A filtered role cannot be created using the "dsidm role create-filtered" command, as it doesn't accept the necessary attribute nsRoleFilter and fails with an object class violation.
Version-Release number of the selected component
389-ds-base-3.0.5-2.el10.x86_64
Steps to reproduce
Try to create a new filtered role using "dsidm role create-filtered"
Fill in cn when prompted, confirm
Actual results
Fails with object class violation:
# dsidm -v localhost -b dc=example,dc=com role create-filtered
DEBUG: The 389 Directory Server Identity Manager
DEBUG: Inspired by works of: ITS, The University of Adelaide
DEBUG: dsrc path: /root/.dsrc
DEBUG: dsrc container path: /data/config/container.inf
DEBUG: dsrc instances: []
DEBUG: dsrc no such section: slapd-localhost
DEBUG: Called with: Namespace(verbose=True, json=False, instance='localhost', basedn='dc=example,dc=com', binddn=None, bindpw=None, prompt=False, pwdfile=None, starttls=False, cn=None, func=<function create_filtered at 0x7fefb9f28b80>)
DEBUG: Instance details: {'uri': 'localhost', 'basedn': 'dc=example,dc=com', 'binddn': None, 'bindpw': None, 'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key': None, 'tls_reqcert': None, 'starttls': False, 'prompt': False, 'pwdfile': None, 'args': {'ldapurl': 'localhost', 'root-dn': None}}
DEBUG: Allocate <class 'lib389.DirSrv'> with ldapi://%2frun%2fslapd-localhost.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with %2frun%2fslapd-localhost.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with prereserve-1mt-rhel-10.0-20241220.0-890-2025-01-10-09-28:389
DEBUG: Allocate <class 'lib389.DirSrv'> with prereserve-1mt-rhel-10.0-20241220.0-890-2025-01-10-09-28:389
DEBUG: Allocate <class 'lib389.DirSrv'> with ldapi://%2frun%2fslapd-localhost.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with %2frun%2fslapd-localhost.socket
DEBUG: Allocate <class 'lib389.DirSrv'> with prereserve-1mt-rhel-10.0-20241220.0-890-2025-01-10-09-28:389
DEBUG: Allocate <class 'lib389.DirSrv'> with prereserve-1mt-rhel-10.0-20241220.0-890-2025-01-10-09-28:389
DEBUG: open(): Connecting to uri ldapi://%2frun%2fslapd-localhost.socket
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-localhost
DEBUG: Using external ca certificate /etc/dirsrv/slapd-localhost
DEBUG: Using /etc/openldap/ldap.conf certificate policy
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
DEBUG: open(): Using root autobind ...
DEBUG: open(): bound as None
DEBUG: Retrieving entry with [('',)]
DEBUG: Retrieved entry [dn:
vendorVersion: 389-Directory/3.0.5 B2024.351.0000]
Enter value for cn : test_role
DEBUG: Checking "None" under dc=example,dc=com : {'cn': 'test_role'}
DEBUG: Using first property cn: test_role as rdn
DEBUG: Validated dn cn=test_role,dc=example,dc=com
DEBUG: Creating cn=test_role,dc=example,dc=com
DEBUG: updating dn: cn=test_role,dc=example,dc=com
DEBUG: updated dn: cn=test_role,dc=example,dc=com with {'objectclass': [b'nsComplexRoleDefinition', b'nsFilteredRoleDefinition']}
DEBUG: updating dn: cn=test_role,dc=example,dc=com
DEBUG: updated dn: cn=test_role,dc=example,dc=com with {'cn': [b'test_role']}
DEBUG: {'msgtype': 105, 'msgid': 4, 'result': 65, 'desc': 'Object class violation', 'ctrls': [], 'info': 'missing attribute "nsRoleFilter" required by object class "nsFilteredRoleDefinition"\n', 'ldap_request': "add_ext_s((dn: cn=test_role,dc=example,dc=com\ncn: test_role\nobjectclass: nsComplexRoleDefinition\nobjectclass: nsFilteredRoleDefinition\n\n,),{'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance localhost"}
Traceback (most recent call last):
File "/usr/sbin/dsidm", line 139, in <module>
result = args.func(inst, basedn, log, args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/cli_idm/role.py", line 63, in create_filtered
_generic_create(inst, basedn, log.getChild('_generic_create'), FilteredRoles, kwargs, args)
File "/usr/lib/python3.12/site-packages/lib389/cli_base/__init__.py", line 247, in _generic_create
o = mc.create(properties=kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 1323, in create
return co.create(rdn, properties, self._basedn)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 1076, in create
return self._create(rdn, properties, basedn, ensure=False)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 1051, in _create
_add_ext_s(self._instance, e, serverctrls=self._server_controls, clientctrls=self._client_controls, escapehatch='i am sure')
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 83, in _add_ext_s
return _ldap_op_s(inst, inst.add_ext_s, 'add_ext_s', *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 80, in _ldap_op_s
raise e
File "/usr/lib/python3.12/site-packages/lib389/_mapped_object.py", line 74, in _ldap_op_s
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/__init__.py", line 173, in inner
return f(ent.dn, ent.toTupleList(), *args[2:])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 222, in add_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/__init__.py", line 177, in inner
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 543, in result3
resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/__init__.py", line 177, in inner
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 553, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/lib389/__init__.py", line 177, in inner
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.12/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
result = func(*args,**kwargs)
^^^^^^^^^^^^^^^^^^^^
ldap.OBJECT_CLASS_VIOLATION: {'msgtype': 105, 'msgid': 4, 'result': 65, 'desc': 'Object class violation', 'ctrls': [], 'info': 'missing attribute "nsRoleFilter" required by object class "nsFilteredRoleDefinition"\n', 'ldap_request': "add_ext_s((dn: cn=test_role,dc=example,dc=com\ncn: test_role\nobjectclass: nsComplexRoleDefinition\nobjectclass: nsFilteredRoleDefinition\n\n,),{'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance localhost"}
ERROR: Error: Object class violation
Expected results
Should ask for nsRoleFilter attribute and create the role properly.
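
A client-side check of the kind the expected result describes, as an added example (not lib389 or dsidm code): it finds the required attribute the failing add lacked and asks for it before anything is sent to the server. The `REQUIRED` map, the function names and the sample filter `(ou=sales)` are assumptions made for illustration; the only schema rule used is the one quoted in the server's error message.

```python
# Added example, not lib389 code. REQUIRED holds only the one MUST rule
# quoted in the server's error message in the report above.
REQUIRED = {"nsfilteredroledefinition": ["nsRoleFilter"]}


def missing_required(entry, required=REQUIRED):
    """Return required attributes that are absent or empty in entry.

    entry maps attribute name -> list of values. Attribute and object
    class names are compared case-insensitively, as LDAP does.
    """
    lowered = {k.lower(): v for k, v in entry.items()}
    missing = []
    for oc in lowered.get("objectclass", []):
        for attr in required.get(oc.lower(), []):
            if not lowered.get(attr.lower()) and attr not in missing:
                missing.append(attr)
    return missing


def complete_entry(entry, ask, required=REQUIRED):
    """Ask for each missing required attribute, then re-check.

    ask is a callable(attr_name) -> str (input() in an interactive CLI).
    Raises ValueError rather than sending an add the server will reject.
    The caller's entry is not modified.
    """
    filled = {k: list(v) for k, v in entry.items()}
    for attr in missing_required(filled, required):
        value = ask(attr).strip()
        if value:
            filled[attr] = [value]
    still = missing_required(filled, required)
    if still:
        raise ValueError("missing required attribute(s): " + ", ".join(still))
    return filled


# Constructed sample: the entry from the failing add in the debug log.
SAMPLE = {
    "objectclass": ["nsComplexRoleDefinition", "nsFilteredRoleDefinition"],
    "cn": ["test_role"],
}

if __name__ == "__main__":
    print("missing before prompt:", missing_required(SAMPLE))
    # "(ou=sales)" is a constructed filter value, not taken from the report.
    done = complete_entry(SAMPLE, lambda attr: "(ou=sales)")
    print("entry to add:", done)
```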