#185 rhds82 dnascope with unnormalized dn, dna stops working after a 8.1 migration
Closed: wontfix None Opened 12 years ago by rmeggins.

https://bugzilla.redhat.com/show_bug.cgi?id=727659

Description of problem:

After a RHDS migration from 8.1 to 8.2, DNA stops working: the dnamagicregen
attributes are no longer translated, simply added as their names into the newly
created entries, without any indication of errors; even replication may be
attempted if set.

There were spaces in the DN of the dnascope attribute value that were left
after the migration, un-normalized.

The cause of this may be related (and fixed for ds90) in bz 509897 for DN input
validation and normalization in
/ldap/servers/plugins/dna/dna.c

Version-Release number of selected component (if applicable):
cat /etc/redhat-release ; uname -a
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
Linux ca1.example.com 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64
x86_64 x86_64 GNU/Linux

rpm -q redhat-ds-base
redhat-ds-base-8.2.5-1.el5dsrv


How reproducible:
always


Steps to Reproduce:

detailed steps, broken part in step 7:

1. have an instance set with
redhat-ds-base-8.2.5-1.el5dsrv

all passwords are set to either the strings password or redhat123

2. have a suffix dc=example,dc=com
with entries in ou=people,dc=example,dc=com

3. set dna with a good working test
example using uidNumber and gidNumber
set dnamagicregen to strings 0 and magic respectively in this test case

Note: make sure the DN in dnascope and dnasharedcfgdn have NO spaces

vi /etc/dirsrv/slapd-ca1/dse.ldif

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Distributed Numeric Assignment Plugin
nsslapd-pluginInitfunc: dna_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libdna-plugin
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Distributed Numeric Assignment
nsslapd-pluginVersion: 8.2.5
nsslapd-pluginVendor: Red Hat
nsslapd-pluginDescription: Distributed Numeric Assignment plugin
modifiersName: cn=directory manager
modifyTimestamp: 20110722041912Z
numSubordinates: 2

dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
 fig
objectClass: top
objectClass: extensibleObject
cn: Account GIDs
dnatype: gidNumber
dnainterval: 1
dnamaxvalue: 20200
dnamagicregen: 0
dnathreshold: 20100
dnafilter: (objectclass=posixAccount)
dnascope: ou=people,dc=example,dc=com
dnasharedcfgdn: cn=Account GIDs,ou=Ranges,dc=example,dc=com
dnanextvalue: 20006
dnanextrange: 20201-20300
creatorsName: cn=directory manager
modifiersName: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
createTimestamp: 20110722051346Z
modifyTimestamp: 20110802005611Z

dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
 fig
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnatype: uidNumber
dnainterval: 1
dnamaxvalue: 20200
dnamagicregen: magic
dnathreshold: 20100
dnafilter: (objectclass=posixAccount)
dnascope: ou=people,dc=example,dc=com
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=example,dc=com
dnanextvalue: 20009
dnanextrange: 20201-20300
creatorsName: cn=directory manager
modifiersName: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
createTimestamp: 20110722051346Z
modifyTimestamp: 20110802005611Z


4. set some logging if necessary, and start ns-slapd instance

  grep level /etc/dirsrv/slapd-ca1/dse.ldif
nsslapd-accesslog-level: 260
nsslapd-max-filter-nest-level: 40
nsslapd-errorlog-level: 65536

tail -f /var/log/dirsrv/slapd-ca1/errors | grep dna-plug &
tail -f /var/log/dirsrv/slapd-ca1/access &

/etc/init.d/dirsrv start ca1


5. prepare a test entry for DNA

vi ~/add.user.entry.2.dna.ldif
dn: uid=guest10002,ou=people,dc=example,dc=com
homeDirectory: /home/guests/guest10002
gidNumber: 0
uidNumber: magic
loginShell: /bin/bash
shadowWarning: 7
shadowMax: 111111
shadowLastChange: 13670
userPassword:: e2NyeXB0fSQxJFF4NGxVS3VjJFZ6MHdrN3JvT1Y1Z2tTM1JFa3FBWjA=
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: posixGroup
objectClass: top
objectClass: shadowAccount
mail: guest10002@example.com
sn: guest10002
cn: guest10002
uid: guest10002


6. verify the good working DNA configuration

ldapmodify -x -a -D "cn=directory manager" -w password -p 389 -h ca1 -f ~/add.user.entry.2.dna.ldif
adding new entry "uid=guest10002,ou=people,dc=example,dc=com"

ldapsearch -xLLL -D "cn=directory manager" -w password -p 389 -h ca1 -b ou=people,dc=example,dc=com uid=guest10002 uidnumber gidnumber
dn: uid=guest10002,ou=people,dc=example,dc=com
uidnumber: 20008
gidnumber: 20005


7. and now break it:

7.1 stop ns-slapd

/etc/init.d/dirsrv stop ca1

7.2 edit dse.ldif to insert spaces after the commas in the dnascope attribute
value; this was the condition the customer reported after an 8.1 migration:

vi /etc/dirsrv/slapd-ca1/dse.ldif

change from
dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
...
dnascope: ou=people,dc=example,dc=com
...
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
...
dnascope: ou=people,dc=example,dc=com

to
dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
...
dnascope: ou=people, dc=example, dc=com
...
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
...
dnascope: ou=people, dc=example, dc=com


7.3 start ns-slapd

/etc/init.d/dirsrv start ca1

7.4 remove previous test entry

ldapdelete -x -D "cn=directory manager" -w password -h ca1 -p 389 "uid=guest10002,ou=people,dc=example,dc=com"

7.5 add it back

ldapmodify -x -a -D "cn=directory manager" -w password -p 389 -h ca1 -f ~/add.user.entry.2.dna.ldif
adding new entry "uid=guest10002,ou=people,dc=example,dc=com"

7.6 verify what was created

ldapsearch -xLLL -D "cn=directory manager" -w password -p 389 -h ca1 -b ou=people,dc=example,dc=com uid=guest10002 uidnumber gidnumber


Actual results:

dn: uid=guest10002,ou=people,dc=example,dc=com
uidnumber: magic
gidnumber: 0

dnamagicregen attributes are no longer translated, simply added as their names
into the newly created entries, without any indication of errors; even
replication may be attempted if set:



/var/log/dirsrv/slapd-ca1/access
[01/Aug/2011:18:31:15 -0700] conn=4 fd=65 slot=65 connection from 10.14.5.22 to
10.14.5.22
[01/Aug/2011:18:31:15 -0700] conn=4 op=0 BIND dn="cn=directory manager"
method=128 version=3
[01/Aug/2011:18:31:15 -0700] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0
dn="cn=directory manager"
[01/Aug/2011:18:31:15 -0700] conn=4 op=1 ADD
dn="uid=guest10002,ou=people,dc=example,dc=com"
[01/Aug/2011:18:31:15 -0700] conn=4 op=1 RESULT err=0 tag=105 nentries=0
etime=0 csn=4e375364000000010000
[01/Aug/2011:18:31:15 -0700] conn=4 op=2 UNBIND
[01/Aug/2011:18:31:15 -0700] conn=4 op=2 fd=65 closed - U1
[01/Aug/2011:18:31:15 -0700] conn=3 op=17 EXT oid="2.16.840.1.113730.3.5.3"
name="Netscape Replication Start Session"
[01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 SRCH
base="cn=dc\5c3Dexample\5c2Cdc\5c3Dcom,cn=mapping tree,cn=config" scope=0
filter="objectclass=nsMappingTree" attrs="nsslapd-referral"
[01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1
etime=0
[01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 SRCH
base="cn=dc\5c3Dexample\5c2Cdc\5c3Dcom,cn=mapping tree,cn=config" scope=0
filter="objectclass=nsMappingTree" attrs="nsslapd-state"
[01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1
etime=0
[01/Aug/2011:18:31:15 -0700] conn=3 op=17 RESULT err=0 tag=120 nentries=0
etime=0
[01/Aug/2011:18:31:15 -0700] conn=3 op=18 MOD
dn="dnahostname=ca1.example.com+dnaportnum=390,cn=account
uids,ou=ranges,dc=example,dc=com"
[01/Aug/2011:18:31:15 -0700] conn=3 op=18 RESULT err=0 tag=103 nentries=0
etime=0 csn=4e375364000200020000
[01/Aug/2011:18:31:15 -0700] conn=5 fd=65 slot=65 connection from 10.14.5.22 to
10.14.5.22
[01/Aug/2011:18:31:15 -0700] conn=5 op=0 BIND dn="cn=repman,cn=config"
method=128 version=3
[01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 SRCH
base="cn=repman,cn=config" scope=0
filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[01/Aug/2011:18:31:15 -0700] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1
etime=0
[01/Aug/2011:18:31:15 -0700] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0
dn="cn=repman,cn=config"
[01/Aug/2011:18:31:15 -0700] conn=5 op=1 EXT oid="2.16.840.1.113730.3.5.10"
name="DNA Range Extension Request"
[01/Aug/2011:18:31:15 -0700] conn=5 op=1 RESULT err=53 tag=120 nentries=0
etime=0
[01/Aug/2011:18:31:15 -0700] conn=5 op=2 UNBIND
[01/Aug/2011:18:31:15 -0700] conn=5 op=2 fd=65 closed - U1
[01/Aug/2011:18:31:17 -0700] conn=3 op=20 EXT oid="2.16.840.1.113730.3.5.5"
name="Netscape Replication End Session"
[01/Aug/2011:18:31:17 -0700] conn=3 op=20 RESULT err=0 tag=120 nentries=0
etime=0


/var/log/dirsrv/slapd-ca1/errors
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - ADD begin
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - ADD
target=uid=guest10002,ou=people,dc=example,dc=com
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - ADD subtree=dc=example,dc=com
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7-bit checking begin
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7 bit check result = 0
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - ADD subtree=dc=example,dc=com
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7-bit checking begin
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7 bit check result = 0
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - ADD subtree=dc=example,dc=com
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7-bit checking begin
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - 7 bit check result = 0
[01/Aug/2011:18:31:15 -0700] NSMMReplicationPlugin - changelog program -
cl5WriteOperation: successfully written entry with csn (4e375364000000010000)
[01/Aug/2011:18:31:15 -0700] roles-plugin - --> roles_post_op
[01/Aug/2011:18:31:15 -0700] roles-plugin - --> roles_cache_change_notify
[01/Aug/2011:18:31:15 -0700] roles-plugin - <-- roles_cache_change_notify: not
a role entry
[01/Aug/2011:18:31:15 -0700] roles-plugin - <-- roles_post_op
[01/Aug/2011:18:31:15 -0700] NS7bitAttr - MODIFY begin
[01/Aug/2011:18:31:15 -0700] NSMMReplicationPlugin - changelog program -
cl5WriteOperation: successfully written entry with csn (4e375364000200020000)
[01/Aug/2011:18:31:15 -0700] roles-plugin - --> roles_post_op
[01/Aug/2011:18:31:15 -0700] roles-plugin - --> roles_cache_change_notify
[01/Aug/2011:18:31:15 -0700] roles-plugin - <-- roles_cache_change_notify: not
a role entry
[01/Aug/2011:18:31:15 -0700] roles-plugin - <-- roles_post_op
[01/Aug/2011:18:31:15 -0700] dna-plugin - dna_extend_exop: received range
extension request for range [cn=Account UIDs,ou=Ranges,dc=example,dc=com]


Expected results:
Working DNA after migration from 8.1 to 8.2

Additional info:

The cause of this may be related (and fixed) in bz 509897 for DN input
validation and normalization in
/ldap/servers/plugins/dna/dna.c
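
A check for the condition created in step 7.2, as an added example that is not part of the original ticket or of the 389-ds-base code: it scans dse.ldif text for DNA range entries whose dnascope or dnasharedcfgdn values carry whitespace around DN separators, the state this ticket reports as silently disabling DNA. The sample input is constructed from the fragment above, and strip_separator_spaces is a simplified stand-in, not the server's DN normalizer.

```python
import re

# Constructed sample modelled on the dse.ldif fragment in this ticket (state after step 7.2).
SAMPLE_DSE = """\
dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
 fig
dnatype: gidNumber
dnascope: ou=people, dc=example, dc=com
dnasharedcfgdn: cn=Account GIDs,ou=Ranges,dc=example,dc=com

dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=con
 fig
dnatype: uidNumber
dnascope: ou=people,dc=example,dc=com
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=example,dc=com
"""

DN_ATTRS = ("dnascope", "dnasharedcfgdn")

def parse_ldif(text):
    """Yield one dict per entry (lower-cased attribute -> list of values)."""
    unfolded = text.replace("\n ", "")  # LDIF folding: a leading space continues the line
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        yield entry

def strip_separator_spaces(dn):
    """Drop whitespace around unescaped ',' and '=' (assumption: simplified normalization)."""
    return re.sub(r"(?<!\\)\s*([,=])\s*", r"\1", dn.strip())

def find_unnormalized(ldif_text):
    """Return (entry dn, attribute, raw value, suggested value) for each suspect value."""
    findings = []
    for entry in parse_ldif(ldif_text):
        if "dnatype" not in entry:  # only DNA range configuration entries
            continue
        for attr in DN_ATTRS:
            for raw in entry.get(attr, []):
                fixed = strip_separator_spaces(raw)
                if fixed != raw:
                    findings.append((entry["dn"][0], attr, raw, fixed))
    return findings

if __name__ == "__main__":
    for dn, attr, raw, fixed in find_unnormalized(SAMPLE_DSE):
        print(f"{dn}: {attr} is '{raw}', expected '{fixed}'")
```

Run it against a copy of dse.ldif before and after a migration; any finding points at a value to rewrite without the spaces, as in the working configuration from step 3.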

batch update moving tickets to future

set default ticket origin to Community

Added initial screened field value.

Metadata Update from @nkinder:
- Issue set to the milestone: N/A

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/185

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Invalid)

3 years ago
