1150206 – result of dna_dn_is_shared_config is incorrectly used

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1150206 - result of dna_dn_is_shared_config is incorrectly used

Summary: result of dna_dn_is_shared_config is incorrectly used

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Noriko Hosoi
QA Contact:	Viktor Ashirov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1160758
TreeView+	depends on / blocked

Reported:	2014-10-07 16:47 UTC by Noriko Hosoi
Modified:	2020-09-13 21:12 UTC (History)
CC List:	6 users (show)
Fixed In Version:	389-ds-base-1.3.3.1-6.el7
Doc Type:	Bug Fix
Doc Text:	Cause: There was a logic error and dna_load_shared_servers() is called for all entries, except the config entries which really needs it. Consequence: dna shared entry is loaded at the every operation. Fix: Made the logic reverse. Now dna_load_shared_servers() is called just for the config entries. Result: Unnecessary dna shared entry load is avoided and it is loaded only when needed.
Clone Of:
Environment:
Last Closed:	2015-03-05 09:36:03 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
access log (112.12 KB, text/plain) 2015-01-27 00:16 UTC, Viktor Ashirov	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 1249	0	None	None	None	2020-09-13 21:12:59 UTC
Red Hat Product Errata	RHSA-2015:0416	0	normal	SHIPPED_LIVE	Important: 389-ds-base security, bug fix, and enhancement update	2015-03-05 14:26:33 UTC

Description Noriko Hosoi 2014-10-07 16:47:30 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47918

The function dna_dn_is_shared_config() should determine if the entry handled by the plugin is a shared config entry, but it does the opposite.
As a side effect for every changed entry dna_load_shared_servers() is called.

Comment 1 Jenny Severance 2014-10-07 16:59:47 UTC

please add steps to reproduce and verify
Thanks!

Comment 2 Noriko Hosoi 2014-10-07 17:07:43 UTC

I think the performance of DNA over MMR would be significantly improved, but functionality-wise, no difference.  So, running DNA acceptance/stress would be good enough to verify this bug.

But I could be wrong, could you please add your comments, Ludwig?
Thanks!

Comment 3 Ludwig 2014-10-09 14:29:21 UTC

the bug is also a functional but, it did not only do too many searches, but it did it also for the wrong entries. 
But so far there haven't been any report on failures, perhaps the changig of entries in the shared config is not a common case.

I'm not so familiar with that changes and how to test, passing needinfo on to Mark

Comment 4 mreynolds 2014-10-09 15:14:54 UTC

It doesn't look like tet tests the new "remote servers" feature yet, but the  remote server code is still evaluated when checking for shared configurations.  So if tet passes, the core/shared config functionality is working correctly.

Note, the new "remote server" feature is just an extension of the existing shared configuration functionality.  The "shared configuration" feature has been around since the creation of the DNA plugin, and it is fully tested in tet.

Comment 9 Viktor Ashirov 2015-01-27 00:01:21 UTC

$ rpm -qa | grep 389
389-ds-base-libs-1.3.3.1-12.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-12.el7.x86_64
389-ds-base-1.3.3.1-12.el7.x86_64


[1]  Install two servers using "dc=example,dc=com": Server A and Server B
M1: 1189, 1616
M2: 1289, 1626

$ ldapmodify -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 << EOF
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF
modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

$ ldapmodify -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1289 << EOF
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOF
modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

$ sudo systemctl restart dirsrv.target

[2]  Add some org units:
$ ldapmodify -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 << EOF
dn: ou=ranges,dc=example,dc=com
changetype: add
ou: ranges
objectClass: top
objectClass: organizationalunit
EOF
adding new entry "ou=ranges,dc=example,dc=com"

[3]  Add a shared config entry that points to Server B
$ ldapmodify -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 << EOF
dn: dnaHostname=rhel7.brq.redhat.com+dnaPortNum=1289,ou=ranges,dc=example,dc=com
changetype: add
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: rhel7.brq.redhat.com
dnaPortNum: 1289
dnaSecurePortNum: 1626
dnaRemainingValues: 1000
EOF
adding new entry "dnaHostname=rhel7.brq.redhat.com+dnaPortNum=1289,ou=ranges,dc=example,dc=com"

[4]  Add the DNA config entries
$ ldapmodify -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 << EOF
dn: cn=UID and GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: UID and GID numbers
dnaType: cn
dnaMaxValue: 10000
dnaMagicRegen: 0
dnaFilter: (objectclass=top)
dnaScope: ou=people,dc=example,dc=com
dnaNextValue: 500
dnaSharedCfgDN: ou=ranges,dc=example,dc=com
dnaRemoteBindDN: cn=Directory Manager
dnaRemoteBindCred: Secret123
EOF
adding new entry "cn=UID and GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

[5]  Turn on plugin and internal access logging, and disable log buffering
$ ldapmodify -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 << EOF
dn: cn=config
changetype: modify
replace: nsslapd-plugin-logging
nsslapd-plugin-logging: on
-
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 4
-
replace: nsslapd-accesslog-logbuffering
nsslapd-accesslog-logbuffering: off
EOF
modifying entry "cn=config"

[6]  Restart the server
$ sudo systemctl restart dirsrv.target

[7]  Add a entry to ou=people,dc=example,dc=com
$ ldapmodify -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 << EOF
dn: cn=entry,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupofuniquenames
cn: entry
EOF
adding new entry "cn=entry,ou=People,dc=example,dc=com"

[8]  This should not trigger an internal search:
$ grep -i -E "Internal.*dna" /var/log/dirsrv/slapd-M1/access | wc -l
0

> However, at server startup this is logged, so the proper way to verify this is to chek for two of these searches:

After server restart there is no mentions of this kind of internal search. 
Is this OK, or I'm missing something in my setup?
Thanks!

Comment 10 mreynolds 2015-01-27 00:10:14 UTC

Are there any searches that contain "dnaRemoteConnProtocol"?  Can you attach the access log?

Comment 11 Viktor Ashirov 2015-01-27 00:16:55 UTC

Created attachment 984461 [details]
access log

Comment 12 mreynolds 2015-01-27 02:09:18 UTC

Thanks for getting the access log. This can be marked verified.  It's okay if there is not a matching search, we are only concerned if there is more than 1.

Comment 13 Viktor Ashirov 2015-01-27 09:10:08 UTC

Thank you, Mark! 

Marking this bug as VERIFIED.

Comment 15 errata-xmlrpc 2015-03-05 09:36:03 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html

Note You need to log in before you can comment on or make changes to this bug.