUG: dsrc path: /root/.dsrc
DEBUG: dsrc container path: /data/config/container.inf
DEBUG: dsrc instances: []
DEBUG: dsrc no such section: slapd-ldap://ipaserver1.idm.example.test
DEBUG: Called with: Namespace(instance='ldap://ipaserver1.idm.example.test', verbose=True, binddn='cn=Directory Manager', bindpw='password', prompt=False, pwdfile=None, basedn=None, starttls=False, json=False, be_names=['userroot'], ldif=None, use_id2entry=False, encrypted=False, min_base64=False, no_seq_num=False, replication=False, no_dump_uniq_id=False, not_folded=False, include_suffixes=None, exclude_suffixes=None, func=<function backend_export at 0x7fbc96b638b0>)
DEBUG: Instance details: {'uri': 'ldap://ipaserver1.idm.example.test', 'basedn': None, 'binddn': 'cn=Directory Manager', 'bindpw': None, 'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key': None, 'tls_reqcert': None, 'starttls': False, 'prompt': False, 'pwdfile': None, 'args': {'ldapurl': 'ldap://ipaserver1.idm.example.test', 'root-dn': 'cn=Directory Manager'}}
DEBUG: Allocate <class 'lib389.DirSrv'> with ldap://ipaserver1.idm.example.test
DEBUG: Allocate <class 'lib389.DirSrv'> with ipaserver1.idm.example.test:None
DEBUG: Allocate <class 'lib389.DirSrv'> with ipaserver1.idm.example.test:None
DEBUG: Allocate <class 'lib389.DirSrv'> with ldap://ipaserver1.idm.example.test
DEBUG: Allocate <class 'lib389.DirSrv'> with ipaserver1.idm.example.test:None
DEBUG: Allocate <class 'lib389.DirSrv'> with ipaserver1.idm.example.test:None
DEBUG: open(): Connecting to uri ldap://ipaserver1.idm.example.test
DEBUG: open(): bound as cn=Directory Manager
DEBUG: Retrieving entry with [('',)]
DEBUG: Retrieved entry [dn: 
vendorVersion: 389-Directory/2.0.14 B2022.028.0000

]
DEBUG: list filter = (&(objectclass=nsBackendInstance))
DEBUG: cn=changelog,cn=ldbm database,cn=plugins,cn=config getVal('cn')
DEBUG: cn=changelog,cn=ldbm database,cn=plugins,cn=config getVal('nsslapd-suffix')
DEBUG: 
Traceback (most recent call last):
  File "/usr/sbin/dsconf", line 138, in <module>
    result = args.func(inst, None, log, args)
  File "/usr/lib/python3.9/site-packages/lib389/cli_conf/backend.py", line 282, in backend_export
    dn = _search_backend_dn(inst, be_name)
  File "/usr/lib/python3.9/site-packages/lib389/cli_conf/backend.py", line 97, in _search_backend_dn
    if cn == del_be_name or str2dn(suffix) == str2dn(del_be_name):
  File "/usr/lib64/python3.9/site-packages/ldap/dn.py", line 52, in str2dn
    return ldap.functions._ldap_function_call(None,_ldap.str2dn,dn,flags)
  File "/usr/lib64/python3.9/site-packages/ldap/functions.py", line 55, in _ldap_function_call
    result = func(*args,**kwargs)
ldap.DECODING_ERROR
ERROR: Error: 
[root@ipaserver1 ~]# 
[root@ipaserver1 ~]# 
[root@ipaserver1 ~]# [23/Jun/2022:06:02:13.509851849 +0000] conn=101 fd=120 slot=120 connection from 192.168.122.116 to 192.168.122.116
[23/Jun/2022:06:02:13.510170900 +0000] conn=101 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[23/Jun/2022:06:02:13.510314210 +0000] conn=101 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000209602 optime=0.000149375 etime=0.000357655 dn="cn=directory manager"
[23/Jun/2022:06:02:13.516535809 +0000] conn=101 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="vendorVersion"
[23/Jun/2022:06:02:13.517498030 +0000] conn=101 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000058818 optime=0.000964051 etime=0.001021957
[23/Jun/2022:06:02:13.520091356 +0000] conn=101 op=2 SRCH base="cn=ldbm database,cn=plugins,cn=config" scope=2 filter="(&(objectClass=nsBackendInstance))" attrs="distinguishedName"
[23/Jun/2022:06:02:13.520667960 +0000] conn=101 op=2 RESULT err=0 tag=101 nentries=3 wtime=0.000060359 optime=0.000577842 etime=0.000637028
[23/Jun/2022:06:02:13.521053037 +0000] conn=101 op=3 SRCH base="cn=changelog,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="cn"
[23/Jun/2022:06:02:13.521148899 +0000] conn=101 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000042310 optime=0.000097596 etime=0.000138793
[23/Jun/2022:06:02:13.521410465 +0000] conn=101 op=4 SRCH base="cn=changelog,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix"
[23/Jun/2022:06:02:13.521504285 +0000] conn=101 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000038985 optime=0.000095563 etime=0.000133459
[23/Jun/2022:06:02:13.522959697 +0000] conn=101 op=5 UNBIND
[23/Jun/2022:06:02:13.522974832 +0000] conn=101 op=5 fd=120 closed error - U1

[root@ipaserver1 ~]# 


Expected results:


Additional info:

dse.ldif

dn: cn=changelog,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: changelog
creatorsName: cn=Retro Changelog Plugin,cn=plugins,cn=config
modifiersName: cn=Retro Changelog Plugin,cn=plugins,cn=config
createTimestamp: 20220623021007Z
modifyTimestamp: 20220623021007Z
numSubordinates: 4
nsslapd-suffix: cn=changelog
nsslapd-cachesize: -1
nsslapd-cachememsize: 201326592
nsslapd-readonly: off
nsslapd-require-index: off
nsslapd-require-internalop-index: off
nsslapd-dncachememsize: 67108864
nsslapd-directory: /var/lib/dirsrv/slapd-IDM-EXAMPLE-TEST/db/changelog

Comment 1 mreynolds 2022-06-23 16:48:30 UTC
I can reproduce the issue, and it's because we are not checking if the be_name is a DN before calling str2dn.  be_name can be a backend name (userroot) or the suffix (dc=example,dc=com), but the code logic breaks when there are multiple backends.  I'll open an upstream ticket...
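
The failure mode described in Comment 1, as an added example (not lib389 code and not the upstream fix): the comparison from line 97 of the traceback next to a variant that parses `be_name` as a DN only when it is one. `str2dn` here is a simplified stand-in for python-ldap's function, and the function names, the `BACKENDS` list and the `dc=example,dc=com` suffix are assumptions.

```python
import re

class DecodingError(Exception):
    """Stand-in for the ldap.DECODING_ERROR seen in the traceback."""

_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=\s*(.*)$")

def str2dn(dn):
    """Simplified stand-in for ldap.dn.str2dn (no escaped commas, no
    multi-valued RDNs): return normalised (attr, value) pairs or raise."""
    parts = []
    for rdn in dn.split(","):
        m = _RDN.match(rdn)
        if not m:
            raise DecodingError(dn)
        parts.append((m.group(1).lower(), m.group(2).strip().lower()))
    return parts

def entry_dn(cn):
    # Backend entry DN layout as shown in the dse.ldif excerpt above.
    return f"cn={cn},cn=ldbm database,cn=plugins,cn=config"

def search_backend_unguarded(backends, be_name):
    """Mirrors the comparison on line 97 of the traceback."""
    for cn, suffix in backends:
        # When cn differs, str2dn(be_name) runs even if be_name is a plain name.
        if cn == be_name or str2dn(suffix) == str2dn(be_name):
            return entry_dn(cn)
    return None

def is_dn(value):
    try:
        str2dn(value)
        return True
    except DecodingError:
        return False

def search_backend_guarded(backends, be_name):
    """Parse be_name as a DN only if it is one; otherwise match on cn."""
    wanted = str2dn(be_name) if is_dn(be_name) else None
    for cn, suffix in backends:
        if cn == be_name:
            return entry_dn(cn)
        if wanted is not None and is_dn(suffix) and str2dn(suffix) == wanted:
            return entry_dn(cn)
    return None

# Constructed sample: backend (cn, nsslapd-suffix) pairs, changelog listed first.
BACKENDS = [("changelog", "cn=changelog"), ("userroot", "dc=example,dc=com")]
```

With a single backend the unguarded version succeeds because `cn == be_name` short-circuits; it only raises once a non-matching backend is compared first.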

Comment 3 mreynolds 2022-07-11 16:36:57 UTC
Reproducer:

[1]  Create a second backend

    # dsconf -D 'cn=Directory Manager' -w password ldap://localhost backend create --be-name testRoot --suffix o=test


[2]  Attempt to export the database (it should not fail)

    # dsconf -D 'cn=Directory Manager' -w password ldap://localhost backend export userroot

Comment 9 errata-xmlrpc 2022-11-15 10:30:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: 389-ds-base security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8162

