Bug 679460
Summary: | [RFE] Interpret IPV6 addresses for ACIs, replication, and chaining | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | kent lamb <klamb> |
Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Sankar Ramalingam <sramling> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 7.0 | CC: | amsharma, dsirrine, jgalipea, jrusnack, mreynolds, nhosoi, nkinder, zleite |
Target Milestone: | alpha | Keywords: | FutureFeature |
Target Release: | 7.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | 389-ds-base-1.3.1.2-1.el7 | Doc Type: | Enhancement |
Doc Text: |
Cause: Lack of full support of IPv6 addresses in features such as replication, access control, and chaining.
Consequence: Some of the main features of the server can be used in IPv6 environments.
Change: Added IPv6 support to all the server plugins
Result: Directory Server can now fully handle IPv6 addresses.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2014-06-13 10:01:42 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 512820, 690319 |
Comment 2
Rich Megginson
2012-01-09 17:43:06 UTC
This fix has been checked into the main trunk. To verify fix: Replication: manually create an agreement and set the nsDS5ReplicaHost with the IPv6 address, and make sure you can replicate entries Chaining: use an IPv6 address for nsfarmserverurl. Note: For LDAP urls, the IPv6 Address must be in brackets: ldap://[fe80::250:45ff:fe02:7fe8]:389 Access Control: Example of aci that uses IPv6: aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")(version 3.0;acl "Anonymous IPv6 read-search access"; allow (read, search, compare)(userdn = "ldap:///anyone") and (ip="2000:db8:0:f101::12");) This fix will be rhel 6.4(DS 9), and in 389-ds-base-1.3.0.a1. moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata). When the errata is created, the bugs should be automatically moved back to ON_QA. Successfully Added ACI using IPv6 address::
[root@dhcp201-149 ~]# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: dc=example,dc=com
> changetype: modify
> replace: aci
> aci: (target ="ldap:///dc=example,dc=com")(targetattr !="userPassword")(version 3.0;acl "Anonymous IPv6 read-search access";allow (read, search, compare)(userdn = "ldap:///anyone") and (ip="2000:db8:0:f101::12");)
> EOF
modifying entry "dc=example,dc=com"
Successfully tested replication: [root@localhost admin-serv]# ldapsearch -D "cn=directory manager" -w Secret123 -b "cn=test,cn=replica,cn=ou\3Dtest\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" -LLL dn: cn=test,cn=replica,cn=ou\3Dtest\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree, cn=config objectClass: top objectClass: nsDS5ReplicationAgreement description: test cn: test nsDS5ReplicaRoot: ou=test,dc=example,dc=com nsDS5ReplicaHost: [::1] nsDS5ReplicaPort: 1389 nsDS5ReplicaBindDN: uid=replmgr,dc=example,dc=com nsDS5ReplicaTransportInfo: LDAP nsDS5ReplicaBindMethod: SIMPLE nsDS5ReplicaCredentials: {DES}3iMsHyML5/QgiI3nMoqaYw== nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20131112120823Z nsds5replicaLastUpdateEnd: 20131112120826Z nsds5replicaChangesSentSinceStartup:: MToxLzAg nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd ate succeeded nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 20131112120728Z nsds5replicaLastInitEnd: 20131112120730Z nsds5replicaLastInitStatus: 0 Total update succeeded Feature is implemented in latest RHEL7 389, testing is yet to be done - bugs in this feature will be filed separately. Configured replication with IPv6 address and encountering "function not implemented" errors. ==> /var/log/dirsrv/slapd-M2/errors <== [12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5992 (function not implemented.), network error 115 (Operation now in progress, host "[2620") ==> /var/log/dirsrv/slapd-M1/errors <== [12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5992 (function not implemented.), network error 115 (Operation now in progress, host "[2620") (In reply to Sankar Ramalingam from comment #13) > Configured replication with IPv6 address and encountering "function not > implemented" errors. > > ==> /var/log/dirsrv/slapd-M2/errors <== > [12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind > request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]: > error -1 (Can't contact LDAP server), system error -5992 (function not > implemented.), network error 115 (Operation now in progress, host "[2620") > > ==> /var/log/dirsrv/slapd-M1/errors <== > [12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind > request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]: > error -1 (Can't contact LDAP server), system error -5992 (function not > implemented.), network error 115 (Operation now in progress, host "[2620") Looks like the replication fails for SSL configured instances, not for non-ssl. [root@ibm-x3650m4-01-vm-14 MMR_WINSYNC]# /usr/bin/ldapsearch -x -h 2620:52:0:102f:5054:1ff:fe3c:e136 -p 1289 -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsds5replicaLastUpdateStatus nsDS5ReplicaTransportInfo # extended LDIF # # LDAPv3 # base <cn=replica,cn="dc=passsync,dc=com",cn=mapping tree,cn=config> with scope subtree # filter: (objectclass=*) # requesting: nsds5replicaLastUpdateStatus nsDS5ReplicaTransportInfo # # replica, dc\3Dpasssync\2Cdc\3Dcom, mapping tree, config dn: cn=replica,cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config # 1289_to_1389_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com, replica, dc\3D passsync\2Cdc\3Dcom, mapping tree, config dn: cn=1289_to_1389_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com,cn=replica, cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s tartup nsDS5ReplicaTransportInfo: LDAP # 1289_to_1489_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com, replica, dc\3D passsync\2Cdc\3Dcom, mapping tree, config dn: cn=1289_to_1489_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com,cn=replica, cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s tartup nsDS5ReplicaTransportInfo: LDAP # 1289_to_1616_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com, replica, dc\3D passsync\2Cdc\3Dcom, mapping tree, config dn: cn=1289_to_1616_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com,cn=replica, cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't co ntact LDAP server nsDS5ReplicaTransportInfo: SSL SSL requires a hostname, not an IPv4/IPv6 address. This is for the hostname checking for the cn in the server cert subject DN. What you have to do, in this case, is ensure that the hostname resolves to an IPv6 address. Since the feature is implemented and the hostname issue is addressed by comment #15, marking as VERIFIED. Testplan for this feature is pending and new bugs will be filed separately. FWIW, ACIs with ip addresses on multihomed servers are still broken in 1.3.1.6-10 (In reply to Zailo Leite from comment #17) > FWIW, ACIs with ip addresses on multihomed servers are still broken in > 1.3.1.6-10 Hi Zailo, Could you please open a ticket (if not yet) at https://fedorahosted.org/389/newticket with the sample ACIs and the broken results? Thanks! --noriko Looks OK in 1.3.2.9-1 . Thanks! Z This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |