Bug 1013736 - Enabling/Disabling DNA plug-in throws "ldap_modify: Server Unwilling to Perform (53)" error
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: All, OS: Linux
Priority: medium, Severity: high
Target Milestone: rc
Target Release: 7.1
Assigned To: Rich Megginson
QA Contact: Viktor Ashirov
Reported: 2013-09-30 12:47 EDT by Sankar Ramalingam
Modified: 2015-03-05 04:31 EST
Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 04:31:06 EST
Type: Bug
External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2015:0416
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: 389-ds-base security, bug fix, and enhancement update
Last Updated: 2015-03-05 09:26:33 EST

Description Sankar Ramalingam 2013-09-30 12:47:10 EDT
Description of problem: Enabling DNA plugin throws the following error.

modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
    additional info: Changes result in an invalid DNA configuration. 

Version-Release number of selected component (if applicable): 389-ds-base-1.2.11.15-26


How reproducible: Consistently with RHEL6.5


Steps to Reproduce:
1. Install RHEL6.5 latest RTT accepted builds.
2. Install 389-ds-base-1.2.11.15-26 and run ldapmodify to enable DNA plugin.
3. Run ldapmodify multiple times to check whether it's successful.

cat modify.ldif
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: On

ldapmodify -x -p $PORT -h localhost -D "cn=Directory Manager" -w Secret123 -f modify.ldif

Actual results: The plug-in is enabled at first, but the consecutive attempts return error 53.

modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
    additional info: Changes result in an invalid DNA configuration. 

Expected results: ldapmodify should be successful, irrespective of how many times ldapmodify is run.


Additional info: The same error when trying to disable the plug-in too.
Comment 2 Nathan Kinder 2013-09-30 15:36:38 EDT
So is the problem that you receive an err=53 when you attempt to enable DNA and it is already enabled?
Comment 3 Sankar Ramalingam 2013-10-01 06:47:18 EDT
(In reply to Nathan Kinder from comment #2)
> So is the problem that you receive an err=53 when you attempt to enable DNA
> and it is already enabled?

Yes, but it requires a server restart. The exact steps to reproduce...
1). Enable DNA plugin.
 ldapmodify -x -p $PORTS -h localhost -D "cn=Directory Manager" -w Secret123 -f modify.ldif
2). Restart directory server instance.
3). Enable plugin with the same ldapmodify command.
Comment 4 Sankar Ramalingam 2013-10-01 07:58:51 EDT
The same problem occurs with 1.3.1.x packages too on RHEL7.
Comment 5 Nathan Kinder 2013-10-01 11:13:00 EDT
It looks like any change to the main DNA config entry when DNA is enabled is rejected at the pre-op stage in dna_parse_config_entry():

--------------------------------------------------------------------
    /* If this is the main DNA plug-in
     * config entry, just bail. */
    if (strcasecmp(getPluginDN(), slapi_entry_get_ndn(e)) == 0) {
        ret = DNA_FAILURE;
        goto bail;
    }
--------------------------------------------------------------------

Returning DNA_FAILURE will cause LDAP_UNWILLING_TO_PERFORM to be returned to the client.  The purpose of dna_parse_config_entry() is to validate range config entries, which are children of the main DNA config entry.  We want to skip validation of the main DNA config entry, but we shouldn't be rejecting the operation.  I believe that the above code snippet should just return DNA_SUCCESS to allow validation to be skipped for the main DNA config entry.
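
Added example, not part of the bug thread or the 389-ds-base source: a simplified C model of the pre-op check discussed in comment 5, with the quoted behaviour next to the proposed one. The constant values other than 53, the `started` flag, `validate_range()` and the child range DN are assumptions made for illustration.

```c
#include <stdio.h>
#include <strings.h>

/* Numeric values are assumptions, except result code 53, which is on the page. */
#define DNA_SUCCESS 0
#define DNA_FAILURE (-1)
#define LDAP_SUCCESS 0
#define LDAP_UNWILLING_TO_PERFORM 53

/* Stand-in for getPluginDN(): the main DNA config entry. */
static const char *PLUGIN_DN =
    "cn=distributed numeric assignment plugin,cn=plugins,cn=config";

/* Hypothetical stand-in for the real range checks on child entries. */
static int validate_range(int range_ok) {
    return range_ok ? DNA_SUCCESS : DNA_FAILURE;
}

/* Behaviour quoted in comment 5: the main entry is treated as a failure. */
static int parse_before(const char *ndn, int range_ok) {
    if (strcasecmp(PLUGIN_DN, ndn) == 0)
        return DNA_FAILURE;
    return validate_range(range_ok);
}

/* Change proposed in comment 5: skip validation for the main entry. */
static int parse_after(const char *ndn, int range_ok) {
    if (strcasecmp(PLUGIN_DN, ndn) == 0)
        return DNA_SUCCESS;
    return validate_range(range_ok);
}

typedef int (*parse_fn)(const char *ndn, int range_ok);

/* Simplified pre-op hook (assumption): it only runs once the plug-in has started. */
static int preop_modify(parse_fn parse, int started, const char *ndn, int range_ok) {
    if (!started)
        return LDAP_SUCCESS;
    return parse(ndn, range_ok) == DNA_SUCCESS ? LDAP_SUCCESS
                                               : LDAP_UNWILLING_TO_PERFORM;
}

int main(void) {
    /* Constructed child (range) entry DN, for illustration only. */
    const char *range_dn = "cn=uids,cn=distributed numeric assignment plugin,cn=plugins,cn=config";
    printf("before, first enable:  %d\n", preop_modify(parse_before, 0, PLUGIN_DN, 0));
    printf("before, after restart: %d\n", preop_modify(parse_before, 1, PLUGIN_DN, 0));
    printf("after,  after restart: %d\n", preop_modify(parse_after, 1, PLUGIN_DN, 0));
    printf("after,  bad range:     %d\n", preop_modify(parse_after, 1, range_dn, 0));
    return 0;
}
```

The last case shows that skipping validation for the main entry does not relax validation of invalid range entries beneath it.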
Comment 7 Nathan Kinder 2013-10-01 11:22:02 EDT
Upstream ticket:
https://fedorahosted.org/389/ticket/47539
Comment 9 Sankar Ramalingam 2014-12-03 07:49:52 EST
Running ldapmodify to enable memberOf and DNA plugin works fine. Hence, marking the bug as Verified.

[root@vm-idm-035 slapd-test3]# /usr/bin/ldapmodify -x -h localhost -p 1189 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=memberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: On 
EOF

modifying entry "cn=memberOf Plugin,cn=plugins,cn=config"

[root@vm-idm-035 slapd-test3]# /usr/bin/ldapmodify -x -h localhost -p 1189 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=memberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: On
EOF
modifying entry "cn=memberOf Plugin,cn=plugins,cn=config"

[root@vm-idm-035 slapd-test3]# /usr/bin/ldapmodify -x -h localhost -p 1189 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: On
> 
> EOF
modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

[root@vm-idm-035 slapd-test3]# /usr/bin/ldapmodify -x -h localhost -p 1189 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: On
EOF
modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
Comment 10 Sankar Ramalingam 2014-12-03 07:50:50 EST
Build tested:
[root@vm-idm-035 slapd-test3]# rpm -qa |egrep '389-ds-base'
389-ds-base-libs-1.3.3.1-9.el7.x86_64
389-ds-base-1.3.3.1-9.el7.x86_64
Comment 12 errata-xmlrpc 2015-03-05 04:31:06 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html
