Hide Forgot
Upstream ticket: https://fedorahosted.org/389/ticket/196
This fix has been checked into the main trunk. To verify fix: Replication: manually create an agreement and set the nsDS5ReplicaHost with the IPv6 address, and make sure you can replicate entries Chaining: use an IPv6 address for nsfarmserverurl. Note: For LDAP urls, the IPv6 Address must be in brackets: ldap://[fe80::250:45ff:fe02:7fe8]:389 Access Control: Example of aci that uses IPv6: aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")(version 3.0;acl "Anonymous IPv6 read-search access"; allow (read, search, compare)(userdn = "ldap:///anyone") and (ip="2000:db8:0:f101::12");)
This fix will be rhel 6.4(DS 9), and in 389-ds-base-1.3.0.a1.
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata). When the errata is created, the bugs should be automatically moved back to ON_QA.
Successfully Added ACI using IPv6 address:: [root@dhcp201-149 ~]# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF > dn: dc=example,dc=com > changetype: modify > replace: aci > aci: (target ="ldap:///dc=example,dc=com")(targetattr !="userPassword")(version 3.0;acl "Anonymous IPv6 read-search access";allow (read, search, compare)(userdn = "ldap:///anyone") and (ip="2000:db8:0:f101::12");) > EOF modifying entry "dc=example,dc=com"
Successfully tested replication: [root@localhost admin-serv]# ldapsearch -D "cn=directory manager" -w Secret123 -b "cn=test,cn=replica,cn=ou\3Dtest\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" -LLL dn: cn=test,cn=replica,cn=ou\3Dtest\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree, cn=config objectClass: top objectClass: nsDS5ReplicationAgreement description: test cn: test nsDS5ReplicaRoot: ou=test,dc=example,dc=com nsDS5ReplicaHost: [::1] nsDS5ReplicaPort: 1389 nsDS5ReplicaBindDN: uid=replmgr,dc=example,dc=com nsDS5ReplicaTransportInfo: LDAP nsDS5ReplicaBindMethod: SIMPLE nsDS5ReplicaCredentials: {DES}3iMsHyML5/QgiI3nMoqaYw== nsds5replicareapactive: 0 nsds5replicaLastUpdateStart: 20131112120823Z nsds5replicaLastUpdateEnd: 20131112120826Z nsds5replicaChangesSentSinceStartup:: MToxLzAg nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd ate succeeded nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 20131112120728Z nsds5replicaLastInitEnd: 20131112120730Z nsds5replicaLastInitStatus: 0 Total update succeeded Feature is implemented in latest RHEL7 389, testing is yet to be done - bugs in this feature will be filed separately.
Configured replication with IPv6 address and encountering "function not implemented" errors. ==> /var/log/dirsrv/slapd-M2/errors <== [12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5992 (function not implemented.), network error 115 (Operation now in progress, host "[2620") ==> /var/log/dirsrv/slapd-M1/errors <== [12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5992 (function not implemented.), network error 115 (Operation now in progress, host "[2620")
(In reply to Sankar Ramalingam from comment #13) > Configured replication with IPv6 address and encountering "function not > implemented" errors. > > ==> /var/log/dirsrv/slapd-M2/errors <== > [12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind > request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]: > error -1 (Can't contact LDAP server), system error -5992 (function not > implemented.), network error 115 (Operation now in progress, host "[2620") > > ==> /var/log/dirsrv/slapd-M1/errors <== > [12/Nov/2013:08:52:00 -0500] slapi_ldap_bind - Error: could not send bind > request for id [cn=SyncManager,cn=config] authentication mechanism [SIMPLE]: > error -1 (Can't contact LDAP server), system error -5992 (function not > implemented.), network error 115 (Operation now in progress, host "[2620") Looks like the replication fails for SSL configured instances, not for non-ssl. [root@ibm-x3650m4-01-vm-14 MMR_WINSYNC]# /usr/bin/ldapsearch -x -h 2620:52:0:102f:5054:1ff:fe3c:e136 -p 1289 -D "cn=Directory Manager" -w Secret123 -b "cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" nsds5replicaLastUpdateStatus nsDS5ReplicaTransportInfo # extended LDIF # # LDAPv3 # base <cn=replica,cn="dc=passsync,dc=com",cn=mapping tree,cn=config> with scope subtree # filter: (objectclass=*) # requesting: nsds5replicaLastUpdateStatus nsDS5ReplicaTransportInfo # # replica, dc\3Dpasssync\2Cdc\3Dcom, mapping tree, config dn: cn=replica,cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config # 1289_to_1389_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com, replica, dc\3D passsync\2Cdc\3Dcom, mapping tree, config dn: cn=1289_to_1389_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com,cn=replica, cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s tartup nsDS5ReplicaTransportInfo: LDAP # 1289_to_1489_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com, replica, dc\3D passsync\2Cdc\3Dcom, mapping tree, config dn: cn=1289_to_1489_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com,cn=replica, cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s tartup nsDS5ReplicaTransportInfo: LDAP # 1289_to_1616_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com, replica, dc\3D passsync\2Cdc\3Dcom, mapping tree, config dn: cn=1289_to_1616_on_ibm-x3650m4-01-vm-14.lab.eng.bos.redhat.com,cn=replica, cn=dc\3Dpasssync\2Cdc\3Dcom,cn=mapping tree,cn=config nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't co ntact LDAP server nsDS5ReplicaTransportInfo: SSL
SSL requires a hostname, not an IPv4/IPv6 address. This is for the hostname checking for the cn in the server cert subject DN. What you have to do, in this case, is ensure that the hostname resolves to an IPv6 address.
Since the feature is implemented and the hostname issue is addressed by comment #15, marking as VERIFIED. Testplan for this feature is pending and new bugs will be filed separately.
FWIW, ACIs with ip addresses on multihomed servers are still broken in 1.3.1.6-10
(In reply to Zailo Leite from comment #17) > FWIW, ACIs with ip addresses on multihomed servers are still broken in > 1.3.1.6-10 Hi Zailo, Could you please open a ticket (if not yet) at https://fedorahosted.org/389/newticket with the sample ACIs and the broken results? Thanks! --noriko
Looks OK in 1.3.2.9-1 . Thanks! Z
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.