ldap.managed Errors #52022

Closed
Sakorah opened this issue Mar 7, 2019 · 7 comments · Fixed by #55651
@Sakorah

Sakorah commented Mar 7, 2019

Description of Issue/Question

I have a lot of states to manage users/groups in LDAP via saltstack.

ldap.managed state fails with two different error messages.
It started failing in the last couple of weeks; it did work fine for the last years :)

Running Ubuntu 18.04 or Debian 9 with latest patches.

Setup

I have an LDAP docker container running and saltstack connects to this LDAP server. Authentication to the LDAP server is working fine.

ldap-user-ou:
  ldap.managed:
    - connect_spec:
        url: 'ldap://127.0.0.1'
        bind:
          method: 'simple'
          dn: 'cn=admin,dc=domain,dc=at'
          password: XXXX
    - entries:
      - 'ou=users,dc=domain,dc=at':
        - replace:
            objectClass:
              - organizationalUnit
              - top
            ou: 'VHOST Users'

test-user:
  ldap.managed:
    - connect_spec:
        url: 'ldap://127.0.0.1'
        bind:
          method: 'simple'
          dn: 'cn=admin,dc=domain,dc=at'
          password: XXXX
    - entries:
      - cn=test,ou=users,dc=domain,dc=at:
        - replace:
            cn: 'test'
            description: 'User test'
            homeDirectory: '/var/www/vhosts/test'
            loginShell: '/bin/bash'
            objectClass:
              - posixAccount
              - top
              - shadowAccount
              - inetOrgPerson
            sn: 'sn'
            uid: test

Steps to Reproduce Issue

Run and apply sls from above.

Output I get for those two states:

----------
          ID: ldap-user-ou
    Function: ldap.managed
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python2.7/dist-packages/salt/state.py", line 1919, in call
                  **cdata['kwargs'])
                File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 1918, in wrapper
                  return f(*args, **kwargs)
                File "/usr/lib/python2.7/dist-packages/salt/states/ldap.py", line 334, in managed
                  __salt__['ldap3.add'](l, dn, n)
                File "/usr/lib/python2.7/dist-packages/salt/modules/ldap3.py", line 414, in add
                  l.c.add_s(dn, modlist)
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 428, in add_s
                  return self.add_ext_s(dn,modlist,None,None)
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 413, in add_ext_s
                  msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 409, in add_ext
                  modlist = self._bytesify_modlist('modlist', modlist, with_opcode=False)
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 199, in _bytesify_modlist
                  for attr, val in modlist
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 199, in <genexpr>
                  for attr, val in modlist
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 164, in _bytesify_input
                  return value.encode('utf-8')
              AttributeError: 'tuple' object has no attribute 'encode'
     Started: 14:06:14.785436
    Duration: 1480.86 ms
     Changes:
----------
          ID: test-user
    Function: ldap.managed
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python2.7/dist-packages/salt/state.py", line 1919, in call
                  **cdata['kwargs'])
                File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 1918, in wrapper
                  return f(*args, **kwargs)
                File "/usr/lib/python2.7/dist-packages/salt/states/ldap.py", line 334, in managed
                  __salt__['ldap3.add'](l, dn, n)
                File "/usr/lib/python2.7/dist-packages/salt/modules/ldap3.py", line 414, in add
                  l.c.add_s(dn, modlist)
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 428, in add_s
                  return self.add_ext_s(dn,modlist,None,None)
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 413, in add_ext_s
                  msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 409, in add_ext
                  modlist = self._bytesify_modlist('modlist', modlist, with_opcode=False)
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 199, in _bytesify_modlist
                  for attr, val in modlist
                File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 199, in <genexpr>
                  for attr, val in modlist
              ValueError: too many values to unpack
     Started: 14:06:16.267257
    Duration: 5.829 ms
     Changes:

Versions Report

~# salt --versions-report
Salt Version:
           Salt: 2018.3.4

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.6.1
      docker-py: 3.7.0
          gitdb: 2.0.3
      gitpython: 2.1.8
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.7
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: 1.3.10
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.15rc1 (default, Nov 12 2018, 14:31:15)
   python-gnupg: 0.4.1
         PyYAML: 3.12
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: 2.0.3
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.2.5

System Versions:
           dist: Ubuntu 18.04 bionic
         locale: UTF-8
        machine: x86_64
        release: 4.15.0-29-generic
         system: Linux
        version: Ubuntu 18.04 bionic
@garethgreenaway
Contributor

@Sakorah Thanks for the report. This line seems like it might be the problematic line and resulting in the tuple in question, https://github.com/saltstack/salt/blob/2018.3/salt/modules/ldap3.py#L412
@angeloudy it looks like you made this change, was this change to be a tuple done for a particular reason? Thanks!

@garethgreenaway garethgreenaway added this to the Blocked milestone Mar 7, 2019
@garethgreenaway garethgreenaway added the Pending-Discussion The issue or pull request needs more discussion before it can be closed or merged label Mar 7, 2019
@Sakorah
Author

Sakorah commented Mar 8, 2019

Hi!

I just did some re-testing and tried 2018.3.3 and it worked. Switched forward to 2018.3.4 and it failed. Switched back again and it worked.

So something changed from 2018.3.3 to 2018.3.4.

@garethgreenaway
Contributor

@Sakorah that's super helpful 😁 we'll hopefully be able to track down the problematic commit.

@ghost

ghost commented Mar 8, 2019

It seems to be this one:

05e55bd

#48666

@importepeu
Contributor

Hi,

I have some trouble here using the ldap.manage module regarding some "tuple" stuff. This was described here #48258, fixed and backported by @rallytime in June 2018 as described there. But later, @angeloudy removed the fix in commits 05e55bd and 0d749e6 as described here.

So with salt version 2018.3.4 I still have some trouble managing LDAP users with the tuple error. Applying the fix authored by @nullify005 corrects the issue, but I have to patch all my minions instead of using a package to upgrade.

Could you please explain to me why the fix was removed?
Regards,
Guillaume C.

@nullify005
Contributor

In order to successfully use 2018.3.4 I've had to apply the following patch:

--- /usr/lib/python2.7/dist-packages/salt/modules/ldap3.py	2019-07-30 03:38:37.631989816 +0000
+++ /usr/lib/python2.7/dist-packages/salt/modules/ldap3.py	2019-07-30 03:38:17.599877660 +0000
@@ -409,7 +409,7 @@
     if 'unicodePwd' in attributes:
         attributes['unicodePwd'] = [_format_unicode_password(x) for x in attributes['unicodePwd']]

-    modlist = ldap.modlist.addModlist(attributes),
+    modlist = ldap.modlist.addModlist(attributes)
     try:
         l.c.add_s(dn, modlist)
     except ldap.LDAPError as e:
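
Review bot: The corrected `modlist = ldap.modlist.addModlist(attributes)` line has no regression test behind it, so nothing stops the trailing comma from being reintroduced. A unit test on `add` that asserts the value handed to `l.c.add_s(dn, modlist)` is a list of `(attr, values)` pairs, not a one-element tuple, would cover it. Both the `---` and `+++` headers also point at the installed copy under `/usr/lib/python2.7/dist-packages`, so a package upgrade will overwrite this edit; the change needs to land upstream and be picked up through the package.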

It's subtle but there's a comma present there which appears to be causing the reported issue (for me at least).
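
Why the same stray comma yields two different exceptions, as an added example that is not part of the original thread and not Salt's or python-ldap's own code. `add_modlist` and `bytesify_modlist` are simplified stand-ins (assumptions) for `ldap.modlist.addModlist` and the unpacking loop at `ldapobject.py` line 199 in the tracebacks; the two entries are constructed from the states in the report.

```python
# Added illustration; stand-ins modeled on the traceback frames, not library code.

def add_modlist(attributes):
    """Stand-in for ldap.modlist.addModlist: a list of (attr, values) pairs."""
    return [(attr, vals) for attr, vals in attributes.items() if vals is not None]

def bytesify_modlist(modlist):
    """Stand-in for the 'for attr, val in modlist' loop in the tracebacks."""
    return tuple((attr.encode("utf-8"), val) for attr, val in modlist)

def submit(attributes, trailing_comma):
    """Return 'ok', or the name of the exception raised while preparing the add."""
    modlist = add_modlist(attributes)
    if trailing_comma:
        modlist = modlist,  # the stray comma: wraps the whole list in a 1-tuple
    try:
        # With the comma, the loop sees ONE item (the whole list) and tries to
        # unpack that list into (attr, val):
        #   2 attributes  -> attr is an (attr, values) tuple -> AttributeError
        #   3+ attributes -> too many values to unpack       -> ValueError
        bytesify_modlist(modlist)
    except (AttributeError, ValueError) as exc:
        return type(exc).__name__
    return "ok"

# Constructed from the two states in the report.
OU_ENTRY = {
    "objectClass": [b"organizationalUnit", b"top"],
    "ou": [b"VHOST Users"],
}
USER_ENTRY = {
    "cn": [b"test"],
    "description": [b"User test"],
    "homeDirectory": [b"/var/www/vhosts/test"],
    "loginShell": [b"/bin/bash"],
    "objectClass": [b"posixAccount", b"top", b"shadowAccount", b"inetOrgPerson"],
    "sn": [b"sn"],
    "uid": [b"test"],
}

if __name__ == "__main__":
    for name, entry in (("ldap-user-ou", OU_ENTRY), ("test-user", USER_ENTRY)):
        print(name, "with comma:", submit(entry, True),
              "| without:", submit(entry, False))
```

An entry with a single attribute also fails, with a ValueError for too few values, so the exception type tracks the attribute count of the entry, not its contents.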

sathieu added a commit to sathieu/salt that referenced this issue Aug 29, 2019
Regression from 05e55bd (saltstack#48666):
- AttributeError: 'tuple' object has no attribute 'encode'
- ValueError: too many values to unpack

Fixes: saltstack#52022.
@sathieu
Contributor

sathieu commented Aug 29, 2019

I've proposed a PR for this as #54342.

sathieu added a commit to sathieu/salt that referenced this issue Dec 21, 2019
Regression from 05e55bd (saltstack#48666):
- AttributeError: 'tuple' object has no attribute 'encode'
- ValueError: too many values to unpack

Fixes: saltstack#52022.