Bug 1377319

Summary: "nsslapd-allow-anonymous-access: off" makes console login as "admin" fail
Product: Red Hat Directory Server
Reporter: Kamlesh <kchaudha>
Component: Directory Console
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED NOTABUG
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Priority: unspecified
Version: 10.0
CC: kbanerje, mreynolds, nhosoi
Last Closed: 2016-09-27 18:07:48 UTC
Type: Bug

Description Kamlesh 2016-09-19 12:34:58 UTC
Description of problem:
Can't log in to the Directory Console if anonymous access is set to disabled for the configuration directory server.

Version-Release number of selected component (if applicable):

389-admin-debuginfo-1.1.44-1.el7dsrv.x86_64
389-admin-console-1.1.12-1.el7dsrv.noarch
idm-console-framework-1.1.16-2.el7dsrv.noarch
389-ds-console-1.2.13-1.el7dsrv.noarch
389-ds-base-1.3.5.10-11.el7.x86_64
redhat-idm-console-10.1.0-1.el7dsrv.x86_64
389-admin-1.1.44-1.el7dsrv.x86_64
389-console-1.1.18-1.el7dsrv.noarch

How reproducible:
100%

Steps to Reproduce:

1. Disable anonymous access on the configuration directory server
 # ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w test1234
dn: cn=config
changetype: modify  
replace:nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off

2. ldapsearch -x -D "cn=Directory Manager" -w test1234 -h localhost -p 389  "(objectClass=*)" -b cn=config -s base nsslapd-allow-anonymous-access -LLL
dn: cn=config
nsslapd-allow-anonymous-access: off

3. Start the console
/usr/bin/redhat-idm-console

4. Log in with user id "admin"

Result:
It gives error 49.

Update in the access log:
[19/Sep/2016:16:58:20.259756977 +051800] conn=25 fd=64 slot=64 connection from 192.168.122.75 to 192.168.122.75
[19/Sep/2016:16:58:20.259868998 +051800] conn=25 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[19/Sep/2016:16:58:20.259909348 +051800] conn=25 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[19/Sep/2016:16:58:20.260251560 +051800] conn=26 fd=65 slot=65 connection from 192.168.122.75 to 192.168.122.75
[19/Sep/2016:16:58:20.260281963 +051800] conn=25 op=1 UNBIND
[19/Sep/2016:16:58:20.260292998 +051800] conn=25 op=1 fd=64 closed - U1
[19/Sep/2016:16:58:20.260379717 +051800] conn=26 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[19/Sep/2016:16:58:20.260412248 +051800] conn=26 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[19/Sep/2016:16:58:20.260630045 +051800] conn=26 op=1 UNBIND
[19/Sep/2016:16:58:20.260640487 +051800] conn=26 op=1 fd=65 closed - U1
[19/Sep/2016:16:58:20.342473117 +051800] conn=27 fd=64 slot=64 connection from 192.168.122.75 to 192.168.122.75
[19/Sep/2016:16:58:20.342547152 +051800] conn=27 op=0 BIND dn="(anon)" method=128 version=3
[19/Sep/2016:16:58:20.342626028 +051800] conn=27 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No such suffix ((anon))
[19/Sep/2016:16:58:26.167017704 +051800] conn=27 op=-1 fd=64 closed - B1

5. Now log in using the full suffix
"uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"

Result:
Now you can log in.


6. Disable anonymous access on another directory server which is registered with the admin
ldapmodify -v -h localhost -p 1389 -D "cn=Directory Manager" -w test1234
ldap_initialize( ldap://localhost:1389 )
dn: cn=config
changetype: modify
replace:nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
replace nsslapd-allow-anonymous-access:
	off
modifying entry "cn=config"
modify complete

7. [root@localhost ~]# ldapsearch -x -D "cn=Directory Manager" -w test1234 -h localhost -p 389  "(objectClass=*)" -b cn=config -s base nsslapd-allow-anonymous-access -LLL
dn: cn=config
nsslapd-allow-anonymous-access: off

[root@localhost ~]# ldapsearch -x -D "cn=Directory Manager" -w test1234 -h localhost -p 1389  "(objectClass=*)" -b cn=config -s base nsslapd-allow-anonymous-access -LLL
dn: cn=config
nsslapd-allow-anonymous-access: off

8. Now log in as user id "admin"
You can log in.

Comment 1 Noriko Hosoi 2016-09-19 16:40:09 UTC
Hi Mark,
Do you happen to remember we support this case?
Thanks!

Comment 2 mreynolds 2016-09-19 17:04:07 UTC
(In reply to Noriko Hosoi from comment #1)
> Hi Mark,
> Do you happen to remember we support this case?
> Thanks!

It works if you use a full DN in the login screen, but RDN logins will not work because it requires the console to do an anonymous search to find the entry.
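An added example of the failure pattern Mark describes, as a log-triage script; it is not code from the bug report or from 389-ds. It groups the 389-ds access-log lines quoted in the description by connection and reports which logins failed because anonymous access is off (the refused anonymous search for the RDN, then the bind with the unresolved DN "(anon)"), next to a constructed conn=28 showing an assumed successful full-DN bind.

```python
import re

# Constructed sample: the conn=25 and conn=27 lines are copied from the access log in the
# bug report; conn=28 is an assumed successful full-DN bind, added for contrast.
SAMPLE_LOG = """\
[19/Sep/2016:16:58:20.259868998 +051800] conn=25 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[19/Sep/2016:16:58:20.259909348 +051800] conn=25 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[19/Sep/2016:16:58:20.260281963 +051800] conn=25 op=1 UNBIND
[19/Sep/2016:16:58:20.342547152 +051800] conn=27 op=0 BIND dn="(anon)" method=128 version=3
[19/Sep/2016:16:58:20.342626028 +051800] conn=27 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No such suffix ((anon))
[19/Sep/2016:16:59:01.000000000 +051800] conn=28 op=0 BIND dn="uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[19/Sep/2016:16:59:01.000200000 +051800] conn=28 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+)(?: op=-?\d+)? (?P<msg>.*)$')
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'^RESULT err=(?P<err>\d+)')

def classify(log_text):
    """Map each connection id to a verdict on how its login attempt ended."""
    verdicts, bind_dn = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, msg = int(m['conn']), m['msg']
        verdicts.setdefault(conn, 'no bind attempted')
        b, e = BIND_RE.search(msg), ERR_RE.match(msg)
        if 'Anonymous access not allowed' in msg:
            verdicts[conn] = 'anonymous search refused (err=48)'  # RDN lookup refused outright
        elif b:
            bind_dn[conn] = b['dn']  # remember the DN until its RESULT line arrives
        elif e and conn in bind_dn:
            dn, err = bind_dn.pop(conn), int(e['err'])
            if dn == '(anon)':  # DN was never resolved; the client bound with the literal
                verdicts[conn] = f'anonymous-DN bind rejected (err={err})'
            else:
                verdicts[conn] = 'bind ok' if err == 0 else f'bind failed (err={err})'
    return verdicts

def anonymous_failures(log_text):
    """Connection ids whose login failed because anonymous access is disabled."""
    return sorted(c for c, v in classify(log_text).items() if v.startswith('anonymous'))
```

Connections that show up in anonymous_failures() with a later successful full-DN bind from the same client are the RDN-login case from this bug, not a credential problem.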

Comment 3 Noriko Hosoi 2016-09-19 17:14:40 UTC
(In reply to mreynolds from comment #2)
> (In reply to Noriko Hosoi from comment #1)
> > Hi Mark,
> > Do you happen to remember we support this case?
> > Thanks!
> 
> It works if you use a full DN in the login screen, but RDN logins will not
> work because it requires the console to do an anonymous search to find the
> entry.

Thanks, Mark!  That being said, the Console is working as expected and this is not a bug.  We could close this with NOTABUG.

BTW, do we have a doc/release note for this issue?

Comment 4 mreynolds 2016-09-27 18:07:48 UTC
Created release note bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1379817