Please find attached the patch for Ticket 5434: add context to exception on LdapEntry decode error.


From 8094fca2e0a11c1c108959da3a8f05c3d9c62bb7 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Fri, 3 Jun 2016 14:56:35 +0200
Subject: [PATCH] add context to exception on LdapEntry decode error

When reading the content of an invalid LDAP entry, the exception
only displays the attribute name and value, but not the DN of the entry.
Because of this, it is difficult to identify the root cause of the

The fix raises a ValueError exception which also contains the entry DN.
Note that this does not change the overall behavior: the web browser
will still display
An error has occurred (IPA Error 903: InternalError)
Please try the following options:

    Refresh the page.
    Return to the main page and retry the operation
    Reload the browser.

If the problem persists please contact the system administrator.

The exception is printed in httpd/error_log as
ValueError: unable to convert the attribute u'memberofindirect' value 'Y249ZWV5ZV9ob3N0LGNuPWhvc3Rncm91cHMsY249YWNjb3VudHMsZGM9cHJvZCxkYLg' to type <class 'ipapython.dn.DN'> in LDAP entry 'fqdn=vm-058-124.abc.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom-058-232,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'

The issue can be reproduced by disabling the schema checking and
manually modifying a host entry with a value that is not base64-decodable.
Example ldif:

dn: cn=config
changetype: modify
replace: nsslapd-syntaxcheck
nsslapd-syntaxcheck: off

dn: fqdn=<hostname>,cn=computers,cn=accounts,<basedn>
changetype: modify
add: memberof
memberof: Y249ZWV5ZV9ob3N0LGNuPWhvc3Rncm91cHMsY249YWNjb3VudHMsZGM9cHJvZCxkYLg

 ipapython/ipaldap.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 9fb7fd3f5a49dec0fd855c05f0e64004593e1306..6bade5bbc6f87ba9dd3d99b6f6befbfa2ee086c5 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -320,7 +320,11 @@ class LDAPEntry(collections.MutableMapping):
         for value in raw_adds:
-            value = self._conn.decode(value, name)
+            try:
+                value = self._conn.decode(value, name)
+            except ValueError as e:
+                raise ValueError("{error} in LDAP entry '{dn}'".format(
+                    error=e, dn=self._dn))
             if value in nice_dels:
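
Review bot: The new `raise ValueError(...)` inside the `except ValueError as e:` block builds a fresh exception from the text of `e` only, so the traceback that httpd/error_log receives starts at this line and no longer shows where inside `self._conn.decode` the conversion failed. The `u'memberofindirect'` in the sample log line suggests this runs on Python 2, where there is no implicit exception chaining; consider re-raising with the original traceback (for example `six.reraise` with `sys.exc_info()[2]`, if six is available to this module) so the added DN context does not cost the original frames. Two smaller points on the same lines: the DN is interpolated raw between literal quotes, so a DN containing a quote or newline would garble the log line, and it is worth confirming that formatting `self._dn` cannot itself raise for a non-ASCII DN, since that would mask the error this change is meant to explain. A short comment above the `try` saying why the exception is wrapped would also help the next reader.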
