Bug 627906 - Console break when disabling anonymous binding
Summary: Console break when disabling anonymous binding
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: 389
Classification: Retired
Component: Directory Console
Version: 1.2.6
Hardware: All
OS: Linux
Importance: high medium
Target Milestone: ---
Assignee: mreynolds
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Duplicates: 638765 832618 832619
Depends On:
Blocks: 434915 832618 832619
 
Reported: 2010-08-27 11:00 UTC by Gerhardus Geldenhuis
Modified: 2018-11-28 21:05 UTC (History)
CC List: 12 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 832618 832619
Environment:
Last Closed: 2012-07-16 10:45:01 UTC
Embargoed:


Attachments
Screenshot-Untitled Window.png (42.17 KB, image/png), 2012-07-11 14:50 UTC, Amita Sharma


Links
Red Hat Product Errata RHBA-2012:1079 (Status: SHIPPED_LIVE, Priority: normal): redhat-ds-admin bug fix update, last updated 2012-07-16 14:43:28 UTC

Description Gerhardus Geldenhuis 2010-08-27 11:00:57 UTC
Description of problem:
When anonymous binding is disabled:
nsslapd-allow-anonymous-access: off

You are not able to log in to the console when running 389-console as cn=Directory Manager.

The logs show that two anonymous bind attempts are done during the login process.

Version-Release number of selected component (if applicable):
1.2.6rc7

Steps to Reproduce:
Disable anonymous access
Restart both admin and dirsrv
Try to login to console as cn=Directory Manager


Actual results:
Error Message

Expected results:
Ability to log in

Additional info:
Original mailing list thread:
http://lists.fedoraproject.org/pipermail/389-users/2010-August/011918.html

Comment 2 Rich Megginson 2010-09-29 19:51:54 UTC
The workaround is to use the full DN of the admin user instead of just the uid e.g. instead of "admin" use "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"

Comment 3 Gerhardus Geldenhuis 2010-10-02 13:45:32 UTC
I am confused here. The workaround states uid=admin... did you mean uid=Directory Manager? The bug was related to logging in as Directory Manager with the privileges that come with that user. To be fair I don't know if you are afforded fewer privileges as the admin user, so if you are not then the workaround is clear to me.

Comment 4 Rich Megginson 2010-10-04 15:50:18 UTC
(In reply to comment #3)
> I am confused here. The workaround states uid=admin... did you mean
> uid=Directory Manager? The bug was related to login it as Directory Manager
> with the privileges that comes with that user. To be fair I don't know if you
> are afforded less privileges as admin user so if you are not then the work
> around is clear to me.

Actually, I misspoke - there is no workaround.

Comment 6 Marc Sauton 2010-12-22 01:14:28 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=661116
is likely the same as this report

similar finding in 389-users:
Date: Tue, 21 Dec 2010 16:50:31 -0500
Subject: [389-users] issues with 1.2.7.5

Comment 7 Scott Haines 2011-02-01 18:08:39 UTC
*** Bug 638765 has been marked as a duplicate of this bug. ***

Comment 8 Nathan Kinder 2011-02-04 22:06:00 UTC
This is working fine with recent builds.  I am running tests with the following packages:

389-adminutil-devel-1.1.13-1.fc14.x86_64
389-admin-1.1.14-1.fc14.x86_64
389-console-1.1.4-1.fc14.noarch
389-ds-console-1.2.3-1.fc14.noarch
389-admin-console-1.1.5-1.fc14.noarch
389-ds-base-1.2.8-0.1.a1.fc14.x86_64
389-adminutil-1.1.13-1.fc14.x86_64

I am able to disable anonymous access and log in using the console as "cn=directory manager", "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot", and as a newly created user beneath "ou=TopologyManagement,o=NetscapeRoot".

The directory server access log shows that the console falls back to using the DN after the anonymous bind fails:

[04/Feb/2011:13:56:57 -0800] conn=15 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[04/Feb/2011:13:56:57 -0800] conn=15 op=0 BIND dn="" method=128 version=3
[04/Feb/2011:13:56:57 -0800] conn=15 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[04/Feb/2011:13:56:57 -0800] conn=15 op=1 BIND dn="uid=nkinder,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[04/Feb/2011:13:56:57 -0800] conn=15 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nkinder,ou=administrators,ou=topologymanagement,o=netscaperoot

I believe this was likely fixed when Console was modified to work with the DN validation code.  I'm going to mark this as MODIFIED.

Comment 9 Amita Sharma 2011-05-24 07:41:55 UTC
Disable anonymous access
nsslapd-allow-anonymous-access: off in dse.ldif

Restart both admin and dirsrv
/etc/init.d/dirsrv-admin restart
service dirsrv restart

Try to login to console as cn=Directory Manager


check the access logs

[24/May/2011:13:09:46 +051800] conn=10 fd=64 slot=64 SSL connection from 10.65.201.218 to 10.65.201.218
[24/May/2011:13:09:46 +051800] conn=10 SSL 128-bit RC4
[24/May/2011:13:09:46 +051800] conn=10 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/May/2011:13:09:46 +051800] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[24/May/2011:13:09:46 +051800] conn=10 op=1 SRCH base="ou=Accounting,dc=example,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
[24/May/2011:13:09:46 +051800] conn=10 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/May/2011:13:09:46 +051800] conn=10 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
[24/May/2011:13:09:46 +051800] conn=10 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[24/May/2011:13:09:46 +051800] conn=8 op=38 SRCH base="cn=ldbm database,cn=plugins,cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"

Comment 10 Anthony Messina 2011-08-14 19:13:14 UTC
Unfortunately, I have this issue using:

nsslapd-allow-anonymous-access: rootdse

with the following packages installed:

389-admin-1.1.23-1.fc15.i686
389-admin-console-1.1.8-1.fc15.noarch
389-admin-console-doc-1.1.8-1.fc15.noarch
389-adminutil-1.1.14-1.fc15.i686
389-console-1.1.7-1.fc15.noarch
389-ds-base-1.2.9.6-1.fc15.i686
389-ds-base-libs-1.2.9.6-1.fc15.i686
389-ds-console-1.2.6-1.fc15.noarch
389-ds-console-doc-1.2.6-1.fc15.noarch

admin-serv errors:
[Sun Aug 14 13:57:16 2011] [notice] caught SIGTERM, shutting down
[Sun Aug 14 13:57:18 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Sun Aug 14 13:57:19 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-elburn,cn=389 Administration Server,cn=Server Group,cn=elburn.messinet.com,ou=messinet.com,o=NetscapeRoot] for LDAPConnection [elburn.messinet.com:636]
[Sun Aug 14 13:57:19 2011] [notice] Access Host filter is: *.messinet.com
[Sun Aug 14 13:57:19 2011] [notice] Access Address filter is: *
[Sun Aug 14 13:57:20 2011] [notice] Apache/2.2.17 (Unix) mod_nss/2.2.17 NSS/3.12.9.0 configured -- resuming normal operations
[Sun Aug 14 13:57:20 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-elburn,cn=389 Administration Server,cn=Server Group,cn=elburn.messinet.com,ou=messinet.com,o=NetscapeRoot] for LDAPConnection [elburn.messinet.com:636]
[Sun Aug 14 13:57:20 2011] [notice] Access Host filter is: *.messinet.com
[Sun Aug 14 13:57:20 2011] [notice] Access Address filter is: *

Comment 15 Jenny Severance 2012-07-10 14:28:20 UTC
This was fixed in DS 9.0 but not in DS 8.2 yet.  Not sure why the bug was set to VERIFIED.

Comment 16 Amita Sharma 2012-07-11 14:46:47 UTC
Disable anonymous access
nsslapd-allow-anonymous-access: off in dse.ldif

Restart both admin and dirsrv
/etc/init.d/dirsrv-admin restart
service dirsrv restart

Try to login to console as cn=Directory Manager and "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"

It was successful.

But if I just give admin as login user, it fails, PFA for screenshot.
Also logs:


[root@ipaqavmh ~]# tail -f /var/log/dirsrv/admin-serv/access 
127.0.0.1 - admin [11/Jul/2012:06:45:40 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 417
10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/jars/redhat-ds-8.2.jar HTTP/1.0" 404 312
10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/redhat-ds-8.2.jar HTTP/1.0" 200 1465828
10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/redhat-ds-8.2_en.jar HTTP/1.0" 200 55190
127.0.0.1 - cn=Directory Manager [11/Jul/2012:10:16:57 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 373
127.0.0.1 - admin [11/Jul/2012:10:17:37 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359
127.0.0.1 - admin [11/Jul/2012:10:18:03 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359
127.0.0.1 - uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot [11/Jul/2012:10:22:20 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 417
127.0.0.1 - admin [11/Jul/2012:10:22:50 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359

tail -f /var/log/dirsrv/slapd-ipaqavmh/access
[11/Jul/2012:10:33:37 -0400] conn=3 op=0 BIND dn="cn=admin-serv-ipaqavmh,cn=Red Hat Administration Server,cn=Server Group,cn=ipaqavmh.idm.lab.bos.redhat.com,ou=idm.lab.bos.redhat.com,o=NetscapeRoot" method=128 version=3
[11/Jul/2012:10:33:37 -0400] conn=3 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[11/Jul/2012:10:33:37 -0400] conn=3 op=1 UNBIND
[11/Jul/2012:10:33:37 -0400] conn=3 op=1 fd=64 closed - U1
[11/Jul/2012:10:33:37 -0400] conn=4 fd=65 slot=65 connection from 10.16.98.193 to 10.16.98.193
[11/Jul/2012:10:33:37 -0400] conn=4 op=0 BIND dn="(null)" method=128 version=3
[11/Jul/2012:10:33:37 -0400] conn=4 op=0 RESULT err=32 tag=97 nentries=0 etime=0

ALSO -- There is BIND dn="(null)" <--- null here.

Comment 17 Amita Sharma 2012-07-11 14:50:29 UTC
Created attachment 597598 [details]
Screenshot-Untitled Window.png

Comment 18 Amita Sharma 2012-07-11 14:51:40 UTC
[root@ipaqavmh ~]# rpm -qa | grep redhat-ds
redhat-ds-base-8.2.9-2.el5dsrv
redhat-ds-base-devel-8.2.9-2.el5dsrv
redhat-ds-console-8.2.0-4.el5dsrv
redhat-ds-admin-8.2.2-1.el5dsrv
redhat-ds-base-debuginfo-8.2.9-2.el5dsrv
redhat-ds-8.2.0-2.el5dsrv
redhat-ds-admin-debuginfo-8.2.2-1.el5dsrv

Comment 19 Rich Megginson 2012-07-11 14:52:51 UTC
(In reply to comment #16)
> Disable anonymous access
> nsslapd-allow-anonymous-access: off in dse.ldif
> 
> Restart both admin and dirsrv
> /etc/init.d/dirsrv-admin restart
> service dirsrv restart
> 
> Try to login to console as cn=Directory Manager and
> "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
> 
> It was successful.
> 
> But if I just give admin as login user, it fails, PFA for screen shot
> Also logs ::
> 
> 
> [root@ipaqavmh ~]# tail -f /var/log/dirsrv/admin-serv/access 
> 127.0.0.1 - admin [11/Jul/2012:06:45:40 -0400] "GET /admin-serv/authenticate
> HTTP/1.0" 200 417
> 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET
> /java/jars/redhat-ds-8.2.jar HTTP/1.0" 404 312
> 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/redhat-ds-8.2.jar
> HTTP/1.0" 200 1465828
> 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET
> /java/redhat-ds-8.2_en.jar HTTP/1.0" 200 55190
> 127.0.0.1 - cn=Directory Manager [11/Jul/2012:10:16:57 -0400] "GET
> /admin-serv/authenticate HTTP/1.0" 200 373
> 127.0.0.1 - admin [11/Jul/2012:10:17:37 -0400] "GET /admin-serv/authenticate
> HTTP/1.0" 200 359
> 127.0.0.1 - admin [11/Jul/2012:10:18:03 -0400] "GET /admin-serv/authenticate
> HTTP/1.0" 200 359
> 127.0.0.1 - uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> [11/Jul/2012:10:22:20 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 417
> 127.0.0.1 - admin [11/Jul/2012:10:22:50 -0400] "GET /admin-serv/authenticate
> HTTP/1.0" 200 359
> 
> tail -f /var/log/dirsrv/slapd-ipaqavmh/access
> [11/Jul/2012:10:33:37 -0400] conn=3 op=0 BIND
> dn="cn=admin-serv-ipaqavmh,cn=Red Hat Administration Server,cn=Server
> Group,cn=ipaqavmh.idm.lab.bos.redhat.com,ou=idm.lab.bos.redhat.com,
> o=NetscapeRoot" method=128 version=3
> [11/Jul/2012:10:33:37 -0400] conn=3 op=0 RESULT err=48 tag=97 nentries=0
> etime=0
> [11/Jul/2012:10:33:37 -0400] conn=3 op=1 UNBIND
> [11/Jul/2012:10:33:37 -0400] conn=3 op=1 fd=64 closed - U1
> [11/Jul/2012:10:33:37 -0400] conn=4 fd=65 slot=65 connection from
> 10.16.98.193 to 10.16.98.193
> [11/Jul/2012:10:33:37 -0400] conn=4 op=0 BIND dn="(null)" method=128
> version=3
> [11/Jul/2012:10:33:37 -0400] conn=4 op=0 RESULT err=32 tag=97 nentries=0
> etime=0
> 
> ALSO -- There is BIND dn="(null)" <--- null here.

I think this is correct - if anonymous access is turned off, you have to login with a full DN - Mark?

Comment 20 mreynolds 2012-07-11 15:21:24 UTC
(In reply to comment #19)
> (In reply to comment #16)
> > Disable anonymous access
> > nsslapd-allow-anonymous-access: off in dse.ldif
> > 
> > Restart both admin and dirsrv
> > /etc/init.d/dirsrv-admin restart
> > service dirsrv restart
> > 
> > Try to login to console as cn=Directory Manager and
> > "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
> > 
> > It was successful.
> > 
> > But if I just give admin as login user, it fails, PFA for screen shot
> > Also logs ::
> > 
> > 
> > [root@ipaqavmh ~]# tail -f /var/log/dirsrv/admin-serv/access 
> > 127.0.0.1 - admin [11/Jul/2012:06:45:40 -0400] "GET /admin-serv/authenticate
> > HTTP/1.0" 200 417
> > 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET
> > /java/jars/redhat-ds-8.2.jar HTTP/1.0" 404 312
> > 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/redhat-ds-8.2.jar
> > HTTP/1.0" 200 1465828
> > 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET
> > /java/redhat-ds-8.2_en.jar HTTP/1.0" 200 55190
> > 127.0.0.1 - cn=Directory Manager [11/Jul/2012:10:16:57 -0400] "GET
> > /admin-serv/authenticate HTTP/1.0" 200 373
> > 127.0.0.1 - admin [11/Jul/2012:10:17:37 -0400] "GET /admin-serv/authenticate
> > HTTP/1.0" 200 359
> > 127.0.0.1 - admin [11/Jul/2012:10:18:03 -0400] "GET /admin-serv/authenticate
> > HTTP/1.0" 200 359
> > 127.0.0.1 - uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > [11/Jul/2012:10:22:20 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 417
> > 127.0.0.1 - admin [11/Jul/2012:10:22:50 -0400] "GET /admin-serv/authenticate
> > HTTP/1.0" 200 359
> > 
> > tail -f /var/log/dirsrv/slapd-ipaqavmh/access
> > [11/Jul/2012:10:33:37 -0400] conn=3 op=0 BIND
> > dn="cn=admin-serv-ipaqavmh,cn=Red Hat Administration Server,cn=Server
> > Group,cn=ipaqavmh.idm.lab.bos.redhat.com,ou=idm.lab.bos.redhat.com,
> > o=NetscapeRoot" method=128 version=3
> > [11/Jul/2012:10:33:37 -0400] conn=3 op=0 RESULT err=48 tag=97 nentries=0
> > etime=0
> > [11/Jul/2012:10:33:37 -0400] conn=3 op=1 UNBIND
> > [11/Jul/2012:10:33:37 -0400] conn=3 op=1 fd=64 closed - U1
> > [11/Jul/2012:10:33:37 -0400] conn=4 fd=65 slot=65 connection from
> > 10.16.98.193 to 10.16.98.193
> > [11/Jul/2012:10:33:37 -0400] conn=4 op=0 BIND dn="(null)" method=128
> > version=3
> > [11/Jul/2012:10:33:37 -0400] conn=4 op=0 RESULT err=32 tag=97 nentries=0
> > etime=0
> > 
> > ALSO -- There is BIND dn="(null)" <--- null here.
> 
> I think this is correct - if anonymous access is turned off, you have to
> login with a full DN - Mark?

Correct, the admin server will need to search DS for the "id".  It does this using an anonymous bind to search the db.
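An added example, not code from this bug report or from the 389 project: a small Python parser that pairs each BIND with its RESULT in a 389 Directory Server access log and classifies every connection by the behaviour described in comments 8 and 20, an anonymous bind (dn="" or dn="(null)") refused under nsslapd-allow-anonymous-access: off, with or without the console's fallback to a full-DN bind. The sample lines are copied from comments 8 and 16; the verdict names are my own.

```python
import re
from collections import defaultdict

# Sample lines copied from comments 8 and 16 of this bug: conn=15 is the refused
# anonymous bind (err=48) followed by the console's full-DN bind; conn=4 is the
# admin server's dn="(null)" bind answered with err=32 and no fallback.
SAMPLE_LOG = """\
[04/Feb/2011:13:56:57 -0800] conn=15 op=0 BIND dn="" method=128 version=3
[04/Feb/2011:13:56:57 -0800] conn=15 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[04/Feb/2011:13:56:57 -0800] conn=15 op=1 BIND dn="uid=nkinder,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[04/Feb/2011:13:56:57 -0800] conn=15 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[11/Jul/2012:10:33:37 -0400] conn=4 op=0 BIND dn="(null)" method=128 version=3
[11/Jul/2012:10:33:37 -0400] conn=4 op=0 RESULT err=32 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def is_anonymous(dn):
    # 389 logs an anonymous bind as dn=""; comment 16 shows dn="(null)" too.
    return dn in ("", "(null)")

def parse_binds(log_text):
    """Pair each BIND with the RESULT on the same conn/op: {conn: [(op, dn, err)]}."""
    pending = {}
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            conns[m.group(1)].append((int(m.group(2)), dn, int(m.group(3))))
    return dict(conns)

def classify(conns):
    """'fallback': refused anonymous bind then a successful DN bind (comment 8);
    'anon-refused': anonymous bind failed and nothing else succeeded; else 'ok'."""
    verdicts = {}
    for conn, binds in conns.items():
        anon_failed = any(is_anonymous(dn) and err != 0 for _, dn, err in binds)
        dn_ok = any(not is_anonymous(dn) and err == 0 for _, dn, err in binds)
        if anon_failed and dn_ok:
            verdicts[conn] = "fallback"
        elif anon_failed:
            verdicts[conn] = "anon-refused"
        else:
            verdicts[conn] = "ok"
    return verdicts
```

err=48 is LDAP inappropriateAuthentication and err=32 is noSuchObject; an "anon-refused" connection is what the console showed before the fallback existed, and what a short login id such as "admin" still produces because the admin server resolves it through an anonymous search.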

Comment 21 Amita Sharma 2012-07-12 09:23:37 UTC
OK, we can mark the bug as VERIFIED.

Comment 23 errata-xmlrpc 2012-07-16 10:45:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1079.html

Comment 24 Arpit Tolani 2012-07-31 18:24:21 UTC
*** Bug 832618 has been marked as a duplicate of this bug. ***

Comment 25 Rich Megginson 2012-08-01 14:26:58 UTC
*** Bug 832619 has been marked as a duplicate of this bug. ***
