Bug 679460

Upstream ticket:
https://fedorahosted.org/389/ticket/196

This fix has been checked into the main trunk.

To verify fix:


Replication: 

   manually create an agreement and set the nsDS5ReplicaHost with the IPv6  address, and make sure you can replicate entries


Chaining:

   use an IPv6 address for nsfarmserverurl.  


Note:  For LDAP urls, the IPv6 Address must be in brackets:

ldap://[fe80::250:45ff:fe02:7fe8]:389


Access Control:

   Example of aci that uses IPv6:

aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
 "userPassword")(version 3.0;acl "Anonymous IPv6 read-search access";
 allow (read, search, compare)(userdn = "ldap:///anyone") and (ip="2000:db8:0:f101::12");)

This fix will be rhel 6.4(DS 9), and in 389-ds-base-1.3.0.a1.

moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata).  When the errata is created, the bugs should be automatically moved back to ON_QA.

Successfully Added ACI using IPv6 address::
[root@dhcp201-149 ~]# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: dc=example,dc=com
> changetype: modify
> replace: aci
> aci: (target ="ldap:///dc=example,dc=com")(targetattr !="userPassword")(version 3.0;acl "Anonymous IPv6 read-search access";allow (read, search, compare)(userdn = "ldap:///anyone") and (ip="2000:db8:0:f101::12");)
> EOF
modifying entry "dc=example,dc=com"

Successfully tested replication:
[root@localhost admin-serv]# ldapsearch -D "cn=directory manager" -w Secret123 -b "cn=test,cn=replica,cn=ou\3Dtest\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" -LLL
dn: cn=test,cn=replica,cn=ou\3Dtest\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,
 cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: test
cn: test
nsDS5ReplicaRoot: ou=test,dc=example,dc=com
nsDS5ReplicaHost: [::1]
nsDS5ReplicaPort: 1389
nsDS5ReplicaBindDN: uid=replmgr,dc=example,dc=com
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES}3iMsHyML5/QgiI3nMoqaYw==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20131112120823Z
nsds5replicaLastUpdateEnd: 20131112120826Z
nsds5replicaChangesSentSinceStartup:: MToxLzAg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20131112120728Z
nsds5replicaLastInitEnd: 20131112120730Z
nsds5replicaLastInitStatus: 0 Total update succeeded

Feature is implemented in latest RHEL7 389, testing is yet to be done - bugs in this feature will be filed separately.

Configured replication with IPv6 address and encountering "function not implemented" errors.

==> /var/log/dirsrv/slapd-M2/errors <==
[12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5992 (function not implemented.), network error 115 (Operation now in progress, host "[2620")

==> /var/log/dirsrv/slapd-M1/errors <==
[12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5992 (function not implemented.), network error 115 (Operation now in progress, host "[2620")

(In reply to Sankar Ramalingam from comment #13)
> Configured replication with IPv6 address and encountering "function not
> implemented" errors.
> 
> ==> /var/log/dirsrv/slapd-M2/errors <==
> [12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind
> request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]:
> error -1 (Can't contact LDAP server), system error -5992 (function not
> implemented.), network error 115 (Operation now in progress, host "[2620")
> 
> ==> /var/log/dirsrv/slapd-M1/errors <==
> [12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind
> request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]:
> error -1 (Can't contact LDAP server), system error -5992 (function not
> implemented.), network error 115 (Operation now in progress, host "[2620")

Looks like the replication fails for SSL configured instances, not for non-ssl.

[root@ibm-x3650m4-01-vm-14 MMR_WINSYNC]# /usr/bin/ldapsearch -x -h 2620:52:0:102f:5054:1ff:fe3c:e136 -p 1289 -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsds5replicaLastUpdateStatus nsDS5ReplicaTransportInfo
# extended LDIF
#
# LDAPv3
# base <cn=replica,cn="dc=passsync,dc=com",cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: nsds5replicaLastUpdateStatus nsDS5ReplicaTransportInfo 
#

# replica, dc\3Dpasssync\2Cdc\3Dcom, mapping tree, config
dn: cn=replica,cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config

# 1289_to_1389_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com, replica, dc\3D
 passsync\2Cdc\3Dcom, mapping tree, config
dn: cn=1289_to_1389_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com,cn=replica,
 cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s
 tartup
nsDS5ReplicaTransportInfo: LDAP

# 1289_to_1489_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com, replica, dc\3D
 passsync\2Cdc\3Dcom, mapping tree, config
dn: cn=1289_to_1489_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com,cn=replica,
 cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s
 tartup
nsDS5ReplicaTransportInfo: LDAP

# 1289_to_1616_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com, replica, dc\3D
 passsync\2Cdc\3Dcom, mapping tree, config
dn: cn=1289_to_1616_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com,cn=replica,
 cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't co
 ntact LDAP server
nsDS5ReplicaTransportInfo: SSL

SSL requires a hostname, not an IPv4/IPv6 address.  This is for the hostname checking for the cn in the server cert subject DN.

What you have to do, in this case, is ensure that the hostname resolves to an IPv6 address.

Since the feature is implemented and the hostname issue is addressed by comment #15, marking as VERIFIED. Testplan for this feature is pending and new bugs will be filed separately.

FWIW, ACIs with ip addresses on multihomed servers are still broken in 1.3.1.6-10

(In reply to Zailo Leite from comment #17)
> FWIW, ACIs with ip addresses on multihomed servers are still broken in
> 1.3.1.6-10
Hi Zailo,
Could you please open a ticket (if not yet) at https://fedorahosted.org/389/newticket with the sample ACIs and the broken results?
Thanks!
--noriko

Looks OK in 1.3.2.9-1 . Thanks!

Z

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.