Open dwbotsch opened 3 weeks ago
alright, I gleamed on lastlogintime because it was printed there... may be a sorta red herring.
Either way... fuller stack trace:
```
[root@pickle botsch_d]# dsidm -v -j cnf -b "dc=cnf,dc=cornell,dc=edu" account entry-status "ou=provisioning,dc=cnf,dc=cornell,dc=edu"
DEBUG: The 389 Directory Server Identity Manager
DEBUG: Inspired by works of: ITS, The University of Adelaide
DEBUG: dsrc path: /root/.dsrc
DEBUG: dsrc container path: /data/config/container.inf
DEBUG: dsrc instances: []
DEBUG: dsrc no such section: slapd-cnf
DEBUG: Called with: Namespace(basedn='dc=cnf,dc=cornell,dc=edu', binddn=None, bindpw=None, details=False, dn='ou=provisioning,dc=cnf,dc=cornell,dc=edu', func=<function entry_status at 0x7fa5ac8ac158>, instance='cnf', json=True, prompt=False, pwdfile=None, starttls=False, verbose=True)
DEBUG: Instance details: {'uri': 'cnf', 'basedn': 'dc=cnf,dc=cornell,dc=edu', 'binddn': None, 'bindpw': None, 'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key': None, 'tls_reqcert': None, 'starttls': False, 'prompt': False, 'pwdfile': None, 'args': {'ldapurl': 'cnf', 'root-dn': None}}
DEBUG: Allocate <class 'lib389.DirSrv'> with ldapi://%2frun%2fslapd-cnf.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with %2frun%2fslapd-cnf.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with pickle.cnf.cornell.edu:389
DEBUG: Allocate <class 'lib389.DirSrv'> with pickle.cnf.cornell.edu:389
DEBUG: Allocate <class 'lib389.DirSrv'> with ldapi://%2frun%2fslapd-cnf.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with %2frun%2fslapd-cnf.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with pickle.cnf.cornell.edu:389
DEBUG: Allocate <class 'lib389.DirSrv'> with pickle.cnf.cornell.edu:389
DEBUG: open(): Connecting to uri ldapi://%2frun%2fslapd-cnf.socket
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-cnf
DEBUG: Using external ca certificate /etc/dirsrv/slapd-cnf
DEBUG: Using /etc/openldap/ldap.conf certificate policy
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
DEBUG: open(): Using root autobind ...
DEBUG: open(): bound as None
DEBUG: Retrieving entry with [('',)]
DEBUG: Retrieved entry [dn: vendorVersion: 389-Directory/2.2.9 B2023.340.1155
]
DEBUG: _gen_dn filter = (|(objectclass=nsAccount)(objectclass=nsPerson)(objectclass=simpleSecurityObject)(objectclass=organization)(objectclass=person)(objectclass=account)(objectclass=organizationalUnit)(objectclass=netscapeServer)(objectclass=domain)(objectclass=posixAccount)(objectclass=shadowAccount)(objectclass=posixGroup)(objectclass=mailRecipient))
DEBUG: _gen_dn dn = ou=provisioning,dc=cnf,dc=cornell,dc=edu
DEBUG: cn=Account Policy Plugin,cn=plugins,cn=config getVal('nsslapd-pluginarg0')
DEBUG: list filter = (&(objectclass=nsMappingTree))
DEBUG: cn=dc\3Dcnf\2Cdc\3Dcornell\2Cdc\3Dedu,cn=mapping tree,cn=config getVal('cn')
DEBUG: cn=dc\3Dcnf\2Cdc\3Dcornell\2Cdc\3Dedu,cn=mapping tree,cn=config getVal('cn')
DEBUG: cn=dc\3Dcnf\2Cdc\3Dcornell\2Cdc\3Dedu,cn=mapping tree,cn=config getVal('cn')
DEBUG: cn=Account Policy Plugin,cn=plugins,cn=config getVal('nsslapd-pluginEnabled')
DEBUG: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config get_attrs_vals_utf8(['stateattrname', 'altstateattrname', 'specattrname', 'limitattrname'])
DEBUG: list filter = (&(objectclass=nsMappingTree))
DEBUG: cn=dc\3Dcnf\2Cdc\3Dcornell\2Cdc\3Dedu,cn=mapping tree,cn=config getVal('cn')
DEBUG: cn=dc\3Dcnf\2Cdc\3Dcornell\2Cdc\3Dedu,cn=mapping tree,cn=config getVal('cn')
DEBUG: cn=dc\3Dcnf\2Cdc\3Dcornell\2Cdc\3Dedu,cn=mapping tree,cn=config getVal('cn')
DEBUG: list filter = (&(objectclass=cosTemplate))
DEBUG: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config getVal('')
DEBUG: ou=provisioning,dc=cnf,dc=cornell,dc=edu get_attrs_vals_utf8(['createTimestamp', 'modifyTimeStamp', 'nsAccountLock', 'lastLoginTime'])
DEBUG: ''
Traceback (most recent call last):
  File "/sbin/dsidm", line 145, in
```
I am wondering if it is related to the accountpolicy plugin somehow...
and if I disable the accountpolicy plugin, everything works.
and the instructions were followed here.. https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/managing_access_control/assembly_tracking-the-last-login-time-without-setting-a-lockout-policy_managing-access-control#proc_configuring-the-account-policy-plug-in-to-record-the-last-login-time_assembly_tracking-the-last-login-time-without-setting-a-lockout-policy
that is... enable the plugin then run: dsconf -D "cn=Directory Manager" ldap://localhost plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime
and if I run a show instead of get...
```
dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
alwaysrecordlogin: yes
cn: config
objectClass: top
objectClass: extensibleObject
stateattrname: lastLoginTime
```
Issue Description

Not sure when this stopped working (since it initially did a few days ago for me to create ACIs on a couple of subOUs... now all OUs including ones I never touched with ACIs... if one browses to them or searches for them and tries to edit... cockpit-ui hangs/blows up... sub entries of the OU work fine (search for a user object, edit it, no problem... search for the parent OU, click edit... cockpit blows up)
Package Version and Platform:
Platform: RHEL8
Package and version:
```
389-ds-base-libs-2.2.9-2.el8.x86_64
389-ds-base-2.2.9-2.el8.x86_64
python3-lib389-2.2.9-2.el8.noarch
cockpit-389-ds-2.2.9-2.el8.noarch
```
Browser [e.g. chrome, safari]

reproduced on both firefox and chrome

Steps to Reproduce

Steps to reproduce the behavior:

Additional context

looking at the javascript console, I find the following:
```
Uncaught TypeError: Cannot read properties of undefined (reading 'includes')
    at Function. (index.js:2:2479525)
    at G (cockpit.js:5:5607)
    at cockpit.js:5:5802
    at k (cockpit.js:5:4658)
```
index.js:2:2479525 corresponds to:
```
)).fail((e => { var t = JSON.parse(e); "Root DSE" === i || "" === s || t.desc.includes("Root suffix can't be locked or unlocked") || (console.error("updateEntryRow", "".concat(u ? "role" : "account", " account entry-status operation failed"), t.desc), g = "error: please, check browser logs", s = r.createElement(ln, { className: "ds-pf-red-color ct-exclamation-circle" })) }
```
specifically the "t.desc.includes" which fails because 't' is ""
So somehow I'm triggering a bug... and it's unclear what.
Looking at ACIs and effective permissions from the commandline, everything appears ok.
Having dug through the code a bit with some debugging, it looks like (and I could be wrong about this) it runs something like: dsidm -j instance -b account entry-status "ou=blah,dc=suffix"
if I run that on the commandline, I get back ""
And as I'm writing this... I'm wondering if it's the last login time, which I did enable in between it working and not working that is the issue.
Just now, I ran: dsidm -v (see above) and it crashed:

```
DEBUG: ''
Traceback (most recent call last):
  File "/sbin/dsidm", line 145, in <module>
    result = args.func(inst, dsrc_inst['basedn'], log, args)
  File "/usr/lib/python3.6/site-packages/lib389/cli_idm/account.py", line 88, in entry_status
    status = acct.status()
  File "/usr/lib/python3.6/site-packages/lib389/idm/account.py", line 144, in status
    last_login_time = self._dict_get_with_ignore_indexerror(account_data, alt_state_attr)
  File "/usr/lib/python3.6/site-packages/lib389/idm/account.py", line 78, in _dict_get_with_ignore_indexerror
    return dict[attr][0]
KeyError: ''
""
```
Now... an ou is never going to have a lastlogin time, so... what's going on here?
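
Added example, not from the reporter or from lib389: a minimal Python reconstruction of the failure mode visible in the traceback above, where a helper that tolerates `IndexError` still crashes with `KeyError: ''` when it is handed an empty attribute name. It assumes the empty name comes from the unset `altstateattrname` and that valueless attributes come back as empty lists; the function names and sample data are hypothetical.

```python
import json

# Constructed sample: values for the four attributes requested in the debug
# log above, as an OU would return them. Assumption: attributes with no value
# come back as empty lists.
OU_DATA = {
    "createTimestamp": ["20240101120000Z"],
    "modifyTimeStamp": ["20240102120000Z"],
    "nsAccountLock": [],
    "lastLoginTime": [],
}
# Constructed from the reporter's config entry: stateattrname is set,
# altstateattrname is absent (assumed to read back as an empty string).
PLUGIN_CFG = {"stateattrname": "lastLoginTime", "altstateattrname": ""}


def lookup_ignore_indexerror(data, attr):
    """Reconstruction of the failing helper's shape: an empty value list is
    tolerated, but a key that is not in the dict still raises KeyError."""
    try:
        return data[attr][0]
    except IndexError:
        return None


def lookup_guarded(data, attr):
    """Hypothetical variant: an unset attribute name, a missing key and an
    empty value list all mean "no value"."""
    if not attr:
        return None
    values = data.get(attr) or []
    return values[0] if values else None


def entry_status_json(data, cfg, lookup):
    """Always return a JSON object; failures carry a 'desc' string so a
    client reading `.desc` never sees an empty body."""
    try:
        last_login = (lookup(data, cfg["stateattrname"])
                      or lookup(data, cfg["altstateattrname"]))
    except KeyError as exc:
        return json.dumps({"desc": "entry-status failed: %r" % (exc,)})
    return json.dumps({"created": data["createTimestamp"][0],
                       "last_login": last_login})


if __name__ == "__main__":
    print(entry_status_json(OU_DATA, PLUGIN_CFG, lookup_ignore_indexerror))
    print(entry_status_json(OU_DATA, PLUGIN_CFG, lookup_guarded))
```

With the first helper the result is an error object with a `desc` field; with the guarded helper the OU yields a normal status with `last_login` set to null.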