Bug 430364 - setup-ds-admin.pl does not correctly set the admin server ip address
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Install/Uninstall
Version: 1.1.2
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Nathan Kinder
Chandrasekar Kannan
Duplicates: 432070
Blocks: 249650 FDS1.2.0
 
Reported: 2008-01-26 17:36 EST by Andrey Ivanov
Modified: 2015-01-04 18:30 EST
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:02:11 EDT

Attachments:
Adminserver diffs (4.26 KB, patch), 2009-01-27 18:13 EST, Nathan Kinder
Additional diffs (3.67 KB, patch), 2009-01-29 15:12 EST, Nathan Kinder
console patches (6.34 KB, patch), 2009-01-29 16:14 EST, Rich Megginson
cvs commit log - console (938 bytes, text/plain), 2009-01-29 16:24 EST, Rich Megginson

Description Andrey Ivanov 2008-01-26 17:36:20 EST
Description of problem:
The setup-ds-admin.pl script (or, to be more precise, /usr/lib64/dirsrv/cgi-bin/config which is called by /usr/lib64/dirsrv/perl/AdminServer.pm) does not correctly set up the ip address of the administration server if this address is different from the ldap server address. It should set the attribute nsServerAddress of the entry cn=configuration, cn=admin-serv-<short hostname>, cn=Fedora Administration Server, cn=Server Group, cn=<full hostname>, ou=<admin domain>, o=NetscapeRoot.
However it leaves this attribute clear. In turn in this case the fds java console on a distant workstation cannot correctly determine the address of the admin server and tries to connect to the ip address of the slapd (without success if the firewall is correctly configured).

Other than that, logically, the /etc/dirsrv/admin-serv/console.conf file should contain the directive "Listen <admin-server-ip>:<admin-server-port>" instead of "Listen 0.0.0.0:<admin-server-port>". But this is not a critical point, it does not prevent the distant console from functioning.

Version-Release number of selected component (if applicable):
fedora-ds-admin-1.1.1-1.fc6 and fedora-ds-base-1.1.0-3.fc6

How reproducible:
Always


Steps to Reproduce:
1. For example, the physical server has two IPs - 192.168.69.50 (ldap-model.polytechnique.fr) for slapd and 192.168.69.51 (ldap-model-admin.polytechnique.fr) for admin server. Let us take this setup.inf :
[General]
AdminDomain = polytechnique.fr
SuiteSpotGroup = ldap
ConfigDirectoryLdapURL = ldap://ldap-model.polytechnique.fr:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
SuiteSpotUserID = ldap
ConfigDirectoryAdminPwd = totoshka
FullMachineName = ldap-model.polytechnique.fr

[admin]
ServerAdminID = admin
ServerAdminPwd = totoshka
SysUser = ldap
ServerIpAddress = 192.168.69.51
Port = 10166


[slapd]
InstallLdifFile = none
ServerIdentifier = dmz
ServerPort = 389
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = totoshka
SlapdConfigForMC = yes
Suffix = dc=polytechnique,dc=fr
UseExistingMC = 0
AddSampleEntries = No

2. setup-ds-admin.pl -f /setup.inf

3. ldapsearch -x -W -D "cn=Directory Manager" -b "o=NetscapeRoot"  nsServerPort=10166

Actual Results:
The line in console.conf :
Listen 0.0.0.0:10166

The results of ldapsearch :
dn: cn=configuration, cn=admin-serv-ldap-model, cn=Fedora Administration Serve
 r, cn=Server Group, cn=ldap-model.polytechnique.fr, ou=polytechnique.fr, o=Ne
 tscapeRoot
nsServerPort: 10166
objectClass: nsConfig
objectClass: nsAdminConfig
objectClass: nsAdminObject
objectClass: nsDirectoryInfo
objectClass: top
nsClassname: com.netscape.management.admserv.AdminServer@fedora-admin-1.1.jar@
 cn=admin-serv-ldap-model, cn=Fedora Administration Server, cn=Server Group, c
 n=ldap-model.polytechnique.fr, ou=polytechnique.fr, o=NetscapeRoot
cn: Configuration
nsDirectoryInfoRef: cn=Server Group, cn=ldap-model.polytechnique.fr, ou=polyte
 chnique.fr, o=NetscapeRoot
nsAdminAccessAddresses: *
nsSuiteSpotUser: ldap
nsAdminEnableDSGW: on
nsAdminAccessHosts: *.polytechnique.fr
nsAdminCacheLifetime: 600
nsDefaultAcceptLanguage: en
nsServerAddress:
nsAdminOneACLDir: adminacl
nsErrorLog: /var/log/dirsrv/admin-serv/error
nsAdminUsers: /etc/dirsrv/admin-serv/admpw
nsPidLog: admin-serv.pid
nsAccessLog: /var/log/dirsrv/admin-serv/access
nsAdminEnableEnduser: on

Expected Results:
The same but

the line console.conf should be:
Listen 192.168.69.51:10166

ldapsearch results should be:
nsServerAddress: 192.168.69.51

Additional info:
The setup script with the same sort of ip redistribution worked fine in fds 1.0.4.

I tried to compile from the sources, the result is the same.

I don't know whether the architecture x86_64 is important.
Comment 1 Andrey Ivanov 2008-01-26 21:06:47 EST
Tested on CentOS 5.1 x86_64 with all the latest updates.
Comment 4 Nathan Kinder 2009-01-27 18:13:19 EST
Created attachment 330174 [details]
Adminserver diffs

There were numerous issues contributing to this problem.

The first issue is that an error was being returned by the config CGI when attempting to set the IP address in console.conf, but the AdminServer.pm code was not detecting this error.  This caused the install to not error out reporting that there was a problem with the IP address.

The second issue is that the validation of the IP address in the config CGI was too strict.  To validate the IP address, we were getting the hostname of the system, doing a reverse lookup to get the addresses associated with that hostname, then checking if any of those addresses matched the one from the .inf file.  If the requested address is assigned to a different hostname, this validation will fail.  The fix is to simply try to bind the address to a socket to see if the address is valid.  We don't need to care what hostname it is associated with, we just need to know that the address is assigned to the system.

The third issue is that the template file for the "o=NetscapeRoot" entry was missing a replace macro for the "nsServerAddress" attribute.  The fix just adds the macro and maps it to the ServerIpAddress .inf directive.
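
The bind-based check described in comment 4, as an added example that is not the code from the attached patch or from config.c: check_listen_address and the addr_status values are hypothetical names, and the sample inputs in main are constructed (192.168.69.51 is the address from the reporter's setup.inf). It goes slightly beyond the comment by also accepting IPv6 literals and by reporting 0.0.0.0 separately, since comment 7 makes that the default.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum addr_status { ADDR_OK, ADDR_WILDCARD, ADDR_MALFORMED, ADDR_NOT_LOCAL, ADDR_SYSERR };
/* Hypothetical helper (not a function from config.c): is this address usable for Listen? */
enum addr_status check_listen_address(const char *text)
{
    struct addrinfo hints, *ai = NULL;
    enum addr_status st = ADDR_SYSERR;
    int fd;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; /* literals only, no DNS or hostname lookup */
    if (text == NULL || getaddrinfo(text, "0", &hints, &ai) != 0)
        return ADDR_MALFORMED;                        /* not an IPv4/IPv6 literal */
    if (ai->ai_family == AF_INET &&
        ((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr == htonl(INADDR_ANY)) {
        st = ADDR_WILDCARD;                           /* 0.0.0.0: all interfaces, nothing to advertise */
    } else if (ai->ai_family == AF_INET6 &&
               IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr)) {
        st = ADDR_WILDCARD;
    } else if ((fd = socket(ai->ai_family, SOCK_STREAM, 0)) >= 0) {
        /* Port 0 lets the kernel pick a free port, so only the address itself is tested. */
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            st = ADDR_OK;                             /* address is assigned to this system */
        else if (errno == EADDRNOTAVAIL)
            st = ADDR_NOT_LOCAL;                      /* not configured on any local interface */
        close(fd);
    }
    freeaddrinfo(ai);
    return st;
}

int main(void)
{
    const char *samples[] = { "192.168.69.51", "0.0.0.0", "not-an-ip" }; /* constructed inputs */
    for (int i = 0; i < 3; i++)
        printf("%-14s -> %d\n", samples[i], (int)check_listen_address(samples[i]));
    return 0;
}
```

ADDR_NOT_LOCAL and ADDR_MALFORMED are the results an installer has to surface as errors, which is the detection gap the first issue in comment 4 describes.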
Comment 5 Nathan Kinder 2009-01-28 16:26:39 EST
Checked into adminserver (HEAD).  Thanks to Noriko for her review!

Checking in admserv/cgi-src40/config.c;
/cvs/dirsec/adminserver/admserv/cgi-src40/config.c,v  <--  config.c
new revision: 1.17; previous revision: 1.16
done
Checking in admserv/newinst/src/AdminServer.pm.in;
/cvs/dirsec/adminserver/admserv/newinst/src/AdminServer.pm.in,v  <--  AdminServer.pm.in
new revision: 1.15; previous revision: 1.14
done
Checking in admserv/newinst/src/adminserver.map.in;
/cvs/dirsec/adminserver/admserv/newinst/src/adminserver.map.in,v  <--  adminserver.map.in
new revision: 1.11; previous revision: 1.10
done
Checking in admserv/schema/ldif/20asdata.ldif.tmpl;
/cvs/dirsec/adminserver/admserv/schema/ldif/20asdata.ldif.tmpl,v  <--  20asdata.ldif.tmpl
new revision: 1.7; previous revision: 1.6
done
Comment 6 Nathan Kinder 2009-01-28 18:49:30 EST
*** Bug 432070 has been marked as a duplicate of this bug. ***
Comment 7 Nathan Kinder 2009-01-29 15:12:25 EST
Created attachment 330399 [details]
Additional diffs

It turns out that my previous fix broke a regular interactive setup.  When performing a typical interactive setup, you are not prompted for the adminserver IP address.  This was causing the value to be undefined in the inf, which would make setup error out.

The fix is to set a default answer of "0.0.0.0" if the adminserver IP is not specified via inf already.
Comment 8 Rich Megginson 2009-01-29 16:14:58 EST
Created attachment 330404 [details]
console patches
Comment 9 Rich Megginson 2009-01-29 16:24:37 EST
Created attachment 330405 [details]
cvs commit log - console

Reviewed by: nkinder (Thanks!)
Fix Description: If the admin server advertises its IP address in its cn=config nsServerAddress, the console will attempt to use the address instead of hostname (which will break https, btw).  If the address is set to 0.0.0.0, clients cannot use this, so must fall back on the hostname.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Comment 10 Nathan Kinder 2009-01-29 16:34:36 EST
Checked in changes from comment#7 to adminserver (HEAD).  Thanks to Noriko for her review!

Checking in Makefile.am;
/cvs/dirsec/adminserver/Makefile.am,v  <--  Makefile.am
new revision: 1.43; previous revision: 1.42
done
Checking in Makefile.in;
/cvs/dirsec/adminserver/Makefile.in,v  <--  Makefile.in
new revision: 1.51; previous revision: 1.50
done
Checking in aclocal.m4;
/cvs/dirsec/adminserver/aclocal.m4,v  <--  aclocal.m4
new revision: 1.44; previous revision: 1.43
done
Checking in configure;
/cvs/dirsec/adminserver/configure,v  <--  configure
new revision: 1.48; previous revision: 1.47
done
Checking in configure.ac;
/cvs/dirsec/adminserver/configure.ac,v  <--  configure.ac
new revision: 1.29; previous revision: 1.28
done
Checking in admserv/cfgstuff/console.conf.in;
/cvs/dirsec/adminserver/admserv/cfgstuff/console.conf.in,v  <--  console.conf.in
new revision: 1.4; previous revision: 1.3
done
Checking in admserv/newinst/src/ASDialogs.pm.in;
/cvs/dirsec/adminserver/admserv/newinst/src/ASDialogs.pm.in,v  <--  ASDialogs.pm.in
new revision: 1.7; previous revision: 1.6
done
Checking in mod_admserv/Makefile.in;
/cvs/dirsec/mod_admserv/Makefile.in,v  <--  Makefile.in
new revision: 1.27; previous revision: 1.26
done
Checking in mod_admserv/aclocal.m4;
/cvs/dirsec/mod_admserv/aclocal.m4,v  <--  aclocal.m4
new revision: 1.19; previous revision: 1.18
done
Checking in mod_admserv/configure;
/cvs/dirsec/mod_admserv/configure,v  <--  configure
new revision: 1.29; previous revision: 1.28
done
Checking in mod_admserv/ltmain.sh;
/cvs/dirsec/mod_admserv/ltmain.sh,v  <--  ltmain.sh
new revision: 1.7; previous revision: 1.6
done
Comment 11 Jenny Galipeau 2009-04-02 08:39:17 EDT
fix verified RHEL 4 DS 8.1

ini file:

[General]
AdminDomain = example.com
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://jennyv4.bos.redhat.com:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
SuiteSpotUserID = nobody
ConfigDirectoryAdminPwd = Secret123
FullMachineName = jennyv4.bos.redhat.com

[admin]
ServerAdminID = admin
ServerAdminPwd = Secret123
SysUser = nobody
ServerIpAddress = 10.16.0.49
Port = 10166


[slapd]
InstallLdifFile = none
ServerIdentifier = jennyv4
ServerPort = 389
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = Secret123
SlapdConfigForMC = yes
Suffix = dc=example, dc=com
UseExistingMC = 0
AddSampleEntries = No



[root@jennyv4 jenny]# ldapsearch -x -w Secret123 -D "cn=Directory Manager" -b "o=NetscapeRoot"  nsServerPort=10166
# extended LDIF
#
# LDAPv3
# base <o=NetscapeRoot> with scope sub
# filter: nsServerPort=10166
# requesting: ALL
#

# configuration, admin-serv-jennyv4, Red Hat Administration Server, Server Gr
 oup, jennyv4.bos.redhat.com, example.com, NetscapeRoot
dn: cn=configuration, cn=admin-serv-jennyv4, cn=Red Hat Administration Server,
  cn=Server Group, cn=jennyv4.bos.redhat.com, ou=example.com, o=NetscapeRoot
nsServerPort: 10166
objectClass: nsConfig
objectClass: nsAdminConfig
objectClass: nsAdminObject
objectClass: nsDirectoryInfo
objectClass: top
nsClassname: com.netscape.management.admserv.AdminServer@redhat-admin-8.1.jar@
 cn=admin-serv-jennyv4, cn=Red Hat Administration Server, cn=Server Group, cn=
 jennyv4.bos.redhat.com, ou=example.com, o=NetscapeRoot
cn: Configuration
nsDirectoryInfoRef: cn=Server Group, cn=jennyv4.bos.redhat.com, ou=example.com
 , o=NetscapeRoot
nsAdminAccessAddresses: *
nsSuiteSpotUser: nobody
nsAdminEnableDSGW: on
nsAdminAccessHosts: *.example.com
nsAdminCacheLifetime: 600
nsDefaultAcceptLanguage: en
nsServerAddress: 10.16.0.49
nsAdminOneACLDir: adminacl
nsErrorLog: /var/log/dirsrv/admin-serv/error
nsAdminUsers: /etc/dirsrv/admin-serv/admpw
nsPidLog: admin-serv.pid
nsAccessLog: /var/log/dirsrv/admin-serv/access
nsAdminEnableEnduser: on


console.conf:

Listen 10.16.0.49:10166
Comment 12 Chandrasekar Kannan 2009-04-29 19:02:11 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
