https://bugzilla.redhat.com/show_bug.cgi?id=804807 (Red Hat Enterprise Linux 6)
Description of problem: Specifying a basedn starting at sublevel ou

ipa migrate-ds --user-container="BostonUsers" --base-dn="ou=People,dc=example,dc=com" --with-compat ldap://dhcp-187-227.bos.redhat.com:389
ipa: ERROR: cannot connect to u'http://dhcp-186-147.testrelm.com/ipa/xml': Internal Server Error

Attempting a migration for users in a sub OU of ou=People

httpd error log:

[Mon Mar 19 15:50:48 2012] [error] ipa: INFO: admin@TESTRELM.COM: migrate_ds(u'ldap://dhcp-187-227.bos.redhat.com:389', u'********', binddn=u'cn=directory manager', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=False, basedn=u'ou=People,dc=example,dc=com', compat=True, exclude_groups=None, exclude_users=None): NotFound
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] mod_wsgi (pid=10480): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] Traceback (most recent call last):
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/share/ipa/wsgi.py", line 49, in application
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] return api.Backend.wsgi_dispatch(environ, start_response)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 229, in __call__
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] return self.route(environ, start_response)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 241, in route
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] return app(environ, start_response)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 411, in __call__
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] response = super(xmlserver, self).__call__(environ, start_response)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 356, in __call__
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] response = self.wsgi_execute(environ)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 315, in wsgi_execute
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] result = self.Command[name](*args, **options)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] ret = self.run(*args, **options)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 696, in run
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] return self.execute(*args, **options)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 697, in execute
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] ldap, config, ds_ldap, ds_base_dn, options
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 562, in migrate
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] search_refs=True # migrated DS may contain search references
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 190, in new_f
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] return f(*new_args, **kwargs)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 201, in new_f
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] return args[0].decode(f(*args, **kwargs))
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 701, in find_entries
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] base_dn = self.normalize_dn(base_dn)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 503, in normalize_dn
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] rdns = explode_dn(dn)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib64/python2.6/site-packages/ldap/dn.py", line 79, in explode_dn
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] dn_decomp = str2dn(dn,flags)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib64/python2.6/site-packages/ldap/dn.py", line 53, in str2dn
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] return ldap.functions._ldap_function_call(_ldap.str2dn,dn,flags)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] File "/usr/lib64/python2.6/site-packages/ldap/functions.py", line 57, in _ldap_function_call
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] result = func(*args,**kwargs)
[Mon Mar 19 15:51:13 2012] [error] [client 10.16.186.147] DECODING_ERROR

Version-Release number of selected component (if applicable): ipa-server-2.2.0-4.el6.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Moving to next month iteration.
The internal fault occurs because of invalid user input: the user-container RDN is malformed (there is no type, i.e. the LHS of type=value).
We should validate all user input, including DN's and RDN's, prior to it ever reaching our internal code.
Fortunately the dn module I added last fall is capable of validating DN's and RDN's. I believe all we need to do is add a validation function to the parameters taking a DN or RDN for the command.
Actually the validation is nothing more than creating a RDN object from the string the user supplied. Too bad we'll throw this away because at some point soon we'll be passing DN and RDN objects around instead of simple strings, but that's a fix for another day.
After adding the validator function and executing the above ipa command you now get this:
ipa: ERROR: invalid 'user_container': malformed RDN string = "BostonUsers"
Patch submitted.
[PATCH 72] Validate DN & RDN parameters for migrate command
master: d317c2a
ipa-2-2: 46391e9
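The validation step discussed in this ticket, as an added example that is not FreeIPA's code or the submitted patch: a small pure-Python check that rejects a container RDN or base DN with a missing attribute type before it can reach the LDAP layer. The function names, the simplified RFC 4514 parsing (no quoted or hex-encoded values) and the DN error wording are assumptions of this example; only the RDN error wording follows the message shown in the ticket.

```python
import re

# RFC 4514 attribute type: a descriptor (cn, ou, dc, ...) or a dotted numeric OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")

def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters inside their part."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def is_rdn(text):
    """True if text is one RDN: type=value pairs joined by '+', no bare ','."""
    if len(split_unescaped(text, ",")) != 1:
        return False
    for ava in split_unescaped(text, "+"):
        attr_type, eq, value = ava.partition("=")
        # Empty values are rejected here; that is this example's choice.
        if not eq or not ATTR_TYPE.match(attr_type.strip()) or not value.strip():
            return False
    return True

def validate_rdn(value):
    """Return None when valid, else an error string worded as in the ticket."""
    return None if is_rdn(value) else 'malformed RDN string = "%s"' % value

def validate_dn(value):
    """A DN is a comma-separated list of RDNs; the error wording is this example's."""
    ok = all(is_rdn(part) for part in split_unescaped(value, ","))
    return None if ok else 'malformed DN string = "%s"' % value

def check_migrate_options(user_container, base_dn):
    """Validate both inputs before any LDAP call; return the error list."""
    checks = (("user_container", validate_rdn(user_container)),
              ("base_dn", validate_dn(base_dn)))
    return ["invalid '%s': %s" % (name, err) for name, err in checks if err]

if __name__ == "__main__":
    # Constructed inputs taken from the command line in the report.
    print(check_migrate_options("BostonUsers", "ou=People,dc=example,dc=com"))
```

Returning an error string instead of raising lets the caller report every bad parameter as a normal validation error rather than surfacing an Internal Server Error from deep inside the LDAP code.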
Metadata Update from @mkosek: - Issue assigned to jdennis - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04