Bug
Resolution: Done-Errata
389-ds-base-3.1.3-2.el10
Low
rhel-idm-ds
Pass
Automated
Description of a problem
A filtered role cannot be created using the "dsidm role create-filtered" command, as it doesn't accept the necessary attribute nsRoleFilter and fails with an object class violation.
Version-Release number of the selected component
rpm -q 389-ds-base cockpit-389-ds
389-ds-base-3.0.5-2.el10.x86_64
Steps to reproduce
1. Try to create a new filtered role using "dsidm role create-filtered"
2. Fill in cn when prompted, confirm
Actual results
Fails with object class violation:
# dsidm -v localhost -b dc=example,dc=com role create-filtered
DEBUG: The 389 Directory Server Identity Manager
DEBUG: Inspired by works of: ITS, The University of Adelaide
DEBUG: dsrc path: /root/.dsrc
DEBUG: dsrc container path: /data/config/container.inf
DEBUG: dsrc instances: []
DEBUG: dsrc no such section: slapd-localhost
DEBUG: Called with: Namespace(verbose=True, json=False, instance='localhost', basedn='dc=example,dc=com', binddn=None, bindpw=None, prompt=False, pwdfile=None, starttls=False, cn=None, func=<function create_filtered at 0x7fefb9f28b80>)
DEBUG: Instance details: {'uri': 'localhost', 'basedn': 'dc=example,dc=com', 'binddn': None, 'bindpw': None, 'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key': None, 'tls_reqcert': None, 'starttls': False, 'prompt': False, 'pwdfile': None, 'args': {'ldapurl': 'localhost', 'root-dn': None}}
DEBUG: Allocate <class 'lib389.DirSrv'> with ldapi://%2frun%2fslapd-localhost.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with %2frun%2fslapd-localhost.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with prereserve-1mt-rhel-10.0-20241220.0-890-2025-01-10-09-28:389
DEBUG: Allocate <class 'lib389.DirSrv'> with prereserve-1mt-rhel-10.0-20241220.0-890-2025-01-10-09-28:389
DEBUG: Allocate <class 'lib389.DirSrv'> with ldapi://%2frun%2fslapd-localhost.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with %2frun%2fslapd-localhost.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with prereserve-1mt-rhel-10.0-20241220.0-890-2025-01-10-09-28:389
DEBUG: Allocate <class 'lib389.DirSrv'> with prereserve-1mt-rhel-10.0-20241220.0-890-2025-01-10-09-28:389
DEBUG: open(): Connecting to uri ldapi://%2frun%2fslapd-localhost.socket
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-localhost
DEBUG: Using external ca certificate /etc/dirsrv/slapd-localhost
DEBUG: Using /etc/openldap/ldap.conf certificate policy
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
DEBUG: open(): Using root autobind ...
DEBUG: open(): bound as None
DEBUG: Retrieving entry with [('',)]
DEBUG: Retrieved entry [dn:
vendorVersion: 389-Directory/3.0.5 B2024.351.0000]
Enter value for cn : test_role
DEBUG: Checking "None" under dc=example,dc=com : {'cn': 'test_role'}
DEBUG: Using first property cn: test_role as rdn
DEBUG: Validated dn cn=test_role,dc=example,dc=com
DEBUG: Creating cn=test_role,dc=example,dc=com
DEBUG: updating dn: cn=test_role,dc=example,dc=com
DEBUG: updated dn: cn=test_role,dc=example,dc=com with {'objectclass': [b'nsComplexRoleDefinition', b'nsFilteredRoleDefinition']}
DEBUG: updating dn: cn=test_role,dc=example,dc=com
DEBUG: updated dn: cn=test_role,dc=example,dc=com with {'cn': [b'test_role']}
DEBUG: {'msgtype': 105, 'msgid': 4, 'result': 65, 'desc': 'Object class violation', 'ctrls': [], 'info': 'missing attribute "nsRoleFilter" required by object class "nsFilteredRoleDefinition"\n', 'ldap_request': "add_ext_s((dn: cn=test_role,dc=example,dc=com\ncn: test_role\nobjectclass: nsComplexRoleDefinition\nobjectclass: nsFilteredRoleDefinition\n\n,),{'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance localhost"}
Traceback (most recent call last):
File "/usr/sbin/dsidm", line 139, in <module>
result = args.func(inst, basedn, log, args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/cli_idm/role.py", line 63, in create_filtered
_generic_create(inst, basedn, log.getChild('_generic_create'), FilteredRoles, kwargs, args)
File "/usr/lib/python3.12/site-packages/lib389/cli_base/__init__.py", line 247, in _generic_create
o = mc.create(properties=kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 1323, in create
return co.create(rdn, properties, self._basedn)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 1076, in create
return self._create(rdn, properties, basedn, ensure=False)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 1051, in _create
_add_ext_s(self._instance, e, serverctrls=self._server_controls, clientctrls=self._client_controls, escapehatch='i am sure')
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 83, in _add_ext_s
return _ldap_op_s(inst, inst.add_ext_s, 'add_ext_s', *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 80, in _ldap_op_s
raise e
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 74, in _ldap_op_s
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/__init__.py", line 173, in inner
return f(ent.dn, ent.toTupleList(), *args[2:])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 222, in add_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/__init__.py", line 177, in inner
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 543, in result3
resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/__init__.py", line 177, in inner
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 553, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/__init__.py", line 177, in inner
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
result = func(*args,**kwargs)
^^^^^^^^^^^^^^^^^^^^
ldap.OBJECT_CLASS_VIOLATION: {'msgtype': 105, 'msgid': 4, 'result': 65, 'desc': 'Object class violation', 'ctrls': [], 'info': 'missing attribute "nsRoleFilter" required by object class "nsFilteredRoleDefinition"\n', 'ldap_request': "add_ext_s((dn: cn=test_role,dc=example,dc=com\ncn: test_role\nobjectclass: nsComplexRoleDefinition\nobjectclass: nsFilteredRoleDefinition\n\n,),{'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance localhost"}
ERROR: Error: Object class violation
Expected results
Should ask for nsRoleFilter attribute and create the role properly.
Links to
RHBA-2025:151590
389-ds-base update
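
Added example (not part of the original report and not lib389 code): a client-side pre-flight check that finds the required attributes missing from an entry and asks for them before the add is sent, which is the behaviour the report expects. The names REQUIRED, missing_required and complete_entry are hypothetical; the only schema rule used is the one quoted in the server error above, and values are plain strings rather than the bytes an LDAP client sends.

```python
# Constructed schema map: object class (lower-cased) -> attributes it requires.
# Only this one rule is taken from the error text in the report.
REQUIRED = {"nsfilteredroledefinition": ("nsRoleFilter",)}


def _normalize(entry):
    """Lower-case attribute names and drop empty values for comparison."""
    return {name.lower(): [v for v in values if v.strip()]
            for name, values in entry.items()}


def missing_required(entry, required=REQUIRED):
    """Return required attributes that are absent or empty, in schema order."""
    norm = _normalize(entry)
    missing = []
    for oc in norm.get("objectclass", []):
        for attr in required.get(oc.lower(), ()):
            if not norm.get(attr.lower()) and attr not in missing:
                missing.append(attr)
    return missing


def complete_entry(entry, ask):
    """Return a copy of entry with each missing attribute obtained from ask(attr).

    ask is any callable taking the attribute name and returning a string,
    for example a wrapper around input(). An empty answer is rejected here
    instead of being passed on to the server.
    """
    completed = {name: list(values) for name, values in entry.items()}
    for attr in missing_required(completed):
        value = ask(attr).strip()
        if not value:
            raise ValueError(f"{attr} is required and cannot be empty")
        completed[attr] = [value]
    return completed


# Constructed sample: the entry shown in the report's debug output.
REPORTED_ENTRY = {
    "cn": ["test_role"],
    "objectclass": ["nsComplexRoleDefinition", "nsFilteredRoleDefinition"],
}

if __name__ == "__main__":
    print("missing:", missing_required(REPORTED_ENTRY))
    # "(ou=sales)" is a constructed filter value used only for illustration.
    print("completed:", complete_entry(REPORTED_ENTRY, lambda attr: "(ou=sales)"))
```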