On Wed, 12 Jun 2019, Dmitry Perets via FreeIPA-users wrote:
> >
> > If 'ipa stageuser-find' doesn't find it, you can enable server-side
> > debugging and retry, then you should see debug output in error_log.
> >
> > Create /etc/ipa/server.conf
> >
> > [global]
> > debug = True
> >
> > and restart httpd, then retry.
> Weirdly enough:
> [Wed Jun 12 11:03:38.648863 2019] [:error] [pid 17432] ipa: DEBUG: WSGI
> wsgi_dispatch.__call__:
> [Wed Jun 12 11:03:38.648999 2019] [:error] [pid 17432] ipa: DEBUG: WSGI
> jsonserver.__call__:
> [Wed Jun 12 11:03:38.649064 2019] [:error] [pid 17432] ipa: DEBUG:
> KerberosWSGIExecutioner.__call__:
> [Wed Jun 12 11:03:38.668898 2019] [:error] [pid 17432] ipa: DEBUG: Created connection
> context.ldap2_140302443346704
> [Wed Jun 12 11:03:38.669013 2019] [:error] [pid 17432] ipa: DEBUG: WSGI
> WSGIExecutioner.__call__:
> [Wed Jun 12 11:03:38.676281 2019] [:error] [pid 17432] ipa: DEBUG: raw:
> stageuser_find(None, version=u'2.230')
> [Wed Jun 12 11:03:38.676646 2019] [:error] [pid 17432] ipa: DEBUG: stageuser_find(None,
> all=False, raw=False, version=u'2.230', no_members=True, pkey_only=False)
> [Wed Jun 12 11:03:38.679558 2019] [:error] [pid 17432] ipa: DEBUG: retrieving schema for
> SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IMS-DCN-TELEKOM-DE.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f9ab4b82ea8>
> [Wed Jun 12 11:03:39.016496 2019] [:error] [pid 17432] ipa: DEBUG: stageuser_find:
> pre_callback new filter=(objectclass=\\70\\6f\\73\\69\\78\\61\\63\\63\\6f\\75\\6e\\74)
> [Wed Jun 12 11:03:39.019307 2019] [:error] [pid 17432] ipa: INFO: [jsonserver_kerb]
> admin@IMS.DCN.TELEKOM.DE: stageuser_find/1(None, version=u'2.230'): SUCCESS
> [Wed Jun 12 11:03:39.020103 2019] [:error] [pid 17432] ipa: DEBUG: Destroyed connection
> context.ldap2_140302443346704
> Somehow the filter is not replaced...??? still (objectclass=posixaccount):
> [Wed Jun 12 11:03:39.016496 2019] [:error] [pid 17432] ipa: DEBUG: stageuser_find:
> pre_callback new filter=(objectclass=\\70\\6f\\73\\69\\78\\61\\63\\63\\6f\\75\\6e\\74)
The print above shows binary values. Maybe that's the problem -- it is
not matching unicode and non-unicode and thus failing?
Can you try the following on IPA master itself:
# kinit admin
Password for admin@EXAMPLE.COM:
# ipa -e in_server=True -e debug=True console
[... some debug output ...]
ipa: DEBUG: Created connection context.ldap2_139989835691680
ipa: DEBUG: raw: console(None, version='2.233')
ipa: DEBUG: console(None, version='2.233')
(Custom IPA interactive Python console)
api: IPA API object
pp: pretty printer
>> api.Command.stageuser_find()
ipa: DEBUG: raw:
stageuser_find(None, version='2.233')
ipa: DEBUG: stageuser_find(None, all=False, raw=False, version='2.233',
no_members=True, pkey_only=False)
ipa: DEBUG: retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f51ec6db7b8>
ipa: DEBUG: stageuser_find: pre_callback new
filter=(|(objectclass=posixaccount)(objectclass=inetOrgPerson))
{'result': [{'mail': ['foobar1@example.com'], 'sn':
['bar'], 'uidnumber': ['-1'], 'loginshell':
['/bin/sh'], 'nsaccountlock': True, 'krbcanonicalname':
[ipapython.kerberos.Principal('foobar1@EXAMPLE.COM')], 'givenname':
['ff'], 'uid': ['foobar1'], 'krbprincipalname':
[ipapython.kerberos.Principal('foobar1@EXAMPLE.COM')], 'homedirectory':
['/home/foobar1'], 'gidnumber': ['-1'], 'dn':
ipapython.dn.DN('uid=foobar1,cn=staged
users,cn=accounts,cn=provisioning,dc=example,dc=com')}, {'mail':
['tuser@example.com'], 'sn': ['user'], 'uidnumber':
['-1'], 'loginshell': ['/bin/sh'], 'nsaccountlock': True,
'krbcanonicalname': [ipapython.kerberos.Principal('tuser@EXAMPLE.COM')],
'givenname': ['tim'], 'uid': ['tuser'],
'krbprincipalname': [ipapython.kerberos.Principal('tuser@EXAMPLE.COM')],
'homedirectory': ['/home/tuser'], 'gidnumber': ['-1'],
'dn': ipapython.dn.DN('uid=tuser,cn=staged
users,cn=accounts,cn=provisioning,dc=example,dc=com')}], 'count': 2,
'truncated': False, 'messages': [{'type': 'warning',
'name': 'VersionMissing', 'message': "API Version number was
not sent, forward compatibility not guaranteed. Assuming server's API version,
2.233", 'code': 13001, 'data': {'server_version':
'2.233'}}], 'summary': '2 users matched'}
>>
Basically, I'm looking to see if the Python interactive console will show
you the same garbage in the filter text or not. If yes, then it looks
like there are some uncleaned unicode/str code checks in 4.6.
> In the code it looks pretty much hardcoded, so how is it possible that it doesn't
> work...?
> Btw, part of which package is that particular code? I have ipa-server
> 4.6.4 everywhere (RHEL distribution), but maybe some other package is
> wrong..?
It is part of python-ipaserver (or python{2,3}-ipaserver).
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
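The two `pre_callback new filter=` lines quoted in this thread, decoded and compared, as an added example that is not part of the thread and not FreeIPA's code. It assumes that the server widens the stage-user search by a literal substring replacement of `(objectclass=posixaccount)` (a reconstruction of the behaviour described above, not the project's implementation); the two log lines are copied from the thread, and `filter_from_log_line`, `unescape_ldap_filter`, `is_overescaped`, `widen_posixaccount_filter` and `diagnose` are names introduced here.

```python
"""Decode the hex-escaped LDAP filter from the error_log excerpt and show why
a literal substring replacement cannot match it.

The log lines are copied from the thread; the replacement function is a
hypothetical re-implementation of the behaviour discussed, not FreeIPA's code.
"""
import re

# The filter the RHEL IPA 4.6 server logged (doubled backslashes as rendered).
ESCAPED_LOG_LINE = (
    "[Wed Jun 12 11:03:39.016496 2019] [:error] [pid 17432] ipa: DEBUG: "
    "stageuser_find: pre_callback new "
    r"filter=(objectclass=\\70\\6f\\73\\69\\78\\61\\63\\63\\6f\\75\\6e\\74)"
)
# The filter the interactive console produced on a working server.
GOOD_LOG_LINE = (
    "ipa: DEBUG: stageuser_find: pre_callback new "
    "filter=(|(objectclass=posixaccount)(objectclass=inetOrgPerson))"
)

POSIX_FILTER = "(objectclass=posixaccount)"
WIDENED_FILTER = "(|(objectclass=posixaccount)(objectclass=inetOrgPerson))"

# One or two backslashes followed by two hex digits: an RFC 4515 escape as
# written, or as the log printed it.
_HEX_ESCAPE = re.compile(r"\\{1,2}([0-9a-fA-F]{2})")
_FILTER_IN_LOG = re.compile(r"filter=(\(.*\))\s*$")


def filter_from_log_line(line):
    """Return the filter text from a 'pre_callback new filter=...' log line."""
    match = _FILTER_IN_LOG.search(line)
    if match is None:
        raise ValueError("no filter in log line")
    return match.group(1)


def unescape_ldap_filter(filter_text):
    """Decode \\xx hex escapes (RFC 4515) back into characters."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), filter_text)


def is_overescaped(filter_text):
    """True if the filter hex-escapes bytes that never needed escaping.

    RFC 4515 only requires escaping '*', '(', ')', '\\' and NUL. A filter
    whose escapes decode to plain letters was escaped by code that treated
    the value as raw bytes, which is the unicode/str mix-up suspected above.
    """
    return any(
        chr(int(h, 16)).isalnum() for h in _HEX_ESCAPE.findall(filter_text)
    )


def widen_posixaccount_filter(filter_text):
    """Literal substring replacement of the kind the thread discusses
    (hypothetical; stands in for whatever the server actually does)."""
    return filter_text.replace(POSIX_FILTER, WIDENED_FILTER)


def diagnose(line):
    """Report what the replacement would do with the filter in one log line."""
    raw = filter_from_log_line(line)
    decoded = unescape_ldap_filter(raw)
    return {
        "decoded": decoded,
        "overescaped": is_overescaped(raw),
        "replaced_as_logged": widen_posixaccount_filter(raw) != raw,
        "replaced_after_decoding": widen_posixaccount_filter(decoded) != decoded,
    }


if __name__ == "__main__":
    for log_line in (ESCAPED_LOG_LINE, GOOD_LOG_LINE):
        print(diagnose(log_line))
```

Running the script shows that the escaped filter decodes to exactly `(objectclass=posixaccount)`, that the literal replacement leaves the escaped form untouched, and that applying it to the decoded form yields the filter the console printed. `is_overescaped` is the check to run over other `new filter=` lines in error_log: any filter that hex-escapes ordinary letters was escaped on the wrong string type.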