Bug 1016749 - DS crashes when "cn=Directory Manager" is changing it's password in IPA
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Target Milestone: rc
Assigned To: Rich Megginson
QA Contact: Sankar Ramalingam
Reported: 2013-10-08 11:42 EDT by Martin Kosek
Modified: 2014-06-17 23:01 EDT

Fixed In Version: 389-ds-base-1.3.1.6-6.el7
Doc Type: Bug Fix
Doc Text:
Cause: The cn=Directory Manager user is not a real entry, and does not exist in any database backend. Changing the password in IPA would attempt to start a transaction in this database, but it was NULL.
Consequence: The server would dereference the NULL database and would crash.
Fix: Do not attempt a transaction in a database that does not exist.
Result: Server does not crash when using IPA and the Directory Manager password is changed.
Last Closed: 2014-06-13 06:56:21 EDT
Type: Bug


Attachments:
Stacktrace (71.90 KB, text/plain), 2013-10-08 11:42 EDT, Martin Kosek

Description Martin Kosek 2013-10-08 11:42:07 EDT
Created attachment 809370 [details]
Stacktrace

Description of problem:

The following piece of code in ipa password change extop plugin seems to be causing a crash:

ipa_pwd_extop.c:
static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
{
...
    if (usetxn) {
        Slapi_DN *sdn = slapi_sdn_new_dn_byref(dn);
        Slapi_Backend *be = slapi_be_select(sdn);
        slapi_sdn_free(&sdn);
        if (be) {
            chpwop_pb = slapi_pblock_new();
            if (slapi_pblock_set(chpwop_pb, SLAPI_BACKEND, be)) {
                LOG_FATAL("slapi_pblock_set failed!\n");
                rc = LDAP_OPERATIONS_ERROR;
                goto free_and_return;
            }
            rc = slapi_back_transaction_begin(chpwop_pb);   /* >>>>> crashes here */
            if (rc) {
                LOG_FATAL("failed to start transaction\n");
            }
        } else {
            LOG_FATAL("failed to get be backend from %s\n", dn);
        }
    }
...


... when the target user entry is "cn=Directory Manager":

# ipa-server-install
...
# ldappasswd -h localhost -x -D "cn=Directory Manager" -w Secret123 -s Secret123 -ZZZ
ldap_result: Can't contact LDAP server (-1)

ns-slapd process crashed

Version-Release number of selected component (if applicable):
389-ds-base-1.3.1.6-5.el7.x86_64
ipa-server-3.3.2-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server
2. Run ldappasswd command as specified above

Actual results:
DS crashes

Expected results:
DS does not crash, IPA rather receives an error code from slapi_back_transaction_begin

Additional info:
Attached stacktrace
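The failure mode the report and the Doc Text describe, as an added C example (not 389-ds-base or IPA code): a backend lookup that hands back a non-NULL default backend with no database for "cn=Directory Manager", the unfixed transaction-begin that dereferences that NULL database, and the fixed one that returns an error code the plugin's existing rc check already handles. The names be_select, txn_begin_unfixed, txn_begin_fixed, chpwop_begin_txn and the dc=example,dc=com suffix are hypothetical stand-ins for the Slapi API, not the real implementation.

```c
#include <stddef.h>
#include <string.h>
#define LDAP_SUCCESS          0
#define LDAP_OPERATIONS_ERROR 1

/* A real database backend exposes a transaction hook; the default backend
 * that answers for DNs under no configured suffix (cn=Directory Manager is
 * one such DN) has no database at all, so its db pointer is NULL. */
struct database { int (*txn_begin)(void *pb); };
struct backend  { const char *suffix; struct database *db; };

static int ldbm_txn_begin(void *pb) { (void)pb; return LDAP_SUCCESS; }
static struct database ldbm_db    = { ldbm_txn_begin };
static struct backend  user_root  = { "dc=example,dc=com", &ldbm_db };
static struct backend  default_be = { NULL, NULL };

/* Hypothetical stand-in for slapi_be_select(): suffix match on the DN
 * (case-sensitive here; real DN normalisation omitted), falling back to the
 * default backend, which is non-NULL but carries no database. */
struct backend *be_select(const char *dn) {
    size_t dnlen = strlen(dn), slen = strlen(user_root.suffix);
    if (dnlen >= slen && strcmp(dn + dnlen - slen, user_root.suffix) == 0)
        return &user_root;
    return &default_be;
}

/* Before the fix: trusts be->db unconditionally. For the default backend
 * this is the NULL dereference behind the crash in the attached trace. */
int txn_begin_unfixed(struct backend *be, void *pb) {
    return be->db->txn_begin(pb);
}

/* After the fix: a backend without a database cannot start a transaction,
 * so return an error code instead of dereferencing NULL. */
int txn_begin_fixed(struct backend *be, void *pb) {
    if (be == NULL || be->db == NULL || be->db->txn_begin == NULL)
        return LDAP_OPERATIONS_ERROR;
    return be->db->txn_begin(pb);
}

/* Mirrors the usetxn branch of ipapwd_chpwop(): the plugin's own be != NULL
 * check passes for the root DN, so the server-side check is what protects it. */
int chpwop_begin_txn(const char *target_dn) {
    struct backend *be = be_select(target_dn);
    if (be == NULL)
        return LDAP_OPERATIONS_ERROR;
    return txn_begin_fixed(be, NULL);
}
```

With the fixed path, the root DN case yields LDAP_OPERATIONS_ERROR, which is the "failed to start transaction" log line seen in the verification run rather than a server crash.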
Comment 2 Rich Megginson 2013-10-08 12:16:11 EDT
Upstream ticket:
https://fedorahosted.org/389/ticket/47329
Comment 6 Petr Viktorin 2013-10-17 06:45:22 EDT
I got the same error when changing the password for a normal user:

ldappasswd -D "cn=Directory Manager" -s 12345678 uid=u-127-1797,cn=users,cn=accounts,dc=example,dc=com -w 12345678 -x
Comment 7 Martin Kosek 2013-10-17 06:53:52 EDT
Rich, just note that the test above was done on Fedora 19 - I am not sure if it already received this fix as well.
Comment 8 Rich Megginson 2013-10-17 09:54:27 EDT
(In reply to Martin Kosek from comment #7)
> Rich, just note that the test above was done on Fedora 19 - I am not sure if
> it already received this fix as well.

No.  The fix will be in 389-ds-base-1.3.1.13
Comment 9 Amita Sharma 2014-01-28 08:54:59 EST
Hi Mark,

I am getting below response. DS does not crash, IPA rather receives an error code from slapi_back_transaction_begin.

Can you please comment on this:

[root@dhcp207-218 ~]# rpm -q ipa-server 389-ds-base
ipa-server-3.3.3-15.el7.x86_64
389-ds-base-1.3.1.6-14.el7.x86_64

[root@dhcp207-218 ~]# ldapadd -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: uid=amsharma1,dc=newdom,dc=qe
> cn: ams
> sn: ams
> givenname: ams
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> uid: ams
> mail: ams@example.com
> userpassword: amsamsams
> EOF
adding new entry "uid=amsharma1,dc=newdom,dc=qe"

[root@dhcp207-218 ~]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -h localhost -b "uid=amsharma1,dc=newdom,dc=qe"
# amsharma1, newdom.qe
dn: uid=amsharma1,dc=newdom,dc=qe
cn: ams
sn: ams
givenName: ams
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: ams
uid: amsharma1
mail: ams@example.com
userPassword:: e1NTSEF9ZG4ycFBXSW9wZDlYeDRGc1RRbEpOVDZXTStUN3AxVnl1OXd1dVE9PQ=
 =

[root@dhcp207-218 ~]# ldappasswd -D "cn=Directory Manager" -s amitaamita uid=amsharma1,dc=newdom,dc=qe -w Secret123 -x

[root@dhcp207-218 ~]# ldapsearch -x -D "cn=Directory Manager" -w Secret123 -h localhost -b "uid=amsharma1,dc=newdom,dc=qe"
# amsharma1, newdom.qe
dn: uid=amsharma1,dc=newdom,dc=qe
cn: ams
sn: ams
givenName: ams
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: ams
uid: amsharma1
mail: ams@example.com
userPassword:: e1NTSEF9RlV0clhrMERueTl2VEwwT3pTeDMyaHF0bEY0Q1hHdkx6ZzZiTnc9PQ=
 =

ldappasswd -h localhost -x -D "cn=Directory Manager" -w Secret123 -s Secret123 -ZZZ
Result: No such object (32)
Additional info: No such Entry exists.

[root@dhcp207-218 ~]# tail -f /var/log/dirsrv/slapd-NEWDOM-QE/errors
[28/Jan/2014:18:55:21 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:00:02 +051800] - Entry "uid=amsharma1,dc=newdom,dc=qe" -- attribute "krbExtraData" not allowed
[28/Jan/2014:19:01:21 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:05:46 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:05:56 +051800] - Entry "uid=amsharma1,dc=newdom,dc=qe" -- attribute "krbExtraData" not allowed
[28/Jan/2014:19:07:08 +051800] - Entry "uid=amsharma1,dc=newdom,dc=qe" -- attribute "krbExtraData" not allowed
[28/Jan/2014:19:08:39 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:12:13 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:14:43 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction
[28/Jan/2014:19:16:13 +051800] ipapwd_chpwop - [file ipa_pwd_extop.c, line 333]: failed to start transaction

Thanks & Regards,
Ami
Comment 10 mreynolds 2014-01-28 10:14:33 EST
(In reply to Amita Sharma from comment #9)
> Hi Mark,
> 
> I am getting below response. DS does not crash, IPA rather receives an error
> code from slapi_back_transaction_begin.

This is the expected behavior (fix is working).  This fix/patch was added to 1.3.1.6-6, and you are testing 1.3.1.6-14.

Comment 11 Amita Sharma 2014-01-28 11:55:35 EST
Thanks Mark for your comment. Marking bug as VERIFIED.
Comment 12 Ludek Smid 2014-06-13 06:56:21 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.