Bug #7565

LDAP configuration issue on production

Added by Dave Vieglais over 8 years ago. Updated about 8 years ago.

Status: Closed
Priority: Normal
Assignee: Ben Leinfelder
Category: d1_identity_manager
Target version:
Start date: 2015-12-28
Due date:
% Done: 100%
Milestone: None
Product Version: *
Story Points:
Sprint:

Description

Looks like there's an issue with the accounts tree in LDAP on production. Looks fine on stage and sandbox.

curl "https://cn.dataone.org/cn/v1/accounts"
<?xml version="1.0" encoding="UTF-8"?>

Problem listing entries at base: dc=org : Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]

Possibly related: during installation on production, there was an issue noted with os-core update that failed on UCSB even though it worked fine on ORC and UNM. After running "dpkg-reconfigure -a" and then running "apt-get upgrade" again, the install continued fine.


Related issues

Duplicated by CN REST - Bug #7857: CnIdentityLDAPImpl.createGroup() allows non-existent uniqueMember, disabling the service entirely Closed 2016-08-03

History

#1 Updated by Ben Leinfelder over 8 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Closed

Robert found a group member entry that did not have a corresponding DN identity registered (cn=Christopher Jones A583,o=Google,c=US,dc=cilogon,dc=org), so we deleted that from the group (cn=dataone-coredev,dc=dataone,dc=org) and now the account listing works as expected.

#2 Updated by Rob Nahf over 8 years ago

  • Status changed from Closed to In Progress
  • % Done changed from 100 to 30

Same problem has re-appeared, all three CNs:

rnahf$ curl "https://cn.dataone.org/cn/v1/accounts"
<?xml version="1.0" encoding="UTF-8"?>

Problem listing entries at base: dc=org : Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]

rnahf$ curl "https://cn-ucsb-1.dataone.org/cn/v1/accounts"
<?xml version="1.0" encoding="UTF-8"?>

Problem listing entries at base: dc=org : Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]

rnahf$ curl "https://cn-unm-1.dataone.org/cn/v1/accounts"
<?xml version="1.0" encoding="UTF-8"?>

Problem listing entries at base: dc=org : Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]

rnahf$ curl "https://cn-orc-1.dataone.org/cn/v1/accounts"
<?xml version="1.0" encoding="UTF-8"?>

Problem listing entries at base: dc=org : Problem looking up group membership at base: dc=org : [LDAP: error code 32 - No Such Object]

rnahf$

#3 Updated by Ben Leinfelder over 8 years ago

There was a uniqueMember entry (uid=Karthik Ram,dc=dataone,dc=org) on the CN=ropensci,DC=dataone,DC=org group. I removed the non-existent user and account listing is back to normal.

#4 Updated by Ben Leinfelder over 8 years ago

I've added a unit test to identify the issue and now we allow the use of unregistered subjects in group membership lists.

#5 Updated by Dave Vieglais about 8 years ago

  • Target version changed from CCI-2.0.3 to CCI-2.2.0

#6 Updated by Robert Waltz about 8 years ago

  • % Done changed from 30 to 100
  • Status changed from In Progress to Closed

#7 Updated by Ben Leinfelder almost 8 years ago

  • Duplicated by Bug #7857: CnIdentityLDAPImpl.createGroup() allows non-existent uniqueMember, disabling the service entirely added
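
The manual check described in updates #1 and #3 (finding a uniqueMember value with no corresponding directory entry) can be run over an LDIF export of the tree. This is an added example, not code from the DataONE project; the LDIF sample, the dc=example,dc=org names and the function names are constructed for illustration, and the parser assumes simple LDIF without folded or base64 lines.

```python
# Constructed sample LDIF (not taken from the DataONE directory).
SAMPLE_LDIF = """\
dn: uid=alice,dc=example,dc=org
objectClass: inetOrgPerson

dn: cn=coredev,dc=example,dc=org
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,dc=example,dc=org
uniqueMember: cn=Ghost User A000,o=Example,c=US,dc=example,dc=org

dn: CN=rgroup,DC=example,DC=org
objectClass: groupOfUniqueNames
uniqueMember: UID=Alice, DC=example, DC=org
uniqueMember: uid=carol,dc=example,dc=org
"""


def normalize_dn(dn):
    """Case-fold a DN and trim spaces so CN=x, DC=y matches cn=x,dc=y."""
    # Assumes no escaped commas inside values (true for the sample data).
    parts = (rdn.partition("=") for rdn in dn.split(","))
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}" for a, _, v in parts)


def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def dangling_members(ldif_text):
    """Return sorted (group DN, member DN) pairs whose member has no entry."""
    entries = parse_ldif(ldif_text)
    known = {normalize_dn(e["dn"][0]) for e in entries if "dn" in e}
    return sorted((e["dn"][0], m) for e in entries
                  for m in e.get("uniquemember", [])
                  if normalize_dn(m) not in known)


if __name__ == "__main__":
    for group, member in dangling_members(SAMPLE_LDIF):
        print(f"{group}: dangling uniqueMember {member}")
```

The DN normalization matters because group and member DNs may be written with different case and spacing, as with the mixed-case DNs quoted in this issue.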
