An LDAP server (in this case an AD DC) can return referrals. Our wrapper around python-ldap is not ready for that and fails, which leads to dubious errors like this.
This can cause a regression like this one:
[root@vm-155 yum.repos.d]# ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
[member user]:
[member group]:
Group name: ad_admins_external
Description: ad admins external map
Failed members:
member user:
member group: AD\Domain Admins: trusted domain object not found
Debugging shows that the command fails due to the referral entry, which is not of the form (dn, attrs) but of the form (None, referred_ldap_uri).
[Wed Jul 24 23:11:00.095849 2013] [:error] [pid 29973] ipa: INFO: raw ldap result : [('CN=Domain Admins,CN=Users,DC=AD,DC=EXAMPLE,DC=COM', {'objectSid': ['\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xf8(\\x80\\xbd\\xa2Xb\\x93\\x18!\\xa7T\\x00\\x02\\x00\\x00']})]
[Wed Jul 24 23:11:00.101747 2013] [:error] [pid 29973] ipa: INFO: raw ldap result : [(None, ['ldap://ForestDnsZones.AD.EXAMPLE.COM/DC=ForestDnsZones,DC=AD,DC=EXAMPLE,DC=COM'])]
[Wed Jul 24 23:11:00.104495 2013] [:error] [pid 29973] ipa: ERROR: non-public: TypeError: must be str,unicode,tuple, or RDN, got NoneType instead
[Wed Jul 24 23:11:00.104928 2013] [:error] [pid 29973] ipa: INFO: admin@IPATEST.EXAMPLE.COM: group_add_member(u'ad_admins_external', ipaexternalmember=(u'AD\\\\Domain Admins',), all=False, raw=False, version=u'2.62', no_members=False): TypeError
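The two result shapes in the log above can be told apart before any DN parsing happens. The following is an added example, not part of the ticket and not FreeIPA's own fix; the function name `split_ldap_result` and the sample data are constructed for illustration, and the referral is only recorded, never followed.

```python
from urllib.parse import urlsplit, unquote


def split_ldap_result(raw_result):
    """Separate real entries from referrals in a python-ldap style result.

    Entries are (dn, attrs) tuples; referrals are (None, uris) tuples,
    where uris is an LDAP URI or a list of them (hypothetical helper).
    Returns (entries, referrals); referrals are (host, base_dn) pairs.
    """
    entries, referrals = [], []
    for item in raw_result:
        if not isinstance(item, tuple) or len(item) != 2:
            raise ValueError("unexpected LDAP result item: %r" % (item,))
        dn, payload = item
        if dn is not None:
            entries.append((dn, payload))
            continue
        # Referral: payload holds URIs, not an attribute dict. Passing this
        # item to DN-handling code is what raised the TypeError in the log.
        uris = [payload] if isinstance(payload, str) else list(payload)
        for uri in uris:
            parts = urlsplit(uri)
            if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
                raise ValueError("not an LDAP referral URI: %r" % (uri,))
            # Record where the server pointed us; do not chase it here.
            referrals.append((parts.hostname, unquote(parts.path.lstrip("/"))))
    return entries, referrals


# Constructed sample modelled on the two raw results in the log;
# the objectSid value is a placeholder, not the real SID bytes.
SAMPLE_RESULT = [
    ("CN=Domain Admins,CN=Users,DC=AD,DC=EXAMPLE,DC=COM",
     {"objectSid": [b"<constructed-sid>"]}),
    (None,
     ["ldap://ForestDnsZones.AD.EXAMPLE.COM/"
      "DC=ForestDnsZones,DC=AD,DC=EXAMPLE,DC=COM"]),
]

if __name__ == "__main__":
    found, referred = split_ldap_result(SAMPLE_RESULT)
    print("entries:", [dn for dn, _ in found])
    print("referrals:", referred)
```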
Regression in 3.3 development, moving to appropriate milestone.
master: 2268101
Metadata Update from @tbabej:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.3 - 2013/07