freeipa-extending-ldap-schema-and-ui
Adding this schema in FreeIPA 4.9.3 API 2.240 breaks the ability to add users.
Hey, I was wondering if you would help me figure out what is causing the issue so it can be corrected.
I am getting an error when trying to create users in FreeIPA after I added this schema. I tested this by installing a brand new VM with FreeIPA, and after doing nothing but adding this schema I can replicate the results.
Specifically, I think it has to do with the Python scripts, because I can add users when I remove those and restart IPA.
ipa: ERROR: user with name "ttest" already exists
ipa user_show ttest
ipa: ERROR: ttest: user not found
ipa user_find ttest
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
ldapsearch -x -b "cn=accounts,dc=.....,dc=....." -D "uid=.....,cn=users,cn=accounts,dc=.....,dc=....." -W uid=ttest
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=.....,dc=.....> with scope subtree
# filter: uid=ttest
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Debug output:
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$02af11e4...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$02af11e4.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal '.....', cookie: 'ipa_session=MagBearerToken=.....'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=.....'
ipa: DEBUG: trying https://...../ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140053371972240
ipa: DEBUG: raw: command_defaults('user_add/1', params=['cn'], kw={'givenname': 'test', 'sn': 'test'}, version='2.240')
ipa: DEBUG: command_defaults('user_add/1', params=('cn',), kw={'givenname': 'test', 'sn': 'test'}, version='2.240')
ipa: DEBUG: [try 1]: Forwarding 'command_defaults/1' to json server 'https://...../ipa/session/json'
ipa: INFO: Request: {
"id": 0,
"method": "command_defaults/1",
"params": [
[
"user_add/1"
],
{
"kw": {
"givenname": "test",
"sn": "test"
},
"params": [
"cn"
],
"version": "2.240"
}
]
}
ipa: DEBUG: New HTTP connection (.....)
ipa: INFO: Response: {
"error": null,
"id": 0,
"principal": ".....",
"result": {
"result": {
"cn": "test test"
}
},
"version": "4.9.3"
}
ipa: DEBUG: raw: user_add('ttest', givenname='test', sn='test', version='2.240')
ipa: DEBUG: user_add('ttest', givenname='test', sn='test', version='2.240')
ipa: DEBUG: [try 1]: Forwarding 'user_add/1' to json server 'https://...../ipa/session/json'
ipa: INFO: Request: {
"id": 0,
"method": "user_add/1",
"params": [
[
"ttest"
],
{
"givenname": "test",
"sn": "test",
"version": "2.240"
}
]
}
ipa: DEBUG: HTTP connection keep-alive (.....)
ipa: INFO: Response: {
"error": {
"code": 4002,
"data": {},
"message": "user with name \"ttest\" already exists",
"name": "DuplicateEntry"
},
"id": 0,
"principal": ".....",
"result": null,
"version": "4.9.3"
}
ipa: DEBUG: Destroyed connection context.rpcclient_140053371972240
ipa: ERROR: user with name "ttest" already exists
I'm also facing this with FreeIPA 4.9.10 on AlmaLinux 8.
It also blocks editing users. I get the
IPA Error 4002: DuplicateEntry Type or value exists
in the WebUI.
Sorry for the late reply and thanks for the heads up. We aren't on 4.9 yet but plan on upgrading sometime this year.
Please let us know if you figure out how to fix the issue you're experiencing; pull requests are always very welcome.
I'll keep you posted if we figure it out from our end.
Hi @hydrian and @xionous,
Sorry for the late reply also from my side. As @hairmare already pointed out, we're not on 4.9 yet but I saw that there is a fork where somebody else has our work in use. Maybe they have fixed your issue. Have a look https://github.com/jasperroloff/freeipa-nextcloud
Unfortunately I currently don't have time to look closer into the issue.
Thank you for the link; however, I just tried that one and it has the same issue.
@xionous can you use the filter (uid=ttest), and can you just search at the dc=.....,dc=..... level? Does the uid you bind with see other accounts if you remove the filter? The code provided works for me on 4.11.
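The three checks asked for above (search `(uid=ttest)` under cn=accounts, search it at the suffix, and drop the uid filter to confirm the bound identity can read other accounts) can be scripted so the outcome is classified consistently. The following is an added example, not code from this project or from FreeIPA; it assumes `ldapsearch` from openldap-clients is on the PATH, that the caller already has a Kerberos ticket (GSSAPI bind), and the suffix and server URI in the `__main__` block are placeholders. The search backend is injectable so the decision logic can be exercised without a directory server.

```python
"""Triage a FreeIPA DuplicateEntry (error 4002) that LDAP does not confirm.

Added example (not project code). Runs the searches suggested in the thread
and classifies the result:
  genuine          - an entry with that uid exists under cn=accounts
  outside-accounts - the uid exists somewhere else under the suffix
  not-visible      - the bound identity cannot read any account at all (ACI)
  phantom          - nothing with that uid is visible anywhere; the error is
                     not backed by an LDAP entry, so look at the server side
"""
import base64
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

# Search backend signature: (base_dn, filter) -> list of matching entry DNs.
SearchFn = Callable[[str, str], List[str]]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a uid taken from user input cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_dns(ldif: str) -> List[str]:
    """Extract entry DNs from `ldapsearch -LLL` output, decoding base64 'dn::' values."""
    dns: List[str] = []
    for line in unfold_ldif(ldif):
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns


def ldapsearch_dns(base: str, ldap_filter: str, uri: str) -> List[str]:
    """Real backend: GSSAPI bind with the current ticket; '1.1' requests no attributes,
    so only DNs come back and no account data is written to the terminal."""
    cmd = ["ldapsearch", "-LLL", "-Q", "-Y", "GSSAPI", "-H", uri,
           "-b", base, "-s", "sub", ldap_filter, "1.1"]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse_dns(result.stdout)


@dataclass
class Triage:
    code: str
    in_accounts: List[str]
    in_suffix: List[str]
    visible_accounts: int


def triage(uid: str, suffix: str, search: SearchFn) -> Triage:
    """Apply the thread's three checks and classify the DuplicateEntry."""
    flt = "(uid=%s)" % escape_filter_value(uid)
    accounts_base = "cn=accounts," + suffix
    in_accounts = search(accounts_base, flt)
    in_suffix = search(suffix, flt)
    # Visibility check: without the uid filter, can this identity read any account?
    visible = search(accounts_base, "(objectClass=posixAccount)")
    if in_accounts:
        code = "genuine"
    elif in_suffix:
        code = "outside-accounts"
    elif not visible:
        code = "not-visible"
    else:
        code = "phantom"
    return Triage(code, in_accounts, in_suffix, len(visible))


if __name__ == "__main__":
    # Placeholders (assumed values): replace with the real suffix and server.
    SUFFIX = "dc=example,dc=test"
    URI = "ldap://ipa.example.test"
    verdict = triage("ttest", SUFFIX, lambda b, f: ldapsearch_dns(b, f, URI))
    print(verdict.code, verdict.in_accounts, verdict.in_suffix, verdict.visible_accounts)
```

In the situation described in this thread (user_add reports DuplicateEntry while `(uid=ttest)` matches nothing and other accounts are readable), the script returns `phantom`, which points away from the directory contents and towards whatever answers user_add on the server; `not-visible` instead means the bind identity's ACIs, not a missing entry, explain the empty search.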
This won't work because the account never actually gets created. And yes, if I remove the filter I see all other accounts. I will have to upgrade to 4.11 and try to see if I still get the same issue.
Version 4.11 works without issue, so there must have been some problem with IPA itself in 4.9 that was fixed in 4.11. I have made no other changes except updating to 4.11.
Brilliant, thanks for the heads-up!