Bug 894015 - Adding rootdn-open-time without rootdn-close-time to RootDN Acess Control results in inconsistent configuration
Summary: Adding rootdn-open-time without rootdn-close-time to RootDN Acess Control res...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: 7.0
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-01-10 14:22 UTC by Ján Rusnačko
Modified: 2014-06-18 02:55 UTC (History)
6 users (show)

Fixed In Version: 389-ds-base-1.3.1.2-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: There were no checks to validate configuration changes to the Root DN Access Control Plugin. Consequence: When restarting the server, after making invalid configuration changes, the server would fail to start. Fix: Validate config changes when they happen, and not at server startup Result: An error is returned when making invalid configuration changes.
Clone Of:
Environment:
Last Closed: 2014-06-13 13:28:51 UTC


Attachments (Terms of Use)

Description Ján Rusnačko 2013-01-10 14:22:58 UTC
Description of problem:
RootDN Access Control plugin allows to configure additional restrictions for root account. Attributes rootdn-open-time and rootdn-close-time specify time of day when rootDN can bind. Specifying one without another is meaningless. Despite this DS allows to specify just one of these.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-9.el6.x86_64

Steps to Reproduce:
[jrusnack@rhel-63-ds dstet]$ ldapsearch -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
version: 1

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Root DN Access Control
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Root DN Access Control plugin

[jrusnack@rhel-63-ds dstet]$ ldapmodify -h localhost -p 22222 -D "cn=Directory manager" -w Secret123 -v <<EOF
dn: cn=RootDN Access Control,cn=plugins,cn=config
changetype: modify
add: rootdn-open-time
rootdn-open-time: 0800
EOF
ldap_initialize( ldap://localhost:22222 )
add rootdn-open-time:
	0800
modifying entry "cn=RootDN Access Control,cn=plugins,cn=config"
modify complete

[jrusnack@rhel-63-ds dstet]$ /usr/lib64/dirsrv/slapd-dstet/restart-slapd
[10/Jan/2013:09:10:06 -0500] rootdn-access-control-plugin - rootdn_load_config: there must be a open and a close time
[10/Jan/2013:09:10:06 -0500] rootdn-access-control-plugin - rootdn_start: unable to load plug-in configuration
[10/Jan/2013:09:10:06 -0500] - Init function "rootdn_init" for "RootDN Access Control" plugin in library "librootdn-access-plugin.so" failed
[10/Jan/2013:09:10:06 -0500] - Unable to load plugin "cn=RootDN Access Control,cn=plugins,cn=config"

Expected results:
DS should refuse operation that results in inconsistent configuration.

Comment 2 mreynolds 2013-01-10 15:00:49 UTC
Created ticket:

https://fedorahosted.org/389/ticket/552

Comment 3 mreynolds 2013-01-10 20:22:38 UTC
There is no easy way to reject a modify operation that will result in a misconfiguration.  

At startup we just log a new error message, ignore the time based settings, and allow the server to startup.

Also, for this type of plugin (internalpreoperation), any modification to the plugin does require a server restart for that change to take effect.

Fix is out for review.

Comment 4 Nathan Kinder 2013-01-10 20:35:41 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/552

Comment 5 mreynolds 2013-01-10 21:00:32 UTC
Fix has been pushed to 1.3.1

commit hash: 00349f6e05fdc66fe24e8034ce072234aa0cacfa

Comment 7 Rich Megginson 2013-10-01 23:24:44 UTC
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata).  When the errata is created, the bugs should be automatically moved back to ON_QA.

Comment 9 Amita Sharma 2013-11-07 10:18:20 UTC
[root@dhcp201-149 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -v <<EOF
> dn: cn=RootDN Access Control,cn=plugins,cn=config
> changetype: modify
> add: rootdn-close-time
> rootdn-close-time: 0800
> EOF
ldap_initialize( ldap://localhost:389 )
ldap_bind: Server is unwilling to perform (53)
	additional info: RootDN access control violation

[root@dhcp201-149 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -v <<EOF
> dn: cn=RootDN Access Control,cn=plugins,cn=config
> changetype: modify
> replace: rootdn-open-time
> rootdn-open-time: 0800
> EOF
ldap_initialize( ldap://localhost:389 )
replace rootdn-open-time:
	0800
modifying entry "cn=RootDN Access Control,cn=plugins,cn=config"
modify complete

[root@dhcp201-149 yum.repos.d]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
version: 1

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: RootDN Access Control
nsslapd-pluginVersion: 1.3.1.6
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: RootDN Access Control plugin
rootdn-days-allowed: Sat, Wed, Mon, Thu
rootdn-open-time: 0800

[root@dhcp201-149 yum.repos.d]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -v <<EOF
> dn: cn=RootDN Access Control,cn=plugins,cn=config
> changetype: modify
> add: rootdn-close-time
> rootdn-close-time: 0800
> EOF
ldap_initialize( ldap://localhost:389 )
add rootdn-close-time:
	0800
modifying entry "cn=RootDN Access Control,cn=plugins,cn=config"
modify complete
=================================================================================
But if I do it manually in dse.ldif file then no error ::
[root@dhcp201-149 yum.repos.d]# /usr/lib64/dirsrv/slapd-dhcp201-149/stop-slapd 
[root@dhcp201-149 yum.repos.d]# vim /etc/dirsrv/slapd-dhcp201-149/dse.ldif
[root@dhcp201-149 yum.repos.d]# /usr/lib64/dirsrv/slapd-dhcp201-149/start-slapd 
[root@dhcp201-149 yum.repos.d]# ldapsearch -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "cn=RootDN Access Control,cn=plugins,cn=config " -LL
version: 1

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginPath: librootdn-access-plugin.so
nsslapd-pluginInitfunc: rootdn_init
nsslapd-pluginType: internalpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: RootDN Access Control
nsslapd-pluginVersion: 1.3.1.6
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: RootDN Access Control plugin
rootdn-days-allowed: Sat, Wed, Mon, Thu
rootdn-close-time: 0800

====================================================================
Sometimes it gives error in error log as::
[07/Nov/2013:15:21:20 +051800] rootdn-access-control-plugin - rootdn_load_config: there must be a open and a close time.  Ignoring time based settings.

This behavior is inconsistent.

====================================================================
Please add verification steps and check for the inconsistency.

Comment 10 Amita Sharma 2013-11-07 11:04:26 UTC
[root@dhcp201-149 yum.repos.d]# rpm -qa | grep 389
389-ds-base-1.3.1.6-8.el7.x86_64
389-ds-base-libs-1.3.1.6-8.el7.x86_64

Comment 11 Ján Rusnačko 2013-11-11 09:58:49 UTC
Verification steps:
1) Add rootdn-open-time: 0800, do NOT add rootdn-close-time
2) Restart server
3) Verify that server start and error message is logged.

Bug is, in this situation server refused to start, because plugin has open-time but not close-time.

Fix is, in this situation DS starts but plugin ignores open-time and logs the error message. Steps above should suffice to verify.

Comment 12 Amita Sharma 2013-11-11 10:35:50 UTC
After testing https://bugzilla.redhat.com/show_bug.cgi?id=894015#c11 , 
Checked error msg in error logs ::
[11/Nov/2013:15:44:00 +051800] rootdn-access-control-plugin - rootdn_load_config: there must be a open and a close time.  Ignoring time based settings.

Marking bug as VERIFIED.

Comment 13 Ludek Smid 2014-06-13 13:28:51 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Comment 14 mreynolds 2014-06-16 13:51:26 UTC
previous requested info was provided...


Note You need to log in before you can comment on or make changes to this bug.