Description of problem:
It is not possible to do an online deletion of an attribute from cn=config (probably a good thing). It would be nice to be able to have an exception that acis can be removed online.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.3-1.fc12.x86_64
Created attachment 402899
0001-Bug-566320-RFE-add-exception-to-removal-of-attribute.patch

The modify_config_dse() has been modified to check the ignore_attr_type() for all types of modify operation.
To ssh://git.fedorahosted.org/git/389/ds.git
   48d50e8..6e839e9  master -> master
commit 6e839e9cc2acb957dc3435ee46aa9d2942cf1bcc
Author: Endi S. Dewata <edewata>
Date:   Mon Mar 22 17:53:33 2010 -0500

Fix description: The modify_config_dse() has been modified to check the ignore_attr_type() for all types of modify operation.
Reviewed by: rmeggins (and pushed by)
which attribute should I try deleting from config? Please guide.
The only attributes allowed to be deleted at this time are nsslapd-listenhost and nsslapd-securelistenhost.
I just tried to reproduce - it works fine for me - please also confirm what version of 389-ds-base you are using.
[root@snmaptest ~]# rpm -qa | grep 389
389-adminutil-1.1.14-1.el6.x86_64
389-adminutil-devel-1.1.14-1.el6.x86_64
389-ds-base-1.2.8.2-1.el6_1.12.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-base-libs-1.2.8.2-1.el6_1.12.x86_64

What is wrong here:
============================
[root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
dn: cn=config
changetype: modify
delete: nsslapd-listenhost
EOF

modifying entry "cn=config"
ldap_modify: No such attribute (16)

[root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
dn: cn=config
changetype: modify
delete: nsslapd-allowed-to-delete-attrs
EOF

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: Deleting attributes is not allowed

[root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
dn: cn=config
changetype: modify
delete: nsslapd-securelistenhost
EOF

modifying entry "cn=config"
ldap_modify: No such attribute (16)

[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/access
[16/Sep/2011:12:38:59 +051800] conn=39 op=1 RESULT err=53 tag=103 nentries=0 etime=0
[16/Sep/2011:12:38:59 +051800] conn=39 op=2 UNBIND
[16/Sep/2011:12:38:59 +051800] conn=39 op=2 fd=64 closed - U1
[16/Sep/2011:12:39:18 +051800] conn=40 fd=64 slot=64 connection from ::1 to ::1
[16/Sep/2011:12:39:18 +051800] conn=40 op=0 BIND dn="cn=directory manager" method=128 version=3
[16/Sep/2011:12:39:18 +051800] conn=40 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[16/Sep/2011:12:39:18 +051800] conn=40 op=1 MOD dn="cn=config"
[16/Sep/2011:12:39:18 +051800] conn=40 op=2 UNBIND
[16/Sep/2011:12:39:18 +051800] conn=40 op=2 fd=64 closed - U1
[16/Sep/2011:12:39:18 +051800] conn=40 op=1 RESULT err=16 tag=103 nentries=0 etime=0
^C

[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/errors
[15/Sep/2011:17:40:30 +051800] - Waiting for 4 database threads to stop
[15/Sep/2011:17:40:31 +051800] - All database threads now stopped
[15/Sep/2011:17:40:31 +051800] - slapd stopped.
[15/Sep/2011:17:40:39 +051800] - 389-Directory/1.2.8.10 B2011.244.2149 starting up
[15/Sep/2011:17:40:39 +051800] - slapd started.  Listening on All Interfaces port 34206 for LDAP requests
[15/Sep/2011:17:40:39 +051800] - Listening on All Interfaces port 34216 for LDAPS requests
[16/Sep/2011:11:56:18 +051800] chaining database - Insufficient 'add' privilege to add the entry 'uid=sghai1,ou=people,o=airius.com'.

[16/Sep/2011:12:38:42 +051800] - Warning: Deleting configuration attribute "nsslapd-listenhost"
[16/Sep/2011:12:39:18 +051800] - Warning: Deleting configuration attribute "nsslapd-securelistenhost"
^C

[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost:
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
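An added example (not from the bug report or the 389-ds project) that audits cn=config modifications in an access log like the one above, pairing each MOD with its RESULT by (conn, op) rather than by line order, since the RESULT for conn=40 op=1 is logged after the op=2 UNBIND. The conn=40 lines are taken from the log above; the conn=39 BIND/MOD lines and all of conn=41 are constructed.

```python
import re

# Regexes for the 389-ds access log line shapes seen in this thread.
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
MOD_RE = re.compile(r'conn=(\d+) op=(\d+) MOD dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

# LDAP result codes that appear in the thread's ldapmodify output.
ERR_NAMES = {0: "success", 16: "noSuchAttribute", 53: "unwillingToPerform"}


def config_mods(lines, target="cn=config"):
    """Return (conn, op, bind_dn, err, err_name) for every MOD on `target`.

    RESULT lines are matched to MOD lines by (conn, op), not by adjacency:
    in the log above conn=40 op=1 RESULT is written after op=2 UNBIND.
    """
    binder, mods, results = {}, {}, {}
    for line in lines:
        if m := BIND_RE.search(line):
            binder[m[1]] = m[2]  # latest bind DN on this connection
        elif m := MOD_RE.search(line):
            if m[3].lower() == target.lower():
                mods[(m[1], m[2])] = binder.get(m[1], "anonymous")
        elif m := RESULT_RE.search(line):
            results[(m[1], m[2])] = int(m[3])
    rows = []
    for (conn, op), dn in sorted(mods.items(), key=lambda kv: (int(kv[0][0]), int(kv[0][1]))):
        err = results.get((conn, op))  # None: no RESULT logged (yet) for this op
        name = "pending" if err is None else ERR_NAMES.get(err, "other")
        rows.append((conn, op, dn, err, name))
    return rows


# conn=40 lines come from the access log above; conn=39 BIND/MOD and conn=41 are constructed.
SAMPLE_ACCESS_LOG = [
    '[16/Sep/2011:12:38:59 +051800] conn=39 op=0 BIND dn="cn=directory manager" method=128 version=3',
    '[16/Sep/2011:12:38:59 +051800] conn=39 op=1 MOD dn="cn=config"',
    '[16/Sep/2011:12:38:59 +051800] conn=39 op=1 RESULT err=53 tag=103 nentries=0 etime=0',
    '[16/Sep/2011:12:39:18 +051800] conn=40 op=0 BIND dn="cn=directory manager" method=128 version=3',
    '[16/Sep/2011:12:39:18 +051800] conn=40 op=1 MOD dn="cn=config"',
    '[16/Sep/2011:12:39:18 +051800] conn=40 op=2 UNBIND',
    '[16/Sep/2011:12:39:18 +051800] conn=40 op=1 RESULT err=16 tag=103 nentries=0 etime=0',
    '[21/Sep/2011:12:03:01 +051800] conn=41 op=1 MOD dn="cn=config"',
    '[21/Sep/2011:12:03:01 +051800] conn=41 op=1 RESULT err=0 tag=103 nentries=0 etime=0',
]

if __name__ == "__main__":
    for conn, op, dn, err, name in config_mods(SAMPLE_ACCESS_LOG):
        print(f"conn={conn} op={op} by {dn!r}: err={err} ({name})")
```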
(In reply to comment #9)
> [root@snmaptest ~]# rpm -qa | grep 389
> 389-adminutil-1.1.14-1.el6.x86_64
> 389-adminutil-devel-1.1.14-1.el6.x86_64
> 389-ds-base-1.2.8.2-1.el6_1.12.x86_64
> 389-console-1.1.7-1.el6.noarch
> 389-ds-base-libs-1.2.8.2-1.el6_1.12.x86_64
>
> What is wrong here:
> ============================
> [root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-listenhost
> EOF
>
> modifying entry "cn=config"
> ldap_modify: No such attribute (16)
>
> [root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-allowed-to-delete-attrs
> EOF
>
> modifying entry "cn=config"
> ldap_modify: Server is unwilling to perform (53)
>         additional info: Deleting attributes is not allowed
>
> [root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-securelistenhost
> EOF
>
> modifying entry "cn=config"
> ldap_modify: No such attribute (16)
>
> [root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/access
> [16/Sep/2011:12:38:59 +051800] conn=39 op=1 RESULT err=53 tag=103 nentries=0 etime=0
> [16/Sep/2011:12:38:59 +051800] conn=39 op=2 UNBIND
> [16/Sep/2011:12:38:59 +051800] conn=39 op=2 fd=64 closed - U1
> [16/Sep/2011:12:39:18 +051800] conn=40 fd=64 slot=64 connection from ::1 to ::1
> [16/Sep/2011:12:39:18 +051800] conn=40 op=0 BIND dn="cn=directory manager" method=128 version=3
> [16/Sep/2011:12:39:18 +051800] conn=40 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
> [16/Sep/2011:12:39:18 +051800] conn=40 op=1 MOD dn="cn=config"
> [16/Sep/2011:12:39:18 +051800] conn=40 op=2 UNBIND
> [16/Sep/2011:12:39:18 +051800] conn=40 op=2 fd=64 closed - U1
> [16/Sep/2011:12:39:18 +051800] conn=40 op=1 RESULT err=16 tag=103 nentries=0 etime=0
> ^C
>
> [root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/errors
> [15/Sep/2011:17:40:30 +051800] - Waiting for 4 database threads to stop
> [15/Sep/2011:17:40:31 +051800] - All database threads now stopped
> [15/Sep/2011:17:40:31 +051800] - slapd stopped.
> [15/Sep/2011:17:40:39 +051800] - 389-Directory/1.2.8.10 B2011.244.2149 starting up
> [15/Sep/2011:17:40:39 +051800] - slapd started.  Listening on All Interfaces port 34206 for LDAP requests
> [15/Sep/2011:17:40:39 +051800] - Listening on All Interfaces port 34216 for LDAPS requests
> [16/Sep/2011:11:56:18 +051800] chaining database - Insufficient 'add' privilege to add the entry 'uid=sghai1,ou=people,o=airius.com'.
>
> [16/Sep/2011:12:38:42 +051800] - Warning: Deleting configuration attribute "nsslapd-listenhost"
> [16/Sep/2011:12:39:18 +051800] - Warning: Deleting configuration attribute "nsslapd-securelistenhost"
> ^C
> [root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
> nsslapd-listenhost:
> nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

This is as expected. Since the attribute has no value
nsslapd-listenhost:
you cannot delete it, and it returns the correct error code No such attribute (16).

Try this:
stop slapd
edit dse.ldif - add nsslapd-listenhost: localhost
start slapd
do ldapsearch to confirm the value is listed
then ldapmodify to delete the value
[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

[root@snmaptest ~]# ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-listenhost
> EOF
modifying entry "cn=config"

[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/errors
[21/Sep/2011:12:01:43 +051800] - slapd shutting down - signaling operation threads
[21/Sep/2011:12:01:43 +051800] - slapd shutting down - closing down internal subsystems and plugins
[21/Sep/2011:12:01:43 +051800] - Waiting for 4 database threads to stop
[21/Sep/2011:12:01:43 +051800] - All database threads now stopped
[21/Sep/2011:12:01:43 +051800] - slapd stopped.
[21/Sep/2011:12:02:46 +051800] - 389-Directory/1.2.9.11 B2011.259.2023 starting up
[21/Sep/2011:12:02:46 +051800] - slapd started.  Listening on IPv6 Loopback port 34206 for LDAP requests
[21/Sep/2011:12:02:47 +051800] - Listening on Loopback port 34206 for LDAP requests
[21/Sep/2011:12:02:47 +051800] - Listening on All Interfaces port 34216 for LDAPS requests
[21/Sep/2011:12:03:01 +051800] - Warning: Deleting configuration attribute "nsslapd-listenhost"
^C

[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/access
[21/Sep/2011:12:03:04 +051800] conn=3 op=1 RESULT err=0 tag=101 nentries=193 etime=0
[21/Sep/2011:12:03:04 +051800] conn=3 op=2 UNBIND
[21/Sep/2011:12:03:04 +051800] conn=3 op=2 fd=64 closed - U1
[21/Sep/2011:12:03:23 +051800] conn=4 fd=64 slot=64 connection from ::1 to ::1
[21/Sep/2011:12:03:23 +051800] conn=4 op=0 BIND dn="cn=directory manager" method=128 version=3
[21/Sep/2011:12:03:23 +051800] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[21/Sep/2011:12:03:23 +051800] conn=4 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Sep/2011:12:03:23 +051800] conn=4 op=1 RESULT err=0 tag=101 nentries=193 etime=0
[21/Sep/2011:12:03:23 +051800] conn=4 op=2 UNBIND
[21/Sep/2011:12:03:23 +051800] conn=4 op=2 fd=64 closed - U1
^C

[root@snmaptest ~]# rpm -qa | grep 389
389-adminutil-1.1.14-1.el6.x86_64
389-adminutil-devel-1.1.14-1.el6.x86_64
389-ds-base-libs-1.2.9.11-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-base-1.2.9.11-1.el6.x86_64

[root@snmaptest ~]# rpm -qf `which setup-ds.pl`
389-ds-base-1.2.9.11-1.el6.x86_64

But then I restarted the instances, and then it actually got deleted, which is not online :(

[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

[root@snmaptest ~]# service dirsrv restart
Shutting down dirsrv:
    c1...                                                  [  OK  ]
    c2...                                                  [  OK  ]
    s1...                                                  [  OK  ]
    s2...                                                  [  OK  ]
    snmaptest...                                           [  OK  ]
Starting dirsrv:
    c1...                                                  [  OK  ]
    c2...                                                  [  OK  ]
    s1...                                                  [  OK  ]
    s2...                                                  [  OK  ]
    snmaptest...                                           [  OK  ]

[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost:
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

Please help?
Thanks to mniranja for highlighting more important points here:

1. If I re-delete the attribute without a restart, it will give me the error "No such attribute", but ldapsearch will show the attribute as below:

a). Set the attribute first:
[root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

b). Delete the attribute the first time:
ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-listenhost
> EOF
modifying entry "cn=config"

c). Try to delete again:
[root@snmaptest ~]# ldapmodify -D "cn=Directory Manager" -w Secret123 -h localhost -p 34206 << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-listenhost
> EOF
modifying entry "cn=config"
ldap_modify: No such attribute (16)

d). Try to search the attribute:
ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
nsslapd-listenhost: localhost
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

* This is the inconsistency between ldapsearch and ldapdelete.

2. There are a few questions:
a. nsslapd-listenhost is the attribute which says on which hostname the slapd is listening, so when we remove the attribute online, it would still work because slapd is already started using that hostname. Though we are not sure why one would want to delete that attribute (as in, what's the use case here).
b. Initially Rob wanted to do that for ACI (check https://bugzilla.redhat.com/show_bug.cgi?id=566320#c0); how are these attributes, nsslapd-listenhost and nsslapd-securelistenhost, connected to the acis?

Please guide.

Thanks,
Amita
(In reply to comment #12)
> Thanks to mniranja for highlighting more imp points here :
>
> 1. If I re-delete the attribute without a restart, It will give me error as "No
> such attribute" , but ldapsearch will show the attribute as below:
>
> a). Set the attribute first:
> [root@snmaptest ~]# ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
> nsslapd-listenhost: localhost
> nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
>
> b). Delete the attribute first time:
> ldapmodify -x -D "cn=directory manager" -w Secret123 -p 34206 -h localhost << EOF
> > dn: cn=config
> > changetype: modify
> > delete: nsslapd-listenhost
> > EOF
> modifying entry "cn=config"
>
> c). Try to delete again :
> [root@snmaptest ~]# ldapmodify -D "cn=Directory Manager" -w Secret123 -h localhost -p 34206 << EOF
> > dn: cn=config
> > changetype: modify
> > delete: nsslapd-listenhost
> > EOF
> modifying entry "cn=config"
> ldap_modify: No such attribute (16)
>
> d). Try to search the attribute, :
> ldapsearch -h localhost -p 34206 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep nsslapd-listenhost
> nsslapd-listenhost: localhost
> nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
>
> * This is the inconsistency between ldapsearch and ldapdelete.
>
> 2. There are few questions :
> a. nsslapd-listenhost is the attribute which says that on which hostname the
> slapd is listening, so when we remove the attribute online, it would still work
> because slapd is already started using that hostname. Though we are not sure
> why one would want to delete that attribute, (as in what's the use case here)

Ok - looks like the bug wasn't completely fixed. The attribute is deleted, and it will not be in dse.ldif/cn=config upon restart, but it still shows up in ldapsearch after deletion. So we need to reopen this bug in order to fix the ldapsearch issue.

> b. Initially Rob wanted to that for ACI (chk
> https://bugzilla.redhat.com/show_bug.cgi?id=566320#c0), how these attributes -
> nsslapd-listenhost nsslapd-securelistenhost, are connected to the acis?

acis are handled separately, by a different part of the code, so you should be able to add/modify/delete acis without being affected by this bug.

> Please guide.
>
> Thanks,
> Amita
As Rich suggested marking it as assigned, I am marking it as assigned.
Upstream ticket: https://fedorahosted.org/389/ticket/92
Please see also https://fedorahosted.org/389/ticket/92.

*** This bug has been marked as a duplicate of bug 853106 ***