FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.

#3814 Ignore referrals when converting to LDAPEntry

Created 3 years ago by tbabej
Modified 4 months ago

An LDAP server (in this case an AD DC) can return referrals. Our wrapper around python-ldap is not ready for that and fails, which leads to dubious errors like this.

This can cause a regression like this one:

[root@vm-155 yum.repos.d]# ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
[member user]: 
[member group]: 
  Group name: ad_admins_external
  Description: ad admins external map
  Failed members: 
    member user: 
    member group: AD\Domain Admins: trusted domain object not found

Debugging shows that the command fails due to the referral entry, which is not of the form (dn, attrs) but of the form (None, referred_ldap_uri).

[Wed Jul 24 23:11:00.095849 2013] [:error] [pid 29973] ipa: INFO: raw ldap result : [('CN=Domain Admins,CN=Users,DC=AD,DC=EXAMPLE,DC=COM', {'objectSid': ['\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xf8(\\x80\\xbd\\xa2Xb\\x93\\x18!\\xa7T\\x00\\x02\\x00\\x00']})]
[Wed Jul 24 23:11:00.101747 2013] [:error] [pid 29973] ipa: INFO: raw ldap result : [(None, ['ldap://ForestDnsZones.AD.EXAMPLE.COM/DC=ForestDnsZones,DC=AD,DC=EXAMPLE,DC=COM'])]
[Wed Jul 24 23:11:00.104495 2013] [:error] [pid 29973] ipa: ERROR: non-public: TypeError: must be str,unicode,tuple, or RDN, got NoneType instead
[Wed Jul 24 23:11:00.104928 2013] [:error] [pid 29973] ipa: INFO: admin@IPATEST.EXAMPLE.COM: group_add_member(u'ad_admins_external', ipaexternalmember=(u'AD\\\\Domain Admins',), all=False, raw=False, version=u'2.62', no_members=False): TypeError
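
An added example, not part of the ticket or of FreeIPA's code: one way to separate referral tuples from real entries before any DN conversion, so the `(None, [uri])` shape seen in the log never reaches the entry constructor. `Entry`, `Referral` and `split_search_results` are hypothetical names, and the sample list is constructed from the two raw results logged above.

```python
from typing import Any, Dict, List, NamedTuple, Tuple
from urllib.parse import unquote, urlsplit


class Entry(NamedTuple):
    dn: str
    attrs: Dict[str, List[Any]]


class Referral(NamedTuple):
    host: str      # lower-cased host the server pointed at
    base_dn: str   # DN part of the referral URI


def split_search_results(raw: List[Tuple[Any, Any]]) -> Tuple[List[Entry], List[Referral]]:
    """Separate entries from referrals in a python-ldap style result list.

    Entries arrive as (dn, attrs_dict); referrals as (None, [ldap_uri, ...]).
    Referrals are recorded for logging but never followed or converted.
    """
    entries: List[Entry] = []
    referrals: List[Referral] = []
    for dn, payload in raw:
        if dn is None:
            # Search result reference: payload is a list of LDAP URIs.
            for uri in payload:
                if isinstance(uri, bytes):
                    uri = uri.decode("utf-8")
                parts = urlsplit(uri)
                referrals.append(
                    Referral(parts.hostname or "", unquote(parts.path.lstrip("/"))))
            continue
        if not isinstance(payload, dict):
            raise TypeError(
                f"unexpected payload for {dn!r}: {type(payload).__name__}")
        entries.append(Entry(dn, payload))
    return entries, referrals


# Constructed sample modelled on the two raw results in the log above.
SAMPLE = [
    ("CN=Domain Admins,CN=Users,DC=AD,DC=EXAMPLE,DC=COM", {"objectSid": [b"\x01\x05"]}),
    (None, ["ldap://ForestDnsZones.AD.EXAMPLE.COM/DC=ForestDnsZones,DC=AD,DC=EXAMPLE,DC=COM"]),
]

if __name__ == "__main__":
    found, skipped = split_search_results(SAMPLE)
    print("entries:", [e.dn for e in found])
    print("referrals ignored:", skipped)
```

Keeping the referral list instead of silently dropping it lets the caller log which hosts the directory pointed at without ever connecting to them.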

Regression in 3.3 development, moving to appropriate milestone.

4 months ago

Metadata Update from @tbabej:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.3 - 2013/07
