Description of problem:
Defined by schema, groupname follows "cn" syntax, which is "1.3.6.1.4.1.1466.115.121.1.15 refers to the Directory String syntax" (RFC 4519). This means groupname could be an 8-bit char string. Feeding an 8-bit string with
    ipa config-mod --defaultgroup=6üP
succeeds, but after this setting, creating a new user causes IPA to throw "internal error".

Version-Release number of selected component (if applicable):
[yi@works4me ipa-config]$ rpm -qa | grep ipa-server
ipa-server-selinux-1.91-0.2010090920gitf87bd57.fc13.i686
ipa-server-1.91-0.2010090920gitf87bd57.fc13.i686

How reproducible: always

Steps to Reproduce:
1. ipa config-mod --defaultgroup="6üP"
2. echo pw24406 | ipa user-add testuser4680 --first=test14161 --last=ipa17041 --password 2>&1 >/dev/null
ipa: ERROR: an internal error has occurred
--------------
1 user matched
--------------
dn: uid=testuser4680,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
uid: testuser4680
givenname: test14161
sn: ipa17041
homedirectory: /home/testuser4680
gecos: testuser4680
loginshell: /bin/sh
krbprincipalname: testuser4680.COM
uidnumber: 1539722897
cn: test14161 ipa17041
gidnumber: 1539722897
ipauniqueid: 60d9ee42-f1ce-11df-94a5-5254001a2a53
krblastpwdchange: 20101116221053Z
krbpasswordexpiration: 20101116221053Z
mepmanagedentry: cn=testuser4680,cn=groups,cn=accounts,dc=sjc,dc=redhat,dc=com
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: radiusprofile
objectclass: ipaobject
objectclass: mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------

Actual results:
/var/log/httpd/error_log
[Tue Nov 16 14:11:24 2010] [error] ipa: ERROR: non-public: UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 4: ordinal not in range(128)
[Tue Nov 16 14:11:24 2010] [error] Traceback (most recent call last):
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 206, in wsgi_execute
[Tue Nov 16 14:11:24 2010] [error] result = self.Command[name](*args, **options)
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 401, in __call__
[Tue Nov 16 14:11:24 2010] [error] ret = self.run(*args, **options)
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 674, in run
[Tue Nov 16 14:11:24 2010] [error] return self.execute(*args, **options)
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 316, in execute
[Tue Nov 16 14:11:24 2010] [error] dn = callback(ldap, dn, entry_attrs, *keys, **options)
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/user.py", line 204, in post_callback
[Tue Nov 16 14:11:24 2010] [error] ldap.add_entry_to_group(dn, group_dn)
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 750, in add_entry_to_group
[Tue Nov 16 14:11:24 2010] [error] (group_dn, group_entry_attrs) = self.get_entry(group_dn, [member_attr])
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 548, in get_entry
[Tue Nov 16 14:11:24 2010] [error] return self.find_entries(None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit, size_limit=size_limit, normalize=normalize)[0][0]
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 188, in new_f
[Tue Nov 16 14:11:24 2010] [error] return f(*new_args, **kwargs)
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 199, in new_f
[Tue Nov 16 14:11:24 2010] [error] return args[0].decode(f(*args, **kwargs))
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 488, in find_entries
[Tue Nov 16 14:11:24 2010] [error] base_dn = self.normalize_dn(base_dn)
[Tue Nov 16 14:11:24 2010] [error] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 318, in normalize_dn
[Tue Nov 16 14:11:24 2010] [error] if not dn.endswith(self.base_dn):
[Tue Nov 16 14:11:24 2010] [error] UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 4: ordinal not in range(128)

Expected results:

Additional info:
The group "6üP" did not exist when the test was run. I am not clear whether the "internal error" is caused by the 8-bit char string or the non-existence of the group name. It appears to be caused by the char handling.
In addition to the above behavior, I just observed this one: IPA reports an internal error but allows the new user to be created. This indicates there might be another bug. When verifying this bug, please don't forget to do this test as well -- a reminder for myself :)

[yi@works4me tools]$ ipa user-add test123435 --first=test --last=22333 --email=thisisme
ipa: ERROR: an internal error has occurred
[yi@works4me tools]$
[yi@works4me tools]$ ipa user-add test123435 --first=test --last=22333 --email=thisisme
ipa: ERROR: This entry already exists
[yi@works4me tools]$ ipa user-find test123435
--------------
1 user matched
--------------
User login: test123435
First name: test
Last name: 22333
Home directory: /home/test123435
Login shell: /bin/sh
----------------------------
Number of entries returned 1
----------------------------
[yi@works4me tools]$ ipa user-find test123435 --all --raw
--------------
1 user matched
--------------
dn: uid=test123435,cn=users,cn=accounts,dc=sjc,dc=redhat,dc=com
uid: test123435
givenname: test
sn: 22333
homedirectory: /home/test123435
gecos: test123435
loginshell: /bin/sh
krbprincipalname: test123435.COM
mail: thisisme
uidnumber: 1539722900
cn: test 22333
gidnumber: 1539722900
ipauniqueid: 1620b9a6-f1d7-11df-a7eb-5254001a2a53
mepmanagedentry: cn=test123435,cn=groups,cn=accounts,dc=sjc,dc=redhat,dc=com
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: radiusprofile
objectclass: ipaobject
objectclass: mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
[yi@works4me tools]$
https://fedorahosted.org/freeipa/ticket/504
I just tested this issue with exactly the same data you provided and I get another error message:

ipa: ERROR: no such entry

When trying to add user to group 6üP, ipa asks the DS for the group record. During this operation the group id is correct, but the group doesn't exist. Also the right group name is stored in the config record in LDAP, so I guess the issue with encoding must have been fixed already and what I see is a result of group 6üP not existing.

To complicate things a little more I tried to set the default user group to 6üP and I tried to add that group. That failed with this message:

>>> Gettext('Group name', domain='ipa', localedir=None): may only include letters, numbers, _, -, . and $

The question now is what to do with this inconsistency and is it even worth the effort?
If it does not blow up as described we should close this issue and document that the default group configured in cn=config in LDAP must contain a group with only valid characters. I do not think it is worth fixing the inconsistency that can be created by adding wrong data.
Agreed. Patch is already in the mailing list. I'm going to leave the bug open until the patch is accepted, so we can keep track of the patch.
Two patches are in master now - the first one documents the requirement and the second one checks if the group exists.
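
An added example, not the FreeIPA patches mentioned above and not code from this thread: one way to check a proposed default group when it is configured rather than when the next user is added. It decodes bytes as UTF-8 once at the boundary, applies the character rule quoted in the group-add error message, and confirms the group exists. The ASCII reading of "letters", all function names, and the in-memory GROUPS set standing in for a directory lookup are assumptions.

```python
import re

# Character rule quoted in the thread's group-add error message:
# "may only include letters, numbers, _, -, . and $" (ASCII reading assumed).
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9_.$-]+")


class DefaultGroupError(ValueError):
    """Raised when a proposed default group must be rejected."""


def to_text(value):
    """Decode wire bytes as UTF-8 once, at the boundary, so later string
    operations never mix bytes and text (the failure in the logged traceback)."""
    if isinstance(value, bytes):
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise DefaultGroupError("group name is not valid UTF-8") from exc
    return value


def check_default_group(name, existing_groups):
    """Return the normalized name, or raise DefaultGroupError.

    existing_groups is a hypothetical stand-in for a directory lookup.
    """
    name = to_text(name)
    if not GROUP_NAME_RE.fullmatch(name):
        raise DefaultGroupError("may only include letters, numbers, _, -, . and $")
    if name not in existing_groups:
        raise DefaultGroupError("no such group: %s" % name)
    return name


def try_set(name, existing_groups):
    """Convenience wrapper returning (accepted, detail) instead of raising."""
    try:
        return True, check_default_group(name, existing_groups)
    except DefaultGroupError as exc:
        return False, str(exc)


# Constructed sample data, not taken from a real directory.
GROUPS = {"ipausers", "admins"}

if __name__ == "__main__":
    for candidate in ["ipausers", "6üP".encode("utf-8"), "staff", b"\xc3"]:
        print(repr(candidate), try_set(candidate, GROUPS))
```

Rejecting the value at configuration time keeps the failure out of the user-add post-callback, where the second comment shows the user entry had already been created before the error was raised.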