#7967 error trying to do --addattr=owner
Opened a month ago by hedrick. Modified a month ago

In CentOS 7.6, IPA 4.6.4

    /bin/ipa group-mod clh-group1 --addattr=owner="uid=dmotto,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu"
    ipa: ERROR: invalid 'owner': must be Unicode text

We use the owner to delegate control of groups to users.

This is new. We just did "yum update." The problem wasn't there before.

I think the upgrade was
old: ipa-server-4.6.4-10.el7.centos.x86_64
new: ipa-server-4.6.4-10.el7.centos.3.x86_64


I can't reproduce this.

You might try: ipa -vvv <command> to see what the JSON looks like going to the server to confirm that special characters aren't being inserted. I doubt that you'll get much info from the server side as this is basic data type validation and typically not logged anywhere.

The message comes from this failing:

    if type(value) in self.allowed_types:
        return value

allowed_types in this case is (unicode,)

I have a plugin, intended to make --owner work, since we use this a lot. Here's the section:

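    # Add a multi-valued 'owner' param to the group object (CLI option --owners).
    group.group.takes_params = group.group.takes_params + (
        Str('owner*',
            cli_name='owners',
            label=_('Owners'),
            # A bare uid is expanded to a full user DN; a value containing ','
            # is taken to be a DN already.
            normalizer=lambda value: value if ',' in value else 'uid=' + value + ',cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu',
        ),
    )

    # Return 'owner' in command output by default.
    group.group.default_attributes.append('owner')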

This worked before the update, but causes this problem now. The problem is the params, not the default_attributes. Commenting out the normalizer doesn't fix it. Unfortunately owners is hardcoded in a way that makes it difficult to do this, but this did work before.

It's not essential to fix this. With my code, we have a parameter --owners, which works fine. My webapp was using --addattr, so it didn't depend upon my plugin, but for now I fixed the webapp to use --owners.

The code in baseldap that processes --addattr/--delattr/--setattr options tries to validate their arguments in ipaserver/plugins/baseldap.py:BaseLDAPCommand.process_attr_options().

As a result, --addattr=owner=DN would be subject to the normalizer of your Str('owner*') param object.

I concur with @rcritten -- we need to see more debug details here, both client and server.
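A simplified model of the path described in the replies above, added here as an example (it is not FreeIPA source and not code from this ticket): an `--addattr` value is split into attribute and value, handed to the param registered under that attribute name, normalized, and then checked with an exact type match. `StrParam`, `process_attr_option`, `error_for` and `PLUGIN_PARAMS` are hypothetical names, Python 3 `str` stands in for Python 2 `unicode`, and pass-through for attributes without a registered param is an assumption.

```python
# Simplified model for illustration; not FreeIPA source. Class and function
# names are hypothetical stand-ins for the behaviour described in the thread.

BASE_DN = 'cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu'  # from the plugin above


class ConversionError(Exception):
    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))


class StrParam:
    allowed_types = (str,)  # (unicode,) on the Python 2 server in the thread

    def __init__(self, name, normalizer=None):
        self.name = name
        self.normalizer = normalizer

    def __call__(self, value):
        # Normalizer only sees text; anything else goes straight to the check.
        if self.normalizer is not None and type(value) is str:
            value = self.normalizer(value)
        # Exact type match: bytes and str subclasses both fail here.
        if type(value) in self.allowed_types:
            return value
        raise ConversionError(self.name, 'must be Unicode text')


def process_attr_option(params, option):
    """Split 'attr=value'; validate the value only if a param is registered."""
    attr, _, value = option.partition('=')
    param = params.get(attr)  # assumption: unregistered attrs pass through
    return attr, (param(value) if param is not None else value)


def error_for(param, value):
    """Return the error text the param raises for value, or None."""
    try:
        param(value)
    except ConversionError as exc:
        return str(exc)
    return None


# The plugin's normalizer, registered under the attribute name 'owner'.
PLUGIN_PARAMS = {'owner': StrParam(
    'owner', lambda v: v if ',' in v else 'uid=' + v + ',' + BASE_DN)}
```

In this model, a text value passes whether or not the normalizer rewrites it, while any value whose type is not exactly the text type produces the "must be Unicode text" error regardless of its content.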

I'm not sure what logging to do. I added a log statement before every reference to self.allowed_types in parameters.py. Nothing interesting. The error seems to be happening in Str, since that's where the error message is. I changed the text of the error message, and got the new text. I put logging in it, and got nothing useful.

    def _convert_scalar(self, value, index=None):
        """
        Convert a single scalar value.
        """
        mylog(value)
        if type(value) in self.allowed_types:
            mylog('ok 1')
            return value
        mylog("point 2")
        if type(value) in (float, decimal.Decimal) + six.integer_types:
            return self.type(value)
        mylog('fail 6')
        if type(value) in (tuple, list):
            raise ConversionError(name=self.name,
                                  error=ugettext(self.scalar_error))
        raise ConversionError(name=self.name, error=ugettext(self.type_error))

point 2 was never reached. All calls were ok 1.

    def _rule_noextrawhitespace(self, _, value):
        """
        Do not allow leading/trailing spaces.
        """
        mylog(value)
        mylog('before assert 1')
        assert type(value) is unicode
        mylog('assert 1 ok')

and similar for the other rule methods. They don't seem to have been called at all.

Here's logging:

ipa -vvv group-mod clh-group1 --addattr=owner=uid=dmotto,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu
ipa: INFO: trying https://krb1.cs.rutgers.edu/ipa/session/json
ipa: INFO: Request: {
    "id": 0,
    "method": "ping",
    "params": [
        [],
        {}
    ]
}
send: u'POST /ipa/session/json HTTP/1.1\r\nHost: krb1.cs.rutgers.edu\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://krb1.cs.rutgers.edu/ipa/xml\r\nCookie: ipa_session=MagBearerToken=l1J5d5DVVkpvWS2OTj9QFdQeqioBofYGUsZPBZt3vyeCGWepRGvYJOBEl%2fTaDRywe3uMQnL8XpCdUoZRS%2btIbOFwTYjNyQmAzVcQu%2bsv0x35ESg%2bpSrOvStlmYkKQXAEpVwBukuOIST%2bN%2biCEbu42%2f1pFhIuUHi7j2pq2gxwEGVVWCwVI0Ia8Xw3nrcOz8jHjsIpcAwzsYKBHTBnAJqwBP3FHMJEQXdJeIR5LH3UrAo%3d;\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: application/json\r\nContent-Length: 86\r\n\r\n{\n "id": 0, \n "method": "ping", \n "params": [\n [], \n {}\n ]\n}'
reply: 'HTTP/1.1 200 Success\r\n'
header: Date: Thu, 06 Jun 2019 16:48:17 GMT
header: Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
header: Set-Cookie: ipa_session=MagBearerToken=l1J5d5DVVkpvWS2OTj9QFdQeqioBofYGUsZPBZt3vyeCGWepRGvYJOBEl%2fTaDRywe3uMQnL8XpCdUoZRS%2btIbOFwTYjNyQmAzVcQu%2bsv0x35ESg%2bpSrOvStlmYkKQXAEpVwBukuOIST%2bN%2biCEbu42%2f1pFhIuUHi7j2pq2gxwEGVVWCwVI0Ia8Xw3nrcOz8jHjsIpcAwzsYKBHTBnAJqwBP3FHMJEQXdJeIR5LH3UrAo%3d;path=/ipa;httponly;secure;
header: X-Frame-Options: DENY
header: Content-Security-Policy: frame-ancestors 'none'
header: Vary: Accept-Encoding
header: Content-Encoding: gzip
header: Cache-Control: no-cache
header: Content-Length: 270
header: Content-Type: application/json; charset=utf-8
body: '{"result": {"messages": [{"type": "warning", "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server\'s API version, 2.230", "code": 13001, "data": {"server_version": "2.230"}, "name": "VersionMissing"}], "summary": "IPA server version 4.6.4. API version 2.230"}, "version": "4.6.4", "error": null, "id": 0, "principal": "hedrick.admin@CS.RUTGERS.EDU"}'
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "hedrick.admin@CS.RUTGERS.EDU",
    "result": {
        "messages": [
            {
                "code": 13001,
                "data": {
                    "server_version": "2.230"
                },
                "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.230",
                "name": "VersionMissing",
                "type": "warning"
            }
        ],
        "summary": "IPA server version 4.6.4. API version 2.230"
    },
    "version": "4.6.4"
}
ipa: INFO: [try 1]: Forwarding 'group_mod/1' to json server 'https://krb1.cs.rutgers.edu/ipa/session/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "group_mod/1",
    "params": [
        [
            "clh-group1"
        ],
        {
            "addattr": [
                "owner=uid=dmotto,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu"
            ],
            "version": "2.230"
        }
    ]
}
send: u'POST /ipa/session/json HTTP/1.1\r\nHost: krb1.cs.rutgers.edu\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://krb1.cs.rutgers.edu/ipa/xml\r\nCookie: ipa_session=MagBearerToken=l1J5d5DVVkpvWS2OTj9QFdQeqioBofYGUsZPBZt3vyeCGWepRGvYJOBEl%2fTaDRywe3uMQnL8XpCdUoZRS%2btIbOFwTYjNyQmAzVcQu%2bsv0x35ESg%2bpSrOvStlmYkKQXAEpVwBukuOIST%2bN%2biCEbu42%2f1pFhIuUHi7j2pq2gxwEGVVWCwVI0Ia8Xw3nrcOz8jHjsIpcAwzsYKBHTBnAJqwBP3FHMJEQXdJeIR5LH3UrAo%3d;\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: application/json\r\nContent-Length: 288\r\n\r\n{\n "id": 0, \n "method": "group_mod/1", \n "params": [\n [\n "clh-group1"\n ], \n {\n "addattr": [\n "owner=uid=dmotto,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu"\n ], \n "version": "2.230"\n }\n ]\n}'
reply: 'HTTP/1.1 200 Success\r\n'
header: Date: Thu, 06 Jun 2019 16:48:17 GMT
header: Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
header: Set-Cookie: ipa_session=MagBearerToken=l1J5d5DVVkpvWS2OTj9QFdQeqioBofYGUsZPBZt3vyeCGWepRGvYJOBEl%2fTaDRywe3uMQnL8XpCdUoZRS%2btIbOFwTYjNyQmAzVcQu%2bsv0x35ESg%2bpSrOvStlmYkKQXAEpVwBukuOIST%2bN%2biCEbu42%2f1pFhIuUHi7j2pq2gxwEGVVWCwVI0Ia8Xw3nrcOz8jHjsIpcAwzsYKBHTBnAJqwBP3FHMJEQXdJeIR5LH3UrAo%3d;path=/ipa;httponly;secure;
header: X-Frame-Options: DENY
header: Content-Security-Policy: frame-ancestors 'none'
header: Vary: Accept-Encoding
header: Content-Encoding: gzip
header: Cache-Control: no-cache
header: Content-Length: 191
header: Content-Type: application/json; charset=utf-8
body: '{"result": null, "version": "4.6.4", "error": {"message": "invalid \'owner\': must be Unicode text x", "code": 3008, "data": {"name": "owner", "error": "must be Unicode text x"}, "name": "ConversionError"}, "id": 0, "principal": "hedrick.admin@CS.RUTGERS.EDU"}'
ipa: INFO: Response: {
    "error": {
        "code": 3008,
        "data": {
            "error": "must be Unicode text x",
            "name": "owner"
        },
        "message": "invalid 'owner': must be Unicode text x",
        "name": "ConversionError"
    },
    "id": 0,
    "principal": "hedrick.admin@CS.RUTGERS.EDU",
    "result": null,
    "version": "4.6.4"
}
ipa: ERROR: invalid 'owner': must be Unicode text x

Can we see the related httpd error log entry for this request?
