Description of problem: Create instance dialog allows non-valid input. Instance name: only alpha numeric ASCII and _- symbols should be allowed. Currently it allows non-ascii input. The length on the instance name should also be limited, see bz1748227. Port and secure port: only positive integer numbers in range 1-65535 should be allowed. Currently it allows negative numbers. Directory Manager DN: currently allows non-ASCII input, instance creation fails, in the access logs: [03/Sep/2019:08:49:43.851483240 -0400] conn=1 op=0 BIND dn="cn=ДМ" method=128 version=3 [03/Sep/2019:08:49:43.851551482 -0400] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0000180413 - No suffix for bind dn found Create Sample Entries should be only enabled when backend name and suffix are specified. If checked, it doesn't do any harm, but it's not useful either. Version-Release number of selected component (if applicable): cockpit-389-ds-1.4.1.6-2.module+el8dsrv+3912+aa2ce078.noarch 389-ds-base-1.4.1.6-2.module+el8dsrv+3912+aa2ce078.x86_64 How reproducible: always Steps to Reproduce: 1. Open a dialog to create a new instance. 2. Try input from above 3. Actual results: Input is not validated and passed down to dscreate, which fails to create an instance. Expected results: We should pass down only correct input, validation should occur once the user enters the data. Additional info:
With 389-ds-base-1.4.1.7-1.module+el8dsrv+4200+233a821d I can't create an instance with capital letters :/ I think this should be allowed.
> if (new_server_id.match(/^[#%:-A-Za-z0-9_]+$/g)) { With this regex I'm allowed to have an instance with A and/or Z but not any other capital letters. I think '-' should be moved to the end, after '_'.
Builds tested: 389-ds-base-1.4.1.9-1.module+el8dsrv+4243+ba0eb3c6.x86_64 cockpit-389-ds-1.4.1.9-1.module+el8dsrv+4243+ba0eb3c6.noarch [1.1] Using instance name TestSLAPD_%#ls I get: Error: '%' must be followed by '%' or '(', found: '%#ls' [1.2] Without percent (TestSLAPD_#ls) instance creation starts, but then fails: Sep 27 09:11:31 ldap.example.com ds_systemd_ask_password_acl[11381]: grep: /etc/dirsrv/slapd-TestSLAPD_\x23ls/dse.ldif: No such file or directory Sep 27 09:11:31 ldap.example.com ns-slapd[11386]: [27/Sep/2019:09:11:31.192575759 -0400] - INFO - dse_check_file - The config /etc/dirsrv/slapd-TestSLAPD_\x23ls/dse.ldif can not be accessed. Attempting restore ... (reason: 0) Sep 27 09:11:31 ldap.example.com ns-slapd[11386]: [27/Sep/2019:09:11:31.192715137 -0400] - INFO - dse_check_file - The backup /etc/dirsrv/slapd-TestSLAPD_\x23ls/dse.ldif.bak can not be accessed. Check it exists and permissions. Sep 27 09:11:31 ldap.example.com ns-slapd[11386]: [27/Sep/2019:09:11:31.192719228 -0400] - ERR - slapd_bootstrap_config - No valid configurations can be accessed! You must restore /etc/dirsrv/slapd-TestSLAPD_\x23ls/dse.ldif from backup! Sep 27 09:11:31 ldap.example.com ns-slapd[11386]: [27/Sep/2019:09:11:31.192722633 -0400] - EMERG - main - The configuration files in directory /etc/dirsrv/slapd-TestSLAPD_\x23ls could not be read or were not found. Please refer to the error log or output for more information. Sep 27 09:11:31 ldap.example.com systemd[1]: dirsrv@TestSLAPD_\x23ls.service: Main process exited, code=exited, status=1/FAILURE Sep 27 09:11:31 ldap.example.com systemd[1]: dirsrv@TestSLAPD_\x23ls.service: Failed with result 'exit-code'. Sep 27 09:11:31 ldap.example.com systemd[1]: Failed to start 389 Directory Server TestSLAPD_\x23ls.. [2] When I'm trying port number -1, I get: Error: Port must be a number between 1 and 65534! Although it accepts 65535 (as it should). [3] non-ASCII input is accepted for Directory Manager DN, it fails as described in comment #0. Marking as ASSIGNED.
Build tested: cockpit-389-ds-1.4.2.12-1.module+el8dsrv+6328+f04d7471.noarch [1.1] Using instance name TestSLAPD_%#ls I get an error saying instance creation failed, but no details why. [1.2] Same issue as in comment #4. [2] I have error message 'Error: Port must be a number between 1 and 65534!' But the field allows to set from 0 to 65535: <input min="0" max="65535" type="number" id="nsslapd-port" class="form-control" value="389"> [3] Same issue as in comment #0 Marking as ASSIGNED.
So we always allowed: %# in instance names, but systemd will reject instances that contain these characters without special escaping. I think we should just simply not allow instance names with these characters. This only impacts new instances, and since we never documented what are valid/invalid characters I feel it's okay to reject them now. Any complaints or comments from anyone?
I agree with your proposal alphanum plus a set of characters like: +=-_@!:<>
*** Bug 1751132 has been marked as a duplicate of this bug. ***
Build tested: cockpit-389-ds-1.4.2.12-3.module+el8dsrv+6923+6ab1d5c5.noarch [1.1] Using instance name TestSLAPD_%#ls I get an error saying instance creation failed, but no details why. [1.2] I get an error saying instance creation failed, but no details why. [2] I have error message 'Error: Port must be a number between 1 and 65534!' But the field allows to set from 0 to 65535: <input min="0" max="65535" type="number" id="nsslapd-port" class="form-control" value="389"> [3] Non-ASCII input is accepted, but the instance creation fails and it doesn't leave the remainings of partially installed instance. Because of [2] marking as ASSIGNED.
The change needs to be included into the new build. https://pagure.io/389-ds-base/issue/51086
With build 389-ds-base-1.4.3.11-1.module+el8dsrv+7557+bc264682.x86_64 cockpit-389-ds-1.4.3.11-1.module+el8dsrv+7557+bc264682.noarch [1.1 & 1.2] non allowed characters in instance name are now rejected and a helpful error messgae is displayed : Instance name can only contain letters, numbers, and these 4 characters: - @ : _ [1.3] The length on the instance name is limited, but the error message appears only after clicking on 'create instance', not immediately when entering characters, as it is the case for unsupported characters ('server identifier should not be longer than 80 symbols') For consistency and to improve the user experience, the GUI should prevent to file other fields and go to the end of the form if all is not correct in the instance name. [2] The error message is still 'invalid (Secure) Port number. Port must be between 1 and 65534' when the maximum allowed port number is 65535 In addition, the up/down arrow on the right should not go down under 1 (it goes to 0, even if 0 is not allowed) [3] some cases of non-ASCII input are still accepted for Directory Manager DN : for example : cn=Д(qdFDFL) It seems that the '(' just after the non authorized character disables the checking, and let the DN be created, even if the instance is not usable after creation : [16/Sep/2020:08:43:26.300623191 -0400] conn=1 op=0 BIND dn="cn=Д(qdFDFL)" method=128 version=3 [16/Sep/2020:08:43:26.300714199 -0400] conn=1 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.001112650 optime=0.000118982 etime=0.001229489 - No suffix for bind dn found Because of [1.3], [2] and [3], marking as ASSIGNED
Fixed upstream: https://github.com/389ds/389-ds-base/issues/4342
with build 389-ds-base-1.4.3.13-1.module+el8dsrv+8334+69a46a2e.x86_64 / cockpit-389-ds-1.4.3.13-1.module+el8dsrv+8334+69a46a2e.noarch The previously remaining failing items ([1.3], [2] and [3] in comment 21) are now fixed : [1.3] A warning now appears as soon as 80 characters are reached in the instance name field [2] Warning regarding port number range has been updated to "The port must be between 1 and 65535" [3] The directory manager DN does not accept any non-Ascii characters, whatever their position is -> marking as verified
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat Directory Server bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4911