Bug 1376676 - Backport AES storage scheme plugin.
Summary: Backport AES storage scheme plugin.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.9
Hardware: Unspecified
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On: 1372420
Blocks:
 
Reported: 2016-09-16 07:04 UTC by Jan Kurik
Modified: 2022-07-09 07:49 UTC (History)
CC: 7 users

Fixed In Version: 389-ds-base-1.2.11.15-84.el6_8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1372420
Environment:
Last Closed: 2016-11-15 19:38:31 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 2082 0 None None None 2020-09-13 21:52:51 UTC
Red Hat Bugzilla 1404352 0 medium CLOSED The downgrade process of RHDS packages might require manual editing of the dse.ldif file. 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHSA-2016:2765 0 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2016-11-16 00:36:28 UTC

Internal Links: 1404352

Description Jan Kurik 2016-09-16 07:04:46 UTC
This bug has been copied from bug #1372420 and has been proposed
to be backported to 6.8 z-stream (EUS).

Comment 7 Sankar Ramalingam 2016-10-26 11:00:45 UTC
1). Checking the nsDS5ReplicaCredentials attribute value with an older version of 389-ds-base on RHEL 6.8
[root@vm-idm-006 dirsrv]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-debuginfo-1.2.11.15-81.el6_8.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64
389-ds-base-devel-1.2.11.15-74.el6.x86_64

[root@vm-idm-006 dirsrv]# ldapsearch -LLL -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsDS5ReplicaCredentials
dn: cn=replica,cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config

dn: cn=1189_to_1389_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_1489_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_1626_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_2616_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_2626_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

2). Upgrade the server and restart the instances.

[root@vm-idm-006 dirsrv]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-81.el6_8.x86_64
389-ds-base-debuginfo-1.2.11.15-81.el6_8.x86_64
389-ds-base-libs-1.2.11.15-81.el6_8.x86_64
389-ds-base-devel-1.2.11.15-81.el6_8.x86_64

[root@vm-idm-006 dirsrv]# service dirsrv restart
Shutting down dirsrv: 
    C1...[  OK  ]
    C2...[  OK  ]
    M1...[  OK  ]
    M2...[  OK  ]
    M3...[  OK  ]
    M4...[  OK  ]
Starting dirsrv: 
    C1...[26/Oct/2016:16:26:12 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[26/Oct/2016:16:26:12 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[26/Oct/2016:16:26:12 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C1/dse.ldif was invalid
[26/Oct/2016:16:26:12 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C1 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
    C2...[26/Oct/2016:16:26:12 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[26/Oct/2016:16:26:12 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[26/Oct/2016:16:26:12 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C2/dse.ldif was invalid
[26/Oct/2016:16:26:12 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C2 could not be read or were not found.  Please refer to the error log or output for more information.

It looks like a regression. Please confirm.

Comment 8 mreynolds 2016-10-26 12:12:13 UTC
Looks like the upgrade scripts were not called.  Perhaps "setup-ds.pl -u" was not called?  Can you try running it manually to see if it helps?

I'll try and reproduce this on a beaker box as well.

Comment 9 Sankar Ramalingam 2016-10-26 13:22:50 UTC
(In reply to mreynolds from comment #8)
> Looks like the upgrade scripts were not called.  Perhaps "setup-ds.pl -u"
> was not called?  Can you try running it manually to see if it helps?
> 
> I'll try and reproduce this on a beaker box as well.

This time, I ran setup-ds.pl -u after upgrading the packages. However, the same result is observed. Restart of instances failed with the same error as comment #7.

Comment 10 Sankar Ramalingam 2016-10-27 07:50:47 UTC
Based on comment #8 and comment #9, marking the bug as assigned.

Comment 11 Sankar Ramalingam 2016-10-28 12:19:27 UTC
1).
[root@vm-idm-006 ~]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-74.el6.x86_64
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-devel-1.2.11.15-74.el6.x86_64

2). Then, I created a 4-way MMR. Encryption with DES.
 
# replica, dc\3Dpasssync\2Cdc\3Dcom, mapping tree, config
dn: cn=replica,cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config

# 1189_to_1389_on_vm-idm-006.lab.eng.pnq.redhat.com, replica, dc\3Dpasssync\2Cd
 c\3Dcom, mapping tree, config
dn: cn=1189_to_1389_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

3). Upgraded the packages to 389-ds-base-1.2.11.15-82. Ran setup-ds.pl -u to complete the upgrade process.
[root@vm-idm-006 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-82.el6_8.x86_64
389-ds-base-debuginfo-1.2.11.15-82.el6_8.x86_64
389-ds-base-libs-1.2.11.15-82.el6_8.x86_64
389-ds-base-devel-1.2.11.15-82.el6_8.x86_64

4). Restarted directory server instances. 
[root@vm-idm-006 MMR_WINSYNC]# service dirsrv restart
Shutting down dirsrv: 
    C1...[  OK  ]
    C2...[  OK  ]
    M1...[  OK  ]
    M2...[  OK  ]
Starting dirsrv: 
    C1...[28/Oct/2016:17:38:11 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[28/Oct/2016:17:38:11 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[28/Oct/2016:17:38:11 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C1/dse.ldif was invalid
[28/Oct/2016:17:38:11 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C1 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
    C2...[28/Oct/2016:17:38:11 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[28/Oct/2016:17:38:11 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[28/Oct/2016:17:38:11 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C2/dse.ldif was invalid
[28/Oct/2016:17:38:11 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C2 could not be read or were not found.  Please refer to the error log or output for more information.


I will retest with a fresh beaker machine and update my comments here in a few hours.

Comment 12 mreynolds 2016-10-28 14:54:57 UTC
389-ds-base-1.2.11.15-84.el6 still has the same problem (but possibly improved).

I can see that the upgrade script is present on the system, but there is no AES plugin entry in cn=config so the script does not complete:

[28/Oct/2016:10:43:05 -0400] conn=2 op=42 SRCH base="cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config" scope=0 filter="(cn=*)" attrs=ALL
[28/Oct/2016:10:43:05 -0400] conn=2 op=42 RESULT err=32 tag=101 nentries=0 etime=0

/usr/share/dirsrv/updates/52updateAESplugin.pl
...
    my $aes_dn = "cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config";
    my $aes_entry = $conn->search($aes_dn, "base", "(cn=*)");
    if (!$aes_entry) {
        # No AES plugin - nothing to do
        return ();
    }

The AES plugin is present in /usr/share/dirsrv/data/template-dse.ldif, but it's not updating the current dse.ldif when running "setup-ds.pl -u".  Continuing to investigate...

Comment 13 mreynolds 2016-10-28 15:35:06 UTC
The upgrade script should create the AES plugin entry if it does not exist.

Created upstream ticket:

https://fedorahosted.org/389/ticket/49023

Comment 14 mreynolds 2016-10-28 17:01:57 UTC
(In reply to mreynolds from comment #13)
> The upgrade script should create the AES plugin entry if it does not exist.
> 
> Created upstream ticket:
> 
> https://fedorahosted.org/389/ticket/49023

This ticket is invalid.  The real problem is that 50AES-pbe-plugin.ldif is missing from the Makefile.

Comment 15 Sankar Ramalingam 2016-10-28 17:22:08 UTC
Should we also verify if it's backward compatible? I mean, downgrade from the latest 389-ds-base (which has the complete fix for the AES plugin) to an older version of 389-ds-base (which supports DES by default) and check if the server restarts fine and replication works.

Comment 16 Noriko Hosoi 2016-10-28 17:30:33 UTC
(In reply to mreynolds from comment #14)
> (In reply to mreynolds from comment #13)
> > The upgrade script should create the AES plugin entry if it does not exist.
> > 
> > Created upstream ticket:
> > 
> > https://fedorahosted.org/389/ticket/49023
> 
> This ticket is invalid.  The real problem is that 50AES-pbe-plugin.ldif is
> missing from the Makefile

Ah...  Sorry, Mark and Sankar...

We removed autoconf artifacts from RHEL-6.9.  But RHEL-6.8 still has them.  I should have rerun autogen and pushed them to the tree... :(

Let me redo it now.

Comment 17 Noriko Hosoi 2016-10-28 18:01:44 UTC
It makes me rethink...  Do we rather want to apply the change -- removing artifacts to RHEL-6.8, as well?  What do you think, Mark?

Comment 22 Sankar Ramalingam 2016-11-08 04:05:26 UTC
[root@vm-idm-006 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64

[root@vm-idm-006 ~]# ldapsearch -x -p 1289 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsDS5ReplicaCredentials |grep -i nsDS5ReplicaCredentials 
# requesting: nsDS5ReplicaCredentials 
nsDS5ReplicaCredentials: {DES}/2IL8UbcCrGTG5/757YC1g==
nsDS5ReplicaCredentials: {DES}/2IL8UbcCrGTG5/757YC1g==
nsDS5ReplicaCredentials: {DES}/2IL8UbcCrGTG5/757YC1g==

[root@vm-idm-006 ~]# yum -y update

[root@vm-idm-006 ~]# setup-ds.pl -u

[root@vm-idm-006 ~]# service dirsrv restart

[root@vm-idm-006 MMR_WINSYNC]# ldapsearch -x -p 1289 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsDS5ReplicaCredentials |grep -i nsDS5ReplicaCredentials 
# requesting: nsDS5ReplicaCredentials 
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG

[root@vm-idm-006 MMR_WINSYNC]# ./AddEntry.sh Users 1189 "ou=people,dc=passsync,dc=com" utestnew 999 localhost

[root@vm-idm-006 ~]# #PORT=1189; SUFF="dc=passsync,dc=com"; for PORT in `echo "1189 1289 1389 1489"`; do /usr/bin/ldapsearch -x -p $PORT -h localhost -D "cn=Directory Manager" -w Secret123 -b $SUFF |grep -i dn: | wc -l ; done
[root@vm-idm-006 ~]# PORT=1189; SUFF="dc=passsync,dc=com"; for PORT in `echo "1189 1289 1389 1489"`; do /usr/bin/ldapsearch -x -p $PORT -h localhost -D "cn=Directory Manager" -w Secret123 -b $SUFF |grep -i dn: | wc -l ; done
1046
1046
1046
1046

[root@vm-idm-006 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-84.el6_8.x86_64
389-ds-base-1.2.11.15-84.el6_8.x86_64

Upgrade is working fine with the latest build of 389-ds-base-1.2.11.15-84. Hence, marking the bug as Verified.

Comment 23 Sankar Ramalingam 2016-11-08 04:12:37 UTC
However, the downgrade tests are failing. I heard from Viktor that an automated way of downgrading may not be possible at this time. So, we need to document the steps for downgrade tests.

Here is the output...
    M1...[08/Nov/2016:08:41:01 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libpbe-plugin.so: cannot open shared object file: No such file or directory
[08/Nov/2016:08:41:01 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libpbe-plugin.so" for plugin AES
[08/Nov/2016:08:41:01 +051800] - The plugin entry [cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-M1/dse.ldif was invalid
[08/Nov/2016:08:41:01 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-M1 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
    M2...[08/Nov/2016:08:41:01 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libpbe-plugin.so: cannot open shared object file: No such file or directory
[08/Nov/2016:08:41:01 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libpbe-plugin.so" for plugin AES
[08/Nov/2016:08:41:01 +051800] - The plugin entry [cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-M2/dse.ldif was invalid
[08/Nov/2016:08:41:01 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-M2 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
  *** Error: 4 instance(s) failed to start
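
Both failures in this thread (comment #7 after the upgrade, the output above after the downgrade) have the same shape: dse.ldif still names a Password Storage Scheme plugin whose shared library is no longer installed, so the instance refuses to start. The following pre-flight check, an added example that is not part of the bug or of 389-ds-base itself, parses a dse.ldif fragment and reports enabled plugin entries whose nsslapd-pluginPath library cannot be found, so the mismatch is caught before `service dirsrv restart`. The plugin directory is the one in the error log; the sample LDIF is constructed, and the `exists` callback is an assumption made so the check can run offline.

```python
# Added pre-flight check (constructed example, not 389-ds code): report the
# plugin entries in a dse.ldif whose nsslapd-pluginPath library is missing.
import os

PLUGIN_DIR = "/usr/lib64/dirsrv/plugins"   # plugin directory from the bug's error log
# Constructed dse.ldif fragment modelled on the bug's DES and AES scheme entries;
# the AES dn is folded onto two lines, as LDIF allows.
SAMPLE_DSE = """dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginPath: libdes-plugin
nsslapd-pluginEnabled: on

dn: cn=AES,cn=Password Storage Schemes,cn=plugins,
 cn=config
nsslapd-pluginPath: libpbe-plugin
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry, joining folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        elif not raw.startswith("#"):
            lines.append(raw)
    cur = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line:
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(val.strip())
        elif cur:
            yield cur
            cur = {}

def library_path(plugin_path, plugin_dir=PLUGIN_DIR):
    """An absolute path is used as-is; a bare name is resolved in plugin_dir."""
    if os.path.isabs(plugin_path):
        return plugin_path
    return os.path.join(plugin_dir, plugin_path if plugin_path.endswith(".so") else plugin_path + ".so")

def missing_plugin_libs(ldif_text, exists=os.path.exists, plugin_dir=PLUGIN_DIR):
    """[(dn, library)] for enabled plugins whose library is absent; 'exists' is injectable for offline runs."""
    missing = []
    for e in parse_ldif(ldif_text):
        dn, path = e.get("dn", [""])[0], e.get("nsslapd-pluginpath", [None])[0]
        if path and dn.endswith("cn=plugins,cn=config") \
                and e.get("nsslapd-pluginenabled", ["on"])[0].lower() == "on":
            lib = library_path(path, plugin_dir)
            if not exists(lib):
                missing.append((dn, lib))
    return missing
```

Run against a real instance with `missing_plugin_libs(open("/etc/dirsrv/slapd-M1/dse.ldif").read())`; an empty list means every enabled plugin's library is present.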

Comment 26 errata-xmlrpc 2016-11-15 19:38:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2765.html

