Hide Forgot
Description of problem: We can break the nsds5replicaid attribute rules (it should be 1 to 65534 for masters) if we'll try to modify the existing replication entry. Version-Release number of selected component (if applicable): 389-ds-base-1.3.7.5-11.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. Install an instance 2. Add a replica entry: [root@qeos-19 upstream]# ldapmodify -a -h localhost -p 389 -D "cn=Directory manager" -w Secret123 << EOF > dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config > cn: replica > nsDS5Flags: 1 > nsDS5ReplicaBindDN: cn=sync user,cn=config > nsDS5ReplicaId: 65535 > nsDS5ReplicaRoot: dc=example,dc=com > nsDS5ReplicaType: 3 > objectClass: top > objectClass: nsDS5Replica > objectClass: extensibleobject > EOF adding new entry "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" AND another use case :: 1. Existing MMR 2. On M1 try :: [root@qeos-19 upstream]# ldapmodify -h localhost -p 39001 -D "cn=Directory manager" -w password << EOF > dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config > changetype: modify > replace: nsDS5ReplicaId > nsDS5ReplicaId: 65535 > EOF modifying entry "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" Actual results: Operation is Successful Expected results: It should fail with error message :: ldap_modify: Server is unwilling to perform (53) additional info: Attribute nsDS5ReplicaId value (wrong_id) is invalid, must be a number between 1 and 65535. Additional info:
It seems bug was introduced by 0025-Ticket-48393-Improve-replication-config-validation.patch ( https://pagure.io/389-ds-base/issue/48393 ) , fix for https://bugzilla.redhat.com/show_bug.cgi?id=1271208 I tested it on -6 and -7 to confirm :: ========================================= [root@qeos-8 upstream]# rpm -qa | grep 389 389-ds-base-libs-1.3.7.5-6.el7.x86_64 389-ds-base-1.3.7.5-6.el7.x86_64 389-ds-base-snmp-1.3.7.5-6.el7.x86_64 [root@qeos-8 upstream]# [root@qeos-8 upstream]# ldapmodify -a -h localhost -p 389 -D "cn=Directory manager" -w Secret123 << EOF > dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config > cn: replica > nsDS5Flags: 1 > nsDS5ReplicaBindDN: cn=sync user,cn=config > nsDS5ReplicaId: 65535 > nsDS5ReplicaRoot: dc=example,dc=com > nsDS5ReplicaType: 3 > objectClass: top > objectClass: nsDS5Replica > objectClass: extensibleobject > EOF adding new entry "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" ldap_add: Operations error (1) additional info: Attribute nsDS5ReplicaId must have a value greater than 0 and less than 65535: entry cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config =============================================================================== [root@qeos-25 upstream]# ldapmodify -a -h localhost -p 389 -D "cn=Directory manager" -w Secret123 << EOF > dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config > cn: replica > nsDS5Flags: 1 > nsDS5ReplicaBindDN: cn=sync user,cn=config > nsDS5ReplicaId: 65535 > nsDS5ReplicaRoot: dc=example,dc=com > nsDS5ReplicaType: 3 > objectClass: top > objectClass: nsDS5Replica > objectClass: extensibleobject > EOF adding new entry "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" [root@qeos-25 upstream]# rpm -qa | grep 389 389-ds-base-libs-1.3.7.5-7.el7.x86_64 389-ds-base-1.3.7.5-7.el7.x86_64 389-ds-base-snmp-1.3.7.5-7.el7.x86_64
Upstream ticket: https://pagure.io/389-ds-base/issue/49541
This works fine. [root@qeos-11 upstream]# ldapmodify -a -h localhost -p 389 -D "cn=Directory manager" -w Secret123 << EOF > dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config > cn: replica > nsDS5Flags: 1 > nsDS5ReplicaBindDN: cn=sync user,cn=config > nsDS5ReplicaId: 65535 > nsDS5ReplicaRoot: dc=example,dc=com > nsDS5ReplicaType: 3 > objectClass: top > objectClass: nsDS5Replica > objectClass: extensibleobject > EOF adding new entry "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" ldap_add: Operations error (1) additional info: Attribute nsDS5ReplicaId value (65535) is invalid, must be a number between 1 and 65534. But I can modify it like below [root@qeos-11 upstream]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123 << EOF > dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config > changetype: modify > replace: nsDS5ReplicaId > nsDS5ReplicaId: 65535 > EOF modifying entry "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" Is it as expected?
There is a still a bug that needs to be fixed
[root@qeos-34 upstream]# ldapmodify -h localhost -p 39001 -D "cn=Directory manager" -w password << EOF > dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config > changetype: modify > replace: nsDS5ReplicaId > nsDS5ReplicaId: 65535 > EOF modifying entry "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" ldap_modify: Server is unwilling to perform (53) additional info: Attribute nsDS5ReplicaId value (65535) is invalid, must be a number between 1 and 65534. [root@qeos-34 upstream]# ldapmodify -a -h localhost -p 389 -D "cn=Directory manager" -w Secret123 << EOF > dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config > cn: replica > nsDS5Flags: 1 > nsDS5ReplicaBindDN: cn=sync user,cn=config > nsDS5ReplicaId: 65535 > nsDS5ReplicaRoot: dc=example,dc=com > nsDS5ReplicaType: 3 > objectClass: top > objectClass: nsDS5Replica > objectClass: extensibleobject > EOF adding new entry "cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" ldap_add: Operations error (1) additional info: Attribute nsDS5ReplicaId value (65535) is invalid, must be a number between 1 and 65534. This is working fine with new build. Just one query out of curiosity in above two operations we have two different return codes - ldap_modify: Server is unwilling to perform (53) and ldap_add: Operations error (1) , Is it by design? Thanks.
Marking this bug as verified as originally reported issue is solve.
> > This is working fine with new build. Just one query out of curiosity in > above two operations we have two different return codes - ldap_modify: > Server is unwilling to perform (53) and ldap_add: Operations error (1) , Is > it by design? > Thanks. It is by design, while the error codes are different from this point of view, they are consistent in the replication code: Add validation uses one error code, while modify validation uses a different error code). We could make them the same, but that's not in the scope of this bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0811