Bug 894015 - Adding rootdn-open-time without rootdn-close-time to RootDN Access Control results in inconsistent configuration
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: 7.0
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-01-10 14:22 UTC by Ján Rusnačko
Modified: 2020-09-13 20:22 UTC (History)

Fixed In Version: 389-ds-base-1.3.1.2-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: There were no checks to validate configuration changes to the Root DN Access Control Plugin. Consequence: When restarting the server after making invalid configuration changes, the server would fail to start. Fix: Validate config changes when they happen, and not at server startup. Result: An error is returned when making invalid configuration changes.
Clone Of:
Environment:
Last Closed: 2014-06-13 13:28:51 UTC
Target Upstream Version:
Embargoed:


Links:
Github 389ds 389-ds-base issues 552 (last updated 2020-09-13 20:22:13 UTC)

Description Ján Rusnačko 2013-01-10 14:22:58 UTC
Description of problem:
The RootDN Access Control plugin allows configuring additional restrictions for the root account. The attributes rootdn-open-time and rootdn-close-time specify the time of day when the rootDN can bind. Specifying one without the other is meaningless. Despite this, DS allows specifying just one of these.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-9.el6.x86_64

Steps to Reproduce:
[jrusnack@rhel-63-ds dstet]$ ldapsearch -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
version: 1

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Root DN Access Control
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Root DN Access Control plugin

[jrusnack@rhel-63-ds dstet]$ ldapmodify -h localhost -p 22222 -D "cn=Directory manager" -w Secret123 -v <<EOF
dn: cn=RootDN Access Control,cn=plugins,cn=config
changetype: modify
add: rootdn-open-time
rootdn-open-time: 0800
EOF
ldap_initialize( ldap://localhost:22222 )
add rootdn-open-time:
	0800
modifying entry "cn=RootDN Access Control,cn=plugins,cn=config"
modify complete

[jrusnack@rhel-63-ds dstet]$ /usr/lib64/dirsrv/slapd-dstet/restart-slapd
[10/Jan/2013:09:10:06 -0500] rootdn-access-control-plugin - rootdn_load_config: there must be a open and a close time
[10/Jan/2013:09:10:06 -0500] rootdn-access-control-plugin - rootdn_start: unable to load plug-in configuration
[10/Jan/2013:09:10:06 -0500] - Init function "rootdn_init" for "RootDN Access Control" plugin in library "librootdn-access-plugin.so" failed
[10/Jan/2013:09:10:06 -0500] - Unable to load plugin "cn=RootDN Access Control,cn=plugins,cn=config"

Expected results:
DS should refuse operation that results in inconsistent configuration.
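
An added pre-flight check, not 389-ds-base code, that applies an LDIF modify to a copy of the plugin entry and rejects it when the result would have rootdn-open-time without rootdn-close-time (or the reverse), which is the inconsistency reported above. The HHMM time format and the trimmed sample entry are assumptions taken from the values shown in this report.

```python
# Added example, not 389-ds-base code: apply an LDIF modify to a copy of the
# RootDN Access Control entry and report the problems the result would have,
# so an inconsistent open/close time pair is caught before it reaches the
# server. HHMM time format is an assumption taken from the report's values.
import re

TIME_RE = re.compile(r"^([01]\d|2[0-3])[0-5]\d$")  # HHMM, 0000 to 2359

def parse_ldif(text):
    """Parse one simple LDIF entry into {attr_lower: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def apply_mods(entry, mods):
    """Apply (op, attr, values) triples to a copy, as ldapmodify would."""
    new = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        attr = attr.lower()
        if op == "add":
            new.setdefault(attr, []).extend(values)
        elif op == "replace":
            new[attr] = list(values)
        elif op == "delete":
            new.pop(attr, None)
    return new

def validate(entry):
    """Return config problems for the entry; an empty list means consistent."""
    problems = []
    # Both time attributes must be present together or absent together.
    if ("rootdn-open-time" in entry) != ("rootdn-close-time" in entry):
        problems.append("there must be both an open and a close time")
    for attr in ("rootdn-open-time", "rootdn-close-time"):
        for v in entry.get(attr, []):
            if not TIME_RE.match(v):
                problems.append(f"{attr}: {v!r} is not HHMM")
    return problems

def check_modify(entry_ldif, mods):
    """Problems the entry would have after the modify; [] means accept it."""
    return validate(apply_mods(parse_ldif(entry_ldif), mods))

# Constructed sample: the plugin entry from the report, trimmed to what the check reads.
PLUGIN_ENTRY = """dn: cn=RootDN Access Control,cn=plugins,cn=config
cn: RootDN Access Control
nsslapd-pluginEnabled: on
rootdn-days-allowed: Sat, Wed, Mon, Thu"""
```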

Comment 2 mreynolds 2013-01-10 15:00:49 UTC
Created ticket:

https://fedorahosted.org/389/ticket/552

Comment 3 mreynolds 2013-01-10 20:22:38 UTC
There is no easy way to reject a modify operation that will result in a misconfiguration.  

At startup we just log a new error message, ignore the time based settings, and allow the server to startup.

Also, for this type of plugin (internalpreoperation), any modification to the plugin does require a server restart for that change to take effect.

Fix is out for review.

Comment 4 Nathan Kinder 2013-01-10 20:35:41 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/552

Comment 5 mreynolds 2013-01-10 21:00:32 UTC
Fix has been pushed to 1.3.1

commit hash: 00349f6e05fdc66fe24e8034ce072234aa0cacfa

Comment 7 Rich Megginson 2013-10-01 23:24:44 UTC
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata).  When the errata is created, the bugs should be automatically moved back to ON_QA.

Comment 9 Amita Sharma 2013-11-07 10:18:20 UTC
[root@dhcp201-149 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -v <<EOF
> dn: cn=RootDN Access Control,cn=plugins,cn=config
> changetype: modify
> add: rootdn-close-time
> rootdn-close-time: 0800
> EOF
ldap_initialize( ldap://localhost:389 )
ldap_bind: Server is unwilling to perform (53)
	additional info: RootDN access control violation

[root@dhcp201-149 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -v <<EOF
> dn: cn=RootDN Access Control,cn=plugins,cn=config
> changetype: modify
> replace: rootdn-open-time
> rootdn-open-time: 0800
> EOF
ldap_initialize( ldap://localhost:389 )
replace rootdn-open-time:
	0800
modifying entry "cn=RootDN Access Control,cn=plugins,cn=config"
modify complete

[root@dhcp201-149 yum.repos.d]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
version: 1

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: RootDN Access Control
nsslapd-pluginVersion: 1.3.1.6
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: RootDN Access Control plugin
rootdn-days-allowed: Sat, Wed, Mon, Thu
rootdn-open-time: 0800

[root@dhcp201-149 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -v <<EOF
> dn: cn=RootDN Access Control,cn=plugins,cn=config
> changetype: modify
> add: rootdn-close-time
> rootdn-close-time: 0800
> EOF
ldap_initialize( ldap://localhost:389 )
add rootdn-close-time:
	0800
modifying entry "cn=RootDN Access Control,cn=plugins,cn=config"
modify complete
=================================================================================
But if I do it manually in the dse.ldif file then there is no error:
[root@dhcp201-149 yum.repos.d]# /usr/lib64/dirsrv/slapd-dhcp201-149/stop-slapd 
[root@dhcp201-149 yum.repos.d]# vim /etc/dirsrv/slapd-dhcp201-149/dse.ldif
[root@dhcp201-149 yum.repos.d]# /usr/lib64/dirsrv/slapd-dhcp201-149/start-slapd 
[root@dhcp201-149 yum.repos.d]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
version: 1

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: RootDN Access Control
nsslapd-pluginVersion: 1.3.1.6
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: RootDN Access Control plugin
rootdn-days-allowed: Sat, Wed, Mon, Thu
rootdn-close-time: 0800

====================================================================
Sometimes it gives an error in the error log, as:
[07/Nov/2013:15:21:20 +051800] rootdn-access-control-plugin - rootdn_load_config: there must be a open and a close time.  Ignoring time based settings.

This behavior is inconsistent.

====================================================================
Please add verification steps and check for the inconsistency.

Comment 10 Amita Sharma 2013-11-07 11:04:26 UTC
[root@dhcp201-149 yum.repos.d]# rpm -qa | grep 389
389-ds-base-1.3.1.6-8.el7.x86_64
389-ds-base-libs-1.3.1.6-8.el7.x86_64

Comment 11 Ján Rusnačko 2013-11-11 09:58:49 UTC
Verification steps:
1) Add rootdn-open-time: 0800, do NOT add rootdn-close-time
2) Restart server
3) Verify that the server starts and the error message is logged.

The bug is that in this situation the server refused to start, because the plugin has open-time but not close-time.

The fix is that in this situation DS starts but the plugin ignores open-time and logs the error message. The steps above should suffice to verify.

Comment 12 Amita Sharma 2013-11-11 10:35:50 UTC
After testing https://bugzilla.redhat.com/show_bug.cgi?id=894015#c11, checked the error message in the error logs:
[11/Nov/2013:15:44:00 +051800] rootdn-access-control-plugin - rootdn_load_config: there must be a open and a close time.  Ignoring time based settings.

Marking bug as VERIFIED.

Comment 13 Ludek Smid 2014-06-13 13:28:51 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Comment 14 mreynolds 2014-06-16 13:51:26 UTC
Previously requested info was provided...

