Bug 566320

Summary: RFE: add exception to removal of attributes in cn=config for aci
Product: [Retired] 389
Reporter: Rob Crittenden <rcritten>
Component: Directory Server
Assignee: Rich Megginson <rmeggins>
Status: CLOSED DUPLICATE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: low
Priority: low
Version: 1.2.1
CC: amsharma, benl, jgalipea, mniranja, nhosoi
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-11-07 18:06:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 543590, 639035
Attachments:
0001-Bug-566320-RFE-add-exception-to-removal-of-attribute.patch (flags: rmeggins: review+)

Description Rob Crittenden 2010-02-17 21:50:53 UTC
Description of problem:

It is not possible to do an online deletion of an attribute from cn=config (probably a good thing).

It would be nice to be able to have an exception that acis can be removed online.

Version-Release number of selected component (if applicable):

389-ds-base-1.2.3-1.fc12.x86_64

Comment 2 Endi Sukma Dewata 2010-03-26 17:33:24 UTC
Created attachment 402899 [details]
0001-Bug-566320-RFE-add-exception-to-removal-of-attribute.patch

The modify_config_dse() has been modified to check the ignore_attr_type() for all types of modify operation.

Comment 3 Rich Megginson 2010-03-26 17:50:40 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   48d50e8..6e839e9  master -> master

commit 6e839e9cc2acb957dc3435ee46aa9d2942cf1bcc
Author: Endi S. Dewata <edewata>
Date:   Mon Mar 22 17:53:33 2010 -0500
    Fix description: The modify_config_dse() has been modified to
    check the ignore_attr_type() for all types of modify operation.
    Reviewed by: rmeggins (and pushed by)

Comment 4 Amita Sharma 2011-09-12 10:32:58 UTC
Which attribute should I try deleting from config?
Please guide.

Comment 5 Rich Megginson 2011-09-12 15:29:35 UTC
The only attributes allowed to be deleted at this time are nsslapd-listenhost and nsslapd-securelistenhost

Comment 8 Rich Megginson 2011-09-14 14:13:38 UTC
I just tried to reproduce - it works fine for me - please also confirm what version of 389-ds-base you are using.

Comment 9 Amita Sharma 2011-09-16 07:15:44 UTC
[root@snmaptest ~]# rpm -qa | grep 389
389-adminutil-1.1.14-1.el6.x86_64
389-adminutil-devel-1.1.14-1.el6.x86_64
389-ds-base-1.2.8.2-1.el6_1.12.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-base-libs-1.2.8.2-1.el6_1.12.x86_64

What is wrong here:
============================
[root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
dn: cn=config
changetype: modify
delete: nsslapd-listenhost
EOF

modifying entry "cn=config"
ldap_modify: No such attribute (16)

[root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
dn: cn=config
changetype: modify
delete: nsslapd-allowed-to-delete-attrs
EOF

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
	additional info: Deleting attributes is not allowed

[root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
dn: cn=config
changetype: modify
delete: nsslapd-securelistenhost       
EOF

modifying entry "cn=config"
ldap_modify: No such attribute (16)

[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/access
[16/Sep/2011:12:38:59 +051800] conn=39 op=1 RESULT err=53 tag=103 nentries=0 etime=0
[16/Sep/2011:12:38:59 +051800] conn=39 op=2 UNBIND
[16/Sep/2011:12:38:59 +051800] conn=39 op=2 fd=64 closed - U1
[16/Sep/2011:12:39:18 +051800] conn=40 fd=64 slot=64 connection from ::1 to ::1
[16/Sep/2011:12:39:18 +051800] conn=40 op=0 BIND dn="cn=directory manager" method=128 version=3
[16/Sep/2011:12:39:18 +051800] conn=40 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[16/Sep/2011:12:39:18 +051800] conn=40 op=1 MOD dn="cn=config"
[16/Sep/2011:12:39:18 +051800] conn=40 op=2 UNBIND
[16/Sep/2011:12:39:18 +051800] conn=40 op=2 fd=64 closed - U1
[16/Sep/2011:12:39:18 +051800] conn=40 op=1 RESULT err=16 tag=103 nentries=0 etime=0
^C
[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/errors
[15/Sep/2011:17:40:30 +051800] - Waiting for 4 database threads to stop
[15/Sep/2011:17:40:31 +051800] - All database threads now stopped
[15/Sep/2011:17:40:31 +051800] - slapd stopped.
[15/Sep/2011:17:40:39 +051800] - 389-Directory/1.2.8.10 B2011.244.2149 starting up
[15/Sep/2011:17:40:39 +051800] - slapd started.  Listening on All Interfaces port 34206 for LDAP requests
[15/Sep/2011:17:40:39 +051800] - Listening on All Interfaces port 34216 for LDAPS requests
[16/Sep/2011:11:56:18 +051800] chaining database - Insufficient 'add' privilege to add the entry 'uid=sghai1,ou=people,o=airius.com'.

[16/Sep/2011:12:38:42 +051800] - Warning: Deleting configuration attribute "nsslapd-listenhost"
[16/Sep/2011:12:39:18 +051800] - Warning: Deleting configuration attribute "nsslapd-securelistenhost"
^C
[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost:
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

Comment 10 Rich Megginson 2011-09-16 14:46:24 UTC
(In reply to comment #9)
> [root@snmaptest ~]# rpm -qa | grep 389
> 389-adminutil-1.1.14-1.el6.x86_64
> 389-adminutil-devel-1.1.14-1.el6.x86_64
> 389-ds-base-1.2.8.2-1.el6_1.12.x86_64
> 389-console-1.1.7-1.el6.noarch
> 389-ds-base-libs-1.2.8.2-1.el6_1.12.x86_64
> 
> What is wrong here:
> ============================
> [root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p
> 34206 -h localhost << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-listenhost
> EOF
> 
> modifying entry "cn=config"
> ldap_modify: No such attribute (16)
> 
> [root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p
> 34206 -h localhost << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-allowed-to-delete-attrs
> EOF
> 
> modifying entry "cn=config"
> ldap_modify: Server is unwilling to perform (53)
>  additional info: Deleting attributes is not allowed
> 
> [root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p
> 34206 -h localhost << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-securelistenhost       
> EOF
> 
> modifying entry "cn=config"
> ldap_modify: No such attribute (16)
> 
> [root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/access
> [16/Sep/2011:12:38:59 +051800] conn=39 op=1 RESULT err=53 tag=103 nentries=0
> etime=0
> [16/Sep/2011:12:38:59 +051800] conn=39 op=2 UNBIND
> [16/Sep/2011:12:38:59 +051800] conn=39 op=2 fd=64 closed - U1
> [16/Sep/2011:12:39:18 +051800] conn=40 fd=64 slot=64 connection from ::1 to ::1
> [16/Sep/2011:12:39:18 +051800] conn=40 op=0 BIND dn="cn=directory manager"
> method=128 version=3
> [16/Sep/2011:12:39:18 +051800] conn=40 op=0 RESULT err=0 tag=97 nentries=0
> etime=0 dn="cn=directory manager"
> [16/Sep/2011:12:39:18 +051800] conn=40 op=1 MOD dn="cn=config"
> [16/Sep/2011:12:39:18 +051800] conn=40 op=2 UNBIND
> [16/Sep/2011:12:39:18 +051800] conn=40 op=2 fd=64 closed - U1
> [16/Sep/2011:12:39:18 +051800] conn=40 op=1 RESULT err=16 tag=103 nentries=0
> etime=0
> ^C
> [root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/errors
> [15/Sep/2011:17:40:30 +051800] - Waiting for 4 database threads to stop
> [15/Sep/2011:17:40:31 +051800] - All database threads now stopped
> [15/Sep/2011:17:40:31 +051800] - slapd stopped.
> [15/Sep/2011:17:40:39 +051800] - 389-Directory/1.2.8.10 B2011.244.2149 starting
> up
> [15/Sep/2011:17:40:39 +051800] - slapd started.  Listening on All Interfaces
> port 34206 for LDAP requests
> [15/Sep/2011:17:40:39 +051800] - Listening on All Interfaces port 34216 for
> LDAPS requests
> [16/Sep/2011:11:56:18 +051800] chaining database - Insufficient 'add' privilege
> to add the entry 'uid=sghai1,ou=people,o=airius.com'.
> 
> [16/Sep/2011:12:38:42 +051800] - Warning: Deleting configuration attribute
> "nsslapd-listenhost"
> [16/Sep/2011:12:39:18 +051800] - Warning: Deleting configuration attribute
> "nsslapd-securelistenhost"
> ^C
> [root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager"
> -w Secret123 -b "cn=config" | grep nsslapd-listenhost
> nsslapd-listenhost:
> nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

This is as expected.  Since the attribute has no value
nsslapd-listenhost:
you cannot delete it, and it returns the correct error code No such attribute (16).

Try this:
stop slapd
edit dse.ldif - add nsslapd-listenhost: localhost
start slapd
do ldapsearch to confirm the value is listed 
then ldapmodify to delete the value

Comment 11 Amita Sharma 2011-09-21 06:48:58 UTC
[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
[root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-listenhost
> EOF
modifying entry "cn=config"

[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/errors
[21/Sep/2011:12:01:43 +051800] - slapd shutting down - signaling operation threads
[21/Sep/2011:12:01:43 +051800] - slapd shutting down - closing down internal subsystems and plugins
[21/Sep/2011:12:01:43 +051800] - Waiting for 4 database threads to stop
[21/Sep/2011:12:01:43 +051800] - All database threads now stopped
[21/Sep/2011:12:01:43 +051800] - slapd stopped.
[21/Sep/2011:12:02:46 +051800] - 389-Directory/1.2.9.11 B2011.259.2023 starting up
[21/Sep/2011:12:02:46 +051800] - slapd started.  Listening on IPv6 Loopback port 34206 for LDAP requests
[21/Sep/2011:12:02:47 +051800] - Listening on Loopback port 34206 for LDAP requests
[21/Sep/2011:12:02:47 +051800] - Listening on All Interfaces port 34216 for LDAPS requests
[21/Sep/2011:12:03:01 +051800] - Warning: Deleting configuration attribute "nsslapd-listenhost"
^C
[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/access
[21/Sep/2011:12:03:04 +051800] conn=3 op=1 RESULT err=0 tag=101 nentries=193 etime=0
[21/Sep/2011:12:03:04 +051800] conn=3 op=2 UNBIND
[21/Sep/2011:12:03:04 +051800] conn=3 op=2 fd=64 closed - U1
[21/Sep/2011:12:03:23 +051800] conn=4 fd=64 slot=64 connection from ::1 to ::1
[21/Sep/2011:12:03:23 +051800] conn=4 op=0 BIND dn="cn=directory manager" method=128 version=3
[21/Sep/2011:12:03:23 +051800] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[21/Sep/2011:12:03:23 +051800] conn=4 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Sep/2011:12:03:23 +051800] conn=4 op=1 RESULT err=0 tag=101 nentries=193 etime=0
[21/Sep/2011:12:03:23 +051800] conn=4 op=2 UNBIND
[21/Sep/2011:12:03:23 +051800] conn=4 op=2 fd=64 closed - U1
^C
[root@snmaptest ~]# rpm -qa | grep 389
389-adminutil-1.1.14-1.el6.x86_64
389-adminutil-devel-1.1.14-1.el6.x86_64
389-ds-base-libs-1.2.9.11-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-base-1.2.9.11-1.el6.x86_64
[root@snmaptest ~]# rpm -qf `which setup-ds.pl`
389-ds-base-1.2.9.11-1.el6.x86_64

But then I restarted the instances, and then it actually got deleted, which is not online :(
[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
[root@snmaptest ~]# service dirsrv restart
Shutting down dirsrv: 
    c1...                                                  [  OK  ]
    c2...                                                  [  OK  ]
    s1...                                                  [  OK  ]
    s2...                                                  [  OK  ]
    snmaptest...                                           [  OK  ]
Starting dirsrv: 
    c1...                                                  [  OK  ]
    c2...                                                  [  OK  ]
    s1...                                                  [  OK  ]
    s2...                                                  [  OK  ]
    snmaptest...                                           [  OK  ]
[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost:
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

Please help?

Comment 12 Amita Sharma 2011-09-21 08:10:35 UTC
Thanks to mniranja for highlighting more important points here:

1. If I re-delete the attribute without a restart, it will give me the error "No such attribute", but ldapsearch will still show the attribute, as below:

a). Set the attribute first:
[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

b). Delete the attribute first time:
ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-listenhost
> EOF
modifying entry "cn=config"

c). Try to delete again :
[root@snmaptest ~]# ldapmodify -D "cn=Directory Manager" -w Secret123 -h localhost -p 34206 << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-listenhost
> EOF
modifying entry "cn=config"
ldap_modify: No such attribute (16)

d). Try to search the attribute, :
ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

* This is the inconsistency between ldapsearch and ldapdelete.

2. There are a few questions:
a. nsslapd-listenhost is the attribute which says on which hostname slapd is listening, so when we remove the attribute online, it would still work because slapd has already started using that hostname. Though we are not sure why one would want to delete that attribute (as in, what's the use case here).

b. Initially Rob wanted to do that for ACI (check https://bugzilla.redhat.com/show_bug.cgi?id=566320#c0); how are these attributes - nsslapd-listenhost and nsslapd-securelistenhost - connected to the acis?

Please guide.

Thanks,
Amita

Comment 13 Rich Megginson 2011-09-21 15:09:30 UTC

(In reply to comment #12)
> Thanks to mniranja for highlighting more imp points here :
> 
> 1. If I re-delete the attribute without a restart, It will give me error as "No
> such attribute" , but ldapsearch will show the attribute as below:
> 
> a). Set the attribute first:
> [root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager"
> -w Secret123 -b "cn=config" | grep nsslapd-listenhost
> nsslapd-listenhost: localhost
> nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
> 
> b). Delete the attribute first time:
> ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost <<
> EOF
> > dn: cn=config
> > changetype: modify
> > delete: nsslapd-listenhost
> > EOF
> modifying entry "cn=config"
> 
> c). Try to delete again :
> [root@snmaptest ~]# ldapmodify -D "cn=Directory Manager" -w Secret123 -h
> localhost -p 34206 << EOF
> > dn: cn=config
> > changetype: modify
> > delete: nsslapd-listenhost
> > EOF
> modifying entry "cn=config"
> ldap_modify: No such attribute (16)
> 
> d). Try to search the attribute, :
> ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b
> "cn=config" | grep nsslapd-listenhost
> nsslapd-listenhost: localhost
> nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
> 
> * This is the inconsistency between ldapsearch and ldapdelete.
> 
> 2. There are few questions :
> a. nsslapd-listenhost is the attribute which says that on which hostname the
> slapd is listening, so when we remove the attribute online, it would still work
> because slapd is already started using that hostname. Though we are not sure
> why one would want to delete that attribute,  (as in what's the use case here) 

Ok - looks like the bug wasn't completely fixed.  The attribute is deleted, and it will not be in dse.ldif/cn=config upon restart, but it still shows up in ldapsearch after deletion.  So we need to reopen this bug in order to fix the ldapsearch issue.

> 
> b. Initially Rob wanted to that for ACI (chk
> https://bugzilla.redhat.com/show_bug.cgi?id=566320#c0), how these attributes -
> nsslapd-listenhost nsslapd-securelistenhost, are connected to the acis?

acis are handled separately, by a different part of the code, so you should be able to add/modify/delete acis without being affected by this bug.

> 
> Please guide.
> 
> Thanks,
> Amita
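
The inconsistency Rich confirms above (the attribute gone from dse.ldif after the online delete, yet still returned by ldapsearch) is the kind of drift a QA check can catch by diffing the two sources. The script below is an added example for this thread, not 389-ds code: both LDIF texts are constructed to mirror comments 9 to 13, and `classify_delete` only models the server replies quoted there (err=53, err=16); it is not the server's implementation.

```python
"""Check cn=config for the drift seen in this bug: an attribute deleted online
(so absent from dse.ldif) that ldapsearch still reports. Constructed sample data."""
import base64

# Constructed: `ldapsearch -LLL -b cn=config` output after the online delete
LIVE_LDIF = """dn: cn=config
nsslapd-listenhost: localhost
nsslapd-securelistenhost:
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
"""

# Constructed: same entry in dse.ldif after the delete; long value folded as LDIF does
DISK_LDIF = """dn: cn=config
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost
  nsslapd-securelistenhost
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attr: [values]}; handles folded lines and '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):               # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry

def values(entry, attr):
    # Non-empty values only: cn=config shows unset attrs as 'attr:' with no value
    return [v for v in entry.get(attr.lower(), []) if v]

def classify_delete(entry, attr):
    """Model of comment 9's replies: 53 if attr is not in nsslapd-allowed-to-delete-attrs, 16 if listed but valueless."""
    allowed = " ".join(values(entry, "nsslapd-allowed-to-delete-attrs")).lower().split()
    if attr.lower() not in allowed:
        return 53                              # unwillingToPerform
    if not values(entry, attr):
        return 16                              # noSuchAttribute
    return 0

def find_drift(live_text, disk_text, attrs):
    """Return {attr: (live_values, disk_values)} for the attrs whose values differ."""
    live, disk = parse_ldif_entry(live_text), parse_ldif_entry(disk_text)
    return {a: (values(live, a), values(disk, a)) for a in attrs
            if values(live, a) != values(disk, a)}
```

Against a real instance, feed it the output of `ldapsearch -LLL -b cn=config` and the cn=config entry copied from dse.ldif; any attribute in the result is one the live entry and the on-disk copy disagree about.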

Comment 14 Amita Sharma 2011-09-27 07:16:14 UTC
As Rich suggested marking it as assigned, I am marking it as assigned.

Comment 15 Martin Kosek 2012-01-04 13:40:34 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/92

Comment 16 Noriko Hosoi 2012-11-07 18:06:18 UTC
Please see also https://fedorahosted.org/389/ticket/92.

*** This bug has been marked as a duplicate of bug 853106 ***