Bug 430364 - setup-ds-admin.pl does not correctly set the admin server ip address
Summary: setup-ds-admin.pl does not correctly set the admin server ip address
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Install/Uninstall
Version: 1.1.2
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
: 432070 (view as bug list)
Depends On:
Blocks: 249650 FDS1.2.0
TreeView+ depends on / blocked
 
Reported: 2008-01-26 22:36 UTC by Andrey Ivanov
Modified: 2015-01-04 23:30 UTC (History)
5 users (show)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 23:02:11 UTC


Attachments (Terms of Use)
Adminserver diffs (4.26 KB, patch)
2009-01-27 23:13 UTC, Nathan Kinder
no flags Details | Diff
Additional diffs (3.67 KB, patch)
2009-01-29 20:12 UTC, Nathan Kinder
no flags Details | Diff
console patches (6.34 KB, patch)
2009-01-29 21:14 UTC, Rich Megginson
no flags Details | Diff
cvs commit log - console (938 bytes, text/plain)
2009-01-29 21:24 UTC, Rich Megginson
no flags Details

Description Andrey Ivanov 2008-01-26 22:36:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Description of problem:
The setup-ds-admin.pl script (or, to be more precise,/usr/lib64/dirsrv/cgi-bin/config which is called by /usr/lib64/dirsrv/perl/AdminServer.pm) does not correctly set up the ip adress of the administration server if this adress is different from the ldap server adress. It should set the attribute nsServerAddress of the entry cn=configuration, cn=admin-serv-<short hostname>, cn=Fedora Administration Server, cn=Server Group, cn=<full hostname>, ou=<admin domain>, o=NetscapeRoot.
However it leaves this attribute clear. In turn in this case the fds java console on a distant workstation cannot correctly determine the adress of the admin server and tries to connect to the ip adress of the slapd (without success if the firewall is correctly configured).

Other than that, logically, the /etc/dirsrv/admin-serv/console.conf file should contain the directive "Listen <admin-server-ip>:<admin-server-port>" instead of "Listen 0.0.0.0:<admin-server-port>". But this is not a critical point, it does not prevent the distant console from functioning.

Version-Release number of selected component (if applicable):
fedora-ds-admin-1.1.1-1.fc6 and fedora-ds-base-1.1.0-3.fc6

How reproducible:
Always


Steps to Reproduce:
1. For example, the physical server has two IPs - 192.168.69.50 (ldap-model.polytechnique.fr) for slapd and 192.168.69.51 (ldap-model-admin.polytechnique.fr) for admin server. Let us take this setup.inf :
[General]
AdminDomain = polytechnique.fr
SuiteSpotGroup = ldap
ConfigDirectoryLdapURL = ldap://ldap-model.polytechnique.fr:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
SuiteSpotUserID = ldap
ConfigDirectoryAdminPwd = totoshka
FullMachineName = ldap-model.polytechnique.fr

[admin]
ServerAdminID = admin
ServerAdminPwd = totoshka
SysUser = ldap
ServerIpAddress = 192.168.69.51
Port = 10166


[slapd]
InstallLdifFile = none
ServerIdentifier = dmz
ServerPort = 389
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = totoshka
SlapdConfigForMC = yes
Suffix = dc=polytechnique,dc=fr
UseExistingMC = 0
AddSampleEntries = No

2. setup-ds-admin.pl -f /setup.inf

3. ldapsearch -x -W -D "cn=Directory Manager" -b "o=NetscapeRoot"  nsServerPort=10166

Actual Results:
The line in console.conf :
Listen 0.0.0.0:10166

The results of ldapsearch :
dn: cn=configuration, cn=admin-serv-ldap-model, cn=Fedora Administration Serve
 r, cn=Server Group, cn=ldap-model.polytechnique.fr, ou=polytechnique.fr, o=Ne
 tscapeRoot
nsServerPort: 10166
objectClass: nsConfig
objectClass: nsAdminConfig
objectClass: nsAdminObject
objectClass: nsDirectoryInfo
objectClass: top
nsClassname: com.netscape.management.admserv.AdminServer@fedora-admin-1.1.jar@
 cn=admin-serv-ldap-model, cn=Fedora Administration Server, cn=Server Group, c
 n=ldap-model.polytechnique.fr, ou=polytechnique.fr, o=NetscapeRoot
cn: Configuration
nsDirectoryInfoRef: cn=Server Group, cn=ldap-model.polytechnique.fr, ou=polyte
 chnique.fr, o=NetscapeRoot
nsAdminAccessAddresses: *
nsSuiteSpotUser: ldap
nsAdminEnableDSGW: on
nsAdminAccessHosts: *.polytechnique.fr
nsAdminCacheLifetime: 600
nsDefaultAcceptLanguage: en
nsServerAddress:
nsAdminOneACLDir: adminacl
nsErrorLog: /var/log/dirsrv/admin-serv/error
nsAdminUsers: /etc/dirsrv/admin-serv/admpw
nsPidLog: admin-serv.pid
nsAccessLog: /var/log/dirsrv/admin-serv/access
nsAdminEnableEnduser: on

Expected Results:
The same but

the line console.conf should be:
Listen 192.168.69.51:10166

ldapsearch results should be:
nsServerAddress: 192.168.69.51

Additional info:
The setup script with the same sort of ip redistribution worked fine in fds 1.0.4.

I tried to compile from the sources, the result is the same.

I don't know whether the architecture x86_64 is important.

Comment 1 Andrey Ivanov 2008-01-27 02:06:47 UTC
Tested on CentOS 5.1 x86_64 with all the latest updates.

Comment 4 Nathan Kinder 2009-01-27 23:13:19 UTC
Created attachment 330174 [details]
Adminserver diffs

There were numerous issues contributing to this problem.

The first issue is that an error was being returned by the config CGI when attempting to set the IP address in console.conf, but the AdminServer.pm code was not detecting this error.  This caused the install to not error out reporting that there was a problem with the IP address.

The second issue is that the validation of the IP address in the config CGI was too strict.  To validate the IP address, we were getting the hostname of the system, doing a reverse lookup to get the addresses associated with that hostname, then checking if any of those addresses matched the one form the .inf file.  If the requested address is assigned to a different hostname, this validation will fail.  The fix is to simply try to bind the address to a socket to see if the address is valid.  We don't need to care what hostname it is associated with, we just need to know that the address is assigned to the system.

The third issue is that the template file for the "o=NetscapeRoot" entry was missing a replace macro for the "nsServerAddress" attribute.  The fix just adds the macro and maps it to the ServerIpAddress .inf directive.

Comment 5 Nathan Kinder 2009-01-28 21:26:39 UTC
Checked into adminserver (HEAD).  Thanks to Noriko for her review!

Checking in admserv/cgi-src40/config.c;
/cvs/dirsec/adminserver/admserv/cgi-src40/config.c,v  <--  config.c
new revision: 1.17; previous revision: 1.16
done
Checking in admserv/newinst/src/AdminServer.pm.in;
/cvs/dirsec/adminserver/admserv/newinst/src/AdminServer.pm.in,v  <--  AdminServer.pm.in
new revision: 1.15; previous revision: 1.14
done
Checking in admserv/newinst/src/adminserver.map.in;
/cvs/dirsec/adminserver/admserv/newinst/src/adminserver.map.in,v  <--  adminserver.map.in
new revision: 1.11; previous revision: 1.10
done
Checking in admserv/schema/ldif/20asdata.ldif.tmpl;
/cvs/dirsec/adminserver/admserv/schema/ldif/20asdata.ldif.tmpl,v  <--  20asdata.ldif.tmpl
new revision: 1.7; previous revision: 1.6
done

Comment 6 Nathan Kinder 2009-01-28 23:49:30 UTC
*** Bug 432070 has been marked as a duplicate of this bug. ***

Comment 7 Nathan Kinder 2009-01-29 20:12:25 UTC
Created attachment 330399 [details]
Additional diffs

It turns out that my previous fix broke a regular interactive setup.  When performing a typical interactive setup, you are not prompted for the adminserver IP address.  This was causing the value to be undefined in the inf, which would make setup error out.

The fix is to set a default answer of "0.0.0.0" if the adminserver IP is not specified via inf already.

Comment 8 Rich Megginson 2009-01-29 21:14:58 UTC
Created attachment 330404 [details]
console patches

Comment 9 Rich Megginson 2009-01-29 21:24:37 UTC
Created attachment 330405 [details]
cvs commit log - console

Reviewed by: nkinder (Thanks!)
Fix Description: If the admin server advertises its IP address in its cn=config nsServerAddress, the console will attempt to use the address instead of hostname (which will break https, btw).  If the address is set to 0.0.0.0, clients cannot use this, so must fall back on the hostname.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no

Comment 10 Nathan Kinder 2009-01-29 21:34:36 UTC
Checked in changes from comment#7 to adminserver (HEAD).  Thanks to Noriko for her review!

Checking in Makefile.am;
/cvs/dirsec/adminserver/Makefile.am,v  <--  Makefile.am
new revision: 1.43; previous revision: 1.42
done
Checking in Makefile.in;
/cvs/dirsec/adminserver/Makefile.in,v  <--  Makefile.in
new revision: 1.51; previous revision: 1.50
done
Checking in aclocal.m4;
/cvs/dirsec/adminserver/aclocal.m4,v  <--  aclocal.m4
new revision: 1.44; previous revision: 1.43
done
Checking in configure;
/cvs/dirsec/adminserver/configure,v  <--  configure
new revision: 1.48; previous revision: 1.47
done
Checking in configure.ac;
/cvs/dirsec/adminserver/configure.ac,v  <--  configure.ac
new revision: 1.29; previous revision: 1.28
done
Checking in admserv/cfgstuff/console.conf.in;
/cvs/dirsec/adminserver/admserv/cfgstuff/console.conf.in,v  <--  console.conf.in
new revision: 1.4; previous revision: 1.3
done
Checking in admserv/newinst/src/ASDialogs.pm.in;
/cvs/dirsec/adminserver/admserv/newinst/src/ASDialogs.pm.in,v  <--  ASDialogs.pm.in
new revision: 1.7; previous revision: 1.6
done
Checking in mod_admserv/Makefile.in;
/cvs/dirsec/mod_admserv/Makefile.in,v  <--  Makefile.in
new revision: 1.27; previous revision: 1.26
done
Checking in mod_admserv/aclocal.m4;
/cvs/dirsec/mod_admserv/aclocal.m4,v  <--  aclocal.m4
new revision: 1.19; previous revision: 1.18
done
Checking in mod_admserv/configure;
/cvs/dirsec/mod_admserv/configure,v  <--  configure
new revision: 1.29; previous revision: 1.28
done
Checking in mod_admserv/ltmain.sh;
/cvs/dirsec/mod_admserv/ltmain.sh,v  <--  ltmain.sh
new revision: 1.7; previous revision: 1.6
done

Comment 11 Jenny Severance 2009-04-02 12:39:17 UTC
fix verified RHEL 4 DS 8.1

ini file:

[General]
AdminDomain = example.com
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://jennyv4.bos.redhat.com:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
SuiteSpotUserID = nobody
ConfigDirectoryAdminPwd = Secret123
FullMachineName = jennyv4.bos.redhat.com

[admin]
ServerAdminID = admin
ServerAdminPwd = Secret123
SysUser = nobody
ServerIpAddress = 10.16.0.49
Port = 10166


[slapd]
InstallLdifFile = none
ServerIdentifier = jennyv4
ServerPort = 389
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = Secret123
SlapdConfigForMC = yes
Suffix = dc=example, dc=com
UseExistingMC = 0
AddSampleEntries = No



[root@jennyv4 jenny]# ldapsearch -x -w Secret123 -D "cn=Directory Manager" -b "o=NetscapeRoot"  nsServerPort=10166
# extended LDIF
#
# LDAPv3
# base <o=NetscapeRoot> with scope sub
# filter: nsServerPort=10166
# requesting: ALL
#

# configuration, admin-serv-jennyv4, Red Hat Administration Server, Server Gr
 oup, jennyv4.bos.redhat.com, example.com, NetscapeRoot
dn: cn=configuration, cn=admin-serv-jennyv4, cn=Red Hat Administration Server,
  cn=Server Group, cn=jennyv4.bos.redhat.com, ou=example.com, o=NetscapeRoot
nsServerPort: 10166
objectClass: nsConfig
objectClass: nsAdminConfig
objectClass: nsAdminObject
objectClass: nsDirectoryInfo
objectClass: top
nsClassname: com.netscape.management.admserv.AdminServer@redhat-admin-8.1.jar@
 cn=admin-serv-jennyv4, cn=Red Hat Administration Server, cn=Server Group, cn=
 jennyv4.bos.redhat.com, ou=example.com, o=NetscapeRoot
cn: Configuration
nsDirectoryInfoRef: cn=Server Group, cn=jennyv4.bos.redhat.com, ou=example.com
 , o=NetscapeRoot
nsAdminAccessAddresses: *
nsSuiteSpotUser: nobody
nsAdminEnableDSGW: on
nsAdminAccessHosts: *.example.com
nsAdminCacheLifetime: 600
nsDefaultAcceptLanguage: en
nsServerAddress: 10.16.0.49
nsAdminOneACLDir: adminacl
nsErrorLog: /var/log/dirsrv/admin-serv/error
nsAdminUsers: /etc/dirsrv/admin-serv/admpw
nsPidLog: admin-serv.pid
nsAccessLog: /var/log/dirsrv/admin-serv/access
nsAdminEnableEnduser: on


console.conf:

Listen 10.16.0.49:10166

Comment 12 Chandrasekar Kannan 2009-04-29 23:02:11 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html


Note You need to log in before you can comment on or make changes to this bug.