Bug 994690 - [RFE] Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart
Summary: [RFE] Allow dynamically adding/enabling/disabling/removing plugins without re...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: All
OS: Linux
Target Milestone: rc
: 7.1
Assignee: mreynolds
QA Contact: Viktor Ashirov
Depends On: 1162997 1166252
TreeView+ depends on / blocked
Reported: 2013-08-07 19:08 UTC by Sankar Ramalingam
Modified: 2020-09-13 20:40 UTC (History)
5 users (show)

Fixed In Version: 389-ds-base-
Doc Type: Enhancement
Doc Text:
Feature: Allow plugins to be stopped/started/configured without requiring a server restart for it to take effect. Reason: The server can be configured without having to stop the server, and disrupt a live production environment. Result (if any):
Clone Of:
Last Closed: 2015-03-05 09:31:02 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 788 0 None None None 2020-09-13 20:40:19 UTC
Red Hat Product Errata RHSA-2015:0416 0 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Sankar Ramalingam 2013-08-07 19:08:58 UTC
Description of problem: Directory server should support dynamic configuration changes for the plugins. Currently, it requires a server restart for plugin configuration changes. 

Version-Release number of selected component (if applicable): 389-ds-base-

How reproducible: Consistently.

Steps to Reproduce:

# Add container for automembers plugin
ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
objectClass: top
objectClass: nscontainer

# Configure nsslapd-pluginConfigArea
ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
changetype: modify
add: nsslapd-pluginConfigArea
nsslapd-pluginConfigArea: $ROOT
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

# Add rules that conlict with pluginConfigArea
ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=replsubGroups,$PLUGIN_ROOT
objectclass: autoMemberDefinition
autoMemberScope: cn=Employees,$ROOT
autoMemberFilter: objectclass=posixAccount
autoMemberDefaultGroup: cn=SubDef1,$ROOT
autoMemberDefaultGroup: cn=SubDef2,$ROOT
autoMemberDefaultGroup: cn=SubDef3,$ROOT
autoMemberDefaultGroup: cn=SubDef4,$ROOT
autoMemberDefaultGroup: cn=SubDef5,$ROOT
autoMemberGroupingAttr: member: dn

dn: cn=Managers,cn=replsubGroups,$PLUGIN_ROOT
objectclass: autoMemberRegexRule
description: Group placement for Managers
cn: Managers
autoMemberTargetGroup: cn=Managers,cn=replsubGroups,$ROOT
autoMemberInclusiveRegex: uidNumber=^5..5$
autoMemberInclusiveRegex: gidNumber=^[1-4]..3$
autoMemberInclusiveRegex: nsAdminGroupName=^Manager$|^Supervisor$
autoMemberExclusiveRegex: uidNumber=^999$
autoMemberExclusiveRegex: gidNumber=^[6-8].0$
autoMemberExclusiveRegex: nsAdminGroupName=^Junior$

objectclass: autoMemberRegexRule
description: Group placement for Contractors
cn:  Contractors
autoMemberTargetGroup: cn=Contractors,cn=replsubGroups,$ROOT
autoMemberInclusiveRegex: uidNumber=^8..5$
autoMemberInclusiveRegex: gidNumber=^[5-9]..3$
autoMemberInclusiveRegex: nsAdminGroupName=^Contract|^Temporary$
autoMemberExclusiveRegex: uidNumber=^[1,3,8]99$
autoMemberExclusiveRegex: gidNumber=^[2-4]00$
autoMemberExclusiveRegex: nsAdminGroupName=^Employee$

Actual results: Automembership plugin accepts invalid configuration. It requires a server restart to reject the configuration.

Expected results: Plugin should reject the invalid configuration dynamically.

Additional info: 
Associated upstream ticket - https://fedorahosted.org/389/ticket/47451

Comment 2 Nathan Kinder 2013-08-07 19:23:28 UTC
Upstream ticket:

Comment 6 Amita Sharma 2014-11-18 06:43:44 UTC
Test Plan created :: 

Few plugins tested :: DNA, memberof, automember.

One new crash bug reported during testing of this bug :: https://bugzilla.redhat.com/show_bug.cgi?id=1162997 

Marking this bug as VERIFIED, new bugs will be opened at later stage when detailed testing will be performed.

Comment 7 Jiri Herrmann 2014-12-12 15:32:01 UTC
If this Feature should be included in the 7.1 Release Notes, could you please change the Doc Type from Enhancement to "Release Note"?

Note that the Release Notes are intended to list the most prominent and customer-relevant new features rather than every single enhancement.


Comment 8 mreynolds 2014-12-16 20:30:03 UTC
Fixed upstream

Comment 11 errata-xmlrpc 2015-03-05 09:31:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.