Thursday, April 25, 2019

[389-devel] Re: Groups are not accessible by filter

what is your problem ? the searches in both access logs produce the same results:


grep nentries /tmp/access_with* | grep tag=101
/tmp/access_with_filter:[25/Apr/2019:08:36:36.560467098 +0000] conn=1 op=148 RESULT err=0 tag=101 nentries=3 etime=0.0000399837
/tmp/access_with_filter:[25/Apr/2019:08:36:36.562926674 +0000] conn=1 op=149 RESULT err=0 tag=101 nentries=9 etime=0.0000452772
/tmp/access_with_filter:[25/Apr/2019:08:36:36.565416724 +0000] conn=1 op=150 RESULT err=0 tag=101 nentries=8 etime=0.0000416033
/tmp/access_with_filter:[25/Apr/2019:08:36:36.567629593 +0000] conn=1 op=151 RESULT err=0 tag=101 nentries=2 etime=0.0000350486
/tmp/access_with_filter:[25/Apr/2019:08:36:36.569782885 +0000] conn=1 op=152 RESULT err=0 tag=101 nentries=4 etime=0.0000350236
/tmp/access_with_filter:[25/Apr/2019:08:36:36.571945045 +0000] conn=1 op=153 RESULT err=0 tag=101 nentries=7 etime=0.0000367961
/tmp/access_with_filter:[25/Apr/2019:08:36:36.577773550 +0000] conn=1 op=154 RESULT err=0 tag=101 nentries=7 etime=0.0004031631
/tmp/access_with_filter:[25/Apr/2019:08:36:36.579866766 +0000] conn=1 op=155 RESULT err=0 tag=101 nentries=3 etime=0.0000274951
/tmp/access_with_filter:[25/Apr/2019:08:36:36.581771337 +0000] conn=1 op=156 RESULT err=0 tag=101 nentries=3 etime=0.0000312338
/tmp/access_with_filter:[25/Apr/2019:08:36:36.583848484 +0000] conn=1 op=157 RESULT err=0 tag=101 nentries=3 etime=0.1999656509
/tmp/access_with_filter:[25/Apr/2019:08:36:36.587570224 +0000] conn=1 op=158 RESULT err=0 tag=101 nentries=121 etime=0.0001897405
/tmp/access_with_filter:[25/Apr/2019:08:36:36.591514384 +0000] conn=1 op=159 RESULT err=0 tag=101 nentries=2 etime=0.0000319819
/tmp/access_with_filter:[25/Apr/2019:08:36:36.593657986 +0000] conn=1 op=160 RESULT err=0 tag=101 nentries=3 etime=0.0000285626
/tmp/access_with_filter:[25/Apr/2019:08:36:36.595880861 +0000] conn=1 op=161 RESULT err=0 tag=101 nentries=4 etime=0.0000356436
/tmp/access_with_filter:[25/Apr/2019:08:36:36.602518935 +0000] conn=1 op=162 RESULT err=0 tag=101 nentries=120 etime=0.0004828401
/tmp/access_with_filter:[25/Apr/2019:08:36:36.611163994 +0000] conn=1 op=163 RESULT err=0 tag=101 nentries=120 etime=0.0004651831
/tmp/access_with_filter:[25/Apr/2019:08:36:36.640014117 +0000] conn=1 op=166 RESULT err=0 tag=101 nentries=2 etime=0.0000711662
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.910324404 +0000] conn=1 op=148 RESULT err=0 tag=101 nentries=3 etime=0.0000351385
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.912317892 +0000] conn=1 op=149 RESULT err=0 tag=101 nentries=9 etime=0.0000358365
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.914679657 +0000] conn=1 op=150 RESULT err=0 tag=101 nentries=8 etime=0.0000430844
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.916847641 +0000] conn=1 op=151 RESULT err=0 tag=101 nentries=2 etime=0.0000332474
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.918878872 +0000] conn=1 op=152 RESULT err=0 tag=101 nentries=4 etime=0.0000341456
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.920965290 +0000] conn=1 op=153 RESULT err=0 tag=101 nentries=7 etime=0.0000374608
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.926723170 +0000] conn=1 op=154 RESULT err=0 tag=101 nentries=7 etime=0.0004056591
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.928637310 +0000] conn=1 op=155 RESULT err=0 tag=101 nentries=3 etime=0.0000299780
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.930719687 +0000] conn=1 op=156 RESULT err=0 tag=101 nentries=3 etime=0.0000296688
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.932751416 +0000] conn=1 op=157 RESULT err=0 tag=101 nentries=3 etime=0.0000318958
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.936312042 +0000] conn=1 op=158 RESULT err=0 tag=101 nentries=121 etime=0.0001861409
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.939996595 +0000] conn=1 op=159 RESULT err=0 tag=101 nentries=2 etime=0.0000340760
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.942122456 +0000] conn=1 op=160 RESULT err=0 tag=101 nentries=3 etime=0.0000309626
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.944215749 +0000] conn=1 op=161 RESULT err=0 tag=101 nentries=4 etime=0.0000340311
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.950446188 +0000] conn=1 op=162 RESULT err=0 tag=101 nentries=120 etime=0.0004499138
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.957921166 +0000] conn=1 op=163 RESULT err=0 tag=101 nentries=120 etime=0.0004453710
/tmp/access_with_search_s:[25/Apr/2019:08:56:30.968401791 +0000] conn=1 op=166 RESULT err=0 tag=101 nentries=2 etime=0.0000215050



On 04/25/2019 10:59 AM, Anuj Borah wrote:
@Ludwig
 
Attached the logs .

I have noticed , it happening due to _get_objectclass_filter() method in filter of DSLdapObjects .

Accounts(topo.standalone, DEFAULT_SUFFIX)._objectclasses
['nsAccount', 'nsPerson', 'simpleSecurityObject', 'organization', 'person', 'account', 'organizationalUnit', 'netscapeServer', 'domain', 'posixAccount', 'shadowAccount', 'posixGroup', 'mailRecipient']


but the cn=Accounting Managers,ou=Groups,dc=example,dc=com has objectClass: groupOfUniqueNames .

This may be the problem . You can  not find any error in access logs as naturally it does not have any error , its just empty results .

Regards
Anuj Borah


On Thu, Apr 25, 2019 at 12:39 PM Ludwig <lkrispen@redhat.com> wrote:

can you provide the access logs to show what searches were really done


On 04/24/2019 12:23 PM, Anuj Borah wrote:
Hi all,

Please consider bellow condition .

UserAccount(topo.standalone, 'cn=Accounting Managers,ou=groups,dc=example,dc=com').add('uniquemember', [      'uid=scarter, ou=People, dc=example,dc=com', 'uid=tmorris, ou=People, dc=example,dc=com', 'uid=kvaughan, ou=People, dc=example,dc=com',      'uid=rdaugherty, ou=People, dc=example,dc=com', 'uid=hmiller, ou=People, dc=example,dc=com'])    UserAccount(topo.standalone, 'cn=HR Managers,ou=groups,dc=example,dc=com').add('uniquemember', [      'uid=kvaughan, ou=People, dc=example,dc=com', 'uid=cschmith, ou=People, dc=example,dc=com'])

And try to add filter:

With Filter: It fails gives 0 result for those involves Group 'cn=Accounting Managers,ou=groups,dc=example,dc=com' .

for i in ['(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)',             '(uniquemember=uid=rdaugherty, ou=People, dc=example,dc=com)',            '(uniquemember=uid=hmiller, ou=People, dc=example,dc=com)',             '(&(objectclass=inetorgperson)(uid=scarter))',            '(&(objectclass=organizationalperson)(uid=scarter))',             '(objectclass=inetorgperson)',             '(&(objectclass=organizationalPerson)(sn=Jensen))',            '(&(mail=*)(objectclass=organizationalPerson))',             '(mail=*)',             '(&(sn=Rentz)(objectclass=organizationalPerson))',            '(&(sn=Ward)(sn=Ward))',             '(sn=Jensen)',             '(sn=*)',             '(sn=*utz)']:      assert Accounts(topo.standalone, DEFAULT_SUFFIX).filter(i)

with search_s(Old Way): I gives correct results .

for i in ['(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)',            '(uniquemember=uid=rdaugherty, ou=People, dc=example,dc=com)',            '(uniquemember=uid=hmiller, ou=People, dc=example,dc=com)',            '(&(objectclass=inetorgperson)(uid=scarter))',            '(&(objectclass=organizationalperson)(uid=scarter))',            '(objectclass=inetorgperson)',            '(&(objectclass=organizationalPerson)(sn=Jensen))',            '(&(mail=*)(objectclass=organizationalPerson))',            '(mail=*)',            '(&(sn=Rentz)(objectclass=organizationalPerson))',            '(&(sn=Ward)(sn=Ward))',            '(sn=Jensen)',            '(sn=*)',            '(sn=*utz)']:      assert topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, i)


I have attached the test script too . Test test_various_combinations_of_filters_and_idlistscanlimit

Regards
Anuj Borah





_______________________________________________  389-devel mailing list -- 389-devel@lists.fedoraproject.org  To unsubscribe send an email to 389-devel-leave@lists.fedoraproject.org  Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html  List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines  List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org

_______________________________________________
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)