Bug 1044205
Summary: [RFE] Allow memberOf to use an alternate config area
Product: Red Hat Enterprise Linux 7
Component: 389-ds-base
Version: 7.0
Status: CLOSED ERRATA
Severity: unspecified
Priority: high
Reporter: Nathan Kinder <nkinder>
Assignee: mreynolds
QA Contact: Viktor Ashirov <vashirov>
CC: jgalipea, jherrman, mkubik, mnavrati, mreynolds, nhosoi, nkinder, rmeggins, swadeley
Target Milestone: rc
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Release Note
Doc Text:
Alternative Configuration Storage for the MemberOf Plug-In
The configuration of the MemberOf plug-in for the 389 Directory Server can now be stored in a suffix mapped to a back-end database. This allows the MemberOf plug-in configuration to be replicated, which makes it easier for the user to maintain a consistent MemberOf plug-in configuration in a replicated environment.
Last Closed: 2015-03-05 09:33:08 UTC
Bug Depends On: 1172597

Description
Nathan Kinder
2013-12-17 22:05:30 UTC
Memberof plugin configuration with alternate configArea is failing. Hence, flipping the status back to Assigned.

Refer - https://bugzilla.redhat.com/show_bug.cgi?id=1044170#c2

Build tested:
[root@vm-idm-035 ~]# rpm -qa 389-ds-base
389-ds-base-1.3.3.1-9.el7.x86_64

Refer to discussion - https://bugzilla.redhat.com/show_bug.cgi?id=1044170#c5 and https://bugzilla.redhat.com/show_bug.cgi?id=1044170#c6

As per the comment from Nathan for Bug #1044170, I configured memberOf plugin with alternate config area in a single ldapmodify command. Then, restarted the server.

[root@vm-idm-042 ~]# ldapsearch -x -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=MemberOf Plugin,cn=plugins,cn=config"
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: off

[root@vm-idm-042 ~]# ldapmodify -ax -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
> -
> replace: nsslapd-pluginConfigArea
> nsslapd-pluginConfigArea: ou=groups,dc=newmemof,dc=com
> -
> EOF
modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"

[root@vm-idm-042 ~]# ldapsearch -x -p 1989 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=MemberOf Plugin,cn=plugins,cn=config"
# MemberOf Plugin, plugins, config
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: betxnpostoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: member
memberofattr: memberOf
nsslapd-pluginId: none
nsslapd-pluginVersion: none
nsslapd-pluginVendor: none
nsslapd-pluginDescription: none
nsslapd-pluginConfigArea: ou=groups,dc=newmemof,dc=com

[root@vm-idm-042 ~]# /usr/lib64/dirsrv/slapd-testinst1/restart-slapd
Server failed to start !!! Please check errors log for problems

Few lines from DS error logs...
[26/Nov/2014:00:28:46 +051800] memberof-plugin - Error 53: The memberOfGroupAttr and memberOfAttr configuration attributes must be provided
[26/Nov/2014:00:28:47 +051800] memberof-plugin - configuration failed (Server is unwilling to perform)
[26/Nov/2014:00:28:47 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[26/Nov/2014:00:28:48 +051800] memberof-plugin - only one memberOf plugin instance can be used
[26/Nov/2014:00:28:48 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[26/Nov/2014:00:28:48 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[26/Nov/2014:00:28:48 +051800] memberof-plugin - only one memberOf plugin instance can be used
[26/Nov/2014:00:28:48 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[26/Nov/2014:00:28:49 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[26/Nov/2014:00:28:49 +051800] memberof-plugin - only one memberOf plugin instance can be used
[26/Nov/2014:00:28:49 +051800] memberof-plugin - configuration failed (Bad parameter to an ldap routine)
[26/Nov/2014:00:28:49 +051800] - Failed to start betxnpostoperation plugin MemberOf Plugin
[26/Nov/2014:00:28:49 +051800] - Error: Failed to resolve plugin dependencies
[26/Nov/2014:00:28:49 +051800] - Error: betxnpostoperation plugin MemberOf Plugin is not started

The first problem I see is that the following crashes ns-slapd:

---------------------------------------------------------------------
[ipauser@ipa ~]$ ldapmodify -x -D "cn=directory manager" -w Secret12
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace:nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"

[ipauser@ipa ~]$ sudo systemctl restart dirsrv.target
[ipauser@ipa ~]$ ps -ef | grep slapd
nobody 21735 1 1 14:01 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-ipa -i /var/run/dirsrv/slapd-ipa.pid -w /var/run/dirsrv/slapd-ipa.startpid
ipauser 21777 10356 0 14:02 pts/0 00:00:00 grep --color=auto slapd
[ipauser@ipa ~]$ ldapmodify -x -D "cn=directory manager" -w Secret12
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea:ou=People,dc=example,dc=com

modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config"
---------------------------------------------------------------------

The stack shows an abort and indicates a possible memory error:

---------------------------------------------------------------------------
#0 0x00007fdc3d0105c9 in raise () from /lib64/libc.so.6
#1 0x00007fdc3d011cd8 in abort () from /lib64/libc.so.6
#2 0x00007fdc3d050dd7 in __libc_message () from /lib64/libc.so.6
#3 0x00007fdc3d0577dc in malloc_consolidate () from /lib64/libc.so.6
#4 0x00007fdc3d059069 in _int_malloc () from /lib64/libc.so.6
#5 0x00007fdc3d05b12c in malloc () from /lib64/libc.so.6
#6 0x00007fdc3e7902e5 in ber_memalloc_x () from /lib64/liblber-2.4.so.2
#7 0x00007fdc3e78e94b in ber_realloc () from /lib64/liblber-2.4.so.2
#8 0x00007fdc3e78d88b in ber_start_seqorset () from /lib64/liblber-2.4.so.2
#9 0x00007fdc3e78e3fc in ber_printf () from /lib64/liblber-2.4.so.2
#10 0x00007fdc3f61ef7f in send_ldap_result_ext () from /usr/lib64/dirsrv/libslapd.so.0
#11 0x00007fdc3f61f321 in send_ldap_result () from /usr/lib64/dirsrv/libslapd.so.0
#12 0x00007fdc3f609423 in slapi_send_ldap_result () from /usr/lib64/dirsrv/libslapd.so.0
#13 0x00007fdc3f5c852a in dse_modify () from /usr/lib64/dirsrv/libslapd.so.0
#14 0x00007fdc3f5f9061 in op_shared_modify () from /usr/lib64/dirsrv/libslapd.so.0
#15 0x00007fdc3f5fa39f in do_modify () from /usr/lib64/dirsrv/libslapd.so.0
#16 0x00007fdc3fad83f1 in connection_threadmain ()
#17 0x00007fdc3da029eb in _pt_root () from /lib64/libnspr4.so
#18 0x00007fdc3d3a3df3 in start_thread () from /lib64/libpthread.so.0
#19 0x00007fdc3d0d101d in clone () from /lib64/libc.so.6
---------------------------------------------------------------------------

Valgrind will hopefully show more information.

This crash problem only seems to occur if the following conditions are met:

- memberOf is already enabled and loaded (enable + restart)
- nsslapd-pluginConfigArea is added for memberOf on a running server
- nsslapd-pluginConfigArea points to an entry that exists, but is an invalid config entry (doesn't contain the required configuration attributes)

We validate that the entry pointed to by nsslapd-pluginConfigArea exists at the preop modify phase in memberof_validate_config(), but we don't actually validate that it contains the required configuration attributes. We then attempt to actually apply the config in memberof_apply_config(), which fails with an error 53. We attempt to return this error 53 to the client, but encounter some sort of memory error when returning the response.

Created attachment 961376
Valgrind output

Fixed upstream

Verification steps listed above (comment 8): https://bugzilla.redhat.com/show_bug.cgi?id=1044205#c8

Marking it as verified since there is a new bugzilla opened for the partial configuration of memberof plugin. https://bugzilla.redhat.com/show_bug.cgi?id=1172597

If this Feature should be included in the 7.1 Release Notes, could you please change the Doc Type from Enhancement to "Release Note"? Note that the Release Notes are intended to list the most prominent and customer-relevant new features rather than every single enhancement.

Cheers,
Jirka

Configuring memberof plugin with alternate plugin config area works fine. I configured the plugin with the LDIF file as follows.

[root@mgmt9 MMR_WINSYNC]# cat /tmp/MemOfNew.ldif
dn: cn=memofGroup3,dc=newmemof,dc=com
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memofGroup3
memberofgroupattr: member
memberofattr: memberOf
memberOfEntryScope: ou=groups,dc=newmemof,dc=com
memberOfSkipNested: on
memberOfEntryScopeExcludeSubtree: ou=people,dc=newmemof,dc=com
memberOfAllBackends: off

dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea: cn=memofGroup3,dc=newmemof,dc=com

Build tested:
[root@mgmt9 MMR_WINSYNC]# rpm -qa 389-ds-base
389-ds-base-1.3.3.1-10.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html
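
Added example, not part of the bug thread and not 389-ds-base code: a pre-flight check for the condition discussed above, where nsslapd-pluginConfigArea points at an entry that exists but lacks memberOfGroupAttr and memberOfAttr. It reads LDIF text (an ldapsearch export or the change file itself); the function names and the simplified DN normalization are assumptions of this sketch.

```python
import base64

REQUIRED = ("memberofgroupattr", "memberofattr")   # named in the error 53 log line
PLUGIN_DN = "cn=MemberOf Plugin,cn=plugins,cn=config"

def norm_dn(dn):
    # Simplified normalization (assumption): the DN has no escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}} from LDIF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                   # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        name, sep, rest = line.partition(":")
        name = name.strip().lower()
        b64 = rest.startswith(":")                 # "attr:: <base64 value>"
        if not line.strip():
            current = None                         # blank line ends a record
        elif sep and not line.startswith("#"):     # skips comments and "-" lines
            value = base64.b64decode(rest[1:].strip()).decode() if b64 else rest.strip()
            if name == "dn":
                current = entries.setdefault(norm_dn(value), {})
            elif current is not None:
                current.setdefault(name, []).append(value)
    return entries

def check_config_area(ldif_text):
    """Return a list of problems; an empty list means the config area is usable."""
    entries = parse_ldif(ldif_text)
    areas = entries.get(norm_dn(PLUGIN_DN), {}).get("nsslapd-pluginconfigarea", [])
    if not areas:
        return ["plugin entry sets no nsslapd-pluginConfigArea"]
    target = entries.get(norm_dn(areas[-1]))
    if target is None:
        return ["config area entry not found: " + areas[-1]]
    return ["config area entry lacks " + attr
            for attr in REQUIRED if not any(target.get(attr, []))]

# Constructed samples: GOOD follows the verified LDIF in this thread, BAD the crash case.
GOOD = ("dn: cn=memofGroup3,dc=newmemof,dc=com\nmemberofgroupattr: member\nmemberofattr: memberOf\n\n"
        "dn: cn=MemberOf Plugin,cn=plugins,cn=config\n"
        "nsslapd-pluginConfigArea: cn=memofGroup3,dc=newmemof,dc=com\n")
BAD = ("dn: ou=People,dc=example,dc=com\nou: People\n\n"
       "dn: cn=MemberOf Plugin,cn=plugins,cn=config\n"
       "nsslapd-pluginConfigArea: ou=People,\n dc=example,dc=com\n")
```

Running `check_config_area` on an export that contains both the plugin entry and the target suffix before applying the change reports the missing attributes that otherwise surface only as error 53 in the errors log.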