Bug 1391204

Summary: (un)register/migration/remove may fail if there is no suffix on 'userRoot' backend
Product: Red Hat Enterprise Linux 7
Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-base
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 7.4
CC: amsharma, mreynolds, msauton, nkinder, rmeggins, tbordaz
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 389-ds-base-1.3.6.1-3.el7
Doc Type: Bug Fix
Doc Text:
Cause: If suffix is missing in the default backend entry userRoot, it wipes out the valid suffix defined in the existing backend.
Consequence: The register/unregister script loses the valid suffix info and fails.
Fix: If the default backend userRoot does not have the suffix, it correctly ignores the empty suffix.
Result: The register/unregister script works as expected even if the default backend entry is not configured properly.
Story Points: ---
Clone Of:
: 1414677
Environment:
Last Closed: 2017-08-01 21:12:24 UTC
Type: Bug
Bug Blocks: 1414677    

Description Noriko Hosoi 2016-11-02 19:06:50 UTC
Description of problem:


DSUtil.pm:createInfFromConfig is used to create an info structure describing a server.

One of the mapped fields is the 'Suffix', which is the 'nsslapd-suffix' value of a backend instance (one-level entries below 'cn=ldbm database,cn=plugins,cn=config').

The loop that sets the 'Suffix' may fail if there is no suffix on 'userRoot'. In that case the result varies according to the order of recorded backends.

For example:

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
dn: cn=<backend_name_different_than_userRoot>,cn=ldbm database,cn=plugins,cn=config
dn: cn=monitor,cn=ldbm database,cn=plugins,cn=config

will result in an undefined value for 'Suffix', because without 'userRoot' the 'Suffix' will take the last (cn=monitor) value of 'nsslapd-suffix'.
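
The failure mode described above, as an added example that is not part of the original report and not the 389-ds-base code: a simplified Perl model in which backend entries are plain hashes, with hypothetical function names `suffix_overwrite` (the failing pattern) and `suffix_ignore_empty` (the behaviour the Doc Text describes for the fix). All entry values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample entries modelling the one-level children of
# "cn=ldbm database,cn=plugins,cn=config" (plain hashes, not LDAP objects).
my %cases = (
    'no userRoot, monitor last' => [
        { cn => 'config' },
        { cn => 'testdb', 'nsslapd-suffix' => 'dc=test,dc=com' },
        { cn => 'monitor' },
    ],
    'userRoot without suffix' => [
        { cn => 'testdb', 'nsslapd-suffix' => 'dc=test,dc=com' },
        { cn => 'userRoot' },
    ],
    'userRoot with suffix' => [
        { cn => 'testdb', 'nsslapd-suffix' => 'dc=test,dc=com' },
        { cn => 'userRoot', 'nsslapd-suffix' => 'dc=example,dc=com' },
    ],
);

# Failing pattern: every entry overwrites the result, so an entry
# without nsslapd-suffix wipes out a valid suffix seen earlier.
sub suffix_overwrite {
    my ($entries) = @_;
    my $suffix;
    for my $ent (@$entries) {
        $suffix = $ent->{'nsslapd-suffix'};
        last if lc($ent->{cn}) eq 'userroot';
    }
    return $suffix;
}

# Fixed pattern: entries with no (or empty) suffix are skipped;
# userRoot still takes precedence when it does carry a suffix.
sub suffix_ignore_empty {
    my ($entries) = @_;
    my $suffix;
    for my $ent (@$entries) {
        my $val = $ent->{'nsslapd-suffix'};
        next unless defined $val && length $val;
        $suffix = $val;
        last if lc($ent->{cn}) eq 'userroot';
    }
    return $suffix;
}

for my $name (sort keys %cases) {
    printf "%-27s overwrite=%-18s ignore_empty=%s\n", $name,
        suffix_overwrite($cases{$name}) // '(undef)',
        suffix_ignore_empty($cases{$name}) // '(undef)';
}
```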

Comment 1 thierry bordaz 2016-11-03 15:25:03 UTC
Fixed upstream https://fedorahosted.org/389/ticket/49016#comment:5

Comment 4 Amita Sharma 2017-05-03 12:57:53 UTC
[0 root@qeos-216 export]# rpm -qa | grep 389
389-ds-base-1.3.6.1-9.el7.x86_64
389-admin-console-doc-1.1.12-2.el7dsrv.noarch
389-admin-console-1.1.12-2.el7dsrv.noarch
389-ds-console-1.2.16-1.el7dsrv.noarch
389-ds-console-doc-1.2.16-1.el7dsrv.noarch
389-adminutil-1.1.23-2.el7dsrv.x86_64
389-console-1.1.18-2.el7dsrv.noarch
389-admin-1.1.46-1.el7dsrv.x86_64
389-ds-base-libs-1.3.6.1-9.el7.x86_64


[0 root@qeos-216 install]# ldapsearch -x -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: userRoot:dc=example,dc=com
nsBackendSuffix: NetscapeRoot:o=netscaperoot

[0 root@qeos-216 install]# ldapsearch -x -p 52044 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: userRoot:dc=example,dc=com

1. Created dirsrv instance with multiple suffixes -
[0 root@qeos-216 export]# ldapsearch -x -p 52044 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: userRoot:dc=example,dc=com
nsBackendSuffix: testdb:dc=test,dc=com
nsBackendSuffix: test1db:dc=test1,dc=com
nsBackendSuffix: test2db:dc=test2,dc=com

2. Removed userRoot db -
[0 root@qeos-216 export]# ldapdelete -rx -p 52044 -h localhost -D "cn=Directory Manager" -w Secret123 "cn=userRoot,cn=ldbm database,cn=plugins,cn=config"

[0 root@qeos-216 export]# ldapsearch -x -p 52044 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: testdb:dc=test,dc=com
nsBackendSuffix: test1db:dc=test1,dc=com
nsBackendSuffix: test2db:dc=test2,dc=com

3. Try removing the instance.
[0 root@qeos-216 export]# remove-ds.pl -f -a -i slapd-test
Instance slapd-test removed.

4. Create another instance with multiple suffixes, delete userRoot, and try to register with the admin server.

[0 root@qeos-216 export]# ldapsearch -x -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: userRoot:dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com
nsBackendSuffix: test1db:dc=test1,dc=com
nsBackendSuffix: test2db:dc=test2,dc=com
nsBackendSuffix: test3db:dc=test3,dc=com

[0 root@qeos-216 export]# ldapdelete -rx -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 "cn=userRoot,cn=ldbm database,cn=plugins,cn=config"

[0 root@qeos-216 export]# ldapsearch -x -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: test1db:dc=test1,dc=com
nsBackendSuffix: test2db:dc=test2,dc=com
nsBackendSuffix: test3db:dc=test3,dc=com

register-ds-admin.pl was successful.
remove-ds-admin.pl was successful.


Small Observation for the error message -
https://bugzilla.redhat.com/show_bug.cgi?id=1257459#c9

Marking this bug as VERIFIED.

Comment 5 errata-xmlrpc 2017-08-01 21:12:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086