Bug 455331 - setting up replication agreement for cloned CA fails for fedora-ds-base-1.1.1-1.fc8
Product: Dogtag Certificate System
Classification: Community
Component: Cloning
All Linux
Priority: medium, Severity: medium
Assigned To: Ade Lee
Chandrasekar Kannan
Depends On:
Blocks: 443788
Reported: 2008-07-14 16:27 EDT by Ade Lee
Modified: 2015-01-04 18:33 EST

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:29:26 EDT

Attachments
patch for replication setup issue (1.49 KB, patch)
2008-07-14 16:46 EDT, Ade Lee
patch take 2 (3.35 KB, patch)
2008-07-15 16:12 EDT, Ade Lee
patch take 3 (2.99 KB, text/x-patch)
2008-07-21 15:57 EDT, Ade Lee

Description Ade Lee 2008-07-14 16:27:18 EDT
Description of problem:
When the replication agreement is set up for a clone CA, we attempt to create
the directory for the changelog on the master and replica servers as follows:

String filter = "(objectclass=nsslapdConfig)";
String[] attrs = {"nsslapd-instancedir"};
LDAPSearchResults results = conn.search("cn=config", LDAPv3.SCOPE_SUB,
               filter, attrs, false);

and set the changelog directory to be the value of the nsslapd-instancedir.

In Fedora 1.1, this attribute is no longer populated.  A new attribute must be
used - specifically: 

String filter = "(objectclass=*)";
String[] attrs = {"nsslapd-directory"};
LDAPSearchResults results = conn.search(
               "cn=config,cn=ldbm database,cn=plugins,cn=config",
               LDAPv3.SCOPE_SUB, filter, attrs, false);

This attribute should work for Fedora DS 1.0 and RHDS/FDS 7.1 as well.

Version-Release number of selected component (if applicable):
Dogtag 1.0
fedora-ds-base 1.1

How reproducible:
Try to clone a CA.

Steps to Reproduce:
Actual results:

Setting up replication agreement fails.

Expected results:

Replication succeeds.

Additional info:
Comment 1 Ade Lee 2008-07-14 16:46:46 EDT
Created attachment 311776
patch for replication setup issue
Comment 2 Ade Lee 2008-07-14 16:48:22 EDT
cfu please review.
Comment 3 Ade Lee 2008-07-15 16:12:11 EDT
Created attachment 311881
patch take 2
Comment 4 Ade Lee 2008-07-15 16:14:24 EDT
cfu and mharmsen - please review.

Patch includes changes to make ds_removal script actually try to stop the ds for
Fedora 1.1. As the code was written, this step was effectively bypassed.
Comment 5 Christina Fu 2008-07-16 10:54:19 EDT
attachment (id=311881) +cfu

Please make sure mharmsen reviews the scripts part
Comment 6 Matthew Harmsen 2008-07-17 21:57:50 EDT
The line "+if ( -d "/usr/lib/dirsrv/slapd-${instname}/stop-slapd" ) {" in both
script files should be either:

  "+if ( -d "/usr/lib/dirsrv" ) {", OR

  "+if ( -x "/usr/lib/dirsrv/slapd-${instname}/stop-slapd" ) {"
  since "stop-slapd" is an executable.

That being said, this script, for the most part, was taken verbatim from the
"/usr/lib64/dirsrv/cgi-bin/ds_remove" script in "fedora-ds-admin", and is
included as a subscript to be called by "remove_ds_instance".  This was done 
for convenience in Dogtag (so users don't need to install
"fedora-ds-admin-1.1.5-1.fc8").  It is possible that I have introduced a problem
in my port of this executable, but I hadn't seen any problem prior to this.

So, if this code is incorrect here, it may be a problem in Directory Server as
well.  Can you check with rmeggins, nhosoi, or nkinder?
Comment 7 Matthew Harmsen 2008-07-17 23:25:36 EDT
Actually, if you exercised your code as written in these scripts, you were
actually running the exact same code that was already there, since the test for
a directory called '.../stop-slapd' would always yield 'false', and the "else"
clause is basically the same code that was already there.
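
The file-test behaviour discussed in comments 6 and 7, shown in POSIX shell, whose -d, -f and -x operators have the same meaning as Perl's. This is an added example, not part of the bug report or of the Dogtag scripts; the temp directory stands in for /usr/lib/dirsrv, and the function names and the "fallback" label are hypothetical. It also covers one case beyond the comments: -x alone is true for a searchable directory, so the last variant requires a regular file too.

```shell
#!/bin/sh
# Added example. The temp directory is a constructed stand-in for
# /usr/lib/dirsrv; function names and the "fallback" label are hypothetical.

make_instance() {   # $1 = root dir, $2 = instance name
    mkdir -p "$1/slapd-$2"
    printf '#!/bin/sh\nexit 0\n' > "$1/slapd-$2/stop-slapd"
    chmod 755 "$1/slapd-$2/stop-slapd"
}

# Test from the reviewed patch: -d is true only for a directory, so an
# executable file never matches and the else branch always runs.
pick_with_d() {
    if [ -d "$1/slapd-$2/stop-slapd" ]; then echo stop-slapd; else echo fallback; fi
}

# Reviewer's suggestion: -x is true when the path can be executed.
pick_with_x() {
    if [ -x "$1/slapd-$2/stop-slapd" ]; then echo stop-slapd; else echo fallback; fi
}

# Stricter variant: -x is also true for a searchable directory, so
# require a regular file as well.
pick_with_fx() {
    p="$1/slapd-$2/stop-slapd"
    if [ -f "$p" ] && [ -x "$p" ]; then echo stop-slapd; else echo fallback; fi
}

demo() {
    root=$(mktemp -d) || return 1
    make_instance "$root" demo
    mkdir -p "$root/slapd-odd/stop-slapd"   # a directory where a script is expected
    for inst in demo odd; do
        echo "$inst: -d=$(pick_with_d "$root" "$inst")" \
             "-x=$(pick_with_x "$root" "$inst")" \
             "-f&&-x=$(pick_with_fx "$root" "$inst")"
    done
    rm -rf "$root"
}
demo
```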
Comment 8 Ade Lee 2008-07-21 15:57:05 EDT
Created attachment 312295
patch take 3
Comment 9 Ade Lee 2008-07-21 15:59:29 EDT
Patch contains spec file changes and just Java changes for now.

Separate patch for the Perl scripts to be added later.  This does in fact turn
out to be a problem in FDS as well.  Submitting a bug and patch for that too.
(Oh, and agreed on the -x flag).
Comment 10 Matthew Harmsen 2008-07-21 16:39:17 EDT
+ mharmsen attachment (id=312295)
Comment 11 Ade Lee 2008-07-21 17:00:13 EDT

[builder@goofy-vm1 src]$ svn ci --username alee --password pki4all pki -m "Fix
for Bug 455331"
Sending        pki/linux/common/pki-common.spec
Transmitting file data ..
Committed revision 72.
Comment 12 Chandrasekar Kannan 2008-08-26 20:29:37 EDT
Bug already MODIFIED. Setting target CS8.0 and marking screened+
