Bug 982582

Summary: 389 Directory Server Only Binds to IPv6 - IPv4 Not Accessible
Product: Red Hat Enterprise Linux 7
Reporter: Miles <miles>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED NOTABUG
QA Contact: Sankar Ramalingam <sramling>
Severity: medium
Priority: unspecified
Version: 7.0
CC: jgalipea, miles, nhosoi, nkinder
Target Milestone: rc
Target Release: 7.1
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-08-11 17:28:13 UTC
Type: Bug
Bug Blocks: 1061410

Description Miles 2013-07-09 10:39:51 UTC
Description of problem:

First bug submission, sorry if I screw it up.
Platform is CentOS 6.4 (64bit) using EPEL 389 Directory Server packages.

After running "setup-ds-admin.pl", LDAP binds to the IPv6 address, while ds-admin binds to the IPv4 address.

Have also tried to disable IPv6 using the following...

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6

but it still binds to IPv4 instead.

Version-Release number of selected component (if applicable):
rpm -qa | grep 389 | sort

389-admin-1.1.29-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-admin-console-doc-1.1.8-1.el6.noarch
389-adminutil-1.1.15-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-ds-base-1.2.11.15-14.el6_4.x86_64
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.10-1.el6.x86_64


How reproducible:
Consistently.

Steps to Reproduce:
1. Install CentOS-6.4-x86_64-minimal
2. rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
3. rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
4. yum -y install 389-ds openldap-clients
5. setup-ds-admin.pl

Actual results:
netstat -tulpn

Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:9830                0.0.0.0:*                   LISTEN      3070/httpd.worker
tcp        0      :::389                        :::*                        LISTEN      2969/ns-slapd


Expected results:
netstat -tulpn

Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      2969/ns-slapd
tcp        0      0 0.0.0.0:9830                0.0.0.0:*                   LISTEN      3070/httpd.worker


Additional info:
This has been reported and closed previously under RH Bug 588480.

Can manually change the LDAP configuration to use IPv4 using the following steps:

vi /etc/dirsrv/fix-ipv6-bind.ldif

dn: cn=config
changetype: modify
replace: nsslapd-listenhost
nsslapd-listenhost: 0.0.0.0

ldapmodify -a -x -h localhost -p 389 -D cn="Directory Manager" -w PASSWORD -f /etc/dirsrv/fix-ipv6-bind.ldif



vi /etc/dirsrv/fix-ipv6-sslbind.ldif

dn: cn=config
changetype: modify
replace: nsslapd-securelistenhost
nsslapd-securelistenhost: 0.0.0.0

ldapmodify -a -x -h localhost -p 389 -D cn="Directory Manager" -w PASSWORD -f /etc/dirsrv/fix-ipv6-sslbind.ldif


service dirsrv restart
service dirsrv-admin restart

Comment 2 Rich Megginson 2013-07-22 15:47:40 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/47438

Comment 4 Noriko Hosoi 2014-07-22 01:09:04 UTC
Miles, could you elaborate on your problem some more?

By default, both IPv4 and IPv6 are listened on:
# /usr/lib64/mozldap/ldapsearch -h [::0] -p 389 -b "" -s base "(objectclass=*)" dn
dn:
# /usr/lib64/mozldap/ldapsearch -h 127.0.0.1 -p 389 -b "" -s base "(objectclass=*)" dn
dn:

Once IPv6 is disabled:
# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
# echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6

indeed, IPv6 is not available any more:
# /usr/lib64/mozldap/ldapsearch -h [::0] -p 389 -b "" -s base "(objectclass=*)"
ldap_search: Can't connect to the LDAP server - No route to host
# /usr/lib64/mozldap/ldapsearch -h 127.0.0.1 -p 389 -b "" -s base "(objectclass=*)" dn
dn:

Yes, netstat returns ":::*" even after IPv6 is disabled.
# netstat -tulpn | egrep 389  
tcp6    0      0 :::389       :::*      LISTEN      14613/ns-slapd

But that's just the format that netstat is returning?

For instance, other utilities such as sshd and cupsd return ":::*" even after IPv6 is disabled:
tcp6    0      0 :::22        :::*      LISTEN      825/sshd            
tcp6    0      0 :::631       :::*      LISTEN      1440/cupsd 

Regarding the admin server, please take a look at /etc/dirsrv/admin-serv/console.conf. You will see a comment like this:

# To allow connections to IPv6 addresses add "Listen [::]:80"
#
Listen 0.0.0.0:9830

That is, the IPv4 address is explicitly configured.

We are thinking this is not a bug in the directory server.
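
Added example (not part of the bug thread and not 389 Directory Server code): the general Linux socket behaviour behind the netstat output discussed in Comment 4, where a listener shown only as `:::<port>` still answers IPv4 clients unless IPV6_V6ONLY is set on the socket. The function name and the ephemeral loopback port are assumptions made for this illustration.

```python
import socket


def ipv4_peer_seen_by_v6_listener(v6only):
    """Bind an AF_INET6 wildcard listener, connect to it over IPv4 loopback,
    and return the peer address the server sees (None if the connect fails)."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        # Must be set before bind(). 0 = dual-stack, 1 = IPv6 only.
        # When unset, the default comes from the net.ipv6.bindv6only sysctl.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind(("::", 0))      # netstat lists this as :::<port> in both modes
        srv.listen(1)
        srv.settimeout(2)
        cli.settimeout(2)
        port = srv.getsockname()[1]
        try:
            cli.connect(("127.0.0.1", port))
        except OSError:
            # Refused or timed out: the socket is not reachable over IPv4.
            return None
        conn, peer = srv.accept()
        conn.close()
        # An IPv4 client appears as an IPv4-mapped IPv6 address.
        return peer[0]


if __name__ == "__main__":
    for flag in (False, True):
        seen = ipv4_peer_seen_by_v6_listener(flag)
        state = "reachable over IPv4 as " + seen if seen else "not reachable over IPv4"
        print("IPV6_V6ONLY=%d: %s" % (flag, state))
```

For exposure reviews this means a `:::389` line in netstat has to be treated as a possible IPv4 listener, so IPv4 firewall rules and access controls still apply to it.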

Comment 5 Noriko Hosoi 2014-08-11 17:28:13 UTC
Closing this bug as NOTABUG along with https://fedorahosted.org/389/ticket/47438.