Description of problem:

A replicated operation failed due to LDAP error 50 (LDAP_INSUFFICIENT_ACCESS). With the error log level 262144 (Access control summary information), the following message is logged:

==================================================================
[18/Feb/2021:17:56:22.531733035 +0100] - DEBUG - NSACLPlugin - print_access_control_summary - conn=594722 op=22 (main): Deny write on entry(companyid=123456789,cn=app,dc=example,dc=com).attr(companyID) to cn=replication manager,cn=config: no aci matched the subject by aci(174): aciname= "Admin ACI", acidn="dc=example,dc=com"
==================================================================

RHDS documentation states that the Replication Manager is not subject to ACIs when performing operations on the replicated suffixes:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_replication#Replication_Overview-Replication_Identity

==================================================================
This entry, with its special user profile, bypasses all access control rules defined on the consumer server for the database involved in that replication agreement.
==================================================================

Version-Release number of selected component (if applicable):

$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)
$
$ grep 389-ds-base installed-rpms
389-ds-base-1.4.2.12-3.el8_2.bz1890118_1.x86_64        Mon Nov 16 08:58:23 2020
389-ds-base-libs-1.4.2.12-3.el8_2.bz1890118_1.x86_64   Mon Nov 16 08:58:23 2020
$

How reproducible:
Customer reported the issue.

Steps to Reproduce:
N/A

Actual results:
A replicated operation is being rejected.

Expected results:
The replicated operation should be processed.

Additional info:
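One way to triage this condition from the errors log, as an added example that is not part of the bug report and not code from 389-ds: parse the NSACLPlugin access-control-summary lines written at error log level 262144 and flag every line in which the replica bind DN appears as the subject of an ACL decision on an entry under a replicated suffix. Per the documentation quoted above that identity should never be evaluated against ACIs for the replicated database, so an "Allow" is already an anomaly and a "Deny" is the one that breaks replication. The log lines below are constructed in the shape of the message shown in the report; the bind DN and suffix are parameters, and the DN normalisation is a deliberate simplification (lower-case, trimmed RDNs) rather than full RFC 4514 matching.

```python
import re

# Constructed sample lines in the shape of the 389-ds errors log at
# nsslapd-errorlog-level 262144 (access control summary); not taken from a real server.
# Line 1 mirrors the report: the replication manager is denied a write on the
# replicated suffix. Lines 2 and 3 are ordinary user decisions that must not be flagged.
SAMPLE_LOG = """\
[18/Feb/2021:17:56:22.531733035 +0100] - DEBUG - NSACLPlugin - print_access_control_summary - conn=594722 op=22 (main): Deny write on entry(companyid=123456789,cn=app,dc=example,dc=com).attr(companyID) to cn=replication manager,cn=config: no aci matched the subject by aci(174): aciname= "Admin ACI", acidn="dc=example,dc=com"
[18/Feb/2021:17:56:23.100000000 +0100] - DEBUG - NSACLPlugin - print_access_control_summary - conn=594800 op=3 (main): Allow read on entry(uid=alice,ou=people,dc=example,dc=com).attr(mail) to uid=bob,ou=people,dc=example,dc=com: allowed by aci(12): aciname= "Anonymous read", acidn="dc=example,dc=com"
[18/Feb/2021:17:56:24.000000000 +0100] - DEBUG - NSACLPlugin - print_access_control_summary - conn=594801 op=5 (main): Deny write on entry(uid=alice,ou=people,dc=example,dc=com).attr(userPassword) to uid=bob,ou=people,dc=example,dc=com: no aci matched the subject by aci(12): aciname= "Anonymous read", acidn="dc=example,dc=com"
"""

# Matches the summary line layout shown in the report. The entry DN is matched
# non-greedily up to the ").attr(...)" or ") to " that follows it; the subject DN
# ends at the first ": " (DNs in this log do not contain that sequence).
ACL_SUMMARY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - DEBUG - NSACLPlugin - print_access_control_summary - "
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) \((?P<phase>\w+)\): "
    r"(?P<decision>Allow|Deny) (?P<right>\w+) on entry\((?P<entry>.+?)\)"
    r"(?:\.attr\((?P<attr>[^)]*)\))? to (?P<subject>.+?): (?P<reason>.+)$"
)
ACI_INDEX = re.compile(r"\baci\((\d+)\)")


def normalize_dn(dn):
    """Simplified DN normalisation: lower-case, whitespace trimmed around each RDN.
    Not a full RFC 4514 comparison; sufficient for bind DNs written by hand."""
    return ",".join(rdn.strip() for rdn in dn.lower().split(","))


def is_under_suffix(entry_dn, suffix_dn):
    e, s = normalize_dn(entry_dn), normalize_dn(suffix_dn)
    return e == s or e.endswith("," + s)


def parse_acl_summary(line):
    """Return the fields of one access-control-summary line, or None if it is
    some other errors-log line."""
    m = ACL_SUMMARY.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    aci = ACI_INDEX.search(rec["reason"])
    rec["aci"] = aci.group(1) if aci else None
    return rec


def find_replica_acl_decisions(log_text, replica_bind_dn, replicated_suffixes):
    """Every ACL decision whose subject is the replica bind DN on an entry in a
    replicated suffix. Any hit means the identity is being evaluated against ACIs;
    hits with decision == "Deny" are the ones that reject replicated operations."""
    bind = normalize_dn(replica_bind_dn)
    hits = []
    for line in log_text.splitlines():
        rec = parse_acl_summary(line)
        if rec is None or normalize_dn(rec["subject"]) != bind:
            continue
        if any(is_under_suffix(rec["entry"], s) for s in replicated_suffixes):
            hits.append(rec)
    return hits


def replica_denials(log_text, replica_bind_dn, replicated_suffixes):
    return [r for r in find_replica_acl_decisions(log_text, replica_bind_dn, replicated_suffixes)
            if r["decision"] == "Deny"]


if __name__ == "__main__":
    # Assumed values: the default replication manager DN and one replicated suffix.
    for r in replica_denials(SAMPLE_LOG, "cn=replication manager,cn=config", ["dc=example,dc=com"]):
        print(f"conn={r['conn']} op={r['op']} {r['decision']} {r['right']} on {r['entry']} "
              f"attr={r['attr']} blocked by aci({r['aci']}): {r['reason']}")
```

Run it against a copy of the errors log (collected with the 262144 level enabled only for the duration of the reproduction, since that level is verbose) and with the bind DN taken from the replica's nsDS5ReplicaBindDN; a non-empty result confirms the ACL bypass is not being applied to the replication identity, which is what this report is about.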
Created attachment 1779379 [details]
proposed patch version 1

Note the patch still includes the previous debug patch to get a clear error log message if the bug is not fixed and we still hit it.
Hi,

A customer had a recent crash with 389-ds-base-1.4.3.13-1.el8.bz1931820_2.x86_64 that was delivered as part of this bz.

The stack frame is as follows:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  csn_get_replicaid (csn=csn@entry=0x0) at ldap/servers/slapd/csn.c:167
167         return csn->rid;
[Current thread is 1 (Thread 0x7fed749fe700 (LWP 3772))]
(gdb) where
#0  0x00007fedaacb7f24 in csn_get_replicaid (csn=csn@entry=0x0) at ldap/servers/slapd/csn.c:167
#1  0x00007fed9d10aded in ruv_cancel_csn_inprogress (repl=repl@entry=0x7fed996aea40, ruv=0x7fed99769720, csn=csn@entry=0x0, local_rid=local_rid@entry=12) at ldap/servers/plugins/replication/repl5_ruv.c:1594
#2  0x00007fed9d0f4a6a in cancel_opcsn (pb=pb@entry=0x7fed6e57e000) at ldap/servers/plugins/replication/repl5_plugins.c:1326
#3  0x00007fed9d0f55a8 in write_changelog_and_ruv (pb=pb@entry=0x7fed6e57e000) at ldap/servers/plugins/replication/repl5_plugins.c:983
#4  0x00007fed9d0f67a2 in multimaster_be_betxnpostop_add (pb=pb@entry=0x7fed6e57e000) at ldap/servers/plugins/replication/repl5_plugins.c:851
#5  0x00007fed9d0f6850 in multimaster_mmr_postop (pb=0x7fed6e57e000, flags=560) at ldap/servers/plugins/replication/repl5_plugins.c:612
#6  0x00007fedaad1223d in plugin_call_mmr_plugin_postop (pb=pb@entry=0x7fed6e57e000, e=e@entry=0x0, flags=flags@entry=560) at ldap/servers/slapd/plugin_mmr.c:65
#7  0x00007fed9d9c1e71 in ldbm_back_add (pb=0x7fed6e57e000) at ldap/servers/slapd/back-ldbm/ldbm_add.c:1335
#8  0x00007fedaacaab98 in op_shared_add (pb=pb@entry=0x7fed6e57e000) at ldap/servers/slapd/add.c:692
#9  0x00007fedaacabc37 in do_add (pb=pb@entry=0x7fed6e57e000) at ldap/servers/slapd/add.c:236
#10 0x000055e8e8a4bfa1 in connection_dispatch_operation (pb=0x7fed6e57e000, op=<optimized out>, conn=<optimized out>) at ldap/servers/slapd/connection.c:609
#11 0x000055e8e8a4bfa1 in connection_threadmain () at ldap/servers/slapd/connection.c:1759
#12 0x00007feda86435a8 in _pt_root (arg=0x7fed996b0ac0) at ../../.././nspr/pr/src/pthreads/ptthread.c:201
#13 0x00007feda7fde14a in start_thread (arg=<optimized out>) at pthread_create.c:479
#14 0x00007feda776ddc3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb)

This is obviously caused by dereferencing a NULL pointer (csn->rid where csn is NULL).

I wonder if this crash can be due to the fact that the customer does NOT have the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1970259 (comment #33 of current bz).
Build Tested: 389-ds-base-1.4.3.27-2.module+el8dsrv+12690+c6df6d1b.x86_64

============================================================================ test session starts =================================================================
platform linux -- Python 3.6.8, pytest-6.2.5, py-1.10.0, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-343.el8.x86_64-x86_64-with-redhat-8.5-Ootpa', 'Packages': {'pytest': '6.2.5', 'py': '1.10.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'ignore-flaky': '2.0.0'}}
389-ds-base: 1.4.3.27-2.module+el8dsrv+12690+c6df6d1b
nss: 3.67.0-6.el8_4
nspr: 4.32.0-1.el8_4
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /workspace/ds/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, ignore-flaky-2.0.0
collected 1 item

dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_access_from_certain_network_only_ip PASSED [100%]

============================================================================ 1 passed in 12.43s ==================================================================

Marking as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Low: redhat-ds:11 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3955