Bug 1391204 - (un)register/migration/remove may fail if there is no suffix on 'userRoot' backend
Summary: (un)register/migration/remove may fail if there is no suffix on 'userRoot' ba...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.4
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 1414677
TreeView+ depends on / blocked
 
Reported: 2016-11-02 19:06 UTC by Noriko Hosoi
Modified: 2020-09-13 21:52 UTC (History)
6 users (show)

Fixed In Version: 389-ds-base-1.3.6.1-3.el7
Doc Type: Bug Fix
Doc Text:
Cause: If suffix is missing in the default backend entry userRoot, it wipes out the valid suffix defined in the existing backend. Consequence: The register/unregister script loses the valid suffix info and fails. Fix: If the default backend userRoot does not have the suffix, it correctly ignores the empty suffix. Result: The register/unregister script works as expected even if the default backend entry is not configured properly.
Clone Of:
: 1414677 (view as bug list)
Environment:
Last Closed: 2017-08-01 21:12:24 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 2075 0 None None None 2020-09-13 21:52:29 UTC
Red Hat Product Errata RHBA-2017:2086 0 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2017-08-01 18:37:38 UTC

Description Noriko Hosoi 2016-11-02 19:06:50 UTC 
Description of problem:


DSUtil.pm:createInfFromConfig is used to create an info structure describing a server.

One of mapped field is the 'Suffix' that is the 'nsslapd-suffix' value of backend instance (one level entries below 'cn=ldbm database,cn=plugins,cn=config')

The loop that sets the 'Suffix' may fail if there is no suffix over 'userRoot'. In that case the result varies according to the order of recorded backends.

For example:

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
dn: cn=<backend_name_different_than_userRoot>,cn=ldbm database,cn=plugins,cn=config
dn: cn=monitor,cn=ldbm database,cn=plugins,cn=config

will result with an undefined value for 'Suffix' because without 'userRoot' the 'Suffix' will take the last (cn=monitor) value of 'nsslapd-suffix'
Comment 1 thierry bordaz 2016-11-03 15:25:03 UTC 
Fixed upstream https://fedorahosted.org/389/ticket/49016#comment:5
Comment 4 Amita Sharma 2017-05-03 12:57:53 UTC 
[0 root@qeos-216 export]# rpm -qa | grep 389
389-ds-base-1.3.6.1-9.el7.x86_64
389-admin-console-doc-1.1.12-2.el7dsrv.noarch
389-admin-console-1.1.12-2.el7dsrv.noarch
389-ds-console-1.2.16-1.el7dsrv.noarch
389-ds-console-doc-1.2.16-1.el7dsrv.noarch
389-adminutil-1.1.23-2.el7dsrv.x86_64
389-console-1.1.18-2.el7dsrv.noarch
389-admin-1.1.46-1.el7dsrv.x86_64
389-ds-base-libs-1.3.6.1-9.el7.x86_64


[0 root@qeos-216 install]# ldapsearch -x -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: userRoot:dc=example,dc=com
nsBackendSuffix: NetscapeRoot:o=netscaperoot

[0 root@qeos-216 install]# ldapsearch -x -p 52044 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: userRoot:dc=example,dc=com

1. Created dirsrv instance with multiple suffixes -
[0 root@qeos-216 export]# ldapsearch -x -p 52044 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: userRoot:dc=example,dc=com
nsBackendSuffix: testdb:dc=test,dc=com
nsBackendSuffix: test1db:dc=test1,dc=com
nsBackendSuffix: test2db:dc=test2,dc=com

2. Removed userRoot db -
[0 root@qeos-216 export]# ldapdelete -rx -p 52044 -h localhost -D "cn=Directory Manager" -w Secret123 "cn=userRoot,cn=ldbm database,cn=plugins,cn=config"

[0 root@qeos-216 export]# ldapsearch -x -p 52044 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: testdb:dc=test,dc=com
nsBackendSuffix: test1db:dc=test1,dc=com
nsBackendSuffix: test2db:dc=test2,dc=com

3. Try removing the instance.
[0 root@qeos-216 export]# remove-ds.pl -f -a -i slapd-test
Instance slapd-test removed.

4. create another instance with multiple suffixes and delete userRoot and try register with admin server.

[0 root@qeos-216 export]# ldapsearch -x -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: userRoot:dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com
nsBackendSuffix: test1db:dc=test1,dc=com
nsBackendSuffix: test2db:dc=test2,dc=com
nsBackendSuffix: test3db:dc=test3,dc=com

[0 root@qeos-216 export]# ldapdelete -rx -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 "cn=userRoot,cn=ldbm database,cn=plugins,cn=config"

[0 root@qeos-216 export]# ldapsearch -x -p 1389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "" -s base + |grep -i nsBackendSuffix
nsBackendSuffix: test1db:dc=test1,dc=com
nsBackendSuffix: test2db:dc=test2,dc=com
nsBackendSuffix: test3db:dc=test3,dc=com

register-ds-admin.pl was succcessful.
remove-ds-admin.pl was successful


Small Observation for the error message -
https://bugzilla.redhat.com/show_bug.cgi?id=1257459#c9

Marking this bug as VERIFIED.
Comment 5 errata-xmlrpc 2017-08-01 21:12:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086
Note You need to log in before you can comment on or make changes to this bug.