Bug 1376676 - Backport AES storage scheme plugin.
Summary: Backport AES storage scheme plugin.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.9
Hardware: Unspecified
OS: Linux
urgent
urgent
Target Milestone: rc
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On: 1372420
Blocks:
Reported: 2016-09-16 07:04 UTC by Jan Kurik
Modified: 2022-07-09 07:49 UTC (History)

Fixed In Version: 389-ds-base-1.2.11.15-84.el6_8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1372420
Environment:
Last Closed: 2016-11-15 19:38:31 UTC
Target Upstream Version:




Links
System: Github 389ds 389-ds-base issues; ID: 2082; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2020-09-13 21:52:51 UTC
System: Red Hat Bugzilla; ID: 1404352; Private: 0; Priority: medium; Status: CLOSED; Summary: The downgrade process of RHDS packages might require manual editing of the dse.ldif file.; Last Updated: 2021-02-22 00:41:40 UTC
System: Red Hat Product Errata; ID: RHSA-2016:2765; Private: 0; Priority: normal; Status: SHIPPED_LIVE; Summary: Moderate: 389-ds-base security, bug fix, and enhancement update; Last Updated: 2016-11-16 00:36:28 UTC

Internal Links: 1404352

Description Jan Kurik 2016-09-16 07:04:46 UTC
This bug has been copied from bug #1372420 and has been proposed
to be backported to 6.8 z-stream (EUS).

Comment 7 Sankar Ramalingam 2016-10-26 11:00:45 UTC
1). Checking nsDS5ReplicaCredentials attribute value with older version of 389-ds-base on RHEL6.8
[root@vm-idm-006 dirsrv]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-debuginfo-1.2.11.15-81.el6_8.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64
389-ds-base-devel-1.2.11.15-74.el6.x86_64

[root@vm-idm-006 dirsrv]# ldapsearch -LLL -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsDS5ReplicaCredentials
dn: cn=replica,cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config

dn: cn=1189_to_1389_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_1489_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_1626_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_2616_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

dn: cn=1189_to_2626_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

2). Upgrade the server and restart the instances.

[root@vm-idm-006 dirsrv]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-81.el6_8.x86_64
389-ds-base-debuginfo-1.2.11.15-81.el6_8.x86_64
389-ds-base-libs-1.2.11.15-81.el6_8.x86_64
389-ds-base-devel-1.2.11.15-81.el6_8.x86_64

[root@vm-idm-006 dirsrv]# service dirsrv restart
Shutting down dirsrv: 
    C1...[  OK  ]
    C2...[  OK  ]
    M1...[  OK  ]
    M2...[  OK  ]
    M3...[  OK  ]
    M4...[  OK  ]
Starting dirsrv: 
    C1...[26/Oct/2016:16:26:12 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[26/Oct/2016:16:26:12 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[26/Oct/2016:16:26:12 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C1/dse.ldif was invalid
[26/Oct/2016:16:26:12 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C1 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
    C2...[26/Oct/2016:16:26:12 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[26/Oct/2016:16:26:12 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[26/Oct/2016:16:26:12 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C2/dse.ldif was invalid
[26/Oct/2016:16:26:12 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C2 could not be read or were not found.  Please refer to the error log or output for more information.

It looks like a regression. Please confirm.

Comment 8 mreynolds 2016-10-26 12:12:13 UTC
Looks like the upgrade scripts were not called.  Perhaps "setup-ds.pl -u" was not called?  Can you try running it manually to see if it helps?

I'll try and reproduce this on a beaker box as well.

Comment 9 Sankar Ramalingam 2016-10-26 13:22:50 UTC
(In reply to mreynolds from comment #8)
> Looks like the upgrade scripts were not called.  Perhaps "setup-ds.pl -u"
> was not called?  Can you try running it manually to see if it helps?
> 
> I'll try and reproduce this on a beaker box as well.

This time, I ran setup-ds.pl -u after upgrading the packages. However, the same result is observed: the restart of the instances failed with the same error as in comment #7.

Comment 10 Sankar Ramalingam 2016-10-27 07:50:47 UTC
Based on comment #8 and comment #9, marking the bug as assigned.

Comment 11 Sankar Ramalingam 2016-10-28 12:19:27 UTC
1).
[root@vm-idm-006 ~]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-74.el6.x86_64
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-devel-1.2.11.15-74.el6.x86_64

2). Then, I created a 4-way MMR. Encryption with DES:
 
# replica, dc\3Dpasssync\2Cdc\3Dcom, mapping tree, config
dn: cn=replica,cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config

# 1189_to_1389_on_vm-idm-006.lab.eng.pnq.redhat.com, replica, dc\3Dpasssync\2Cd
 c\3Dcom, mapping tree, config
dn: cn=1189_to_1389_on_vm-idm-006.lab.eng.pnq.redhat.com,cn=replica,cn=dc\3Dpa
 sssync\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

3). Upgraded the packages to 389-ds-base-1.2.11.15-82. Ran setup-ds.pl -u to complete the upgrade process.
[root@vm-idm-006 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-82.el6_8.x86_64
389-ds-base-debuginfo-1.2.11.15-82.el6_8.x86_64
389-ds-base-libs-1.2.11.15-82.el6_8.x86_64
389-ds-base-devel-1.2.11.15-82.el6_8.x86_64

4). Restarted directory server instances. 
[root@vm-idm-006 MMR_WINSYNC]# service dirsrv restart
Shutting down dirsrv: 
    C1...[  OK  ]
    C2...[  OK  ]
    M1...[  OK  ]
    M2...[  OK  ]
Starting dirsrv: 
    C1...[28/Oct/2016:17:38:11 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[28/Oct/2016:17:38:11 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[28/Oct/2016:17:38:11 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C1/dse.ldif was invalid
[28/Oct/2016:17:38:11 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C1 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
    C2...[28/Oct/2016:17:38:11 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
[28/Oct/2016:17:38:11 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libdes-plugin.so" for plugin DES
[28/Oct/2016:17:38:11 +051800] - The plugin entry [cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-C2/dse.ldif was invalid
[28/Oct/2016:17:38:11 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-C2 could not be read or were not found.  Please refer to the error log or output for more information.


I will retest with a fresh beaker machine and update my comments here in a few hours.

Comment 12 mreynolds 2016-10-28 14:54:57 UTC
389-ds-base-1.2.11.15-84.el6 still has the same problem (but possibly improved).

I can see that the upgrade script is present on the system, but there is no AES plugin entry in cn=config so the script does not complete:

[28/Oct/2016:10:43:05 -0400] conn=2 op=42 SRCH base="cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config" scope=0 filter="(cn=*)" attrs=ALL
[28/Oct/2016:10:43:05 -0400] conn=2 op=42 RESULT err=32 tag=101 nentries=0 etime=0

/usr/share/dirsrv/updates/52updateAESplugin.pl
...
    my $aes_dn = "cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config";
    my $aes_entry = $conn->search($aes_dn, "base", "(cn=*)");
    if (!$aes_entry) {
        # No AES plugin - nothing to do
        return ();
    }

The AES plugin is present in /usr/share/dirsrv/data/template-dse.ldif, but it's not updating the current dse.ldif when running "setup-ds.pl -u".  Continuing to investigate...

Comment 13 mreynolds 2016-10-28 15:35:06 UTC
The upgrade script should create the AES plugin entry if it does not exist.

Created upstream ticket:

https://fedorahosted.org/389/ticket/49023

Comment 14 mreynolds 2016-10-28 17:01:57 UTC
(In reply to mreynolds from comment #13)
> The upgrade script should create the AES plugin entry if it does not exist.
> 
> Created upstream ticket:
> 
> https://fedorahosted.org/389/ticket/49023

This ticket is invalid.  The real problem is that 50AES-pbe-plugin.ldif is missing from the Makefile

Comment 15 Sankar Ramalingam 2016-10-28 17:22:08 UTC
Should we also verify if it's backward compatible? I mean, downgrade from the latest 389-ds-base (which has the complete fix for the AES plugin) to an older version of 389-ds-base (which supports DES by default) and check if the server restarts fine and replication works.

Comment 16 Noriko Hosoi 2016-10-28 17:30:33 UTC
(In reply to mreynolds from comment #14)
> (In reply to mreynolds from comment #13)
> > The upgrade script should create the AES plugin entry if it does not exist.
> > 
> > Created upstream ticket:
> > 
> > https://fedorahosted.org/389/ticket/49023
> 
> This ticket is invalid.  The real problem is that 50AES-pbe-plugin.ldif is
> missing from the Makefile

Ah...  Sorry, Mark and Sankar...

We removed autoconf artifacts from RHEL-6.9.  But RHEL-6.8 still has them.  I should have rerun autogen and pushed them to the tree... :(

Let me redo it now.

Comment 17 Noriko Hosoi 2016-10-28 18:01:44 UTC
It makes me rethink...  Do we rather want to apply the change -- removing artifacts to RHEL-6.8, as well?  What do you think, Mark?

Comment 22 Sankar Ramalingam 2016-11-08 04:05:26 UTC
[root@vm-idm-006 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64

[root@vm-idm-006 ~]# ldapsearch -x -p 1289 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsDS5ReplicaCredentials |grep -i nsDS5ReplicaCredentials 
# requesting: nsDS5ReplicaCredentials 
nsDS5ReplicaCredentials: {DES}/2IL8UbcCrGTG5/757YC1g==
nsDS5ReplicaCredentials: {DES}/2IL8UbcCrGTG5/757YC1g==
nsDS5ReplicaCredentials: {DES}/2IL8UbcCrGTG5/757YC1g==

[root@vm-idm-006 ~]# yum -y update

[root@vm-idm-006 ~]# setup-ds.pl -u

[root@vm-idm-006 ~]# service dirsrv restart

[root@vm-idm-006 MMR_WINSYNC]# ldapsearch -x -p 1289 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsDS5ReplicaCredentials |grep -i nsDS5ReplicaCredentials 
# requesting: nsDS5ReplicaCredentials 
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG

[root@vm-idm-006 MMR_WINSYNC]# ./AddEntry.sh Users 1189 "ou=people,dc=passsync,dc=com" utestnew 999 localhost

[root@vm-idm-006 ~]# #PORT=1189; SUFF="dc=passsync,dc=com"; for PORT in `echo "1189 1289 1389 1489"`; do /usr/bin/ldapsearch -x -p $PORT -h localhost -D "cn=Directory Manager" -w Secret123 -b $SUFF |grep -i dn: | wc -l ; done
[root@vm-idm-006 ~]# PORT=1189; SUFF="dc=passsync,dc=com"; for PORT in `echo "1189 1289 1389 1489"`; do /usr/bin/ldapsearch -x -p $PORT -h localhost -D "cn=Directory Manager" -w Secret123 -b $SUFF |grep -i dn: | wc -l ; done
1046
1046
1046
1046

[root@vm-idm-006 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-84.el6_8.x86_64
389-ds-base-1.2.11.15-84.el6_8.x86_64

Upgrade is working fine with the latest build of 389-ds-base-1.2.11.15-84. Hence, marking the bug as Verified.

Comment 23 Sankar Ramalingam 2016-11-08 04:12:37 UTC
However, the downgrade tests are failing. I heard from Viktor that an automated way of downgrading may not be possible at this time. So, we need to document the steps for the downgrade tests.

Here is the output...
    M1...[08/Nov/2016:08:41:01 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libpbe-plugin.so: cannot open shared object file: No such file or directory
[08/Nov/2016:08:41:01 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libpbe-plugin.so" for plugin AES
[08/Nov/2016:08:41:01 +051800] - The plugin entry [cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-M1/dse.ldif was invalid
[08/Nov/2016:08:41:01 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-M1 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
    M2...[08/Nov/2016:08:41:01 +051800] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libpbe-plugin.so: cannot open shared object file: No such file or directory
[08/Nov/2016:08:41:01 +051800] - Could not open library "/usr/lib64/dirsrv/plugins/libpbe-plugin.so" for plugin AES
[08/Nov/2016:08:41:01 +051800] - The plugin entry [cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-M2/dse.ldif was invalid
[08/Nov/2016:08:41:01 +051800] startup - The configuration files in directory /etc/dirsrv/slapd-M2 could not be read or were not found.  Please refer to the error log or output for more information.
[FAILED]
  *** Error: 4 instance(s) failed to start
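The restart failures in comments 7 and 23 are the same mechanism in both directions: dse.ldif names a password storage scheme plugin whose library the installed build does not ship (libdes-plugin.so after the upgrade, libpbe-plugin.so after the downgrade), and the server refuses to start. The following check is added here and is not part of the bug, its fix, or 389-ds-base; it parses a constructed dse.ldif fragment, reads each plugin entry's nsslapd-pluginPath, and reports enabled plugins whose .so is not in the plugin directory, so it can be run before restarting after a package upgrade or downgrade.

```python
"""Pre-restart check for the failure seen in this bug: list plugin entries in a
dse.ldif whose shared library is absent from the plugin directory."""
import os

PLUGIN_DIR = "/usr/lib64/dirsrv/plugins"  # directory named in the error log above

# Constructed dse.ldif fragment, not a real server config. The second dn uses an
# LDIF continuation line (leading space), which must be folded before parsing.
SAMPLE_DSE = """\
dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
cn: DES
nsslapd-pluginPath: libdes-plugin
nsslapd-pluginEnabled: on

dn: cn=AES,cn=Password Storage Schemes,cn=plugins,
 cn=config
cn: AES
nsslapd-pluginPath: libpbe-plugin
nsslapd-pluginEnabled: on
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry; attribute names are lowercased."""
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry

def missing_plugins(ldif_text, installed_libs, plugin_dir=PLUGIN_DIR):
    """Return [(plugin cn, expected .so path)] for enabled plugin entries whose
    library file name is not in installed_libs (a set of bare file names)."""
    missing = []
    for entry in parse_ldif(ldif_text):
        path = entry.get("nsslapd-pluginpath")
        if not path or entry.get("nsslapd-pluginenabled", ["on"])[0] != "on":
            continue
        lib = path[0] if path[0].endswith(".so") else path[0] + ".so"
        if lib not in installed_libs:
            missing.append((entry["cn"][0], os.path.join(plugin_dir, lib)))
    return missing

if __name__ == "__main__":
    # On a real host use set(os.listdir(PLUGIN_DIR)); this set is constructed to
    # mimic a downgraded build that ships the DES plugin but not the AES one.
    for cn, lib in missing_plugins(SAMPLE_DSE, {"libdes-plugin.so"}):
        print(f"plugin {cn} needs {lib}, which is not installed: fix dse.ldif before restart")
```

Any entry it reports must be removed from dse.ldif (or the matching package reinstalled) before the instance is restarted, which is the manual step bug 1404352 refers to.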

Comment 26 errata-xmlrpc 2016-11-15 19:38:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2765.html
