Bug 2178999 - After update to 0.60.0-1.el7_9.x86_64 from slapi-nis-0.56.5-3.el7_9.x86_64 query's for nested groups don't work anymore [NEEDINFO]
Summary: After update to 0.60.0-1.el7_9.x86_64 from slapi-nis-0.56.5-3.el7_9.x86_64 qu...
Keywords:
Status: CLOSED DUPLICATE of bug 2168893
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: slapi-nis
Version: 7.9
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: pre-dev-freeze
: ---
Assignee: Alexander Bokovoy
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-03-16 12:15 UTC by tim.de.bruijn
Modified: 2023-07-17 08:26 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-17 08:26:26 UTC
Target Upstream Version:
Embargoed:
abokovoy: needinfo? (tbordaz)

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure slapi-nis issue 49 0 None None None 2023-03-16 12:15:41 UTC
Red Hat Issue Tracker FREEIPA-9565 0 None None None 2023-03-16 14:07:09 UTC
Red Hat Issue Tracker RHELPLAN-152088 0 None None None 2023-03-16 14:07:14 UTC

Description tim.de.bruijn 2023-03-16 12:15:42 UTC 
Description of problem:
After update to 0.60.0-1.el7_9.x86_64 from slapi-nis-0.56.5-3.el7_9.x86_64 query's for nested groups don't work anymore

Version-Release number of selected component (if applicable):
0.60.0-1.el7_9.x86_64

How reproducible:
before update:
[root@server ~]# ldapsearch -x -b "dc=tst,dc=dcn,dc=REDACTED,dc=net"  -H ldaps://REDACTED -D "uid=ro_bind_user,cn=sysaccounts,cn=etc,dc=tst,dc=dcn,dc=REDACTED,dc=net" "(&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=tst,dc=dcn,dc=REDACTED,dc=net> with scope subtree
# filter: (&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))
# requesting: ALL
#

# pdu-admin, groups, compat, tst.dcn.REDACTED.net
dn: cn=pdu-admin,cn=groups,cn=compat,dc=tst,dc=dcn,dc=REDACTED,dc=net
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 376400045
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
ipaAnchorUUID:: REDACTED
cn: pdu-admin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

After update:

ldapsearch -x -b "dc=tst,dc=dcn,dc=REDACTED,dc=net"  -H REDACTED -D "uid=ro_bind_user,cn=sy
saccounts,cn=etc,dc=tst,dc=dcn,dc=REDACTED,dc=net" "(&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=tst,dc=dcn,dc=REDACTED,dc=net> with scope subtree
# filter: (&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Steps to Reproduce:
See above

Actual results:
See above

Expected results:
See above

Additional info:
I think this issue is not only on RHEL/CentOS7 but also on RHEL8 and higer(uses same package)
https://pagure.io/slapi-nis/issue/49
Comment 4 Florence Blanc-Renaud 2023-05-26 09:46:32 UTC 
This bugs seems to be a duplicate of Bug 2168893 - slapi-nis-0.60.0-1.el7_9.x86_64 causes ldap netgroup queries to fail [rhel-7.9.z].
The release for this 7.9 fix is currently in progress.

If you are able to test on other releases, the patch was included
- in RHEL 9.2 with the fix for Bug 2183950 - slapi-nis-0.60.0-1.el7_9.x86_64 causes ldap netgroup queries to fail [rhel-9.2.0.z] 
- in RHEL 8.8 with the fix for Bug 2183953 - slapi-nis-0.60.0-1.el7_9.x86_64 causes ldap netgroup queries to fail [rhel-8.8.0.z]

The relevant upstream patch is 
https://pagure.io/slapi-nis/c/73058645eac86b40913deec01807854e0a8bda0d?branch=master Identify the container without search base check

@
Comment 5 Florence Blanc-Renaud 2023-06-07 11:51:05 UTC 
@tim.de.bruijn 
An update for slapi-nis is available in https://access.redhat.com/errata/RHBA-2023:3482 (slapi-nis-0.60.0-3.el7_9) and I have good confidence that it would solve your issue. Can you update and let me know?
If that is indeed solving your issue, we can close this BZ as a duplicate of BZ #2168893
Comment 6 tim.de.bruijn 2023-06-13 07:39:46 UTC 
Hi,

Thank you for the update, but at the moment I don't see the slapi-nis-0.60.0-3.el7_9 update as available on CentOS 7(the OS for the test systems).
The latest package for that system is: slapi-nis-0.60.0-1.el7_9.x86_64

I'm not able to test this when the package is not available for CentOS7.
Comment 7 Alexander Bokovoy 2023-06-20 13:19:53 UTC 
The errata https://access.redhat.com/errata/RHBA-2023:3482 was released, so bug https://bugzilla.redhat.com/show_bug.cgi?id=2168893 is fixed and this one would be closed if you'd test packages from that errata. 

My team has no control over the packages in CentOS 7 so we cannot really estimate when they appear there.
Comment 8 Florence Blanc-Renaud 2023-06-26 19:17:17 UTC 
The latest slapi-nis package is now available for CentOS 7: http://mirror.centos.org/centos-7/7/updates/x86_64/Packages/slapi-nis-0.60.0-3.el7_9.x86_64.rpm

@tim.de.bruijn can you try the update and let us know if it solves the issue? Thanks
Comment 9 tim.de.bruijn 2023-07-11 08:21:29 UTC 
(In reply to Florence Blanc-Renaud from comment #8)
> The latest slapi-nis package is now available for CentOS 7:
> http://mirror.centos.org/centos-7/7/updates/x86_64/Packages/slapi-nis-0.60.0-
> 3.el7_9.x86_64.rpm
> 
> @tim.de.bruijn can you try the update and let us know if it solves
> the issue? Thanks

Yes, it did fix the issue, thank you!
Comment 10 Florence Blanc-Renaud 2023-07-17 08:26:26 UTC 
Closing as duplicate of Bug #2168893

*** This bug has been marked as a duplicate of bug 2168893 ***
Note You need to log in before you can comment on or make changes to this bug.