Bug 455331 - setting up replication agreement for cloned CA fails for fedora-ds-base-1.1.1-1.fc8
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Cloning
Version: 1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 443788
Reported: 2008-07-14 20:27 UTC by Ade Lee
Modified: 2015-01-04 23:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-07-22 23:29:26 UTC

Attachments
patch for replication setup issue (1.49 KB, patch)
2008-07-14 20:46 UTC, Ade Lee
patch take 2 (3.35 KB, patch)
2008-07-15 20:12 UTC, Ade Lee
patch take 3 (2.99 KB, text/x-patch)
2008-07-21 19:57 UTC, Ade Lee

Description Ade Lee 2008-07-14 20:27:18 UTC
Description of problem:
When the replication agreement is set up for a clone CA, we attempt to create
the directory for the changelog on the master and replica servers as follows:

String filter = "(objectclass=nsslapdConfig)";
String[] attrs = {"nsslapd-instancedir"};
LDAPSearchResults results = conn.search("cn=config", LDAPv3.SCOPE_SUB,
               filter, attrs, false);

and set the changelog directory to be the value of the nsslapd-instancedir.

In Fedora 1.1, this attribute is no longer populated.  A new attribute must be
used - specifically:

String filter = "(objectclass=*)";
String[] attrs = {"nsslapd-directory"};
LDAPSearchResults results = conn.search(
               "cn=config,cn=ldbm database,cn=plugins,cn=config",
               LDAPv3.SCOPE_SUB, filter, attrs, false);

This attribute should work for Fedora DS 1.0 and RHDS/FDS 7.1 as well.

Version-Release number of selected component (if applicable):
Dogtag 1.0
fedora-ds-base 1.1

How reproducible:
Try to clone a CA.

Steps to Reproduce:
Actual results:

Setting up replication agreement fails.

Expected results:

Replication succeeds.

Additional info:
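
An added illustration, not part of the bug report or its patches: the attribute lookup described above, run over constructed ldapsearch-style LDIF instead of a live connection. The fallback to nsslapd-instancedir, the function names and the sample paths are assumptions made for this example.

```python
LDBM_DN = "cn=config,cn=ldbm database,cn=plugins,cn=config"
ROOT_DN = "cn=config"

# Constructed sample for a 1.1-style server: nsslapd-instancedir is absent and
# the nsslapd-directory value is folded across two lines, as LDIF allows.
SAMPLE_NEW = """\
dn: cn=config
objectClass: nsslapdConfig

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-directory: /var/lib/dirsrv/slapd-exam
 ple/db
"""
# Constructed sample where only the older attribute carries a value.
SAMPLE_OLD = """\
dn: cn=config
nsslapd-instancedir: /opt/fedora-ds/slapd-example

dn: cn=config, cn=ldbm   database, cn=plugins, cn=config
nsslapd-directory:
"""

def normalize_dn(dn):
    # Lowercase and collapse whitespace so padded or wrapped DNs still match.
    return ",".join(" ".join(rdn.split()) for rdn in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} for plain (non-base64) LDIF."""
    entries, current = {}, None
    # LDIF folds long values onto lines that start with one space; unfold first.
    for line in text.replace("\n ", "").splitlines():
        name, sep, value = line.partition(":")
        if not line.strip():
            current = None                # a blank line ends the entry
        elif name.lower() == "dn" and sep:
            current = entries.setdefault(normalize_dn(value), {})
        elif sep and current is not None:
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def changelog_base_dir(ldif_text):
    """Prefer nsslapd-directory, fall back to nsslapd-instancedir, else fail."""
    entries = parse_ldif(ldif_text)
    for dn, attr in ((LDBM_DN, "nsslapd-directory"), (ROOT_DN, "nsslapd-instancedir")):
        values = [v for v in entries.get(normalize_dn(dn), {}).get(attr, []) if v]
        if values:
            return attr, values[0]
    raise LookupError("no populated nsslapd-directory or nsslapd-instancedir")
```

Raising when neither attribute has a value makes an unpopulated attribute visible at lookup time rather than later in replication setup.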

Comment 1 Ade Lee 2008-07-14 20:46:46 UTC
Created attachment 311776
patch for replication setup issue

Comment 2 Ade Lee 2008-07-14 20:48:22 UTC
cfu please review.

Comment 3 Ade Lee 2008-07-15 20:12:11 UTC
Created attachment 311881
patch take 2

Comment 4 Ade Lee 2008-07-15 20:14:24 UTC
cfu and mharmsen - please review.

Patch includes changes to make ds_removal script actually try to stop the ds for
Fedora 1.1.  As the code was written, this step was effectively bypassed.

Comment 5 Christina Fu 2008-07-16 14:54:19 UTC
attachment (id=311881) +cfu

Please make sure mharmsen reviews the scripts part

Comment 6 Matthew Harmsen 2008-07-18 01:57:50 UTC
The line "+if ( -d "/usr/lib/dirsrv/slapd-${instname}/stop-slapd" ) {" in both
script files should be either:

  "+if ( -d "/usr/lib/dirsrv" ) {", OR

  "+if ( -x "/usr/lib/dirsrv/slapd-${instname}/stop-slapd" ) {"
  since "stop-slapd" is an executable.

That being said, this script, for the most part, was taken verbatim from the
"/usr/lib64/dirsrv/cgi-bin/ds_remove" script in "fedora-ds-admin", and is
included as a subscript to be called by "remove_ds_instance".  This was done 
for convenience in Dogtag (so users don't need to install
"fedora-ds-admin-1.1.5-1.fc8").  It is possible that I have introduced a problem
in my port of this executable, but I hadn't seen any problem prior to this.

So, if this code is incorrect here, it may be a problem in Directory Server as
well.  Can you check with rmeggins, nhosoi, or nkinder?

Comment 7 Matthew Harmsen 2008-07-18 03:25:36 UTC
Actually, if you exercised your code as written in these scripts, you were
actually running the exact same code that was already there, since the test for
a directory called '.../stop-slapd' would always yield 'false', and the "else"
clause is basically the same code that was already there.

Comment 8 Ade Lee 2008-07-21 19:57:05 UTC
Created attachment 312295
patch take 3

Comment 9 Ade Lee 2008-07-21 19:59:29 UTC
Patch contains spec file changes and just Java changes for now.

Separate patch for the Perl scripts to be added later.  This does in fact turn
out to be a problem in FDS as well.  Submitting a bug and patch for that too.
(Oh, and agreed on the -x flag).

Comment 10 Matthew Harmsen 2008-07-21 20:39:17 UTC
+ mharmsen attachment (id=312295)

Comment 11 Ade Lee 2008-07-21 21:00:13 UTC

[builder@goofy-vm1 src]$ svn ci --username alee --password pki4all pki -m "Fix
for Bug 455331"
Sending        pki/linux/common/pki-common.spec
Transmitting file data ..
Committed revision 72.

Comment 12 Chandrasekar Kannan 2008-08-27 00:29:37 UTC
Bug already MODIFIED. Setting target CS8.0 and marking screened+
