mandriva

Ticket #751 (closed defect: fixed)

Opened 2 years ago

Last modified 21 months ago

User entity provisioning via inventory broken

Reported by: jb@… Owned by: oroussy
Priority: Normal Milestone: 1.2.5
Component: python-mmc-inventory Version: 1.2.3
Severity: Minor Keywords:
Cc:

Description

When provisioning user entities via the inventory, any login attempt will fail with a backtrace like:

  File "/var/lib/python-support/python2.5/mmc/plugins/inventory/provisioning.py", line 65, in doProvisioning
    userentry = authtoken.getInfos()[1]
exceptions.IndexError: list index out of range

As it happens, line 65 should actually read:

    userentry = authtoken.getInfos()[0][1]

And then it works. Note the externalldap provisioning code suffers from the same bug, from a quick grep.

Change History

Changed 2 years ago by cdelfosse

Hi Julien,

Please post your configuration files (base.ini and inventory.ini). Did you try to log in as "root"?

Regards,

Cédric

Changed 2 years ago by jb@…

Hi Cédric,

Logging in as root always works, due to root being excluded from the user/entity provisioning.

Here's base.ini (comments filtered out for brevity):

[ldap]
host = 127.0.0.1
baseDN = dc=plop,dc=fr
baseUsersDN = ou=Users, %(basedn)s
baseGroupsDN = ou=Groups, %(basedn)s
rootName = cn=admin, %(basedn)s
password = plopplop
userHomeAction = 0
skelDir = /etc/skel
defaultUserGroup =
defaultHomeDir = /home
uidStart = 10000
gidStart = 10000
logfile = /var/log/ldap.log
passwordscheme = ssha

[backup-tools]
path = /usr/lib/mmc/backup-tools
destpath = /srv

[provisioning]
method = inventory

[computers]
method = inventory

And inventory.ini:

[main]
disable = 0
displayLocalisationBar = 0

[inventory]
dbdriver = mysql
dbhost = localhost
dbport = 3306
dbname = inventory
dbuser = mmc
dbpasswd = mmc
dbsslenable = 0
dbsslca = /etc/mmc/pulse2/inventory/cacert.pem
dbsslcert = /etc/mmc/pulse2/inventory/cert.pem
dbsslkey = /etc/mmc/pulse2/inventory/key.pem


[expert_mode]
Bios = Chipset|BiosVersion|ChipSerial|BiosVendor|TypeMachine|SmbManufacturer|SmbProduct|SmbVersion|SmbSerial|SmbUUID|SmbType
Network = CardType|MIB|Bandwidth|NetworkType|SubnetMask|State
Hardware = Build|Version|ProcessorCount|SwapSpace|IpAddress|User|Date|Workgroup|RegisteredName|RegisteredCompany|OSSerialNumber|Type
Software = ProductPath|Type|ExecutableSize
Controller = ExpandedType|HardwareVersion|StandardType
Drive = DriveType|FileCount|FileSystem
Input = StandardDescription|ExpandedDescription|Connector
Memory = ExtendedDescription|SlotCount
Monitor = Stamp|Type|Serial|Manuf
Pci =
Port = Stamp
Printer =
Slot =
Sound = Description
Storage = ExtendedType|VolumeName|Media
VideoCard =

[graph]
Network = Gateway
Hardware = OperatingSystem|ProcessorType
Memory = Size

[querymanager]
list = Hardware/Workgroup||Machine/Name||Entity/Label||Software/ProductName||Hardware/ProcessorType||Hardware/OperatingSystem||Drive/TotalSpace
double = Software/Products::Software/ProductName##Software/ProductVersion
halfstatic = Registry/Value/display name::Path##DisplayName

[provisioning_inventory]
exclude = root
profile_attr = plopEntity
profile_entity_default = .
profile_entity_none = .

I don't think it's a configuration issue; printing the result of authtoken.getInfos() is what revealed the missing [0] - the dict the code is looking for is enclosed in a list.

JB.

Changed 2 years ago by cdelfosse

  • owner changed from oroussy to cdelfosse
  • component changed from general to python-mmc-inventory
  • milestone changed from Dispatch Me ! to 1.2.4

OK weird, I'll take a look.

Changed 2 years ago by oroussy

  • is plopEntity an ldap attribute you have in user entries in your ldap, and did you modify the ldap schema to support that attribute?
  • are default and none two values you can have in that field?

http://pulse2.mandriva.org/content/doc/1.2.3/conf/en/mmc-python-plugin-inventory-configuration.html#id2839151

can you give an ldap export of one of your users please?

Changed 2 years ago by oroussy

  • owner changed from cdelfosse to oroussy

Changed 2 years ago by jb@…

Hi,

  • Yes on everything for the LDAP attribute
  • Those values could be in that field, however, in practice, they're not.

The way I read the documentation, default and none would be special configuration values that aren't present in the LDAP attribute. I expect some config key named "bla_default" to be exactly that - a DEFAULT.

Even more so when entities can't be manipulated at all from the web interface...

Can't give an export, anyway it's just a standard user created from the web interface and with that attribute added manually afterwards.

Well, at least your answer gives me a hint as to what to do next.

JB.

Changed 2 years ago by oroussy

Replying to jb@…:

> Hi,
>
>   • Yes on everything for the LDAP attribute
>   • Those values could be in that field, however, in practice, they're not.
>
> The way I read the documentation, default and none would be special configuration values that aren't present in the LDAP attribute. I expect some config key named "bla_default" to be exactly that - a DEFAULT.

no, default is not a special keyword (nor none), it's not applied to users by default (nor to empty profile).

"A user that doesn't have any profile (for example the pulse2profile attribute of her/his entry is empty), or that has an undefined profile, will be linked to no entity."

> Even more so when entities can't be manipulated at all from the web interface...
>
> Can't give an export, anyway it's just a standard user created from the web interface and with that attribute added manually afterwards.

ok

> Well, at least your answer gives me a hint as to what to do next.
>
> JB.

Changed 2 years ago by oroussy

there is no default value right now, but if we declare a profile_entity_ it's taken as default (it's a buggy behavior that should be corrected) (in fact it declares the empty profile...)

(the VM demo image has to be corrected as soon as the default value is created, because right now we use the empty profile to declare all users #785)

Changed 2 years ago by oroussy

the demo image VM is corrected as follows:

  • modification of the ldap configuration:
    • modify the file /etc/openldap/schema/mmc.schema to add a section:
      attributetype ( 1.3.6.1.4.1.40098.1.1.12.4 NAME 'lmcProfile'
               DESC 'LMC user profile'
               EQUALITY caseIgnoreMatch
               SUBSTR caseIgnoreSubstringsMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)

      and modify the lmcUserObject section to add lmcProfile as a possible attribute:

      objectclass ( 1.3.6.1.4.1.40098.1.2.1.19.1 NAME 'lmcUserObject' AUXILIARY
              DESC 'Objectclass for LMC user settings '
              MAY  ( lmcACL $ lmcPrefMode $ lmcPrinterAllowed $ lmcProfile))
    • modify the file /etc/openldap/slapd.access.conf to give access to lmcUserObject to normal users:
      # allow users to modify their own "address book" entries:
      access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
              attrs=inetOrgPerson,mail,lmcUserObject
              by self write
              by dn.exact,expand="uid=root,ou=People,$2" write
              by group.expand="cn=Domain Controllers,ou=Group,$2" write
              by group.expand="cn=Replicator,ou=Group,$2" write
              by users read

  • modify mmc configuration:
    • the base.ini (be careful, in the demo VM the default file is overridden by /etc/mmc/template/etc/mmc/plugins/base.ini, so modify that one) has to be modified to have a section:
      [provisioning]
      method = inventory

      and

      [userdefault]
      objectClass = +lmcUserObject
      lmcProfile = default
    • inventory.ini (depending on the version of the demo VM you could have to modify /etc/mmc/template/etc/mmc/plugins/inventory.ini), add the section:
      [provisioning_inventory]
      exclude = root
      profile_attr = lmcProfile
      profile_entity_default = .

  • now restart services (ldap and mmc-agent)

Changed 21 months ago by oroussy

  • status changed from new to closed
  • resolution set to fixed

Implemented in :

  • mmc-projects r6867 - pulse2/server/trunk/services/mmc/plugins/inventory
  • pulse2-mmc-plugins r869 - branches/PULSE_1_2_5/mmc/plugins/inventory

To define a profile where the attribute is not defined (empty), you can just set profile_entity_ in the provisioning_inventory section. If the profile_attr element doesn't exist, the empty profile is also going to be chosen.

The "default" profile is now created (WARNING: that means default is a keyword); this profile is used when none of the other profiles are selected.

Examples :

UserA : title = ''
UserB : title = 'admin'
UserC : title = 'exploit'
UserD : title = 'user'
UserE : no title attribute


[provisioning_inventory]
profile_attr = title
profile_entity_ = entity_1
profile_entity_admin = entity_2
profile_entity_default = entity_3


UserA : entity_1
UserB : entity_2
UserC : entity_3
UserD : entity_3
UserE : entity_1
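
The mapping rules from the closing comment, together with the indexing fix from the ticket description, as an added example (not code from the MMC project). The getInfos() result shape [(dn, {attr: [values]})], the user DNs, and the function names are assumptions made for illustration; falling back to default when no empty profile is declared is also an assumption.

```python
import configparser

# Constructed sample: the example section from the closing comment.
SAMPLE_INI = """
[provisioning_inventory]
profile_attr = title
profile_entity_ = entity_1
profile_entity_admin = entity_2
profile_entity_default = entity_3
"""
PREFIX = "profile_entity_"

# Constructed users in the assumed getInfos() shape: [(dn, {attr: [values]})].
USERS = {
    "UserA": [("uid=a,ou=Users,dc=example,dc=org", {"title": [""]})],
    "UserB": [("uid=b,ou=Users,dc=example,dc=org", {"title": ["admin"]})],
    "UserC": [("uid=c,ou=Users,dc=example,dc=org", {"title": ["exploit"]})],
    "UserD": [("uid=d,ou=Users,dc=example,dc=org", {"title": ["user"]})],
    "UserE": [("uid=e,ou=Users,dc=example,dc=org", {})],
}


def load_profiles(ini_text):
    """Return (profile_attr, {profile_name: entity}) from the ini text."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    section = cp["provisioning_inventory"]
    mapping = {k[len(PREFIX):]: v for k, v in section.items() if k.startswith(PREFIX)}
    return section["profile_attr"], mapping


def user_entry(infos):
    """Return the attribute dict; infos[1] on this shape is the ticket's IndexError."""
    if not infos or len(infos[0]) < 2:
        raise ValueError("unexpected getInfos() result: %r" % (infos,))
    return infos[0][1]


def resolve_entity(infos, profile_attr, mapping):
    """Map a user to an entity; None means the user is linked to no entity."""
    values = user_entry(infos).get(profile_attr, [])
    profile = values[0] if values else ""  # missing attribute counts as the empty profile
    return mapping.get(profile, mapping.get("default"))


if __name__ == "__main__":
    attr, mapping = load_profiles(SAMPLE_INI)
    for name, infos in sorted(USERS.items()):
        print(name, "->", resolve_entity(infos, attr, mapping))
```

Unmatched values such as 'exploit' fall through to profile_entity_default, so that entity is what any unrecognised profile value receives.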
