1444938 – nsslapd-allowed-sasl-mechanisms doesn't reset to default values without a restart

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1444938 - nsslapd-allowed-sasl-mechanisms doesn't reset to default values without a restart

Summary: nsslapd-allowed-sasl-mechanisms doesn't reset to default values without a res...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	mreynolds
QA Contact:	Viktor Ashirov
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1448547 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-04-24 15:02 UTC by Simon Pichugin
Modified:	2020-09-13 21:59 UTC (History)
CC List:	5 users (show)
Fixed In Version:	389-ds-base-1.3.6.1-16.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 21:16:38 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 2290	0	None	closed	nsslapd-allowed-sasl-mechanisms doesn't reset to default values without a restart	2021-02-09 10:26:30 UTC
Red Hat Product Errata	RHBA-2017:2086	0	normal	SHIPPED_LIVE	389-ds-base bug fix and enhancement update	2017-08-01 18:37:38 UTC

Description Simon Pichugin 2017-04-24 15:02:40 UTC

Description of problem:
When we have some value in nsslapd-allowed-sasl-mechanisms attribute of cn=config and if we'll delete the attribute (which will set it to the default), it will be set to supportedSASLMechanisms: EXTERNAL only. Though after a restart we will see a full set of attributes.

Version-Release number of selected component (if applicable):
389-ds-base-1.3.6.1-9.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Check the supportedSASLMechanisms on a clean instance with a default nsslapd-allowed-sasl-mechanisms:
[root@qeos-236 tests]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

2. Set some particular SASL mechanism:
[root@qeos-236 tests]# ldapmodify -h localhost -p 389 -D "cn=directory manager" -w Secret123
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: DIGEST-MD5

modifying entry "cn=config"

3. Check the supportedSASLMechanisms:
[root@qeos-236 tests]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

4. Reset to default by deleting the attribute:
[root@qeos-236 tests]# ldapmodify -h localhost -p 389 -D "cn=directory manager" -w Secret123
dn: cn=config
changetype: modify
delete: nsslapd-allowed-sasl-mechanisms

modifying entry "cn=config"

5. Check the supportedSASLMechanisms once againg:
[root@qeos-236 tests]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL

6. Restart the instance:
[root@qeos-236 tests]# restart-dirsrv
Restarting instance "qeos-236"

7. Check the supportedSASLMechanisms:
[root@qeos-236 tests]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS


Actual results:
On a step 5, we see only supportedSASLMechanisms: EXTERNAL.

Expected results:
On a step 5, we should see a full set of supportedSASLMechanisms.

Additional info:
Issue is covered by TET.
sasl_allowed_mechanisms_8 in sasl test suite.

Comment 2 Simon Pichugin 2017-04-25 06:30:25 UTC

Upstream issue - https://pagure.io/389-ds-base/issue/49231

Comment 3 mreynolds 2017-04-27 15:30:20 UTC

Fixed upstream

Comment 5 Viktor Ashirov 2017-05-05 20:01:21 UTC

*** Bug 1448547 has been marked as a duplicate of this bug. ***

Comment 6 Viktor Ashirov 2017-05-05 22:04:00 UTC

Build tested:
389-ds-base-1.3.6.1-12.el7.x86_64

ldapsearch crashes the server:

$ ldapsearch -x -s base


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd058b700 (LWP 16923)]
0x00007ffff76d8fa8 in strcmpi_fast (src=0x5555555a8a21 "supportedSASLMechanisms", dst=0x1 <Address 0x1 out of bounds>)
    at ldap/servers/slapd/intrinsics.h:29
29                      if ( ((f = (unsigned char)(*(dst++))) >= 'A') && (f <= 'Z') )
Missing separate debuginfos, use: debuginfo-install sqlite-3.7.17-8.el7.x86_64
(gdb) 
(gdb) bt
#0  0x00007ffff76d8fa8 in strcmpi_fast (src=0x5555555a8a21 "supportedSASLMechanisms", dst=0x1 <Address 0x1 out of bounds>)
    at ldap/servers/slapd/intrinsics.h:29
#1  attrlist_find_or_create_locking_optional (alist=alist@entry=0x55555686a1f8, 
    type=type@entry=0x5555555a8a21 "supportedSASLMechanisms", a=a@entry=0x7fffd0585760, use_lock=use_lock@entry=1)
    at ldap/servers/slapd/attrlist.c:47
#2  0x00007ffff76d905a in attrlist_find_or_create (alist=alist@entry=0x55555686a1f8, 
    type=type@entry=0x5555555a8a21 "supportedSASLMechanisms", a=a@entry=0x7fffd0585760) at ldap/servers/slapd/attrlist.c:37
#3  0x00007ffff76d910d in attrlist_merge_valuearray (alist=alist@entry=0x55555686a1f8, 
    type=type@entry=0x5555555a8a21 "supportedSASLMechanisms", vals=0x55555686f250) at ldap/servers/slapd/attrlist.c:102
#4  0x00007ffff76d9180 in attrlist_merge (alist=alist@entry=0x55555686a1f8, type=type@entry=0x5555555a8a21 "supportedSASLMechanisms", 
    vals=vals@entry=0x7fffd0585810) at ldap/servers/slapd/attrlist.c:88
#5  0x000055555557d8b4 in read_root_dse (pb=0x7fffd058aa50, e=0x55555686a180, entryAfter=<optimized out>, returncode=0x7fffd058592c, 
    returntext=<optimized out>, arg=<optimized out>) at ldap/servers/slapd/rootdse.c:212
#6  0x00007ffff76e9369 in dse_call_callback (pb=pb@entry=0x7fffd058aa50, operation=operation@entry=4, flags=flags@entry=1, 
    entryBefore=entryBefore@entry=0x55555686a180, entryAfter=entryAfter@entry=0x0, returncode=returncode@entry=0x7fffd058592c, 
    returntext=returntext@entry=0x7fffd05859b0 "", pdse=<optimized out>) at ldap/servers/slapd/dse.c:2637
#7  0x00007ffff76eaf47 in dse_search (pb=0x7fffd058aa50) at ldap/servers/slapd/dse.c:1739
#8  0x00007ffff772460e in op_shared_search (pb=pb@entry=0x7fffd058aa50, send_result=send_result@entry=1)
    at ldap/servers/slapd/opshared.c:807
#9  0x00005555555815f3 in do_search (pb=pb@entry=0x7fffd058aa50) at ldap/servers/slapd/search.c:349
#10 0x00005555555707d4 in connection_dispatch_operation (pb=0x7fffd058aa50, op=0x555556236340, conn=0x5555568a7a00)
    at ldap/servers/slapd/connection.c:658
#11 connection_threadmain () at ldap/servers/slapd/connection.c:1772
#12 0x00007ffff5a959bb in _pt_root (arg=0x555555fd9440) at ../../../nspr/pr/src/pthreads/ptthread.c:216
#13 0x00007ffff5435e25 in start_thread (arg=0x7fffd058b700) at pthread_create.c:308
#14 0x00007ffff4d1734d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Comment 16 Simon Pichugin 2017-05-30 15:57:16 UTC

There is failure in the automated test suite. It is related to 389-ds-base-1.3.6.1-15.el7.x86_64 only. The test on master branch has passed.

[root@qeos-247 ds]# py.test -v dirsrvtests/tests/suites/sasl/allowed_mechs.py
========================= test session starts =========================
platform linux2 -- Python 2.7.5, pytest-3.1.0, py-1.4.33, pluggy-0.4.0 -- /usr/bin/python
cachedir: .cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-671.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.1.0', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.5.1', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-15.el7
nss: 3.28.4-8.el7
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-4.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds, inifile:
plugins: metadata-1.5.0, html-1.14.2, cov-2.5.1, beakerlib-0.7.1
collected 1 items

dirsrvtests/tests/suites/sasl/allowed_mechs.py::test_sasl_allowed_mechs FAILED

========================= FAILURES =========================
_________________________ test_sasl_allowed_mechs _________________________

topology_st = <lib389.topologies.TopologyMain object at 0x2c758d0>

    def test_sasl_allowed_mechs(topology_st):
        standalone = topology_st.standalone

        # Get the supported mechs. This should contain PLAIN, GSSAPI, EXTERNAL at least
        orig_mechs = standalone.rootdse.supported_sasl()
        print(orig_mechs)
        assert('GSSAPI' in orig_mechs)
>       assert('PLAIN' in orig_mechs)
E       AssertionError: assert 'PLAIN' in ['EXTERNAL', 'GSS-SPNEGO', 'GSSAPI', 'DIGEST-MD5', 'CRAM-MD5', 'ANONYMOUS']

dirsrvtests/tests/suites/sasl/allowed_mechs.py:24: AssertionError
------------------------- Captured stdout setup -------------------------
OK group dirsrv exists
OK user dirsrv exists
------------------------- Captured stdout call -------------------------
['EXTERNAL', 'GSS-SPNEGO', 'GSSAPI', 'DIGEST-MD5', 'CRAM-MD5', 'ANONYMOUS']
------------------------- Captured stdout teardown -------------------------
Instance slapd-standalone_1 removed.
========================= 1 failed in 4.19 seconds =========================

Though if we remove the lines 24, 31, 40 - 'assert('PLAIN' in mechs)' - the test case will pass. So the actual bugzilla subject is okay - "nsslapd-allowed-sasl-mechanisms doesn't reset to default values without a restart".

Comment 17 wibrown@redhat.com 2017-05-30 21:46:42 UTC

Does this test pass on git master? I think it should ....

Comment 18 mreynolds 2017-05-30 23:05:54 UTC

(In reply to wibrown from comment #17)
> Does this test pass on git master? I think it should ....

I believe it does, but it needs to pass on 1.3.6.

Comment 19 wibrown@redhat.com 2017-05-31 01:13:25 UTC

These patches should all be in 1.3.6 though. Do you want me took at this?

Comment 24 Simon Pichugin 2017-06-07 17:30:59 UTC

[root@qeos-99 ds]# py.test -v dirsrvtests/tests/suites/sasl/allowed_mechs.py
======================= test session starts =======================
platform linux2 -- Python 2.7.5, pytest-3.1.1, py-1.4.34, pluggy-0.4.0 -- /usr/bin/python
cachedir: .cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-675.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.34', 'pytest': '3.1.1', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.5.1', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-16.el7
nss: 3.28.4-8.el7
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-4.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds, inifile:
plugins: metadata-1.5.0, html-1.14.2, cov-2.5.1, beakerlib-0.7.1
collected 1 items

dirsrvtests/tests/suites/sasl/allowed_mechs.py::test_sasl_allowed_mechs PASSED

======================= 1 passed in 4.20 seconds =======================

Marking as verified.

Comment 25 errata-xmlrpc 2017-08-01 21:16:38 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086

Note You need to log in before you can comment on or make changes to this bug.