Bug 602456 - Allow to add any cn=config attributes; allow to delete some cn=config attributes
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.2.6
Hardware: All
OS: All
Priority: low
Severity: low
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 389_1.2.7 639035 642782
Reported: 2010-06-09 21:19 UTC by Endi Sukma Dewata
Modified: 2015-12-07 16:36 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 642782
Environment:
Last Closed: 2015-12-07 16:36:31 UTC
Embargoed:


Attachments
git patch file (master) (7.89 KB, patch), 2010-10-13 00:41 UTC, Noriko Hosoi; no flags
git patch file (master) (8.12 KB, patch), 2010-10-13 16:35 UTC, Noriko Hosoi; nkinder: review+
git patch file (master) (8.33 KB, patch), 2010-10-13 18:31 UTC, Noriko Hosoi; nhosoi: review?, rmeggins: review+
git patch file (master) (4.01 KB, patch), 2010-12-15 22:56 UTC, Noriko Hosoi; nhosoi: review?, rmeggins: review+

Description Endi Sukma Dewata 2010-06-09 21:19:25 UTC
Sometimes deleting cn=config attributes is necessary, but currently the operation is not supported.

For example, to configure the server to listen on all interfaces, any existing value of nsslapd-listenhost should be deleted:

% ldapmodify -x -D "cn=Directory Manager" -w Secret123
dn: cn=config
changetype: modify
delete: nsslapd-listenhost

Currently the above operation will be rejected:

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: Deleting attributes is not allowed

The current workaround for this problem is to shutdown the server, edit the dse.ldif, and start the server again.

Certain attributes should be allowed to be deleted from cn=config.

Comment 2 Noriko Hosoi 2010-10-12 21:46:51 UTC
Noriko Hosoi wrote:
Basically, config params are supposed not to allow to add and delete.  The check is done at the line 399 and 400.  Endi ran into this problem when he was trying to delete nsslapd-listenhost.  But he did not have a problem to add it on-line (I guess).  The reason why he could add it was LDAP_MOD_ADD was not "set".  Well, it cannot be set, actually.  The macro is defined to '0', which is true in the mozldap header and the openldap header...

Should the DS be strict not to allow to add config params, as well?  I'm afraid we may hear complaints from customers: "We could do this before, but suddenly it's rejected with LDAP_UNWILLING_TO_PERFORM!!!"...

Rich Megginson wrote:
We should use the macros that Nathan added for this - SLAPI_IS_MOD_ADD() - see slapi-plugin.h

This is tough - yes, we should not use MOD_ADD for replace, but like you say, someone (including us - the console) may expect to be able to do this.  So I think we're just going to have to allow it, and log it. 

373 int
374 modify_config_dse(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, int *returncode, char *returntext, void *arg)
375 {
            [...]
399             if ((mods[i]->mod_op & LDAP_MOD_DELETE) ||
400                 (mods[i]->mod_op & LDAP_MOD_ADD)) {
401                 rc= LDAP_UNWILLING_TO_PERFORM;

/usr/include/ldap.h:#define LDAP_MOD_ADD        (0x0000)
/usr/include/ldap.h:#define LDAP_MOD_DELETE        (0x0001)
/usr/include/ldap.h:#define LDAP_MOD_REPLACE    (0x0002)
/usr/include/ldap.h:#define LDAP_MOD_INCREMENT    (0x0003) /* OpenLDAP extension */
/usr/include/ldap.h:#define LDAP_MOD_BVALUES    (0x0080)

/usr/include/mozldap/ldap-standard.h:#define LDAP_MOD_ADD            0x00
/usr/include/mozldap/ldap-standard.h:#define LDAP_MOD_DELETE         0x01
/usr/include/mozldap/ldap-standard.h:#define LDAP_MOD_REPLACE        0x02
/usr/include/mozldap/ldap-standard.h:#define LDAP_MOD_BVALUES        0x80
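Why the check quoted from lines 399-400 never fires for an add, shown as an added C example (not code from the 389 project). The constants are the ones quoted from ldap.h above; IS_MOD_ADD/IS_MOD_DELETE are a local stand-in for the SLAPI_IS_MOD_ADD() family Rich points to, written in the usual equality form (mask off LDAP_MOD_BVALUES, then compare), and buggy_rejects/fixed_rejects are this example's own names:

```c
#include <stdio.h>

/* Mod-op constants as quoted from ldap.h / ldap-standard.h above.
 * LDAP_MOD_ADD is 0, so "op & LDAP_MOD_ADD" can never be non-zero. */
#define LDAP_MOD_ADD      0x00
#define LDAP_MOD_DELETE   0x01
#define LDAP_MOD_REPLACE  0x02
#define LDAP_MOD_BVALUES  0x80

/* Equality-based tests: strip the BVALUES flag, then compare the op code.
 * Local re-implementation, not the slapi-plugin.h definition. */
#define IS_MOD_ADD(op)    (((op) & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD)
#define IS_MOD_DELETE(op) (((op) & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE)

/* The check as written in modify_config_dse() lines 399-400:
 * returns 1 when the mod would be rejected with LDAP_UNWILLING_TO_PERFORM. */
int buggy_rejects(int mod_op)
{
    return (mod_op & LDAP_MOD_DELETE) || (mod_op & LDAP_MOD_ADD);
}

/* The same decision made with the equality-based macros. */
int fixed_rejects(int mod_op)
{
    return IS_MOD_DELETE(mod_op) || IS_MOD_ADD(mod_op);
}

int main(void)
{
    /* Mod ops as a decoded modify request carries them; client libraries
     * normally set LDAP_MOD_BVALUES on every mod. */
    int ops[] = { LDAP_MOD_ADD | LDAP_MOD_BVALUES,
                  LDAP_MOD_DELETE | LDAP_MOD_BVALUES,
                  LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
                  LDAP_MOD_ADD };
    const char *names[] = { "add", "delete", "replace", "add (no BVALUES)" };

    for (int i = 0; i < 4; i++)
        printf("%-18s buggy_rejects=%d fixed_rejects=%d\n",
               names[i], buggy_rejects(ops[i]), fixed_rejects(ops[i]));
    return 0;
}
```

With the bit test, only the delete case is ever rejected; an add (with or without the BVALUES flag) passes straight through, which is exactly what Endi observed. A replace is rejected by neither form, as intended.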

Comment 3 Noriko Hosoi 2010-10-13 00:41:40 UTC
Created attachment 453046 [details]
git patch file (master)

Description:
1. Originally, configuration attributes are designed not to allow
adding or deleting, but just replacing.  Due to the defect in
checking the add operation, add (LDAP_MOD_ADD) is not rejected.
Instead of fixing the add operation check to disallow the add,
log the operation in the error log.
2. Deleting configuration attributes is rejected with
LDAP_UNWILLING_TO_PERFORM.  We have a request that some attributes
need to be allowed to delete.  This patch introduces a config
attribute nsslapd-allowed-to-delete-attrs, which value is
configuration attributes separated by a space ' '.  If an
attribute is in the list, the attribute is allowed to delete.

Files:
 ldap/servers/slapd/configdse.c
 ldap/servers/slapd/libglobs.c
 ldap/servers/slapd/proto-slap.h
 ldap/servers/slapd/slap.h

Comment 4 Noriko Hosoi 2010-10-13 00:45:03 UTC
(In reply to comment #0)
> Certain attributes should be allowed to be deleted from cn=config.

Note: nsslapd-listenhost value is evaluated only at the server's startup time.  Even if the attribute is deleted, the server needs to be restarted to take effect.

Comment 5 Noriko Hosoi 2010-10-13 01:09:55 UTC
Comment on attachment 453046 [details]
git patch file (master)

Found a memory leak.

Comment 6 Noriko Hosoi 2010-10-13 16:35:32 UTC
Created attachment 453248 [details]
git patch file (master)

Description:
1. Originally, configuration attributes are designed not to allow
adding or deleting, but to allow just replacing.  Due to a defect
in checking the add operation, adding (LDAP_MOD_ADD) is not rejected.
Instead of fixing the add checking to disallow adding, this patch
logs the operation in the error log.
2. On the other hand, deleting configuration attributes is rejected
by LDAP_UNWILLING_TO_PERFORM.  We have a request that some attributes
need to allow to delete.  This patch introduces a config attribute
nsslapd-allowed-to-delete-attrs, which value is configuration
attributes separated by a space ' '.  If an attribute is in the list,
the attribute is allowed to delete.  The delete operation is also
logged in the error log.

Files:
 ldap/servers/slapd/configdse.c
 ldap/servers/slapd/libglobs.c
 ldap/servers/slapd/proto-slap.h
 ldap/servers/slapd/slap.h

Comment 7 Noriko Hosoi 2010-10-13 16:36:38 UTC
Steps to verify:
* nsslapd-allowed-to-delete-attrs is not defined in the config file dse.ldif, by default.
* The default value of nsslapd-allowed-to-delete-attrs is "nsslapd-listenhost".
* add nsslapd-listenhost
  ldapmodify ...
  dn: cn=config
  changetype: modify
  add: nsslapd-listenhost
  nsslapd-listenhost: <your FQDN>
* restart the server
  error log:
  slapd started.  Listening on <your IP addr> port <your port> for LDAP requests
* delete nsslapd-listenhost
  ldapmodify ...
  dn: cn=config
  changetype: modify
  delete: nsslapd-listenhost
  <== This operation should be successful.
* delete other attr, e.g., nsslapd-rewrite-rfc1274
  ldapmodify ...
  dn: cn=config
  changetype: modify
  delete: nsslapd-rewrite-rfc1274
  <== This operation should fail
  ldap_modify: DSA is unwilling to perform
  ldap_modify: additional info: Deleting attributes is not allowed
* to add nsslapd-rewrite-rfc1274 to the delete-attrs list, replace the
  value of nsslapd-allowed-to-delete-attrs as follows:
  ldapmodify ...
  dn: cn=config
  changetype: modify
  replace: nsslapd-allowed-to-delete-attrs
  nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-rewrite-rfc1274
* delete nsslapd-rewrite-rfc1274
  ldapmodify ...
  dn: cn=config
  changetype: modify
  delete: nsslapd-rewrite-rfc1274
  <== This operation should be successful.
* add nsslapd-rewrite-rfc1274 back
  ldapmodify ...
  dn: cn=config
  changetype: modify
  add: nsslapd-rewrite-rfc1274
  nsslapd-rewrite-rfc1274: off
* check the error log:
   Warning: Adding configuration attribute "nsslapd-listenhost"
   Warning: Deleting configuration attribute "nsslapd-listenhost"
   Warning: Deleting configuration attribute "nsslapd-rewrite-rfc1274"
   Warning: Adding configuration attribute "nsslapd-rewrite-rfc1274"
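The allow-list behaviour the patch descriptions (comments 3 and 6) and the verification steps above spell out, as an added C example that is not the project's configdse.c code. nsslapd-allowed-to-delete-attrs is handled as one space-separated string, as the descriptions state; the warning strings and result code are the ones shown in the steps; comparing attribute names case-insensitively is this example's own choice, and attr_allowed_to_delete, check_config_mod and last_config_log are names invented here:

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Mod-op constants from the headers quoted in comment 2; 53 is the
 * unwillingToPerform result shown in the verification steps. */
#define LDAP_MOD_ADD      0x00
#define LDAP_MOD_DELETE   0x01
#define LDAP_MOD_REPLACE  0x02
#define LDAP_MOD_BVALUES  0x80
#define LDAP_SUCCESS      0
#define LDAP_UNWILLING_TO_PERFORM 53

/* Equality-based mod-op tests (local stand-ins for the SLAPI_IS_MOD_* macros). */
#define IS_MOD_ADD(op)    (((op) & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD)
#define IS_MOD_DELETE(op) (((op) & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE)

/* Default value of nsslapd-allowed-to-delete-attrs once comment 11 is applied. */
#define DEFAULT_ALLOWED_TO_DELETE "nsslapd-listenhost nsslapd-securelistenhost"

/* The last warning line that would have gone to the error log. */
static char last_log_line[256];
const char *last_config_log(void) { return last_log_line; }

/* 1 if attr is one of the space-separated tokens in allowed.  Tokens must
 * match whole (no prefix matches); the comparison is case-insensitive
 * because LDAP attribute type names are, which is this example's choice. */
int attr_allowed_to_delete(const char *allowed, const char *attr)
{
    size_t n = strlen(attr);
    const char *p = allowed;

    if (n == 0)
        return 0;
    while (*p) {
        while (*p == ' ')
            p++;                          /* skip separators */
        const char *start = p;
        while (*p && *p != ' ')
            p++;                          /* end of this token */
        if ((size_t)(p - start) == n && strncasecmp(start, attr, n) == 0)
            return 1;
    }
    return 0;
}

/* Policy for one mod against cn=config as the patch descriptions state it:
 * replace is accepted silently, add is accepted but logged, delete is
 * accepted (and logged) only for attributes on the allow list. */
int check_config_mod(const char *allowed, int mod_op, const char *attr)
{
    last_log_line[0] = '\0';
    if (IS_MOD_DELETE(mod_op)) {
        if (!attr_allowed_to_delete(allowed, attr))
            return LDAP_UNWILLING_TO_PERFORM;  /* "Deleting attributes is not allowed" */
        snprintf(last_log_line, sizeof last_log_line,
                 "Warning: Deleting configuration attribute \"%s\"", attr);
    } else if (IS_MOD_ADD(mod_op)) {
        snprintf(last_log_line, sizeof last_log_line,
                 "Warning: Adding configuration attribute \"%s\"", attr);
    }
    return LDAP_SUCCESS;
}

/* Walk the sequence from the "Steps to verify" list above. */
int main(void)
{
    const char *allowed = DEFAULT_ALLOWED_TO_DELETE;
    struct { int op; const char *attr; } steps[] = {
        { LDAP_MOD_ADD    | LDAP_MOD_BVALUES, "nsslapd-listenhost" },
        { LDAP_MOD_DELETE | LDAP_MOD_BVALUES, "nsslapd-listenhost" },
        { LDAP_MOD_DELETE | LDAP_MOD_BVALUES, "nsslapd-rewrite-rfc1274" },
    };

    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++) {
        int rc = check_config_mod(allowed, steps[i].op, steps[i].attr);
        printf("rc=%2d %-24s %s\n", rc, steps[i].attr, last_config_log());
    }

    /* The administrator replaces the list; the same delete now succeeds. */
    allowed = "nsslapd-listenhost nsslapd-rewrite-rfc1274";
    int rc = check_config_mod(allowed, LDAP_MOD_DELETE | LDAP_MOD_BVALUES,
                              "nsslapd-rewrite-rfc1274");
    printf("rc=%2d %-24s %s\n", rc, "nsslapd-rewrite-rfc1274", last_config_log());
    return 0;
}
```

The whole-token match matters: an allow list containing nsslapd-listenhost must not also permit deleting an attribute whose name merely starts with that string, and leading, trailing or doubled spaces in the administrator-supplied value are tolerated rather than producing a token that never matches.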

Comment 8 Rich Megginson 2010-10-13 16:44:37 UTC
Comment on attachment 453248 [details]
git patch file (master)

should add nsslapd-securelistenhost to the list of attributes allowed to be deleted

Also, MOD_ADD should be able to add multi-valued attributes.  I don't know if we have any?

Comment 9 Noriko Hosoi 2010-10-13 16:54:06 UTC
(In reply to comment #8)
> Comment on attachment 453248 [details]
> git patch file (master)
> 
> should add nsslapd-securelistenhost to the list of attributes allowed to be
> deleted

A good catch!  I'm adding it to the default nsslapd-allowed-to-delete-attrs value.

> Also, MOD_ADD should be able to add multi-valued attributes.  I don't know if
> we have any?

In cn=config?  I see objectClass is, but nothing else...

Comment 10 Rich Megginson 2010-10-13 17:01:38 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > Comment on attachment 453248 [details] [details]
> > git patch file (master)
> > 
> > should add nsslapd-securelistenhost to the list of attributes allowed to be
> > deleted
> 
> A good catch!  I'm adding it to the default nsslapd-allowed-to-delete-attrs
> value.
> 
> > Also, MOD_ADD should be able to add multi-valued attributes.  I don't know if
> > we have any?
> 
> In cn=config?  I see objectClass is, but nothing else...

aci is - but I think that is not handled by the config_set() code.

just looked at the CONFIG_CHARRAY attrs in libglobs.c - the only ones listed are read-only, so we're safe there.

Comment 11 Noriko Hosoi 2010-10-13 18:31:06 UTC
Created attachment 453261 [details]
git patch file (master)


Following the suggestion by Rich, adding "nsslapd-securelistenhost" to the default nsslapd-allowed-to-delete-attrs list.

diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 6b58dde..a7cc1bc 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1013,6 +1013,8 @@ FrontendConfig_init () {
   cfg->entryusn_global = LDAP_OFF; 
   slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
                      slapi_ch_strdup("nsslapd-listenhost"));
+  slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
+                     slapi_ch_strdup("nsslapd-securelistenhost"));
 
 #ifdef MEMPOOL_EXPERIMENTAL
   cfg->mempool_switch = LDAP_ON;
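Review bot: the compiled-in default is now two copy-pasted slapi_ch_array_add(&(cfg->allowed_to_delete_attrs), slapi_ch_strdup(...)) calls in FrontendConfig_init(), and this initializer treats the field as an array of strings while the patch description (comment 6) defines the attribute value as a single space-separated string; please make the initializer and the config getter/setter agree on one representation, for instance by keeping the default as the one string "nsslapd-listenhost nsslapd-securelistenhost" and running it through the same parser an administrator-supplied value goes through. Also worth stating in the commit message that the default now covers both listen-host attributes, since nothing else in the diff documents the change.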

Comment 12 Noriko Hosoi 2010-10-13 18:47:53 UTC
Reviewed and commented by Nathan and Rich (Thanks!!)

Pushed to master.

$ git merge work
Updating c5cd4dd..e6c0ce5
Fast-forward
 ldap/servers/slapd/configdse.c  |   50 ++++++++++++++++++++++++++++++++------
 ldap/servers/slapd/libglobs.c   |   39 +++++++++++++++++++++++++++++-
 ldap/servers/slapd/proto-slap.h |    2 +
 ldap/servers/slapd/slap.h       |    2 +
 4 files changed, 84 insertions(+), 9 deletions(-)

$ git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 2.18 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   c5cd4dd..e6c0ce5  master -> master

Comment 13 Deon Ballard 2010-12-13 22:14:36 UTC
Hey. What's the format of the value for nsslapd-allowed-to-delete-attrs? It looks like it is hashed:

[root@dell-gx240-03 slapd-dell-gx240-03]# /usr/lib/mozldap/ldapmodify -D "cn=directory manager" -w secret12
dn: cn=config
changetype: modify
replace: nsslapd-allowed-to-delete-attrs
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-rewrite-rfc1274

modifying entry cn=config

[root@dell-gx240-03 slapd-dell-gx240-03]# /usr/lib/mozldap/ldapsearch -D "cn=directory manager" -w secret12 -s sub -b "cn=config" objectclass=* | grep nsslapd-allowed-to-delete-attrs
nsslapd-allowed-to-delete-attrs:: QOnAs7DxwLM=


=================

How is it possible for someone to check the list of server config attributes they're allowed to delete?

Thanks!

Comment 14 Noriko Hosoi 2010-12-13 22:57:22 UTC
Yeah, you are right, Deon.  My ldapsearch command also returns a base64 encoded attr value.  Let me investigate it.

If you grep nsslapd-allowed-to-delete-attrs in your config file, it'd return the clear text, though...
 # egrep nsslapd-allowed-to-delete-attrs /etc/dirsrv/slapd-jiji/dse.ldif
 nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-rewrite-rfc1274

Comment 15 Noriko Hosoi 2010-12-15 22:56:41 UTC
Created attachment 468988 [details]
git patch file (master)

Description:
commit e6c0ce5d97a78689722fe3c627f7a99cf81f6b77 included a
config param value type mismatch.  The value is a string,
not an array of strings.

To verify the fix, the following command line should return
the space separated config attribute list.
$ ldapsearch ... -b "cn=config" "(cn=*)" nsslapd-allowed-to-delete-attrs
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost

Comment 16 Noriko Hosoi 2010-12-16 00:06:30 UTC
Reviewed by Rich (Thanks!!)

Pushed to master.

$ git merge 602456
Updating 7aef407..ad544f2
Fast-forward
 ldap/servers/slapd/configdse.c  |   15 ++++++++++-----
 ldap/servers/slapd/libglobs.c   |   16 ++++++----------
 ldap/servers/slapd/proto-slap.h |    2 +-
 3 files changed, 17 insertions(+), 16 deletions(-)

$ git push
Counting objects: 15, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.26 KiB, done.
Total 8 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   7aef407..ad544f2  master -> master

Comment 17 Amita Sharma 2011-07-08 12:19:16 UTC
[root@rhel61 export]# ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "cn=config" "(cn=*)" | grep nsslapd-allowed-to-delete-attrs
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost


[root@rhel61 export]# ldapmodify -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-listenhost
> nsslapd-listenhost: rhel6.pnq.redhat.com
> EOF
modifying entry "cn=config"

[root@rhel61 export]# tail -f /var/log/dirsrv/slapd-rhel61/errors
[08/Jul/2011:17:42:39 +051800] slapd_listenhost2addr - PR_GetAddrInfoByName(pnq.redhat.com) failed - Netscape Portable Runtime error 0 (unknown)
[08/Jul/2011:17:43:58 +051800] - 389-Directory/1.2.8.5 B2011.187.02 starting up
[08/Jul/2011:17:43:58 +051800] - slapd started.  Listening on 10.65.201.213 port 1389 for LDAP requests
[08/Jul/2011:17:44:04 +051800] - slapd shutting down - signaling operation threads
[08/Jul/2011:17:44:04 +051800] - slapd shutting down - closing down internal subsystems and plugins
[08/Jul/2011:17:44:04 +051800] - Waiting for 4 database threads to stop
[08/Jul/2011:17:44:04 +051800] - All database threads now stopped
[08/Jul/2011:17:44:04 +051800] - slapd stopped.
[08/Jul/2011:17:44:07 +051800] - 389-Directory/1.2.8.5 B2011.187.02 starting up
[08/Jul/2011:17:44:07 +051800] - slapd started.  Listening on 10.65.201.213 port 1389 for LDAP requests

But after this, I am not able to bind to my DS:
[root@rhel61 export]# service dirsrv status
dirsrv rhel61 (pid 21730) is running...
[root@rhel61 export]# ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "cn=config" "(cn=*)" | grep nsslapd-listenhost
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Please guide here.....

Comment 18 Amita Sharma 2011-07-08 12:27:37 UTC
ok, I used IP instead of localhost in the ldap commands, then it is working fine.

[root@rhel61 export]# ldapmodify -x -h 10.65.201.213 -p 1389 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=config
> changetype: modify
> delete: nsslapd-listenhost
> EOF
modifying entry "cn=config


But is that fine/ as expected?

Comment 19 Rich Megginson 2011-07-08 13:32:40 UTC
(In reply to comment #18)
> ok, I used IP instead of localhost in the ldap commands then It is working
> fine..
> 
> [root@rhel61 export]# ldapmodify -x -h 10.65.201.213 -p 1389 -D "cn=Directory
> Manager" -w Secret123 << EOF
> > dn: cn=config
> > changetype: modify
> > delete: nsslapd-listenhost
> > EOF
> modifying entry "cn=config
> 
> 
> But is that fine/ as expected?

Yes.

Comment 20 Amita Sharma 2011-07-08 13:44:25 UTC
Based on comment#19 - marking the bug as VERIFIED.

