Bug 1013736 - Enabling/Disabling DNA plug-in throws "ldap_modify: Server Unwilling to Perform (53)" error
Summary: Enabling/Disabling DNA plug-in throws "ldap_modify: Server Unwilling to Perfo...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: All
OS: Linux
medium
high
Target Milestone: rc
: 7.1
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-09-30 16:47 UTC by Sankar Ramalingam
Modified: 2015-03-05 09:31 UTC (History)
2 users (show)

Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 09:31:06 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0416 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Sankar Ramalingam 2013-09-30 16:47:10 UTC
Description of problem: Enabling DNA plugin throws the following error.

modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
    additional info: Changes result in an invalid DNA configuration. 

Version-Release number of selected component (if applicable): 389-ds-base-1.2.11.15-26


How reproducible: Consistently with RHEL6.5


Steps to Reproduce:
1. Install RHEL6.5 latest RTT accepted builds.
2. Install 389-ds-base-1.2.11.15-26 and run ldapmodify to enable DNA plugin.
3. Run ldapmodify multiple times to check whether its successful.

cat modify.ldif
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: On

ldapmodify -x -p $PORT -h localhost -D "cn=Directory Manager" -w Secret123 -f modify.ldif

Actual results: The plug-in is enabled at first, but the consecutive attempts returns error 53.

modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
    additional info: Changes result in an invalid DNA configuration. 

Expected results: ldapmodify should be successful, irrespective how many ever the ldapmodify is run.


Additional info: The same error when trying to disable the plug-in too.

Comment 2 Nathan Kinder 2013-09-30 19:36:38 UTC
So is the problem that you receive an err=53 when you attempt to enable DNA and it is already enabled?

Comment 3 Sankar Ramalingam 2013-10-01 10:47:18 UTC
(In reply to Nathan Kinder from comment #2)
> So is the problem that you receive an err=53 when you attempt to enable DNA
> and it is already enabled?

Yes, but it requires a server restart. The exact steps to reproduce...
1). Enable DNA plugin.
 ldapmodify -x -p $PORTS -h localhost -D "cn=Directory Manager" -w Secret123 -f modify.ldif
2). Restart directory server instance.
3). Enable plugin with the same ldapmodify command.

Comment 4 Sankar Ramalingam 2013-10-01 11:58:51 UTC
The same problem occurs with 1.3.1.x packages too on RHEL7.

Comment 5 Nathan Kinder 2013-10-01 15:13:00 UTC
It looks like any change to the main DNA config entry when DNA is enabled is rejected at the pre-op stage in dna_parse_config_entry():

--------------------------------------------------------------------
    /* If this is the main DNA plug-in
     * config entry, just bail. */
    if (strcasecmp(getPluginDN(), slapi_entry_get_ndn(e)) == 0) {
        ret = DNA_FAILURE;
        goto bail;
    }
--------------------------------------------------------------------

Returning DNA_FAILURE will cause LDAP_UNWILLING_TO_PERFORM to be returned to the client.  The purpose of dna_parse_config_entry() is to validate range config entries, which are children of the main DNA config entry.  We want to skip validation of the main DNA config entry, but we shouldn't be rejecting the operation.  I believe that the above code snippet should just return DNA_SUCCESS to allow validation to be skipped for the main DNA config entry.

Comment 7 Nathan Kinder 2013-10-01 15:22:02 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/47539

Comment 9 Sankar Ramalingam 2014-12-03 12:49:52 UTC
Running ldapmodify to enable memberOf and DNA plugin works fine. Hence, marking the bug as Verified.

[root@vm-idm-035 slapd-test3]# /usr/bin/ldapmodify -x -h localhost -p 1189 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=memberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: On 
EOF

modifying entry "cn=memberOf Plugin,cn=plugins,cn=config"

[root@vm-idm-035 slapd-test3]# /usr/bin/ldapmodify -x -h localhost -p 1189 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=memberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: On
EOF
modifying entry "cn=memberOf Plugin,cn=plugins,cn=config"

[root@vm-idm-035 slapd-test3]# /usr/bin/ldapmodify -x -h localhost -p 1189 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: On
> 
> EOF
modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

[root@vm-idm-035 slapd-test3]# /usr/bin/ldapmodify -x -h localhost -p 1189 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: On
EOF
modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

Comment 10 Sankar Ramalingam 2014-12-03 12:50:50 UTC
Build tested:
[root@vm-idm-035 slapd-test3]# rpm -qa |egrep '389-ds-base'
389-ds-base-libs-1.3.3.1-9.el7.x86_64
389-ds-base-1.3.3.1-9.el7.x86_64

Comment 12 errata-xmlrpc 2015-03-05 09:31:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html


Note You need to log in before you can comment on or make changes to this bug.