Bug 1556863

Summary: ds-replcheck command for "LDAP with StartTLS" using -Z option should be more robust
Product: Red Hat Enterprise Linux 7 Reporter: Nikhil Dehadrai <ndehadra>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.5CC: amsharma, nkinder, rmeggins
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.8.4-1.el7 Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:13:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nikhil Dehadrai 2018-03-15 11:45:58 UTC 
Description of problem:
ds-replcheck command for "LDAP with StartTLS" using -Z option should be more robust
 
Version-Release number of selected component (if applicable):
389-ds-base-1.3.7.5-18.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA Master /IPA-Replica.
2. On Master run the command:
#ds-replcheck -v -D "cn=directory manager" -w Secret123 -m ldap://master.testrelm.test -r ldap://replica.testrelm.test  -b "dc=testrelm,dc=test" -Z /etc/dirsrv/test123

Actual results:
After step2, the command crashes

Scenario1: Invalid path with -Z

[root@auto-hv-01-guest09 ~]# ds-replcheck -v -D "cn=directory manager" -w Secret123 -m ldap://`hostname` -r ldap://auto-hv-01-guest05.testrelm.test  -b "dc=testrelm,dc=test" -Z /etc/dirsrv/test123
Performing online report...
Connecting to servers...
Gathering Master's RUV...
Gathering Replica's RUV...
Start searching and comparing...
Preparing final report...
================================================================================
         Replication Synchronization Report  (Thu Mar 15 06:16:13 2018)
================================================================================


Database RUV's
=====================================================

Master RUV:
  {replica 3 ldap://auto-hv-01-guest05.testrelm.test:389} 5aaa40c3000000030000 5aaa46a6000200030000
  {replica 4 ldap://auto-hv-01-guest09.testrelm.test:389} 5aaa40bf000100040000 5aaa46d4000400040000
  {replicageneration} 5aaa40bf000000040000

Replica RUV:
  {replica 3 ldap://auto-hv-01-guest05.testrelm.test:389} 5aaa40c3000000030000 5aaa46a6000200030000
  {replica 4 ldap://auto-hv-01-guest09.testrelm.test:389} 5aaa40bf000100040000 5aaa46b0000100040000
  {replicageneration} 5aaa40bf000000040000


Entry Counts
=====================================================

Master:  516
Replica: 516


Tombstones
=====================================================

Master:  10
Replica: 10


Entry Inconsistencies
=====================================================

krbprincipalname=ldap/auto-hv-01-guest09.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
----------------------------------------------------------------------------------------------------------------
 - Replica missing attribute: "krbloginfailedcount"

krbprincipalname=dogtag/auto-hv-01-guest09.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
------------------------------------------------------------------------------------------------------------------
 - Replica missing attribute: "krbloginfailedcount"

idnsname=testrelm.test.,cn=dns,dc=testrelm,dc=test
--------------------------------------------------
 - Attribute 'idnssoaserial' is different:
      Master:
        - State Info: idnsSOAserial;adcsn-5aaa4693000000040000;vucsn-5aaa4693000000040000: 1521108627
        - Date:       Thu Mar 15 06:10:27 2018

      Replica:
        - State Info: idnsSOAserial;adcsn-5aaa448c000000030000;vucsn-5aaa448c000000030000: 1521108108
        - Date:       Thu Mar 15 06:01:48 2018


krbprincipalname=DNS/auto-hv-01-guest09.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
---------------------------------------------------------------------------------------------------------------
 - Replica missing attribute: "krbloginfailedcount"

krbprincipalname=ipa-dnskeysyncd/auto-hv-01-guest09.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
---------------------------------------------------------------------------------------------------------------------------
 - Replica missing attribute: "krbloginfailedcount"

krbprincipalname=dogtag/auto-hv-01-guest05.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
------------------------------------------------------------------------------------------------------------------
 - Master missing attribute: "krbloginfailedcount"

 - Replica's State Info: krbLoginFailedCount;adcsn-5aaa41de000400030001;vucsn-5aaa41de000400030001: 0
 - Date: Thu Mar 15 05:50:22 2018


krbprincipalname=DNS/auto-hv-01-guest05.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
---------------------------------------------------------------------------------------------------------------
 - Master missing attribute: "krbloginfailedcount"

 - Replica's State Info: krbLoginFailedCount;vucsn-5aaa42b2000700030000: 0
 - Date: Thu Mar 15 05:53:54 2018


krbprincipalname=ipa-dnskeysyncd/auto-hv-01-guest05.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
---------------------------------------------------------------------------------------------------------------------------
 - Master missing attribute: "krbloginfailedcount"

 - Replica's State Info: krbLoginFailedCount;vucsn-5aaa42b8000200030000: 0
 - Date: Thu Mar 15 05:54:00 2018




Sceanrio2: random argument with -Z

[root@auto-hv-01-guest09 ~]# ds-replcheck -v -D "cn=directory manager" -w Secret123 -m ldap://`hostname` -r ldap://auto-hv-01-guest05.testrelm.test  -b "dc=testrelm,dc=test" -Z ghfhffhgfhgfhfhfhgf
Performing online report...
Connecting to servers...
Gathering Master's RUV...
Gathering Replica's RUV...
Start searching and comparing...
Preparing final report...
================================================================================
         Replication Synchronization Report  (Thu Mar 15 06:21:05 2018)
================================================================================


Database RUV's
=====================================================

Master RUV:
  {replica 3 ldap://auto-hv-01-guest05.testrelm.test:389} 5aaa40c3000000030000 5aaa46a6000200030000
  {replica 4 ldap://auto-hv-01-guest09.testrelm.test:389} 5aaa40bf000100040000 5aaa46d4000400040000
  {replicageneration} 5aaa40bf000000040000

Replica RUV:
  {replica 3 ldap://auto-hv-01-guest05.testrelm.test:389} 5aaa40c3000000030000 5aaa46a6000200030000
  {replica 4 ldap://auto-hv-01-guest09.testrelm.test:389} 5aaa40bf000100040000 5aaa46b0000100040000
  {replicageneration} 5aaa40bf000000040000


Entry Counts
=====================================================

Master:  516
Replica: 516


Tombstones
=====================================================

Master:  10
Replica: 10


Entry Inconsistencies
=====================================================

krbprincipalname=ldap/auto-hv-01-guest09.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
----------------------------------------------------------------------------------------------------------------
 - Replica missing attribute: "krbloginfailedcount"

krbprincipalname=dogtag/auto-hv-01-guest09.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
------------------------------------------------------------------------------------------------------------------
 - Replica missing attribute: "krbloginfailedcount"

idnsname=testrelm.test.,cn=dns,dc=testrelm,dc=test
--------------------------------------------------
 - Attribute 'idnssoaserial' is different:
      Master:
        - State Info: idnsSOAserial;adcsn-5aaa4693000000040000;vucsn-5aaa4693000000040000: 1521108627
        - Date:       Thu Mar 15 06:10:27 2018

      Replica:
        - State Info: idnsSOAserial;adcsn-5aaa448c000000030000;vucsn-5aaa448c000000030000: 1521108108
        - Date:       Thu Mar 15 06:01:48 2018


krbprincipalname=DNS/auto-hv-01-guest09.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
---------------------------------------------------------------------------------------------------------------
 - Replica missing attribute: "krbloginfailedcount"

krbprincipalname=ipa-dnskeysyncd/auto-hv-01-guest09.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
---------------------------------------------------------------------------------------------------------------------------
 - Replica missing attribute: "krbloginfailedcount"

krbprincipalname=dogtag/auto-hv-01-guest05.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
------------------------------------------------------------------------------------------------------------------
 - Master missing attribute: "krbloginfailedcount"

 - Replica's State Info: krbLoginFailedCount;adcsn-5aaa41de000400030001;vucsn-5aaa41de000400030001: 0
 - Date: Thu Mar 15 05:50:22 2018


krbprincipalname=DNS/auto-hv-01-guest05.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
---------------------------------------------------------------------------------------------------------------
 - Master missing attribute: "krbloginfailedcount"

 - Replica's State Info: krbLoginFailedCount;vucsn-5aaa42b2000700030000: 0
 - Date: Thu Mar 15 05:53:54 2018


krbprincipalname=ipa-dnskeysyncd/auto-hv-01-guest05.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
---------------------------------------------------------------------------------------------------------------------------
 - Master missing attribute: "krbloginfailedcount"

 - Replica's State Info: krbLoginFailedCount;vucsn-5aaa42b8000200030000: 0
 - Date: Thu Mar 15 05:54:00 2018

Expected results:
The command should be more robust for '-Z' option and throw errors for invalid path or argument.
Comment 3 Amita Sharma 2018-07-02 07:47:17 UTC 
[root@ibm-x3650m4-01-vm-14 config]# rpm -qa | grep 389
389-ds-base-snmp-1.3.8.4-3.el7.x86_64
389-ds-base-libs-1.3.8.4-3.el7.x86_64
389-ds-base-debuginfo-1.3.8.4-3.el7.x86_64
389-ds-base-1.3.8.4-3.el7.x86_64


[root@ibm-x3650m4-01-vm-14 config]# ds-replcheck -v -D "cn=directory manager" -w Secret123 -m ldap://ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com:30103 -r ldap://ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com:30105  -b "dc=example,dc=com" -Z dewfrefrgfregfdvgrf
certificate directory (dewfrefrgfregfdvgrf) does not exist or is not a directory

[root@ibm-x3650m4-01-vm-14 config]# ds-replcheck -v -D "cn=directory manager" -w Secret123 -m ldap://ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com:30103 -r ldap://ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com:30105  -b "dc=example,dc=com" -Z /hello/dsd
certificate directory (/hello/dsd) does not exist or is not a directory

Hence Verified.
Comment 5 errata-xmlrpc 2018-10-30 10:13:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3127