From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Description of problem:
The setup-ds-admin.pl script (or, to be more precise, /usr/lib64/dirsrv/cgi-bin/config, which is called by /usr/lib64/dirsrv/perl/AdminServer.pm) does not correctly set up the IP address of the administration server if this address is different from the LDAP server address. It should set the attribute nsServerAddress of the entry cn=configuration, cn=admin-serv-<short hostname>, cn=Fedora Administration Server, cn=Server Group, cn=<full hostname>, ou=<admin domain>, o=NetscapeRoot. However, it leaves this attribute clear. In turn, in this case the FDS Java console on a distant workstation cannot correctly determine the address of the admin server and tries to connect to the IP address of the slapd (without success if the firewall is correctly configured).

Other than that, logically, the /etc/dirsrv/admin-serv/console.conf file should contain the directive "Listen <admin-server-ip>:<admin-server-port>" instead of "Listen 0.0.0.0:<admin-server-port>". But this is not a critical point; it does not prevent the distant console from functioning.

Version-Release number of selected component (if applicable):
fedora-ds-admin-1.1.1-1.fc6 and fedora-ds-base-1.1.0-3.fc6

How reproducible:
Always

Steps to Reproduce:
1. For example, the physical server has two IPs: 192.168.69.50 (ldap-model.polytechnique.fr) for slapd and 192.168.69.51 (ldap-model-admin.polytechnique.fr) for the admin server.
Let us take this setup.inf:

[General]
AdminDomain = polytechnique.fr
SuiteSpotGroup = ldap
ConfigDirectoryLdapURL = ldap://ldap-model.polytechnique.fr:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
SuiteSpotUserID = ldap
ConfigDirectoryAdminPwd = totoshka
FullMachineName = ldap-model.polytechnique.fr

[admin]
ServerAdminID = admin
ServerAdminPwd = totoshka
SysUser = ldap
ServerIpAddress = 192.168.69.51
Port = 10166

[slapd]
InstallLdifFile = none
ServerIdentifier = dmz
ServerPort = 389
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = totoshka
SlapdConfigForMC = yes
Suffix = dc=polytechnique,dc=fr
UseExistingMC = 0
AddSampleEntries = No

2. setup-ds-admin.pl -f /setup.inf
3. ldapsearch -x -W -D "cn=Directory Manager" -b "o=NetscapeRoot" nsServerPort=10166

Actual Results:
The line in console.conf:
Listen 0.0.0.0:10166

The results of ldapsearch:
dn: cn=configuration, cn=admin-serv-ldap-model, cn=Fedora Administration Server, cn=Server Group, cn=ldap-model.polytechnique.fr, ou=polytechnique.fr, o=NetscapeRoot
nsServerPort: 10166
objectClass: nsConfig
objectClass: nsAdminConfig
objectClass: nsAdminObject
objectClass: nsDirectoryInfo
objectClass: top
nsClassname: com.netscape.management.admserv.AdminServer.jar@cn=admin-serv-ldap-model, cn=Fedora Administration Server, cn=Server Group, cn=ldap-model.polytechnique.fr, ou=polytechnique.fr, o=NetscapeRoot
cn: Configuration
nsDirectoryInfoRef: cn=Server Group, cn=ldap-model.polytechnique.fr, ou=polytechnique.fr, o=NetscapeRoot
nsAdminAccessAddresses: *
nsSuiteSpotUser: ldap
nsAdminEnableDSGW: on
nsAdminAccessHosts: *.polytechnique.fr
nsAdminCacheLifetime: 600
nsDefaultAcceptLanguage: en
nsServerAddress:
nsAdminOneACLDir: adminacl
nsErrorLog: /var/log/dirsrv/admin-serv/error
nsAdminUsers: /etc/dirsrv/admin-serv/admpw
nsPidLog: admin-serv.pid
nsAccessLog: /var/log/dirsrv/admin-serv/access
nsAdminEnableEnduser: on

Expected Results:
The same, but the line in console.conf should be:
Listen 192.168.69.51:10166

The ldapsearch results should be:
nsServerAddress: 192.168.69.51

Additional info:
The setup script with the same sort of IP redistribution worked fine in FDS 1.0.4. I tried to compile from the sources; the result is the same. I don't know whether the x86_64 architecture is important.
Tested on CentOS 5.1 x86_64 with all the latest updates.
Created attachment 330174 [details]
Adminserver diffs

There were numerous issues contributing to this problem.

The first issue is that an error was being returned by the config CGI when attempting to set the IP address in console.conf, but the AdminServer.pm code was not detecting this error. This caused the install to not error out reporting that there was a problem with the IP address.

The second issue is that the validation of the IP address in the config CGI was too strict. To validate the IP address, we were getting the hostname of the system, doing a reverse lookup to get the addresses associated with that hostname, then checking if any of those addresses matched the one from the .inf file. If the requested address is assigned to a different hostname, this validation will fail. The fix is to simply try to bind the address to a socket to see if the address is valid. We don't need to care what hostname it is associated with; we just need to know that the address is assigned to the system.

The third issue is that the template file for the "o=NetscapeRoot" entry was missing a replace macro for the "nsServerAddress" attribute. The fix just adds the macro and maps it to the ServerIpAddress .inf directive.
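The bind-based validation described in the second point, as an added stand-alone illustration (not the adminserver config.c code): a hypothetical helper address_is_local() accepts only a numeric address literal (no DNS or reverse lookup), binds it on an ephemeral port, and reports whether the kernel accepts it. It also shows why the later "0.0.0.0" default passes: the wildcard address always binds.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>

/* Return 1 if 'ip' is a numeric address assigned to this host, 0 otherwise.
 * Hypothetical helper written for this illustration, not adminserver code. */
int address_is_local(const char *ip)
{
    struct addrinfo hints, *res = NULL;
    int sock, rc = 0;

    if (ip == NULL || *ip == '\0')
        return 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;        /* IPv4 or IPv6 literal */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;    /* literal only: no DNS, no reverse lookup */

    /* service "0" -> port 0: the kernel picks a free ephemeral port, so the
     * check never fails merely because the real admin port is in use. */
    if (getaddrinfo(ip, "0", &hints, &res) != 0 || res == NULL)
        return 0;                       /* not a well-formed address literal */

    sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (sock >= 0) {
        /* bind() fails (EADDRNOTAVAIL) when the address is not configured on
         * any interface; the wildcard 0.0.0.0 always binds. */
        rc = (bind(sock, res->ai_addr, res->ai_addrlen) == 0);
        close(sock);
    }
    freeaddrinfo(res);
    return rc;
}

int main(void)
{
    /* Constructed candidates: wildcard, loopback, a TEST-NET-3 address that
     * no host should own, and a non-address string. */
    const char *candidates[] = { "0.0.0.0", "127.0.0.1", "203.0.113.7", "not-an-ip" };
    size_t i;
    for (i = 0; i < sizeof(candidates) / sizeof(candidates[0]); i++)
        printf("%-12s -> %s\n", candidates[i],
               address_is_local(candidates[i]) ? "bindable" : "rejected");
    return 0;
}
```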
Checked into adminserver (HEAD). Thanks to Noriko for her review!

Checking in admserv/cgi-src40/config.c;
/cvs/dirsec/adminserver/admserv/cgi-src40/config.c,v <-- config.c
new revision: 1.17; previous revision: 1.16
done
Checking in admserv/newinst/src/AdminServer.pm.in;
/cvs/dirsec/adminserver/admserv/newinst/src/AdminServer.pm.in,v <-- AdminServer.pm.in
new revision: 1.15; previous revision: 1.14
done
Checking in admserv/newinst/src/adminserver.map.in;
/cvs/dirsec/adminserver/admserv/newinst/src/adminserver.map.in,v <-- adminserver.map.in
new revision: 1.11; previous revision: 1.10
done
Checking in admserv/schema/ldif/20asdata.ldif.tmpl;
/cvs/dirsec/adminserver/admserv/schema/ldif/20asdata.ldif.tmpl,v <-- 20asdata.ldif.tmpl
new revision: 1.7; previous revision: 1.6
done
*** Bug 432070 has been marked as a duplicate of this bug. ***
Created attachment 330399 [details]
Additional diffs

It turns out that my previous fix broke a regular interactive setup. When performing a typical interactive setup, you are not prompted for the adminserver IP address. This was causing the value to be undefined in the inf, which would make setup error out. The fix is to set a default answer of "0.0.0.0" if the adminserver IP is not specified via inf already.
Created attachment 330404 [details]
console patches
Created attachment 330405 [details]
cvs commit log - console

Reviewed by: nkinder (Thanks!)
Fix Description: If the admin server advertises its IP address in its cn=config nsServerAddress, the console will attempt to use the address instead of the hostname (which will break https, btw). If the address is set to 0.0.0.0, clients cannot use this, so they must fall back on the hostname.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Checked in changes from comment#7 to adminserver (HEAD). Thanks to Noriko for her review!

Checking in Makefile.am;
/cvs/dirsec/adminserver/Makefile.am,v <-- Makefile.am
new revision: 1.43; previous revision: 1.42
done
Checking in Makefile.in;
/cvs/dirsec/adminserver/Makefile.in,v <-- Makefile.in
new revision: 1.51; previous revision: 1.50
done
Checking in aclocal.m4;
/cvs/dirsec/adminserver/aclocal.m4,v <-- aclocal.m4
new revision: 1.44; previous revision: 1.43
done
Checking in configure;
/cvs/dirsec/adminserver/configure,v <-- configure
new revision: 1.48; previous revision: 1.47
done
Checking in configure.ac;
/cvs/dirsec/adminserver/configure.ac,v <-- configure.ac
new revision: 1.29; previous revision: 1.28
done
Checking in admserv/cfgstuff/console.conf.in;
/cvs/dirsec/adminserver/admserv/cfgstuff/console.conf.in,v <-- console.conf.in
new revision: 1.4; previous revision: 1.3
done
Checking in admserv/newinst/src/ASDialogs.pm.in;
/cvs/dirsec/adminserver/admserv/newinst/src/ASDialogs.pm.in,v <-- ASDialogs.pm.in
new revision: 1.7; previous revision: 1.6
done
Checking in mod_admserv/Makefile.in;
/cvs/dirsec/mod_admserv/Makefile.in,v <-- Makefile.in
new revision: 1.27; previous revision: 1.26
done
Checking in mod_admserv/aclocal.m4;
/cvs/dirsec/mod_admserv/aclocal.m4,v <-- aclocal.m4
new revision: 1.19; previous revision: 1.18
done
Checking in mod_admserv/configure;
/cvs/dirsec/mod_admserv/configure,v <-- configure
new revision: 1.29; previous revision: 1.28
done
Checking in mod_admserv/ltmain.sh;
/cvs/dirsec/mod_admserv/ltmain.sh,v <-- ltmain.sh
new revision: 1.7; previous revision: 1.6
done
Fix verified on RHEL 4, DS 8.1.

ini file:

[General]
AdminDomain = example.com
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://jennyv4.bos.redhat.com:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
SuiteSpotUserID = nobody
ConfigDirectoryAdminPwd = Secret123
FullMachineName = jennyv4.bos.redhat.com

[admin]
ServerAdminID = admin
ServerAdminPwd = Secret123
SysUser = nobody
ServerIpAddress = 10.16.0.49
Port = 10166

[slapd]
InstallLdifFile = none
ServerIdentifier = jennyv4
ServerPort = 389
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = Secret123
SlapdConfigForMC = yes
Suffix = dc=example, dc=com
UseExistingMC = 0
AddSampleEntries = No

[root@jennyv4 jenny]# ldapsearch -x -w Secret123 -D "cn=Directory Manager" -b "o=NetscapeRoot" nsServerPort=10166
# extended LDIF
#
# LDAPv3
# base <o=NetscapeRoot> with scope sub
# filter: nsServerPort=10166
# requesting: ALL
#

# configuration, admin-serv-jennyv4, Red Hat Administration Server, Server Group, jennyv4.bos.redhat.com, example.com, NetscapeRoot
dn: cn=configuration, cn=admin-serv-jennyv4, cn=Red Hat Administration Server, cn=Server Group, cn=jennyv4.bos.redhat.com, ou=example.com, o=NetscapeRoot
nsServerPort: 10166
objectClass: nsConfig
objectClass: nsAdminConfig
objectClass: nsAdminObject
objectClass: nsDirectoryInfo
objectClass: top
nsClassname: com.netscape.management.admserv.AdminServer.jar@cn=admin-serv-jennyv4, cn=Red Hat Administration Server, cn=Server Group, cn=jennyv4.bos.redhat.com, ou=example.com, o=NetscapeRoot
cn: Configuration
nsDirectoryInfoRef: cn=Server Group, cn=jennyv4.bos.redhat.com, ou=example.com, o=NetscapeRoot
nsAdminAccessAddresses: *
nsSuiteSpotUser: nobody
nsAdminEnableDSGW: on
nsAdminAccessHosts: *.example.com
nsAdminCacheLifetime: 600
nsDefaultAcceptLanguage: en
nsServerAddress: 10.16.0.49
nsAdminOneACLDir: adminacl
nsErrorLog: /var/log/dirsrv/admin-serv/error
nsAdminUsers: /etc/dirsrv/admin-serv/admpw
nsPidLog: admin-serv.pid
nsAccessLog: /var/log/dirsrv/admin-serv/access
nsAdminEnableEnduser: on

console.conf:
Listen 10.16.0.49:10166
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHEA-2009-0455.html