Issue #3927: invalid manager dn can cause entire migration to fail - freeipa

freeipa

#3927 invalid manager dn can cause entire migration to fail

Closed: duplicate 5 years ago Opened 10 years ago by rcritten.

User has existing Sun DS LDAP server which contains an entry for manager of " " (a space). This is causing the migration to fail completely, rather than failing just for that one entry.

User is running RHEL 6.4, 3.0.0-26.

It fails during the data load stage which is why the --ignore* options didn't help.

It would be nice to be able to pass some option to the lower-level LDAP routines to not fail on bad data, though what we would do with the result I'm not sure. How do we know what attribute failed and how fatal it is?

It would also be useful if, when failing, the DN of the failed entry is displayed.

Traceback is:

[Thu Sep 12 09:23:26 2013] [error] ipa: INFO: admin@MYDOMAIN.COM: ping(): SUCCESS
[Thu Sep 12 09:24:11 2013] [error] ipa: ERROR: unable to convert the attribute "manager" value " " to type <class 'ipapython.dn.DN'>
[Thu Sep 12 09:24:11 2013] [error] ipa: ERROR: non-public: ValueError: unable to convert the attribute "manager" value " " to type <class 'ipapython.dn.DN'>
[Thu Sep 12 09:24:11 2013] [error] Traceback (most recent call last):
[Thu Sep 12 09:24:11 2013] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
[Thu Sep 12 09:24:11 2013] [error]     result = self.Command[name](*args, **options)
[Thu Sep 12 09:24:11 2013] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
[Thu Sep 12 09:24:11 2013] [error]     ret = self.run(*args, **options)
[Thu Sep 12 09:24:11 2013] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
[Thu Sep 12 09:24:11 2013] [error]     return self.execute(*args, **options)
[Thu Sep 12 09:24:11 2013] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 889, in execute
[Thu Sep 12 09:24:11 2013] [error]     ldap, config, ds_ldap, ds_base_dn, options
[Thu Sep 12 09:24:11 2013] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 706, in migrate
[Thu Sep 12 09:24:11 2013] [error]     search_refs=True    # migrated DS may contain search references
[Thu Sep 12 09:24:11 2013] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 1089, in find_entries
[Thu Sep 12 09:24:11 2013] [error]     (objtype, res_list) = self.conn.result(id, 0)
[Thu Sep 12 09:24:11 2013] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 557, in result
[Thu Sep 12 09:24:11 2013] [error]     resp_data = self.convert_result(resp_data)
[Thu Sep 12 09:24:11 2013] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 469, in convert_result
[Thu Sep 12 09:24:11 2013] [error]     ipa_attrs[attr.lower()] = self.convert_value_list(attr, target_type, original_values)
[Thu Sep 12 09:24:11 2013] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 435, in convert_value_list
[Thu Sep 12 09:24:11 2013] [error]     raise ValueError(msg)
[Thu Sep 12 09:24:11 2013] [error] ValueError: unable to convert the attribute "manager" value " " to type <class 'ipapython.dn.DN'>
[Thu Sep 12 09:24:11 2013] [error] ipa: INFO: admin@MYDOMAIN.COM: migrate_ds(u'ldap://dev-ldap.okla.mydomain.com:389', u'********', binddn=u'uid=511855,ou=People,o=mydomain.com,o=SDS', usercontainer=u'ou=people', groupcontainer=u'ou=groups', userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=(u'manager',), groupignoreobjectclass=None, groupignoreattribute=(u'manager',), groupoverwritegid=False, schema=u'RFC2307bis', continue=False, basedn=u'o=mydomain.com,o=SDS', compat=False, exclude_groups=None, exclude_users=None): ValueError

mkosek commented 10 years ago

We should just log and ignore errors in single entries (no option)

rcritten commented 10 years ago

For migration only or for all entries, including those in the IPA server?

I wonder if this could get wierd with mods. I suspect that our mod code would still work for the most part, and add and delete values as needed, but it wouldn't touch the bad data already there. This could be a problem with single-value attributes.

Metadata Update from @rcritten:
- Issue assigned to jcholast
- Issue set to the milestone: Future Releases

7 years ago

rcritten commented 5 years ago

Let's go with the newer ticket, closing as duplicate of https://pagure.io/freeipa/issue/7749

Metadata Update from @rcritten:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

5 years ago

Metadata

Assignee

jcholast

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

Future Releases

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Migration

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

todo

tester

None

changelog

None

design

None

freeipa

Source Code

#3927 invalid manager dn can cause entire migration to fail Closed: duplicate 5 years ago Opened 10 years ago by rcritten.

Metadata

#3927 invalid manager dn can cause entire migration to fail

Closed: duplicate 5 years ago Opened 10 years ago by rcritten.