https://bugzilla.redhat.com/show_bug.cgi?id=727659
Description of problem:

After a RHDS migration from 8.1 to 8.2, DNA stops working: the dnamagicregen attributes are no longer translated, simply added as their names into the newly created entries, without any indications of errors; even replication may be attempted if set. There were spaces in the DN of the dnascope attribute value that were left after the migration, un-normalized. The cause of this may be related (and fixed for ds90) in bz 509897 for DN input validation and normalization in /ldap/servers/plugins/dna/dna.c

Version-Release number of selected component (if applicable):

    cat /etc/redhat-release ; uname -a
    Red Hat Enterprise Linux Server release 5.7 (Tikanga)
    Linux ca1.example.com 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

    rpm -q redhat-ds-base
    redhat-ds-base-8.2.5-1.el5dsrv

How reproducible: always

Steps to Reproduce: detailed steps, broken part in step 7:

1. have an instance set with redhat-ds-base-8.2.5-1.el5dsrv
   all passwords are set to either the strings password or redhat123

2. have a suffix dc=example,dc=com with entries in ou=people,dc=example,dc=com

3. set dna with a good working test example using uidNumber and gidNumber
   set dnamagicregen to strings 0 and magic respectively in this test case
   Note: make sure the DN in dnascope and dnasharedcfgdn have NO spaces

    vi /etc/dirsrv/slapd-ca1/dse.ldif

    dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    objectClass: nsContainer
    cn: Distributed Numeric Assignment Plugin
    nsslapd-pluginInitfunc: dna_init
    nsslapd-pluginType: preoperation
    nsslapd-pluginEnabled: on
    nsslapd-pluginPath: libdna-plugin
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginId: Distributed Numeric Assignment
    nsslapd-pluginVersion: 8.2.5
    nsslapd-pluginVendor: Red Hat
    nsslapd-pluginDescription: Distributed Numeric Assignment plugin
    modifiersName: cn=directory manager
    modifyTimestamp: 20110722041912Z
    numSubordinates: 2

    dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
     fig
    objectClass: top
    objectClass: extensibleObject
    cn: Account GIDs
    dnatype: gidNumber
    dnainterval: 1
    dnamaxvalue: 20200
    dnamagicregen: 0
    dnathreshold: 20100
    dnafilter: (objectclass=posixAccount)
    dnascope: ou=people,dc=example,dc=com
    dnasharedcfgdn: cn=Account GIDs,ou=Ranges,dc=example,dc=com
    dnanextvalue: 20006
    dnanextrange: 20201-20300
    creatorsName: cn=directory manager
    modifiersName: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
    createTimestamp: 20110722051346Z
    modifyTimestamp: 20110802005611Z

    dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
     fig
    objectClass: top
    objectClass: extensibleObject
    cn: Account UIDs
    dnatype: uidNumber
    dnainterval: 1
    dnamaxvalue: 20200
    dnamagicregen: magic
    dnathreshold: 20100
    dnafilter: (objectclass=posixAccount)
    dnascope: ou=people,dc=example,dc=com
    dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=example,dc=com
    dnanextvalue: 20009
    dnanextrange: 20201-20300
    creatorsName: cn=directory manager
    modifiersName: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
    createTimestamp: 20110722051346Z
    modifyTimestamp: 20110802005611Z

4. set some logging if necessary, and start ns-slapd instance

    grep level /etc/dirsrv/slapd-ca1/dse.ldif
    nsslapd-accesslog-level: 260
    nsslapd-max-filter-nest-level: 40
    nsslapd-errorlog-level: 65536

    tail -f /var/log/dirsrv/slapd-ca1/errors | grep dna-plug &
    tail -f /var/log/dirsrv/slapd-ca1/access &

    /etc/init.d/dirsrv start ca1

5. prepare a test entry for DNA

    vi ~/add.user.entry.2.dna.ldif

    dn: uid=guest10002,ou=people,dc=example,dc=com
    homeDirectory: /home/guests/guest10002
    gidNumber: 0
    uidNumber: magic
    loginShell: /bin/bash
    shadowWarning: 7
    shadowMax: 111111
    shadowLastChange: 13670
    userPassword:: e2NyeXB0fSQxJFF4NGxVS3VjJFZ6MHdrN3JvT1Y1Z2tTM1JFa3FBWjA=
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: posixGroup
    objectClass: top
    objectClass: shadowAccount
    mail: guest10002@example.com
    sn: guest10002
    cn: guest10002
    uid: guest10002

6. verify the good working DNA configuration

    ldapmodify -x -a -D "cn=directory manager" -w password -p 389 -h ca1 -f ~/add.user.entry.2.dna.ldif
    adding new entry "uid=guest10002,ou=people,dc=example,dc=com"

    ldapsearch -xLLL -D "cn=directory manager" -w password -p 389 -h ca1 -b ou=people,dc=example,dc=com uid=guest10002 uidnumber gidnumber
    dn: uid=guest10002,ou=people,dc=example,dc=com
    uidnumber: 20008
    gidnumber: 20005

7. and now break it:

7.1 stop ns-slapd

    /etc/init.d/dirsrv stop ca1

7.2 edit dse.ldif to insert spaces after comma in dnascope attribute value, this was the condition the customer reported after a 8.1 migration:

    vi /etc/dirsrv/slapd-ca1/dse.ldif

change from

    dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
    ...
    dnascope: ou=people,dc=example,dc=com
    ...
    dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
    ...
    dnascope: ou=people,dc=example,dc=com

to

    dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
    ...
    dnascope: ou=people, dc=example, dc=com
    ...
    dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
    ...
    dnascope: ou=people, dc=example, dc=com

7.3 start ns-slapd

    /etc/init.d/dirsrv start ca1

7.4 remove previous test entry

    ldapdelete -x -D "cn=directory manager" -w password -h ca1 -p 389 "uid=guest10002,ou=people,dc=example,dc=com"

7.5 add it back

    ldapmodify -x -a -D "cn=directory manager" -w password -p 389 -h ca1 -f ~/add.user.entry.2.dna.ldif
    adding new entry "uid=guest10002,ou=people,dc=example,dc=com"

7.6 verify what was created

    ldapsearch -xLLL -D "cn=directory manager" -w password -p 389 -h ca1 -b ou=people,dc=example,dc=com uid=guest10002 uidnumber gidnumber

Actual results:

    dn: uid=guest10002,ou=people,dc=example,dc=com
    uidnumber: magic
    gidnumber: 0

The dnamagicregen attributes are no longer translated, simply added as their names into the newly created entries, without any indications of errors; even replication may be attempted if set:

/var/log/dirsrv/slapd-ca1/access

    [01/Aug/2011:18:31:15 -0700] conn=4 fd=65 slot=65 connection from 10.14.5.22 to 10.14.5.22
    [01/Aug/2011:18:31:15 -0700] conn=4 op=0 BIND dn="cn=directory manager" method=128 version=3
    [01/Aug/2011:18:31:15 -0700] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [01/Aug/2011:18:31:15 -0700] conn=4 op=1 ADD dn="uid=guest10002,ou=people,dc=example,dc=com"
    [01/Aug/2011:18:31:15 -0700] conn=4 op=1 RESULT err=0 tag=105 nentries=0 etime=0 csn=4e375364000000010000
    [01/Aug/2011:18:31:15 -0700] conn=4 op=2 UNBIND
    [01/Aug/2011:18:31:15 -0700] conn=4 op=2 fd=65 closed - U1
    [01/Aug/2011:18:31:15 -0700] conn=3 op=17 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
    [01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 SRCH base="cn=dc\5c3Dexample\5c2Cdc\5c3Dcom,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-referral"
    [01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
    [01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 SRCH base="cn=dc\5c3Dexample\5c2Cdc\5c3Dcom,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-state"
    [01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
    [01/Aug/2011:18:31:15 -0700] conn=3 op=17 RESULT err=0 tag=120 nentries=0 etime=0
    [01/Aug/2011:18:31:15 -0700] conn=3 op=18 MOD dn="dnahostname=ca1.example.com+dnaportnum=390,cn=account uids,ou=ranges,dc=example,dc=com"
    [01/Aug/2011:18:31:15 -0700] conn=3 op=18 RESULT err=0 tag=103 nentries=0 etime=0 csn=4e375364000200020000
    [01/Aug/2011:18:31:15 -0700] conn=5 fd=65 slot=65 connection from 10.14.5.22 to 10.14.5.22
    [01/Aug/2011:18:31:15 -0700] conn=5 op=0 BIND dn="cn=repman,cn=config" method=128 version=3
    [01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 SRCH base="cn=repman,cn=config" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
    [01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
    [01/Aug/2011:18:31:15 -0700] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=repman,cn=config"
    [01/Aug/2011:18:31:15 -0700] conn=5 op=1 EXT oid="2.16.840.1.113730.3.5.10" name="DNA Range Extension Request"
    [01/Aug/2011:18:31:15 -0700] conn=5 op=1 RESULT err=53 tag=120 nentries=0 etime=0
    [01/Aug/2011:18:31:15 -0700] conn=5 op=2 UNBIND
    [01/Aug/2011:18:31:15 -0700] conn=5 op=2 fd=65 closed - U1
    [01/Aug/2011:18:31:17 -0700] conn=3 op=20 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
    [01/Aug/2011:18:31:17 -0700] conn=3 op=20 RESULT err=0 tag=120 nentries=0 etime=0

/var/log/dirsrv/slapd-ca1/errors

    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - ADD begin
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - ADD target=uid=guest10002,ou=people,dc=example,dc=com
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - ADD subtree=dc=example,dc=com
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7-bit checking begin
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7 bit check result = 0
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - ADD subtree=dc=example,dc=com
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7-bit checking begin
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7 bit check result = 0
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - ADD subtree=dc=example,dc=com
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7-bit checking begin
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7 bit check result = 0
    [01/Aug/2011:18:31:15 -0700] NSMMReplicationPlugin - changelog program - cl5WriteOperation: successfully written entry with csn (4e375364000000010000)
    [01/Aug/2011:18:31:15 -0700] roles-plugin - --> roles_post_op
    [01/Aug/2011:18:31:15 -0700] roles-plugin - --> roles_cache_change_notify
    [01/Aug/2011:18:31:15 -0700] roles-plugin - <-- roles_cache_change_notify: not a role entry
    [01/Aug/2011:18:31:15 -0700] roles-plugin - <-- roles_post_op
    [01/Aug/2011:18:31:15 -0700] NS7bitAttr - MODIFY begin
    [01/Aug/2011:18:31:15 -0700] NSMMReplicationPlugin - changelog program - cl5WriteOperation: successfully written entry with csn (4e375364000200020000)
    [01/Aug/2011:18:31:15 -0700] roles-plugin - --> roles_post_op
    [01/Aug/2011:18:31:15 -0700] roles-plugin - --> roles_cache_change_notify
    [01/Aug/2011:18:31:15 -0700] roles-plugin - <-- roles_cache_change_notify: not a role entry
    [01/Aug/2011:18:31:15 -0700] roles-plugin - <-- roles_post_op
    [01/Aug/2011:18:31:15 -0700] dna-plugin - dna_extend_exop: received range extension request for range [cn=Account UIDs,ou=Ranges,dc=example,dc=com]

Expected results:

Working DNA after migration from 8.1 to 8.2

Additional info:

The cause of this may be related (and fixed) in bz 509897 for DN input validation and normalization in /ldap/servers/plugins/dna/dna.c
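Because the failure in step 7 is silent (the ADD returns err=0 and the literal magic values are stored), a pre-start audit of dse.ldif is one way to catch it. The script below is an added example, not part of the original report or of 389-ds-base; its normalization is a simplified assumption (whitespace around RDN separators only) and the sample LDIF is constructed from the entries shown in step 3.

```python
import re

DN_ATTRS = {"dnascope", "dnasharedcfgdn"}  # DN-valued DNA settings named in the report

# Constructed sample modelled on the dse.ldif in the report: GIDs entry clean, UIDs entry broken.
SAMPLE_DSE = """\
dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
 fig
dnascope: ou=people,dc=example,dc=com
dnasharedcfgdn: cn=Account GIDs,ou=Ranges,dc=example,dc=com

dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
 fig
dnascope: ou=people, dc=example, dc=com
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=example,dc=com
"""

def normalize_dn(dn):
    """Drop whitespace around ',' and the first '=' of each RDN.

    Assumes simple single-valued RDNs with no escaped leading/trailing spaces.
    """
    rdns = re.split(r"(?<!\\),", dn)  # split on unescaped commas only
    pairs = (rdn.partition("=") for rdn in rdns)
    return ",".join(f"{attr.strip()}={value.strip()}" for attr, _, value in pairs)

def find_unnormalized(ldif_text):
    """Return (entry_dn, attribute, value, normalized) for DNA DN values with stray spaces."""
    findings = []
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # join LDIF continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry_dn = None
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or value.startswith(":"):  # skip non-attribute and base64 lines
                continue
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                entry_dn = value
            elif name in DN_ATTRS and value != normalize_dn(value):
                findings.append((entry_dn, name, value, normalize_dn(value)))
    return findings

if __name__ == "__main__":
    for dn, attr, value, fixed in find_unnormalized(SAMPLE_DSE):
        print(f"{dn}\n  {attr}: {value!r} -> {fixed!r}")
```

To audit a real instance, pass the contents of /etc/dirsrv/slapd-ca1/dse.ldif to find_unnormalized() while ns-slapd is stopped, as in step 7.1.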
batch update moving tickets to future
set default ticket origin to Community
Added initial screened field value.
Metadata Update from @nkinder: - Issue set to the milestone: N/A
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/185
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Invalid)