Bug 1751123 - Cockpit : removing 'secure listen host' configuration value will make the instance fail to start
Summary: Cockpit : removing 'secure listen host' configuration value will make the ins...
Keywords:
Status: CLOSED DUPLICATE of bug 1751190
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: cockpit-389-ds
Version: 11.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-09-11 08:49 UTC by sgouvern
Modified: 2019-09-13 20:09 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-13 20:09:58 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description sgouvern 2019-09-11 08:49:07 UTC
Description of problem:

Security/security configuration tab :
enter a value in 'secure listen host' field
click 'Save configuration'
-> Ok, get message "Successfully updated security configuration. You must restart the server for these changes to take effect."

Then, without restarting the server, remove the previously entered value to get a blank field as it was previously, click 'save configuration'
"Error updating security configuration - Invalid syntax - nsslapd-securelistenhost: value #0 invalid per syntax"
 
Then the instance cannot be restarted any more : error :
Job for dirsrv failed because the control process exited with error code.
See "systemctl status dirsrv" and "journalctl -xe" for details.

journalctl exe output :
-- Unit dirsrv has begun starting up.
Sep 11 04:35:51 ci-vm-10-0-132-195.hosted.upshift.rdu2.redhat.com ns-slapd[15484]: [11/Sep/2019:04:35:51.557996640 -0400] - ERR - slapd_listenhost2addr - PR_GetAddrInfoByName(fdsgsh) failed - Netscape Portable Runtime error 0 (no error)
Sep 11 04:35:51 ci-vm-10-0-132-195.hosted.upshift.rdu2.redhat.com systemd[1]: dirsrv: Main process exited, code=exited, status=1/FAILURE
Sep 11 04:35:51 ci-vm-10-0-132-195.hosted.upshift.rdu2.redhat.com systemd[1]: dirsrv: Failed with result 'exit-code'.
Sep 11 04:35:51 ci-vm-10-0-132-195.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start 389 Directory Server inst2..
-- Subject: Unit dirsrv has failed

systemctl status dirsrv output :
 Process: 15484 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-inst2 -i /var/run/dirsrv/slapd-inst2.pid (code=exited, status=1/FAILURE)
  Process: 15479 ExecStartPre=/usr/libexec/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-inst2/dse.ldif (code=exited, status=0/SUCCESS)
 Main PID: 15484 (code=exited, status=1/FAILURE)

Sep 11 04:35:51 ci-vm-10-0-132-195.hosted.upshift.rdu2.redhat.com systemd[1]: Starting 389 Directory Server inst2....
Sep 11 04:35:51 ci-vm-10-0-132-195.hosted.upshift.rdu2.redhat.com ns-slapd[15484]: [11/Sep/2019:04:35:51.557996640 -0400] - ERR - slapd_listenhost2addr - PR_GetAddrInfoByName(fdsgsh) failed - Netscape Portable Runtime error 0 (no error)
Sep 11 04:35:51 ci-vm-10-0-132-195.hosted.upshift.rdu2.redhat.com systemd[1]: dirsrv: Main process exited, code=exited, status=1/FAILURE
Sep 11 04:35:51 ci-vm-10-0-132-195.hosted.upshift.rdu2.redhat.com systemd[1]: dirsrv: Failed with result 'exit-code'.
Sep 11 04:35:51 ci-vm-10-0-132-195.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start 389 Directory Server inst2..



Version-Release number of selected component (if applicable):
389-ds-base-1.4.1.8-1.module+el8dsrv+4209+f45880df.x86_64
cockpit-389-ds-1.4.1.8-1.module+el8dsrv+4209+f45880df.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 sgouvern 2019-09-12 09:05:53 UTC
Looking closer to the behavior, my points are :

- it is misleading to see the 'secure listen host' field empty by default in cockpit, and then not to be able to come back to this empty state if you entered a value in this field by mistake for example. I understand that the nsslapd-securelistenhost parameter cannot be empty. In case of an empty value entered, if the parameter was removed from dse.ldif, it would induce a more logical behavior for the user

- the same apply for 'Listen Host Address' in the server configuration settings

- a misleading factor around this 'secure listen host' field is the imprecision in the description : it should be 'secure listen host Address', first for a clearer interpretation, and second to be consistent with the 'Listen Host Address' field in the server configuration settings

- I noticed a discrepancy in the behaviors between 'secure listen host' and 'Listen Host Address' fields : if you perform the same steps for 'Listen Host Address' in the server configuration settings tab, you won't see any error "Invalid syntax - nsslapd-securelistenhost: value #0 invalid per syntax" when saving configuration. Instead, no message is displayed, and it's not clear weither the new configuration is taken into account or not. Both behaviors should be aligned

Comment 2 mreynolds 2019-09-13 20:09:58 UTC
This is being fully addressed in BZ#1751190

*** This bug has been marked as a duplicate of bug 1751190 ***


Note You need to log in before you can comment on or make changes to this bug.