Bug 1527020

Summary: nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during install even if another value was provided in an LDIF ( --dirsrv-config-file )
Product: Red Hat Enterprise Linux 7 Reporter: François Cami <fcami>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: amarecek, cheimes, ipa-maint, ndehadra, pasik, pvoborni, rcritten, sumenon, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.4-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:57:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1477664    

Description François Cami 2017-12-18 11:17:34 UTC 
Description of problem:

# ipa-server-install --dirsrv-config-file params.ldif
with params.ldif:
~~~
dn: cn=config
changetype: modify
replace: nsslapd-maxsasliosize
nsslapd-maxsasliosize: 50000000
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 50000000
~~~
ends up with nsslapd-sasl-max-buffer-size at 2MB anyway due to:
https://bugzilla.redhat.com/show_bug.cgi?id=1044193

So during install the new value is correctly taken into account, but reset to 2M at the end:
~~~
2017-12-13T16:53:18Z DEBUG only: set nsslapd-sasl-max-buffer-size to '2097152', current value [u'50000000']
2017-12-13T16:53:18Z DEBUG only: updated value [u'2097152']
~~~

The default value of 2MB is proving too low in some environments for initial replication, so overriding it safely is a must.


Version-Release number of selected component (if applicable):
As of RHEL 7.4


How reproducible:
Always


Steps to Reproduce:
1. Install IPA server with "--dirsrv-config-file params.ldif" as above
2. Watch the log

Actual results:
~~~
2017-12-13T16:53:18Z DEBUG only: set nsslapd-sasl-max-buffer-size to '2097152', current value [u'50000000']
2017-12-13T16:53:18Z DEBUG only: updated value [u'2097152']
~~~


Expected results:
Custom value is not overridden by hardcoded default value.

Additional info:

We should detect if the value was changed.

Known workaround:
* set the parameter nsslapd-sasl-max-buffer-size to 50000000 on the first IdM server right after installation
* install all replica with ipa-replica-install --dirsrv-config-file params.ldif
* once installation is done, set the nsslapd-sasl-max-buffer-size to 50000000 in the replica as well.

As initial replication is done after the new value (50MB) is used, but before the hardcoded value of 2MB is set, the parameter's value goes from:

dirserv default => 50MB => 2MB => 50MB
Comment 3 Florence Blanc-Renaud 2017-12-20 17:09:00 UTC 
The value of nsslapd-sasl-max-buffer-size is overwritten at the end of the installation, because of the step upgrading the server. The upgrade is loading the content from the file 10-config.update which contains the following:
 
# Default SASL buffer size was too small and could lead for example to
# migration errors
# Can be removed when https://fedorahosted.org/389/ticket/47457 is fixed
dn: cn=config
only:nsslapd-sasl-max-buffer-size:2097152

Note that ticket 47457 has been fixed in  389-ds-base-1.3.2 and 389-ds-base-1.2.11, and the default value for nsslapd-sasl-max-buffer-size is already 2097152 in 389-ds. This means that we can safely remove nsslapd-sasl-max-buffer-size from 10-config.update. In this case, any value supplied with ipa-server-install --dirsrv-config-file will be taken into account.
Comment 4 Florence Blanc-Renaud 2018-01-02 14:38:33 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7341
Comment 5 François Cami 2018-01-04 16:38:11 UTC 
Upstream commit:
https://github.com/freeipa/freeipa/commit/6f5042cd873a13cdae5ce41a6329a09dd7191da0
Comment 6 Christian Heimes 2018-01-10 08:35:50 UTC 
ipa-4-6:
    2212fb5 10-config.update: remove nsslapd-sasl-max-buffer-size override as https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server.
ipa-4-5:
    8a0e790 10-config.update: remove nsslapd-sasl-max-buffer-size override as https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server.
Comment 11 Sudhir Menon 2018-08-24 11:40:58 UTC 
nsslapd-sasl-max-buffer-size was set to 50000000 when specified ldif was provided input to the ipa-server-install command.

Verified on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)
using 

[root@master ~]# rpm -q ipa-server sssd samba krb5-server pki-server selinux-policy 389-ds-base
ipa-server-4.6.4-6.el7.x86_64
sssd-1.16.2-12.el7.x86_64
samba-4.8.3-4.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-6.el7.noarch
selinux-policy-3.13.1-219.el7.noarch
389-ds-base-1.3.8.4-11.el7.x86_64

[root@master ~]# ipa-server-install --dirsrv-config-file params.ldif
.......
.......
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring apollo.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

/var/log/ipaserver-install.log
2018-08-24T10:51:43Z DEBUG nsslapd-sasl-max-buffer-size:
2018-08-24T10:51:43Z DEBUG      50000000
Comment 13 errata-xmlrpc 2018-10-30 10:57:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187