Bug 1931820
| Summary: | ACIs are being evaluated against the Replication Manager account in a replication context. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Directory Server | Reporter: | Têko Mihinto <tmihinto> | ||||
| Component: | 389-ds-base | Assignee: | Pierre Rogier <progier> | ||||
| Status: | CLOSED ERRATA | QA Contact: | RHDS QE <ds-qe-bugs> | ||||
| Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> | ||||
| Priority: | high | ||||||
| Version: | 11.2 | CC: | aadhikar, knakai, ldap-maint, mreynolds, msauton, progier, rmarigny, sgouvern, tbordaz | ||||
| Target Milestone: | DS11.3 | ||||||
| Target Release: | dirsrv-11.4 | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | sync-to-jira | ||||||
| Fixed In Version: | redhat-ds-11-8050020210803164248.d3df4063 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 1967839 2022086 (view as bug list) | Environment: | |||||
| Last Closed: | 2021-10-25 06:36:13 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1967839, 2005434, 2022086 | ||||||
| Attachments: |
|
||||||
Created attachment 1779379 [details]
proposed patch version 1
Note the patch still includes the previous debug patch to get a clear error log
message if the bug is not fixed and we still hit it.
Hi, A customer had a recent crash with 389-ds-base-1.4.3.13-1.el8.bz1931820_2.x86_64 that was delivered as part of this bz The stack frame is as follows : Program terminated with signal SIGSEGV, Segmentation fault. #0 csn_get_replicaid (csn=csn@entry=0x0) at ldap/servers/slapd/csn.c:167 167 return csn->rid; [Current thread is 1 (Thread 0x7fed749fe700 (LWP 3772))] (gdb) where #0 0x00007fedaacb7f24 in csn_get_replicaid (csn=csn@entry=0x0) at ldap/servers/slapd/csn.c:167 #1 0x00007fed9d10aded in ruv_cancel_csn_inprogress (repl=repl@entry=0x7fed996aea40, ruv=0x7fed99769720, csn=csn@entry=0x0, local_rid=local_rid@entry=12) at ldap/servers/plugins/replication/repl5_ruv.c:1594 #2 0x00007fed9d0f4a6a in cancel_opcsn (pb=pb@entry=0x7fed6e57e000) at ldap/servers/plugins/replication/repl5_plugins.c:1326 #3 0x00007fed9d0f55a8 in write_changelog_and_ruv (pb=pb@entry=0x7fed6e57e000) at ldap/servers/plugins/replication/repl5_plugins.c:983 #4 0x00007fed9d0f67a2 in multimaster_be_betxnpostop_add (pb=pb@entry=0x7fed6e57e000) at ldap/servers/plugins/replication/repl5_plugins.c:851 #5 0x00007fed9d0f6850 in multimaster_mmr_postop (pb=0x7fed6e57e000, flags=560) at ldap/servers/plugins/replication/repl5_plugins.c:612 #6 0x00007fedaad1223d in plugin_call_mmr_plugin_postop (pb=pb@entry=0x7fed6e57e000, e=e@entry=0x0, flags=flags@entry=560) at ldap/servers/slapd/plugin_mmr.c:65 #7 0x00007fed9d9c1e71 in ldbm_back_add (pb=0x7fed6e57e000) at ldap/servers/slapd/back-ldbm/ldbm_add.c:1335 #8 0x00007fedaacaab98 in op_shared_add (pb=pb@entry=0x7fed6e57e000) at ldap/servers/slapd/add.c:692 #9 0x00007fedaacabc37 in do_add (pb=pb@entry=0x7fed6e57e000) at ldap/servers/slapd/add.c:236 #10 0x000055e8e8a4bfa1 in connection_dispatch_operation (pb=0x7fed6e57e000, op=<optimized out>, conn=<optimized out>) at ldap/servers/slapd/connection.c:609 #11 0x000055e8e8a4bfa1 in connection_threadmain () at ldap/servers/slapd/connection.c:1759 #12 0x00007feda86435a8 in _pt_root (arg=0x7fed996b0ac0) at ../../.././nspr/pr/src/pthreads/ptthread.c:201 #13 0x00007feda7fde14a in start_thread (arg=<optimized out>) at pthread_create.c:479 #14 0x00007feda776ddc3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 (gdb) This is obviously caused by dereferencing a NULL pointer csn->rid where csn is NULL I wonder if this crash can be due to the fact that the customer does NOT have the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1970259 ( comment #33 of current bz ) Build Tested: 389-ds-base-1.4.3.27-2.module+el8dsrv+12690+c6df6d1b.x86_64
============================================================================ test session starts =================================================================
platform linux -- Python 3.6.8, pytest-6.2.5, py-1.10.0, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-343.el8.x86_64-x86_64-with-redhat-8.5-Ootpa', 'Packages': {'pytest': '6.2.5', 'py': '1.10.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'ignore-flaky': '2.0.0'}}
389-ds-base: 1.4.3.27-2.module+el8dsrv+12690+c6df6d1b
nss: 3.67.0-6.el8_4
nspr: 4.32.0-1.el8_4
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /workspace/ds/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, ignore-flaky-2.0.0
collected 1 item
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_access_from_certain_network_only_ip PASSED [100%]
============================================================================ 1 passed in 12.43s ==================================================================
Marking as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: redhat-ds:11 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3955 |
Description of problem: A replicated operation failed due to LDAP error 50 ( LDAP_INSUFFICIENT_ACCESS ). With the error log level 262144 ( Access control summary information ), the following message is logged: ================================================================== [18/Feb/2021:17:56:22.531733035 +0100] - DEBUG - NSACLPlugin - print_access_control_summary - conn=594722 op=22 (main): Deny write on entry(companyid=123456789,cn=app,dc=example,dc=com).attr(companyID) to cn=replication manager,cn=config: no aci matched the subject by aci(174): aciname= "Admin ACI", acidn="dc=example,dc=com" ================================================================== RHDS documentation states that the Replication Manager is not subject to ACIs when performing operations on the replicated suffixes: https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_replication#Replication_Overview-Replication_Identity ================================================================== This entry, with its special user profile, bypasses all access control rules defined on the consumer server for the database involved in that replication agreement. ================================================================== Version-Release number of selected component (if applicable): $ cat /etc/redhat-release Red Hat Enterprise Linux release 8.3 (Ootpa) $ $ grep 389-ds-base installed-rpms 389-ds-base-1.4.2.12-3.el8_2.bz1890118_1.x86_64 Mon Nov 16 08:58:23 2020 389-ds-base-libs-1.4.2.12-3.el8_2.bz1890118_1.x86_64 Mon Nov 16 08:58:23 2020 $ How reproducible: Customer reported the issue. Steps to Reproduce: N/A Actual results: A replicated operation is being rejected. Expected results: The replicated operation should be processed. Additional info: