Bug 894015
Summary: | Adding rootdn-open-time without rootdn-close-time to RootDN Access Control results in inconsistent configuration | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Ján Rusnačko <jrusnack> |
Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Sankar Ramalingam <sramling> |
Severity: | unspecified | Docs Contact: | |
Priority: | high | | |
Version: | 7.0 | CC: | amsharma, arubin, jgalipea, mreynolds, nhosoi, nkinder |
Target Milestone: | rc | | |
Target Release: | 7.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | 389-ds-base-1.3.1.2-1.el7 | Doc Type: | Bug Fix |
Doc Text: | Cause: There were no checks to validate configuration changes to the Root DN Access Control Plugin.<br>Consequence: When restarting the server after making invalid configuration changes, the server would fail to start.<br>Fix: Validate config changes when they happen, not at server startup.<br>Result: An error is returned when making invalid configuration changes. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2014-06-13 13:28:51 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Ján Rusnačko
2013-01-10 14:22:58 UTC
Created ticket: https://fedorahosted.org/389/ticket/552

There is no easy way to reject a modify operation that will result in a misconfiguration. At startup we just log a new error message, ignore the time based settings, and allow the server to start up. Also, for this type of plugin (internalpreoperation), any modification to the plugin does require a server restart for that change to take effect. Fix is out for review.

Upstream ticket: https://fedorahosted.org/389/ticket/552

Fix has been pushed to 1.3.1, commit hash: 00349f6e05fdc66fe24e8034ce072234aa0cacfa

Moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata). When the errata is created, the bugs should be automatically moved back to ON_QA.

```
[root@dhcp201-149 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -v <<EOF
> dn: cn=RootDN Access Control,cn=plugins,cn=config
> changetype: modify
> add: rootdn-close-time
> rootdn-close-time: 0800
> EOF
ldap_initialize( ldap://localhost:389 )
ldap_bind: Server is unwilling to perform (53)
        additional info: RootDN access control violation

[root@dhcp201-149 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -v <<EOF
> dn: cn=RootDN Access Control,cn=plugins,cn=config
> changetype: modify
> replace: rootdn-open-time
> rootdn-open-time: 0800
> EOF
ldap_initialize( ldap://localhost:389 )
replace rootdn-open-time:
        0800
modifying entry "cn=RootDN Access Control,cn=plugins,cn=config"
modify complete

[root@dhcp201-149 yum.repos.d]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
version: 1

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: RootDN Access Control
nsslapd-pluginVersion: 1.3.1.6
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: RootDN Access Control plugin
rootdn-days-allowed: Sat, Wed, Mon, Thu
rootdn-open-time: 0800

[root@dhcp201-149 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -v <<EOF
> dn: cn=RootDN Access Control,cn=plugins,cn=config
> changetype: modify
> add: rootdn-close-time
> rootdn-close-time: 0800
> EOF
ldap_initialize( ldap://localhost:389 )
add rootdn-close-time:
        0800
modifying entry "cn=RootDN Access Control,cn=plugins,cn=config"
modify complete
```

=================================================================================

But if I do it manually in the dse.ldif file then there is no error:

```
[root@dhcp201-149 yum.repos.d]# /usr/lib64/dirsrv/slapd-dhcp201-149/stop-slapd
[root@dhcp201-149 yum.repos.d]# vim /etc/dirsrv/slapd-dhcp201-149/dse.ldif
[root@dhcp201-149 yum.repos.d]# /usr/lib64/dirsrv/slapd-dhcp201-149/start-slapd
[root@dhcp201-149 yum.repos.d]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
version: 1

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: RootDN Access Control
nsslapd-pluginVersion: 1.3.1.6
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: RootDN Access Control plugin
rootdn-days-allowed: Sat, Wed, Mon, Thu
rootdn-close-time: 0800
```

====================================================================

Sometimes it gives an error in the error log as:

```
[07/Nov/2013:15:21:20 +051800] rootdn-access-control-plugin - rootdn_load_config: there must be a open and a close time. Ignoring time based settings.
```

This behavior is inconsistent.

====================================================================

Please add verification steps and check for the inconsistency.

```
[root@dhcp201-149 yum.repos.d]# rpm -qa | grep 389
389-ds-base-1.3.1.6-8.el7.x86_64
389-ds-base-libs-1.3.1.6-8.el7.x86_64
```

Verification steps:

1) Add rootdn-open-time: 0800, do NOT add rootdn-close-time
2) Restart the server
3) Verify that the server starts and the error message is logged.

The bug is that in this situation the server refused to start, because the plugin has an open-time but not a close-time. The fix is that in this situation DS starts, but the plugin ignores the open-time and logs the error message. The steps above should suffice to verify.

After testing https://bugzilla.redhat.com/show_bug.cgi?id=894015#c11, checked the error message in the error logs:

```
[11/Nov/2013:15:44:00 +051800] rootdn-access-control-plugin - rootdn_load_config: there must be a open and a close time. Ignoring time based settings.
```

Marking bug as VERIFIED.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.

Previous requested info was provided...
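The Doc Text and the thread above describe the fix: reject an inconsistent Root DN Access Control change at modify time instead of discovering it at startup. The following is an added illustration, not code from the bug or from 389-ds-base, of what a modify-time check looks like: the change is applied to a copy of the plugin entry, and the resulting entry is validated before it is committed. The "both or neither" rule for rootdn-open-time/rootdn-close-time comes from the logged error on this page; the HHMM format check and the open-before-close check are assumptions about the plugin, as is the `(accepted, entry, message)` return shape.

```python
import re
from typing import Dict, List, Tuple

# Attribute names from the bug report; the plugin entry is modelled as attr -> values.
OPEN, CLOSE = "rootdn-open-time", "rootdn-close-time"
Entry = Dict[str, List[str]]
# Assumption: times are 24-hour "HHMM" strings such as "0800" (not stated on the page).
HHMM = re.compile(r"^([01]\d|2[0-3])[0-5]\d$")


def validate_rootdn_config(entry: Entry) -> Tuple[bool, str]:
    """Return (ok, message). Rule from the logged error: there must be an open
    AND a close time, or neither. Format and ordering checks are assumptions."""
    has_open, has_close = OPEN in entry, CLOSE in entry
    if has_open != has_close:
        return False, "there must be an open and a close time"
    if has_open:
        open_t, close_t = entry[OPEN][0], entry[CLOSE][0]
        if not (HHMM.match(open_t) and HHMM.match(close_t)):
            return False, "open/close time must be HHMM"
        if open_t >= close_t:  # assumption: open must precede close
            return False, "open time must be before close time"
    return True, "ok"


def apply_mod(entry: Entry, changes: List[Tuple[str, str, List[str]]]) -> Entry:
    """Apply LDIF-style (op, attr, values) changes to a copy; original is untouched."""
    new = {k: list(v) for k, v in entry.items()}
    for op, attr, values in changes:
        if op == "add":
            new.setdefault(attr, []).extend(values)
        elif op == "replace":
            new[attr] = list(values)
        elif op == "delete":
            new.pop(attr, None)
        else:
            raise ValueError(f"unsupported changetype op: {op}")
    return new


def modify(entry: Entry, changes) -> Tuple[bool, Entry, str]:
    """Validate at modify time: an inconsistent result is refused (like LDAP
    unwillingToPerform, 53) and the stored entry is returned unchanged."""
    candidate = apply_mod(entry, changes)
    ok, msg = validate_rootdn_config(candidate)
    return (True, candidate, msg) if ok else (False, entry, f"unwilling to perform (53): {msg}")


# Constructed sample mirroring the entry in the report, before any time attributes.
BASE: Entry = {"cn": ["RootDN Access Control"], "rootdn-days-allowed": ["Sat, Wed, Mon, Thu"]}
```

With this check, the `replace: rootdn-open-time` without a close time that the server accepted in the report is refused, while adding both times in one modify is accepted.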