Description of problem:
After making an upgrade of CentOS Stream 8 where 389-ds-base was also upgraded, dirsrv fails to start with the error
"symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init"
Version-Release number of selected component (if applicable):
389-ds-base-126.96.36.199-10.module_el8.5.0+946+51aba098.x86_64 : 389 Directory Server (base)
Repo : appstream
Other : *ns-slapd
Server with only the software necessary to run IPA Server. Made an upgrade to the last dirsrv version in Stream 8.
[14/Nov/2021:10:22:51.400480566 +0000] - ERR - symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init
[14/Nov/2021:10:22:51.402226687 +0000] - ERR - symload_report_error - Could not load symbol "gost_yescrypt_pwd_storage_scheme_init" from "libpwdstorage-plugin" for plugin GOST_YESCRYPT
[14/Nov/2021:10:22:51.402838695 +0000] - ERR - slapd_bootstrap_config - The plugin entry [cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-INFO-XXXXXX-PT/dse.ldif was invalid. Failed to load plugin's init function.
[14/Nov/2021:10:22:51.403429402 +0000] - EMERG - main - The configuration files in directory /etc/dirsrv/slapd-INFO-XXXXXX-PT could not be read or were not found. Please refer to the error log or output for more information.
GOST_YESCRYPT is not supported in RHEL anymore. It looks like 389-ds lacks removal of the configuration when a plugin gets disabled.
You can disable it manually with
# dsconf INFO-XXXXXX-PT plugin set GOST_YESCRYPT --enabled off
Unfortunately this did not work. The configuration was rolled back Sunday morning, now I tried upgrading, prior to the update I ran the command (successful) however after the update the issue persists. Removing the relevant section from the dse.ldif file 'solves' the issue, but it 'feels' wrong.
My understanding is that early CentOS 8.5 builds (188.8.131.52-2 and 184.108.40.206-7) contained invalid GOST_YESCRYPT password storage support. This support was completely removed in 220.127.116.11-10 (https://git.centos.org/rpms/389-ds-base/c/0381070f4db756c9771576582981e332aab5d141?branch=c8s-stream-1.4) with removal of config GOST plugin entry and GOST init plugin callback gost_yescrypt_pwd_storage_scheme_init.
So if an instance was created with early 8.5 builds, a plugin entry (dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config) was created. Then the upgrade removed the init callback and startup fails.
A quick relief is by editing dse.ldif and removing cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config.
A fix is to remove that entry during upgrade.
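The manual workaround described in this comment, as an added example (not code from the 389-ds project or from this bug report): a Python filter that drops the cn=GOST_YESCRYPT entry from dse.ldif text and unfolds LDIF continuation lines so a wrapped DN still matches. The function names and the sample LDIF are constructed for illustration.

```python
import re

GOST_DN = "cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config"

# Constructed sample, not a real dse.ldif: the DN is folded and the plugin is disabled.
SAMPLE = """\
dn: cn=config
objectClass: top
nsslapd-port: 389

dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plu
 gins,cn=config
objectClass: nsSlapdPlugin
cn: GOST_YESCRYPT
nsslapd-pluginPath: libpwdstorage-plugin
nsslapd-pluginInitfunc: gost_yescrypt_pwd_storage_scheme_init
nsslapd-pluginEnabled: off

dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
cn: PBKDF2_SHA256
"""


def _norm_dn(dn):
    """Lower-case a DN and drop spaces around the RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _entry_dn(entry):
    """Return the DN of one LDIF entry, unfolding continuation lines first."""
    unfolded = re.sub(r"\n ", "", entry)  # a folded line continues with one space
    m = re.search(r"^dn:[ \t]*(.*)$", unfolded, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def remove_entry(ldif_text, dn=GOST_DN):
    """Return (new_text, removed_count) with every entry named `dn` dropped."""
    entries = re.split(r"\n{2,}", ldif_text.strip("\n"))  # blank line ends an entry
    kept = [e for e in entries if _norm_dn(_entry_dn(e) or "") != _norm_dn(dn)]
    return "\n\n".join(kept) + "\n", len(entries) - len(kept)


if __name__ == "__main__":
    cleaned, n = remove_entry(SAMPLE)
    print(f"removed {n} entry(ies)")
    print(cleaned)
```

Apply it to a backup copy of dse.ldif while the instance is stopped, since the server rewrites that file itself. Base64-encoded DNs (`dn::`) are not decoded and are left untouched.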
(In reply to Arjen Heidinga from comment #2)
> Unfortunately this did not work. The configuration was rolled back
> Sunday morning, now I tried upgrading, prior to the update I ran the command
> (successful) however after the update the issue persists. Removing the
> relevant section from the dse.ldif file 'solves' the issue, but it 'feels'
Indeed, even if a plugin is disabled, the server first tries to load its init function. If it fails to load it, plugin setup fails and the server cannot start.
I removed the GOST_YESCRYPT plugin lines from dse.ldif and the problem was solved. IPA is back again. I think that future upgrades should remove these lines from dse.ldif file.
Bug confirmed on CentOS Stream release 8
Workaround confirmed as working also :)
Fix pushed upstream => POST
Fixed in 389-ds-base-18.104.22.168-3.module+el8.7.0+15600+347cafc6 => MODIFIED