| Summary: | DS crashes when "cn=Directory Manager" is changing it's password in IPA | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> | ||||
| Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Sankar Ramalingam <sramling> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.0 | CC: | amsharma, mreynolds, nkinder, nsoman, pviktori | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | 389-ds-base-1.3.1.6-6.el7 | Doc Type: | Bug Fix | ||||
| Doc Text: |
Cause: The cn=Directory Manager user is not a real entry, and does not exist in any database backend. Changing the password in IPA would attempt to start a transaction in this database, but it was NULL.
Consequence: The server would dereference the NULL database and would crash.
Fix: Do not attempt a transaction in a database that does not exist.
Result: Server does not crash when using IPA and the Directory Manager password is changed.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-06-13 10:56:21 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Attachments: |
|
||||||
|
Description
Martin Kosek
2013-10-08 15:42:07 UTC
Upstream ticket: https://fedorahosted.org/389/ticket/47329 I got the same error when changing the password for a normal user: ldappasswd -D "cn=Directory Manager" -s 12345678 uid=u-127-1797,cn=users,cn=accounts,dc=example,dc=com -w 12345678 -x Rich, just note that the test above was done on Fedora 19 - I am not sure if it already received this fix as well. (In reply to Martin Kosek from comment #7) > Rich, just note that the test above was done on Fedora 19 - I am not sure if > it already received this fix as well. No. The fix will be in 389-ds-base-1.3.1.13 Hi Mark,
I am getting below response. DS does not crash, IPA rather receives an error code from slapi_back_transaction_begin.
Can you please comment on this ::
[root@dhcp207-218 ~]# rpm -q ipa-server 389-ds-base
ipa-server-3.3.3-15.el7.x86_64
389-ds-base-1.3.1.6-14.el7.x86_64
[root@dhcp207-218 ~]# ldapadd -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: uid=amsharma1,dc=newdom,dc=qe
> cn: ams
> sn: ams
> givenname: ams
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> uid: ams
> mail: ams
> userpassword: amsamsams
> EOF
adding new entry "uid=amsharma1,dc=newdom,dc=qe"
[root@dhcp207-218 ~]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -h localhost -b "uid=amsharma1,dc=newdom,dc=qe"
# amsharma1, newdom.qe
dn: uid=amsharma1,dc=newdom,dc=qe
cn: ams
sn: ams
givenName: ams
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: ams
uid: amsharma1
mail: ams
userPassword:: e1NTSEF9ZG4ycFBXSW9wZDlYeDRGc1RRbEpOVDZXTStUN3AxVnl1OXd1dVE9PQ=
=
[root@dhcp207-218 ~]# ldappasswd -D "cn=Directory Manager" -s amitaamita uid=amsharma1,dc=newdom,dc=qe -w Secret123 -x
[root@dhcp207-218 ~]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -h localhost -b "uid=amsharma1,dc=newdom,dc=qe"
# amsharma1, newdom.qe
dn: uid=amsharma1,dc=newdom,dc=qe
cn: ams
sn: ams
givenName: ams
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: ams
uid: amsharma1
mail: ams
userPassword:: e1NTSEF9RlV0clhrMERueTl2VEwwT3pTeDMyaHF0bEY0Q1hHdkx6ZzZiTnc9PQ=
=
ldappasswd -h localhost -x -D "cn=Directory Manager" -w Secret123 -s Secret123 -ZZZ
Result: No such object (32)
Additional info: No such Entry exists.
[root@dhcp207-218 ~]# tail -f /var/log/dirsrv/slapd-NEWDOM-QE/errors
[28/Jan/2014:18:55:21 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:00:02 +051800] - Entry "uid=amsharma1,dc=newdom,dc=qe" -- attribute "krbExtraData" not allowed
[28/Jan/2014:19:01:21 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:05:46 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:05:56 +051800] - Entry "uid=amsharma1,dc=newdom,dc=qe" -- attribute "krbExtraData" not allowed
[28/Jan/2014:19:07:08 +051800] - Entry "uid=amsharma1,dc=newdom,dc=qe" -- attribute "krbExtraData" not allowed
[28/Jan/2014:19:08:39 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:12:13 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:14:43 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:16:13 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
Thanks & Regards,
Ami
(In reply to Amita Sharma from comment #9) > Hi Mark, > > I am getting below response. DS does not crash, IPA rather receives an error > code from slapi_back_transaction_begin. This is the expected behavior(fix is working). This fix/patch was added to 1.3.1.6-6, and you are testing 1.3.1.6-14. > > Can you please comment on this :: > > > [root@dhcp207-218 ~]# rpm -q ipa-server 389-ds-base > ipa-server-3.3.3-15.el7.x86_64 > 389-ds-base-1.3.1.6-14.el7.x86_64 > > [root@dhcp207-218 ~]# ldapadd -x -h localhost -p 389 -D "cn=Directory > Manager" -w Secret123 << EOF > > dn: uid=amsharma1,dc=newdom,dc=qe > > cn: ams > > sn: ams > > givenname: ams > > objectclass: top > > objectclass: person > > objectclass: organizationalPerson > > objectclass: inetOrgPerson > > uid: ams > > mail: ams > > userpassword: amsamsams > > EOF > adding new entry "uid=amsharma1,dc=newdom,dc=qe" > > [root@dhcp207-218 ~]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 > -h localhost -b "uid=amsharma1,dc=newdom,dc=qe" > # amsharma1, newdom.qe > dn: uid=amsharma1,dc=newdom,dc=qe > cn: ams > sn: ams > givenName: ams > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetOrgPerson > uid: ams > uid: amsharma1 > mail: ams > userPassword:: > e1NTSEF9ZG4ycFBXSW9wZDlYeDRGc1RRbEpOVDZXTStUN3AxVnl1OXd1dVE9PQ= > = > > [root@dhcp207-218 ~]# ldappasswd -D "cn=Directory Manager" -s amitaamita > uid=amsharma1,dc=newdom,dc=qe -w Secret123 -x > > [root@dhcp207-218 ~]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 > -h localhost -b "uid=amsharma1,dc=newdom,dc=qe" > # amsharma1, newdom.qe > dn: uid=amsharma1,dc=newdom,dc=qe > cn: ams > sn: ams > givenName: ams > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetOrgPerson > uid: ams > uid: amsharma1 > mail: ams > userPassword:: > e1NTSEF9RlV0clhrMERueTl2VEwwT3pTeDMyaHF0bEY0Q1hHdkx6ZzZiTnc9PQ= > = > > ldappasswd -h localhost -x -D "cn=Directory Manager" -w Secret123 -s > Secret123 -ZZZ > Result: No such object (32) > Additional info: No such Entry exists. > > [root@dhcp207-218 ~]# tail -f /var/log/dirsrv/slapd-NEWDOM-QE/errors > [28/Jan/2014:18:55:21 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line > 333]: failed to start transaction > [28/Jan/2014:19:00:02 +051800] - Entry "uid=amsharma1,dc=newdom,dc=qe" -- > attribute "krbExtraData" not allowed > [28/Jan/2014:19:01:21 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line > 333]: failed to start transaction > [28/Jan/2014:19:05:46 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line > 333]: failed to start transaction > [28/Jan/2014:19:05:56 +051800] - Entry "uid=amsharma1,dc=newdom,dc=qe" -- > attribute "krbExtraData" not allowed > [28/Jan/2014:19:07:08 +051800] - Entry "uid=amsharma1,dc=newdom,dc=qe" -- > attribute "krbExtraData" not allowed > [28/Jan/2014:19:08:39 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line > 333]: failed to start transaction > [28/Jan/2014:19:12:13 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line > 333]: failed to start transaction > [28/Jan/2014:19:14:43 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line > 333]: failed to start transaction > [28/Jan/2014:19:16:13 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line > 333]: failed to start transaction > > Thanks & Regards, > Ami Thanks Mark for you comment. Marking bug as VERIFIED. This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |