Bug 1044170
| Summary: | [RFE] Allow memberOf suffixes to be configurable | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nathan Kinder <nkinder> |
| Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | unspecified | Priority: | high |
| Version: | 7.0 | CC: | jgalipea, lkrispen, nhosoi, pspacek |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Hardware: | Unspecified | OS: | Unspecified |
| Fixed In Version: | 389-ds-base-1.3.3.1-10.el7 | Doc Type: | Known Issue |
| Last Closed: | 2015-03-05 09:32:08 UTC | Bug Blocks: | 1082754, 1109759, 1115294, 1168850, 1185102, 1249775, 2084180 |

Doc Text:

Feature:
A new configuration parameter is added to the memberof plugin:
nsslapd-memberofScope: <dn>

Description:
If the memberof plugin is enabled and a scope is defined, moving a group out of scope with a modrdn operation fails with (err=16). Moving a member entry out of scope, correctly removes the memberof value.

Description
Nathan Kinder
2013-12-17 21:39:18 UTC
Enabling member of plugin and configuring it with nsslapd-pluginConfigArea is failing. I think it crashes the server. I will reproduce the crash with the debuginfo packages and provide the stack trace.

1). Default plugin status: Off

```
ldapsearch -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=MemberOf Plugin,cn=plugins,cn=config"|egrep 'nsslapd-pluginEnabled|dn'
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: off
```

2). Enabling the plugin without nsslapd-pluginConfigArea

```
ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace:nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"

/usr/lib64/dirsrv/slapd-M1/restart-slapd

ldapsearch -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=MemberOf Plugin,cn=plugins,cn=config" |egrep 'nsslapd-pluginEnabled|dn'
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: on
```

3). Adding nsslapd-pluginConfigArea to memberof plugin

```
ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea:ou=People,dc=memofsuff,dc=com
EOF
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"
ldap_result: Can't contact LDAP server (-1)
```

4). DS error logs...

```
[25/Nov/2014:12:50:13 +051800] - Listening on All Interfaces port 1616 for LDAPS requests
[25/Nov/2014:12:52:08 +051800] memberof-plugin - The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[25/Nov/2014:12:52:08 +051800] memberof-plugin - The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[25/Nov/2014:12:52:08 +051800] memberof-plugin - ��
```

5). Some other error messages observed when trying to play around with the plugin...
```
[25/Nov/2014:12:27:47 +051800] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1
[25/Nov/2014:12:27:47 +051800] - slapd shutting down - closing down internal subsystems and plugins
[25/Nov/2014:12:27:48 +051800] - 389-Directory/1.3.3.1 B2014.317.2357 starting up
[25/Nov/2014:12:27:48 +051800] - I'm resizing my cache now...cache was 2621440 and is now 2097152
[25/Nov/2014:12:27:48 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:12:27:49 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:12:27:49 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:12:27:49 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:12:27:49 +051800] - Error: Failed to resolve plugin dependencies
[25/Nov/2014:12:27:49 +051800] - Error: betxnpostoperation plugin MemberOf Plugin is not started
[25/Nov/2014:12:28:51 +051800] - 389-Directory/1.3.3.1 B2014.317.2357 starting up
```

Error log messages when trying to restart the server...

```
[25/Nov/2014:14:03:57 +051800] memberof-plugin - The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[25/Nov/2014:14:03:57 +051800] memberof-plugin - The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[25/Nov/2014:14:03:57 +051800] memberof-plugin -
[25/Nov/2014:14:04:57 +051800] - 389-Directory/1.3.3.1 B2014.317.2357 starting up
[25/Nov/2014:14:04:57 +051800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[25/Nov/2014:14:04:57 +051800] memberof-plugin - Error 53: The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[25/Nov/2014:14:04:58 +051800] memberof-plugin - configuration failed (Server is unwilling to perform)
[25/Nov/2014:14:04:58 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:14:04:58 +051800] memberof-plugin - only one memberOf plugin instance can be used
[25/Nov/2014:14:04:58 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[25/Nov/2014:14:04:58 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:14:04:58 +051800] memberof-plugin - only one memberOf plugin instance can be used
[25/Nov/2014:14:04:58 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[25/Nov/2014:14:04:58 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:14:04:58 +051800] memberof-plugin - only one memberOf plugin instance can be used
[25/Nov/2014:14:04:58 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[25/Nov/2014:14:04:58 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[25/Nov/2014:14:04:58 +051800] - Error: Failed to resolve plugin dependencies
[25/Nov/2014:14:04:58 +051800] - Error: betxnpostoperation plugin MemberOf Plugin is not started
```

Build tested:

```
[root@vm-idm-035 ~]# rpm -qa 389-ds-base
389-ds-base-1.3.3.1-9.el7.x86_64
```

You are trying to test an alternate config area, but that feature is covered by bug 1044205. This bug is for configuring the scope of entries that the memberOf plugin is supposed to operate on, not the configuration area.

The failure you are encountering is that you are trying to add nsslapd-pluginConfigArea to an already enabled memberOf plug-in on a running server. This is not allowed, as the server was started with memberOf enabled without the alternate config area enabled. The server then expects any changes to its plugin config entry to result in a valid configuration. The proper way to configure memberOf is one of the following:

- Enable the plugin and set all of the required attributes in the plugin config entry, then restart ns-slapd.
- Enable the plugin, set alternate config area, then restart ns-slapd.

The description in comment#5 doesn't explain the crash, but does explain the config validation errors you are receiving (which may be part of the cause of the crash).

I am putting this bug back to the ON_QA status, as it was reopened due to a failure in a completely different feature (alternate config area support). This new failure should be dealt with in bug 1044205, which is the feature bug for memberOf alternate config area support.

Configured memberOf plugin with new attributes:

```
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: member
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.3.3.1
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: memberof plugin
nsslapd-memberofscope: ou=people,dc=memofsuff,dc=com
memberofallbackends: true
memberofentryscope: ou=people,dc=memofsuff,dc=com
```

```
[root@vm-idm-042 MMR_WINSYNC]# ldapsearch -x -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 -b "ou=people,dc=memofsuff,dc=com" dn memberof
# People, memofsuff.com
dn: ou=People,dc=memofsuff,dc=com

# tnewusr3, People, memofsuff.com
dn: uid=tnewusr3,ou=People,dc=memofsuff,dc=com
memberof: cn=newgrp2,ou=People,dc=memofsuff,dc=com

# tnewusr2, People, memofsuff.com
dn: uid=tnewusr2,ou=People,dc=memofsuff,dc=com
memberof: cn=newgrp2,ou=People,dc=memofsuff,dc=com

# tnewusr1, People, memofsuff.com
dn: uid=tnewusr1,ou=People,dc=memofsuff,dc=com
memberof: cn=newgrp2,ou=People,dc=memofsuff,dc=com

# newgrp2, People, memofsuff.com
dn: cn=newgrp2,ou=People,dc=memofsuff,dc=com
```

```
[root@vm-idm-042 MMR_WINSYNC]# ldapsearch -x -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 -b "ou=people,dc=memofsuff,dc=com" dn member
# People, memofsuff.com
dn: ou=People,dc=memofsuff,dc=com

# tnewusr3, People, memofsuff.com
dn: uid=tnewusr3,ou=People,dc=memofsuff,dc=com

# tnewusr2, People, memofsuff.com
dn: uid=tnewusr2,ou=People,dc=memofsuff,dc=com

# tnewusr1, People, memofsuff.com
dn: uid=tnewusr1,ou=People,dc=memofsuff,dc=com

# newgrp2, People, memofsuff.com
dn: cn=newgrp2,ou=People,dc=memofsuff,dc=com
member: uid=tnewusr3,ou=people,dc=memofsuff,dc=com
member: uid=tnewusr2,ou=people,dc=memofsuff,dc=com
member: uid=tnewusr1,ou=people,dc=memofsuff,dc=com
```

```
[root@vm-idm-042 MMR_WINSYNC]# ldapmodify -ax -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=newgrp2,ou=People,dc=memofsuff,dc=com
changetype: modrdn
newrdn: cn=mynewgrp2
deleteoldrdn: 0
newsuperior: ou=testing,dc=memofsuff,dc=com
EOF
modifying rdn of entry "cn=newgrp2,ou=People,dc=memofsuff,dc=com"
ldap_rename: No such attribute (16)

==> /var/log/dirsrv/slapd-testinst1/errors <==
[26/Nov/2014:03:21:49 +051800] memberof-plugin - memberof_postop_modrdn - delete dn callback failed for (cn=mynewgrp2,ou=Testing,dc=memofsuff,dc=com), error (16)
```

```
[root@vm-idm-042 MMR_WINSYNC]# ldapsearch -x -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 -b "ou=people,dc=memofsuff,dc=com" dn member
# People, memofsuff.com
dn: ou=People,dc=memofsuff,dc=com

# tnewusr3, People, memofsuff.com
dn: uid=tnewusr3,ou=People,dc=memofsuff,dc=com

# tnewusr2, People, memofsuff.com
dn: uid=tnewusr2,ou=People,dc=memofsuff,dc=com

# tnewusr1, People, memofsuff.com
dn: uid=tnewusr1,ou=People,dc=memofsuff,dc=com
```

memberOf attribute removed from the users. It's working. However, when I added another group with the same users to ou=people, the plugin failed to add memberof attribute to users.
```
[root@vm-idm-042 MMR_WINSYNC]# ldapmodify -ax -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 -f Group2.ldif
adding new entry "cn=newgrp3,ou=people,dc=memofsuff,dc=com"

# tnewusr3, People, memofsuff.com
dn: uid=tnewusr3,ou=People,dc=memofsuff,dc=com

# tnewusr2, People, memofsuff.com
dn: uid=tnewusr2,ou=People,dc=memofsuff,dc=com

# tnewusr1, People, memofsuff.com
dn: uid=tnewusr1,ou=People,dc=memofsuff,dc=com

# newgrp3, People, memofsuff.com
dn: cn=newgrp3,ou=People,dc=memofsuff,dc=com
member: uid=tnewusr3,ou=people,dc=memofsuff,dc=com
member: uid=tnewusr2,ou=people,dc=memofsuff,dc=com
member: uid=tnewusr1,ou=people,dc=memofsuff,dc=com
```

DS error logs:

```
==> /var/log/dirsrv/slapd-testinst1/errors <==
[26/Nov/2014:03:23:28 +051800] entryrdn-index - entryrdn_rename_subtree: Failed to read the target element "cn=mynewgrp2,ou=Testing,dc=memofsuff,dc=com" (-30988)
[26/Nov/2014:03:23:28 +051800] ldbm_back_modrdn - entryrdn_rename_subtree failed (-30988); dn: cn=mynewgrp2,ou=Testing,dc=memofsuff,dc=com, newsrdn: (null), dn_newsuperiordn: ou=Testing,dc=memofsuff,dc=com
```

The feature seems to be not working completely. Hence, marking the bug as Assigned.

Hi Ludwig,

It looks like this bug failed to verify.

Ticket #47526 - Allow memberOf suffixes to be configurable

Could you please take a look?

In the Comment 8 (https://bugzilla.redhat.com/show_bug.cgi?id=1044170#c8), I wonder why this rename fails due to LDAP_NO_SUCH_ATTRIBUTE in the callback. The modrdn is renaming the rdn as well as moving it outside of the scope.
```
[root@vm-idm-042 MMR_WINSYNC]# ldapmodify -ax -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=newgrp2,ou=People,dc=memofsuff,dc=com
changetype: modrdn
newrdn: cn=mynewgrp2
deleteoldrdn: 0
newsuperior: ou=testing,dc=memofsuff,dc=com
EOF
modifying rdn of entry "cn=newgrp2,ou=People,dc=memofsuff,dc=com"
ldap_rename: No such attribute (16)

==> /var/log/dirsrv/slapd-testinst1/errors <==
[26/Nov/2014:03:21:49 +051800] memberof-plugin - memberof_postop_modrdn - delete dn callback failed for (cn=mynewgrp2,ou=Testing,dc=memofsuff,dc=com), error (16)
```

Thanks!
--noriko

Hi Ludwig, can you clarify the issues listed here?

I'll investigate this.

Regarding the test in comment #8, it is failing with err=16, which I need to investigate, but the memberof was not removed; the following search was for member, not memberof.

Looks like the check for the return code of memberof_del_dn_type_callback() was introduced with ticket 47810. When I had implemented the memberof scope this was not noticed, the feature seemed to work. Need to check why memberof_del_dn_type_callback() is failing or why it should be ignored.

Can you please add a Doc text for the list of issues and change the Doc type to known issue?

I would prefer to fix it, instead of marking as known issue. Looks like only the moving of an entry out of scope removes the memberof, but for moving a group out of scope it doesn't work.

The RHEL7.1 Beta compose is already out with 389-ds-base-1.3.3.1-9 build. It will be a known issue for the Beta customers. Later, we can change the Doc text once the feature is tested thoroughly. So, we need to explain in the doc text which operation would fail and the consequences.

Doc text added.

Memberof plugin configured with

```
nsslapd-memberofscope: ou=people,dc=newmemof,dc=com
memberofentryscope: ou=groups,dc=newmemof,dc=com
```

is working fine for new groups addition as well as modrdn operations. Hence, marking the bug as verified.

Build tested:

```
[root@mgmt9 MMR_WINSYNC]# rpm -qa 389-ds-base
389-ds-base-1.3.3.1-10.el7.x86_64
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html
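
An added example, not part of the original report or of the 389-ds code: the verification comments above compare `member` and `memberof` search results by hand, and this Python check does the same comparison over ldapsearch output to flag memberOf values left behind or never written. The sample input is constructed from the DNs used in this report, and applying one scope DN to both users and groups is an assumption.

```python
# Constructed ldapsearch output, modelled on the DNs in this report (not real data).
SAMPLE = """\
dn: uid=tnewusr1,ou=People,dc=memofsuff,dc=com
memberof: cn=newgrp2,ou=People,dc=memofsuff,dc=com

dn: uid=tnewusr2,ou=People,dc=memofsuff,dc=com

dn: cn=mynewgrp2,ou=Testing,dc=memofsuff,dc=com
member: uid=tnewusr1,ou=people,dc=memofsuff,dc=com

dn: cn=newgrp3,ou=People,dc=memofsuff,dc=com
member: uid=tnewusr1,ou=people,dc=memofsuff,dc=com
member: uid=tnewusr2,ou=people,dc=memofsuff,dc=com
"""

def norm(dn):
    """Case-fold a DN and strip spaces around commas (simplified DN matching)."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse(text):
    """Return {dn: {"member": set, "memberof": set}} from unwrapped LDIF."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        attr, value = attr.strip().lower(), norm(value)
        if attr == "dn":
            cur = entries.setdefault(value, {"member": set(), "memberof": set()})
        elif cur is not None and attr in cur:
            cur[attr].add(value)
    return entries

def in_scope(dn, scope):
    return dn == norm(scope) or dn.endswith("," + norm(scope))

def audit(text, scope):
    """Return (stale, missing) lists of (user_dn, group_dn) pairs."""
    entries, stale, missing = parse(text), [], []
    for dn, e in entries.items():
        for g in e["memberof"]:  # memberOf pointing at a gone, out-of-scope or non-listing group
            grp = entries.get(g)
            if grp is None or not in_scope(g, scope) or dn not in grp["member"]:
                stale.append((dn, g))
        for m in e["member"] if in_scope(dn, scope) else ():
            if in_scope(m, scope) and m in entries and dn not in entries[m]["memberof"]:
                missing.append((m, dn))  # in-scope group lists user, user lacks memberOf
    return sorted(stale), sorted(missing)

print(audit(SAMPLE, "ou=people,dc=memofsuff,dc=com"))
```

The parser expects one attribute per line, so long DNs must not be line-wrapped in the input (OpenLDAP's `ldapsearch -o ldif-wrap=no` produces that form), and base64-encoded or comma-escaped DNs are not handled.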