Bug 1376676 - Backport AES storage scheme plugin.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.9
Hardware / OS: Unspecified / Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assigned To: Noriko Hosoi
QA Contact: Viktor Ashirov
Keywords: ZStream
Depends On: 1372420
Reported: 2016-09-16 03:04 EDT by Jan Kurik
Modified: 2016-12-13 11:23 EST
Fixed In Version: 389-ds-base-1.2.11.15-84.el6_8
Clone Of: 1372420
Last Closed: 2016-11-15 14:38:31 EST
External Trackers:
Red Hat Product Errata RHSA-2016:2765 (priority normal, status SHIPPED_LIVE): Moderate: 389-ds-base security, bug fix, and enhancement update. Last updated 2016-11-15 19:36:28 EST.
Description Jan Kurik 2016-09-16 03:04:46 EDT
This bug has been copied from bug #1372420 and has been proposed
to be backported to 6.8 z-stream (EUS).
Comment 7 Sankar Ramalingam 2016-10-26 07:00:45 EDT
1). Checking the nsDS5ReplicaCredentials attribute value with the older version of 389-ds-base on RHEL 6.8
[root@vm-idm-006 dirsrv]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-debuginfo-1.2.11.15-81.el6_8.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64
389-ds-base-devel-1.2.11.15-74.el6.x86_64

[root@vm-idm-006 dirsrv]# ldapsearch -LLL -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsDS5ReplicaCredentials
dn: cn=replica,cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config

dn: cn=1189_to_1389_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_1489_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_1626_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_2616_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_2626_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

2). Upgrade the server and restart the instances.

[root@vm-idm-006 dirsrv]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-81.el6_8.x86_64
389-ds-base-debuginfo-1.2.11.15-81.el6_8.x86_64
389-ds-base-libs-1.2.11.15-81.el6_8.x86_64
389-ds-base-devel-1.2.11.15-81.el6_8.x86_64

[root@vm-idm-006 dirsrv]# service dirsrv restart
Shutting down dirsrv: 
    C1...[  OK  ]
    C2...[  OK  ]
    M1...[  OK  ]
    M2...[  OK  ]
    M3...[  OK  ]
    M4...[  OK  ]
Starting dirsrv: 
    C1...[26/Oct/2016:16:26:12 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[26/Oct/2016:16:26:12 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[26/Oct/2016:16:26:12 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C1/dse.ldif was invalid
[26/Oct/2016:16:26:12 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C1 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
    C2...[26/Oct/2016:16:26:12 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[26/Oct/2016:16:26:12 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[26/Oct/2016:16:26:12 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C2/dse.ldif was invalid
[26/Oct/2016:16:26:12 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C2 could not be read or were not found.  Please refer to the error log or output for more information.

It looks like a regression. Please confirm.
Comment 8 mreynolds 2016-10-26 08:12:13 EDT
Looks like the upgrade scripts were not called.  Perhaps "setup-ds.pl -u" was not called?  Can you try running it manually to see if it helps?

I'll try and reproduce this on a beaker box as well.
Comment 9 Sankar Ramalingam 2016-10-26 09:22:50 EDT
(In reply to mreynolds from comment #8)
> Looks like the upgrade scripts were not called.  Perhaps "setup-ds.pl -u"
> was not called?  Can you try running it manually to see if it helps?
> 
> I'll try and reproduce this on a beaker box as well.

This time, I ran setup-ds.pl -u after upgrading the packages. However, the same result is observed: restart of the instances failed with the same error as in comment #7.
Comment 10 Sankar Ramalingam 2016-10-27 03:50:47 EDT
Based on comment #8 and comment #9, marking the bug as assigned.
Comment 11 Sankar Ramalingam 2016-10-28 08:19:27 EDT
1).
root@vm-idm-006 ~]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-74.el6.x86_64
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-devel-1.2.11.15-74.el6.x86_64

2). Then, I created a 4-way MMR, with DES encryption.
 
# replica, dc\3Dpasssync\2Cdc\3Dcom, mapping tree, config
dn: cn=replica,cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config

# 1189_to_1389_on_vm-idm-006.lab.eng.pnq.redhat.com, replica, dc\3Dpasssync\2Cd
 c\3Dcom, mapping tree, config
dn: cn=1189_to_1389_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

3). Upgraded the packages to 389-ds-base-1.2.11.15-82. Ran setup-ds.pl -u to complete the upgrade process.
[root@vm-idm-006 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-82.el6_8.x86_64
389-ds-base-debuginfo-1.2.11.15-82.el6_8.x86_64
389-ds-base-libs-1.2.11.15-82.el6_8.x86_64
389-ds-base-devel-1.2.11.15-82.el6_8.x86_64

4). Restarted directory server instances. 
[root@vm-idm-006 MMR_WINSYNC]# service dirsrv restart
Shutting down dirsrv: 
    C1...[  OK  ]
    C2...[  OK  ]
    M1...[  OK  ]
    M2...[  OK  ]
Starting dirsrv: 
    C1...[28/Oct/2016:17:38:11 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[28/Oct/2016:17:38:11 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[28/Oct/2016:17:38:11 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C1/dse.ldif was invalid
[28/Oct/2016:17:38:11 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C1 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
    C2...[28/Oct/2016:17:38:11 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[28/Oct/2016:17:38:11 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[28/Oct/2016:17:38:11 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C2/dse.ldif was invalid
[28/Oct/2016:17:38:11 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C2 could not be read or were not found.  Please refer to the error log or output for more information.


I will retest with a fresh beaker machine and update my comments here in a few hours.
Comment 12 mreynolds 2016-10-28 10:54:57 EDT
389-ds-base-1.2.11.15-84.el6 still has the same problem (but possibly improved).

I can see that the upgrade script is present on the system, but there is no AES plugin entry in cn=config so the script does not complete:

[28/Oct/2016:10:43:05 -0400] conn=2 op=42 SRCH base="cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config" scope=0 filter="(cn=*)" attrs=ALL
[28/Oct/2016:10:43:05 -0400] conn=2 op=42 RESULT err=32 tag=101 nentries=0 etime=0

/usr/share/dirsrv/updates/52updateAESplugin.pl
...
    my $aes_dn = "cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config";
    my $aes_entry = $conn->search($aes_dn, "base", "(cn=*)");
    if (!$aes_entry) {
        # No AES plugin - nothing to do
        return ();
    }

The AES plugin is present in /usr/share/dirsrv/data/template-dse.ldif, but it's not updating the current dse.ldif when running "setup-ds.pl -u".  Continuing to investigate...
Comment 13 mreynolds 2016-10-28 11:35:06 EDT
The upgrade script should create the AES plugin entry if it does not exist.

Created upstream ticket:

https://fedorahosted.org/389/ticket/49023
Comment 14 mreynolds 2016-10-28 13:01:57 EDT
(In reply to mreynolds from comment #13)
> The upgrade script should create the AES plugin entry if it does not exist.
> 
> Created upstream ticket:
> 
> https://fedorahosted.org/389/ticket/49023

This ticket is invalid.  The real problem is that 50AES-pbe-plugin.ldif is missing from the Makefile.
Comment 15 Sankar Ramalingam 2016-10-28 13:22:08 EDT
Should we also verify if it's backward compatible? I mean, downgrade from the latest 389-ds-base (which has the complete fix for the AES plugin) to an older version of 389-ds-base (which supports DES by default) and check if the server restarts fine and replication works.
Comment 16 Noriko Hosoi 2016-10-28 13:30:33 EDT
(In reply to mreynolds from comment #14)
> (In reply to mreynolds from comment #13)
> > The upgrade script should create the AES plugin entry if it does not exist.
> > 
> > Created upstream ticket:
> > 
> > https://fedorahosted.org/389/ticket/49023
> 
> This ticket is invalid.  The real problem is that 50AES-pbe-plugin.ldif is
> missing from the Makefile

Ah...  Sorry, Mark and Sankar...

We removed autoconf artifacts from RHEL-6.9.  But RHEL-6.8 still has them.  I should have rerun autogen and pushed them to the tree... :(

Let me redo it now.
Comment 17 Noriko Hosoi 2016-10-28 14:01:44 EDT
It makes me rethink...  Do we rather want to apply the change -- removing artifacts to RHEL-6.8, as well?  What do you think, Mark?
Comment 22 Sankar Ramalingam 2016-11-07 23:05:26 EST
[root@vm-idm-006 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64

[root@vm-idm-006 ~]# ldapsearch -x -p 1289 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsDS5ReplicaCredentials |grep -i nsDS5ReplicaCredentials 
# requesting: nsDS5ReplicaCredentials 
nsDS5ReplicaCredentials: {DES}/2IL8UbcCrGTG5/757YC1g==
nsDS5ReplicaCredentials: {DES}/2IL8UbcCrGTG5/757YC1g==
nsDS5ReplicaCredentials: {DES}/2IL8UbcCrGTG5/757YC1g==

[root@vm-idm-006 ~]# yum -y update

[root@vm-idm-006 ~]# setup-ds.pl -u

[root@vm-idm-006 ~]# service dirsrv restart

[root@vm-idm-006 MMR_WINSYNC]# ldapsearch -x -p 1289 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsDS5ReplicaCredentials |grep -i nsDS5ReplicaCredentials 
# requesting: nsDS5ReplicaCredentials 
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG

[root@vm-idm-006 MMR_WINSYNC]# ./AddEntry.sh Users 1189 "ou=people,dc=passsync,dc=com" utestnew 999 localhost

[root@vm-idm-006 ~]# #PORT=1189; SUFF="dc=passsync,dc=com"; for PORT in `echo "1189 1289 1389 1489"`; do /usr/bin/ldapsearch -x -p $PORT -h localhost -D "cn=Directory Manager" -w Secret123 -b $SUFF |grep -i dn: | wc -l ; done
[root@vm-idm-006 ~]# PORT=1189; SUFF="dc=passsync,dc=com"; for PORT in `echo "1189 1289 1389 1489"`; do /usr/bin/ldapsearch -x -p $PORT -h localhost -D "cn=Directory Manager" -w Secret123 -b $SUFF |grep -i dn: | wc -l ; done
1046
1046
1046
1046

[root@vm-idm-006 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-84.el6_8.x86_64
389-ds-base-1.2.11.15-84.el6_8.x86_64

Upgrade is working fine with the latest build of 389-ds-base-1.2.11.15-84. Hence, marking the bug as Verified.
Comment 23 Sankar Ramalingam 2016-11-07 23:12:37 EST
However, the downgrade tests are failing. I heard from Viktor that an automated way of downgrading may not be possible at this time. So, we need to document the steps for the downgrade tests.

Here is the output...
    M1...[08/Nov/2016:08:41:01 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libpbe-plugin.so: cannot open shared object file: No such file or directory
[08/Nov/2016:08:41:01 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libpbe-plugin.so" for plugin AES
[08/Nov/2016:08:41:01 +051800] - The plugin entry [cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-M1/dse.ldif was invalid
[08/Nov/2016:08:41:01 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-M1 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
    M2...[08/Nov/2016:08:41:01 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libpbe-plugin.so: cannot open shared object file: No such file or directory
[08/Nov/2016:08:41:01 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libpbe-plugin.so" for plugin AES
[08/Nov/2016:08:41:01 +051800] - The plugin entry [cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-M2/dse.ldif was invalid
[08/Nov/2016:08:41:01 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-M2 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
  *** Error: 4 instance(s) failed to start
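The failure mode in comments 7, 11 and 23 is the same in both directions: a plugin entry in dse.ldif names a shared object that the installed package does not ship, and the instance refuses to start. The following pre-restart check, added here as an example and not part of the bug thread or of 389-ds-base itself, parses a dse.ldif (including LDIF line folding) and reports enabled plugin entries whose library is not installed; the plugin directory, the way bare nsslapd-pluginPath names are resolved, the sample dse.ldif and the installed-library set are assumptions.

```python
"""Pre-restart check for 389-ds: flag plugin entries in dse.ldif whose shared
object is missing, the cause of the "Could not open library ... for plugin"
failures above. Added example; not code from the thread or from 389-ds-base."""
import os
import re

PLUGIN_DIR = "/usr/lib64/dirsrv/plugins"  # directory named in the error log

def parse_ldif(text):
    """Entries as dicts attr(lowercased) -> [values]. A line starting with one
    space continues the previous line (LDIF folding, as in the long DNs above)."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def plugin_library(path_value):
    """Resolve nsslapd-pluginPath (assumed: absolute .so path in older builds,
    bare name such as libpbe-plugin relative to PLUGIN_DIR in newer ones)."""
    lib = path_value if os.path.isabs(path_value) else os.path.join(PLUGIN_DIR, path_value)
    return lib if lib.endswith(".so") else lib + ".so"

def missing_plugins(dse_text, present):
    """(dn, library) for each enabled plugin entry whose library is not in
    `present`, the set of installed .so paths (glob PLUGIN_DIR/*.so on a host)."""
    missing = []
    for entry in parse_ldif(dse_text):
        enabled = entry.get("nsslapd-pluginenabled", ["on"])[0].lower() == "on"
        if enabled and "nsslapd-pluginpath" in entry:
            lib = plugin_library(entry["nsslapd-pluginpath"][0])
            if lib not in present:
                missing.append((entry["dn"][0], lib))
    return missing

# Constructed sample: stale DES entry plus an AES entry with a folded path.
SAMPLE_DSE = """\
dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginPath: libdes-plugin
nsslapd-pluginEnabled: on

dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginPath: /usr/lib64/dirsrv/plugins/
 libpbe-plugin.so
nsslapd-pluginEnabled: on
"""
# Libraries installed after the upgrade (constructed): libdes-plugin.so is gone.
INSTALLED = {"/usr/lib64/dirsrv/plugins/libpbe-plugin.so"}
```

Running missing_plugins(SAMPLE_DSE, INSTALLED) flags the DES entry; swapping INSTALLED for the old library set reproduces the downgrade case, where the AES entry is flagged instead.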
Comment 26 errata-xmlrpc 2016-11-15 14:38:31 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2765.html
