The ldap.managed plugin is unable to modify the olcSyncRepl attribute when it already exists in the cn=config database. Note this error only occurs after the initial run, as the plugin is attempting to update an existing attribute. I can also verify that the directive is set to 'replace':
- 'olcDatabase={0}config,cn=config':
  - replace:
      olcSyncRepl:
        - 'rid=001 provider=ldap://ldap_poc1.xxxx.xxxx binddn="cn=config"
          bindmethod=simple credentials=x searchbase="cn=config"
          type=refreshAndPersist retry="5 5 300 5" timeout=1'
        - 'rid=002 provider=ldap://ldap_poc2.xxxx.xxxxx binddn="cn=config"
          bindmethod=simple credentials=x searchbase="cn=config"
          type=refreshAndPersist retry="5 5 300 5" timeout=1'
        - 'rid=003 provider=ldap://ldap_poc3.xxx.xxxx binddn="cn=config"
          bindmethod=simple credentials=x searchbase="cn=config"
          type=refreshAndPersist retry="5 5 300 5" timeout=1'
      olcMirrorMode: 'TRUE'
Error occurs on the second pass, would be relevant to an update operation
[root@dev-master ~]# salt dev-minion-01 state.apply openldap
dev-minion-01:
----------
ID: openldap_entries
Function: ldap.managed
Result: False
Comment: failed to modify entry olcDatabase={0}config,cn=config(exception in ldap backend: TYPE_OR_VALUE_EXISTS({'info': 'modify/add: olcSyncrepl: value #0 already exists', 'desc': 'Type or value exists'},)), modify entry olcDatabase={2}hdb,cn=config(exception in ldap backend: TYPE_OR_VALUE_EXISTS({'info': 'modify/add: olcSyncrepl: value #0 already exists', 'desc': 'Type or value exists'},))
Started: 21:31:00.411394
Duration: 28.915 ms
Changes:
Salt Version:
Salt: 2019.2.0
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.5.6
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.5 (default, Oct 30 2018, 23:45:53)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4
System Versions:
dist: centos 7.6.1810 Core
locale: UTF-8
machine: x86_64
release: 3.10.0-957.5.1.el7.x86_64
system: Linux
version: CentOS Linux 7.6.1810 Core
Thanks for reporting this! I personally do not have experience using ldap, however it appears that this might be a small logic change/addition in the state file. Does anything specific jump out? @saltstack/team-core
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
not stale
Thank you for updating this issue. It is no longer marked as stale.
I ran into this same issue trying to modify olcSyncrepl using Ansible.
Apparently, modifying the olcSyncrepl attribute has an issue with case sensitivity. If you query the settings, you will notice olcSyncrepl has a lower case r instead of upper case. Adding the attribute is case insensitive, but modifying is case sensitive.
If you change your attribute to olcSyncrepl (lower case r), it will probably work.
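A sketch of how a client-side diff that matches attribute names case-sensitively could end up issuing an add for an attribute the server already holds, which is the shape of the `modify/add: olcSyncrepl: value #0 already exists` error in the report. This is an added example, not Salt's code and not part of the original thread; the function names and provider hosts are constructed, and whether ldap.managed behaves this way internally is an assumption.

```python
# Constructed illustration; not Salt's or python-ldap's implementation.

def plan_naive(existing, desired):
    """Diff keyed on the attribute name exactly as written (case-sensitive)."""
    mods = []
    for attr, values in desired.items():
        if attr not in existing:
            # "olcSyncRepl" is not a key of the server's entry, so this
            # branch fires even though "olcSyncrepl" is already present.
            mods.append(("add", attr, values))
        elif existing[attr] != values:
            mods.append(("replace", attr, values))
    return mods


def plan_normalized(existing, desired):
    """Same diff, but names are matched case-insensitively (LDAP attribute
    names are case-insensitive) and the server's spelling is reused."""
    by_lower = {name.lower(): name for name in existing}
    mods = []
    for attr, values in desired.items():
        server_name = by_lower.get(attr.lower())
        if server_name is None:
            mods.append(("add", attr, values))
        elif existing[server_name] != values:
            mods.append(("replace", server_name, values))
    return mods


# Constructed sample: the entry as the server would return it after the
# first run (lower-case "r"), and the state as spelled in the report.
SYNCREPL = [
    "rid=001 provider=ldap://a.example searchbase=\"cn=config\"",
    "rid=002 provider=ldap://b.example searchbase=\"cn=config\"",
]
EXISTING = {"olcSyncrepl": list(SYNCREPL), "olcMirrorMode": ["TRUE"]}
DESIRED = {"olcSyncRepl": list(SYNCREPL), "olcMirrorMode": ["TRUE"]}

if __name__ == "__main__":
    print("naive:     ", plan_naive(EXISTING, DESIRED))
    print("normalized:", plan_normalized(EXISTING, DESIRED))
```

With the naive plan, an unchanged second run still produces an add of identical values; the normalized plan produces no operations for the same input.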