819111 – non-existent container ou=cmsusers breaks replication

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 819111 - non-existent container ou=cmsusers breaks replication

Summary: non-existent container ou=cmsusers breaks replication

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	6.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Ade Lee
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-05-04 21:15 UTC by Ade Lee
Modified:	2012-05-14 18:34 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	The following text was added to the problem description area of RHBA-2012:12464-01: * The CS replication code was recently changed so that the replication user was created in the container ou=csusers, cn=config., rather than directly under cn=config. This container may not exist in older updated servers, and for those servers, the replication user would not be created, and replication would not succeed. The replication setup code has been modified to create the ou=csusers container if it does not exist. (BZ#819111)
Clone Of:
Environment:
Last Closed:	2012-05-14 18:34:03 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Ade Lee 2012-05-04 21:15:36 UTC

Description of problem:

Changes recently checked in https://www.redhat.com/archives/pki-devel/2012-March/msg00029.html  moved the replication user under the ou=cmusers,cn=config instead of just cn=config.  This works just fine when doing replication between two NEW servers.  On old updated servers though, this container does not exist - and so the attempt to create a replication user under that container fails.  As a result, setting up replication agreements with old updated servers fails.

There is a workaround, which is to manually create the container first.  But this is better fixed in code, by adding coding to create the ou if it does not exist when setting up the replication agreement.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Ade Lee 2012-05-04 21:18:51 UTC

Note: the effect of this bug is to break replication in IPA as described above.

Comment 3 Ade Lee 2012-05-08 18:03:58 UTC

Patch checked into dogtag 9, 10 and rhel 6.3

rhel 6.3 checkin:

commit e11f90c85738eebc1af16fc9180109df4cab9538
Author: Ade Lee <alee>
Date:   Tue May 8 13:38:44 2012 -0400

    Resolves #819111 - non-existent container ou=csusers breaks replication

Patch as below:

diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java b/base/common/src/com/
index bdd0b0d..8a26ce4 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
@@ -1210,7 +1210,27 @@ public class DatabasePanel extends WizardPanelBase {
       throws LDAPException {
         LDAPAttributeSet attrs = null;
         LDAPEntry entry = null;
-        String dn = "cn=" + bindUser + ",cn=config";
+
+        // for older subsystems, the container ou=csusers, cn=config may not yet exist
+        String dn = "ou=csusers, cn=config";
+        try {
+            attrs = new LDAPAttributeSet();
+            attrs.add(new LDAPAttribute("objectclass", "top"));
+            attrs.add(new LDAPAttribute("objectclass", "organizationalUnit"));
+            attrs.add(new LDAPAttribute("ou", "csusers"));
+            entry = new LDAPEntry(dn, attrs);
+            conn.add(entry);
+        } catch (LDAPException e) {
+            if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) {
+                CMS.debug("createReplicationManager: containing ou already exists");
+            } else {
+                CMS.debug("createReplicationManager: Failed to create containing ou. Exception: "
+                        + e.toString());
+                throw e;
+            }
+        }
+
+        dn = "cn=" + bindUser + ",ou=csusers,cn=config";
         try {
             attrs = new LDAPAttributeSet();
             attrs.add(new LDAPAttribute("objectclass", "top"));

Comment 5 Matthew Harmsen 2012-05-08 19:01:21 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The following text was added to the problem description area of RHBA-2012:12464-01:

* The CS replication code was recently changed so that the replication user was created in the container ou=csusers, cn=config., rather than directly under cn=config. This container may not exist in older updated servers, and for those servers, the replication user would not be created, and replication would not succeed. The replication setup code has been modified to create the ou=csusers container if it does not exist. (BZ#819111)

Comment 6 Scott Poore 2012-05-09 23:24:56 UTC

Just to confirm this wasn't fixed until 5/8/2012 in pki-core-9.0.3-25.el6?

This only affects RHEL IPA servers upgraded from 6.2 and earlier right?

How can I see the replication user?  

I tried this on a couple of new IPA RHEL 6.3 servers and can't find it:

ldapsearch -LLL -x -D "cn=Directory Manager" -w "$ROOTDNPWD" -b "ou=csusers, cn=config"

I also tried grepping ldapsearch of all of cn=config but, didn't find anything.

Comment 7 Ade Lee 2012-05-14 18:34:03 UTC

This fix is not needed because the ou=csusers change was not ported to the rhel branch.  It only exists in dogtag 9.

We will be reverting to the previous build in dogtag 9 -- pki-core-9.0.3-24

Note You need to log in before you can comment on or make changes to this bug.