Please support setting defaultNamingContext in the rootdse. #26

Closed
389-ds-bot opened this issue Sep 12, 2020 · 17 comments

@389-ds-bot

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/26


https://bugzilla.redhat.com/show_bug.cgi?id=742317

When multiple naming contexts are available it is hard to find out what a
client should use by default (usually the identity mgmt related tree where to
find users/groups).

It would be really helpful to allow cn=Directory Manager to be able to write
the 'defaultNamingcontext' attribute to the rootdse so that clients do not need
to do strange probings.

AD and also openldap apparently have it so many clients already know how to
handle this attribute.
@389-ds-bot 389-ds-bot added the closed: fixed Migration flag - Issue label Sep 12, 2020
@389-ds-bot 389-ds-bot added this to the 1.2.10.a7 milestone Sep 12, 2020
@389-ds-bot

Comment from rmeggins (@richm) at 2012-01-07 05:50:35

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=766322

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-01-11 00:57:43

Proposal:
  • Introduce nsslapd-defaultNamingContext to cn=config to store defaultNamingContext.
  • If no namingContexts are found, none is assigned to defaultNamingContext.
  • When the first namingContext is added, it will be assigned to defaultNamingContext.
  • Once one namingContext (e.g., dc=test,dc=com) is assigned to defaultNamingContext, the following config attribute is added to cn=config.
    nsslapd-defaultNamingContext: dc=test,dc=com
  • It could be switched to another namingContext by replacing the value. The modify fails if the new value is not found in the namingContexts.
  • If the namingContext is removed (i.e., the backend as well as the suffix are deleted), the defaultNamingContext is removed, as well.
    Note that the nsslapd-defaultNamingContext attribute value pair will be entirely removed.

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-01-14 04:03:52

Valgrind reports this invalid read on deleting a suffix/backend.
==10342== Invalid read of size 4
==10342== at 0x404953F: dse_call_callback (dse.c:2198)
==10342== by 0x40493B3: dse_delete (dse.c:2153)
==10342== by 0x404057F: op_shared_delete (delete.c:365)
==10342== by 0x403FDAD: do_delete (delete.c:128)
==10342== by 0x8057D29: connection_dispatch_operation (connection.c:573)
==10342== by 0x805951A: connection_threadmain (connection.c:2328)
==10342== by 0x361A964: _pt_root (ptthread.c:187)
==10342== by 0x789E98: start_thread (in /lib/libpthread-2.13.so)
==10342== by 0x6CFD2D: clone (in /lib/libc-2.13.so)
==10342== Address 0x41bf7c8 is 32 bytes inside a block of size 36 free'd
==10342== at 0x4005B0A: free (vg_replace_malloc.c:325)
==10342== by 0x403BB0F: slapi_ch_free (ch_malloc.c:363)
==10342== by 0x40458E0: dse_callback_delete (dse.c:261)
==10342== by 0x4045B1B: dse_callback_removefromlist (dse.c:351)
==10342== by 0x40494BA: dse_remove_callback (dse.c:2171)
==10342== by 0x4049758: slapi_config_remove_callback (dse.c:2247)
==10342== by 0x639ABF4: vlv_remove_callbacks (vlv.c:465)
==10342== by 0x6380794: ldbm_instance_unregister_callbacks (ldbm_instance_config.c:1062)
==10342== by 0x6380AB7: ldbm_instance_post_delete_instance_entry_callback (ldbm_instance_config.c:1161)
==10342== by 0x40495F6: dse_call_callback (dse.c:2206)
==10342== by 0x40493B3: dse_delete (dse.c:2153)
==10342== by 0x404057F: op_shared_delete (delete.c:365)
==10342== by 0x403FDAD: do_delete (delete.c:128)
==10342== by 0x8057D29: connection_dispatch_operation (connection.c:573)
==10342== by 0x805951A: connection_threadmain (connection.c:2328)
==10342== by 0x361A964: _pt_root (ptthread.c:187)
==10342== by 0x789E98: start_thread (in /lib/libpthread-2.13.so)
==10342== by 0x6CFD2D: clone (in /lib/libc-2.13.so)
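
The trace above shows dse_call_callback reading a block that a callback run from that same dse_call_callback had already freed through dse_remove_callback. A minimal C model of that pattern with one common remedy, deferred removal, follows; it is an added example, not 389-ds code and not the fix applied in the project, and every name in it is hypothetical.

```c
#include <stdlib.h>
/* Hypothetical callback registry; names are illustrative, not 389-ds code. */
struct cb;
typedef void (*cb_fn)(struct cb **head, void *arg);
struct cb {
    cb_fn fn; void *arg; struct cb *next;
    int dead;              /* marked for removal; freed once no walk is active */
};
static int dispatching;    /* > 0 while call_all() is walking the list */
static struct cb *cb_add(struct cb **head, cb_fn fn, void *arg) {
    struct cb *c = calloc(1, sizeof *c);
    if (c) { c->fn = fn; c->arg = arg; c->next = *head; *head = c; }
    return c;
}
/* Unlink and free every node marked dead. */
static void cb_sweep(struct cb **head) {
    for (struct cb **pp = head; *pp; ) {
        struct cb *c = *pp;
        if (c->dead) { *pp = c->next; free(c); } else pp = &c->next;
    }
}
/* The unsafe form frees victim right here; when a callback calls it mid-walk,
 * call_all() goes on to read c->next from the freed node. */
static void cb_remove(struct cb **head, struct cb *victim) {
    victim->dead = 1;                    /* defer the free ... */
    if (!dispatching) cb_sweep(head);    /* ... unless nobody is iterating */
}
static int call_all(struct cb **head) {
    int called = 0;
    dispatching++;
    for (struct cb *c = *head; c; c = c->next)    /* c is never freed here */
        if (!c->dead) { c->fn(head, c->arg); called++; }
    if (--dispatching == 0) cb_sweep(head);
    return called;
}
static void cb_noop(struct cb **h, void *a) { (void)h; (void)a; }
static void cb_unregister(struct cb **h, void *a) { cb_remove(h, a); }
static int cb_len(struct cb *c) { int n = 0; for (; c; c = c->next) n++; return n; }
/* Constructed list X, Y, Z, W: X removes Y, Z removes itself. Returns run * 10 + left. */
static int demo(void) {
    struct cb *head = NULL, *y, *z;
    cb_add(&head, cb_noop, NULL);                                  /* W */
    z = cb_add(&head, cb_unregister, NULL);                        /* Z */
    y = cb_add(&head, cb_noop, NULL);                              /* Y */
    if (!z || !y || !cb_add(&head, cb_unregister, y)) return -1;   /* X */
    z->arg = z;
    int called = call_all(&head);
    return called * 10 + cb_len(head);
}
int main(void) { return demo() == 32 ? 0 : 1; }
```

Building the unsafe variant with `-fsanitize=address` reports the same kind of invalid read as the Valgrind output.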

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-01-17 00:29:25

Thanks for the review, Nathan. I ran more tests over the weekend and found some deadlocks. :(

Thread 35 (Thread 0x7f46248ed700 (LWP 10163)):
0 __lll_lock_wait ()
at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:140
1 0x0000003240609b0c in _L_lock_911 () from /lib64/libpthread.so.0
2 0x0000003240609ac5 in __pthread_mutex_lock (mutex=0x2467d50)
at pthread_mutex_lock.c:105
3 0x0000003253e22df9 in PR_Lock (lock=0x2467d50)
at ../../../mozilla/nsprpub/pr/src/pthreads/ptsynch.c:206
4 0x00000031340c0f37 in slapi_lock_mutex (mutex=0x2467d50)
at ldap/servers/slapd/slapi2nspr.c:101
5 0x00007f462a447e94 in cos_cache_backend_state_change (
handle=0x7f462a447e6f, be_name=0x7f460c003900 "multiple2", old_be_state=3,
new_be_state=1) at ldap/servers/plugins/cos/cos_cache.c:3590
6 0x0000003134083528 in mtn_be_state_change (
be_name=0x7f460c003900 "multiple2", old_state=3, new_state=1)
at ldap/servers/slapd/mapping_tree.c:235
7 0x0000003134085ea9 in mapping_tree_entry_add_callback (pb=0x1e6e010,
entryBefore=0x7f460c002e00, e=0x0, returncode=0x7f46248e6ae4,
returntext=0x7f46248e68e0 "", arg=0x0)
at ldap/servers/slapd/mapping_tree.c:1416
8 0x0000003134057b6d in dse_call_callback (pdse=0x1ccc160, pb=0x1e6e010,
operation=16, flags=1, entryBefore=0x7f460c002e00, entryAfter=0x0,
returncode=0x7f46248e6ae4, returntext=0x7f46248e68e0 "")
at ldap/servers/slapd/dse.c:2196
9 0x0000003134057421 in dse_add (pb=0x1e6e010)
at ldap/servers/slapd/dse.c:2034
10 0x0000003134040117 in op_shared_add (pb=0x1e6e010)
at ldap/servers/slapd/add.c:680
11 0x000000313403f2a1 in do_add (pb=0x1e6e010) at ldap/servers/slapd/add.c:258
12 0x0000000000413cbc in connection_dispatch_operation (conn=0x7f46248f3410,
op=0x1d00840, pb=0x1e6e010) at ldap/servers/slapd/connection.c:568
13 0x0000000000415654 in connection_threadmain ()
at ldap/servers/slapd/connection.c:2328
14 0x0000003253e28553 in _pt_root (arg=0x2466490)
at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:187
15 0x0000003240607b31 in start_thread (arg=0x7f46248ed700)
at pthread_create.c:305
16 0x000000323fedfd2d in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-01-17 00:31:15

I'm going to separate the Invalid read issue and open a new ticket for it.

Ticket 259 (new defect)
Valgrind reports Invalid read on removing a suffix/backend

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-01-17 07:41:05

git patch file (master)
0001-Trac-Ticket-26-Please-support-setting.patch

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-01-18 00:18:31

Pushed to master.

$ git merge trac26
Updating c43a508..a8bacba
Fast-forward
ldap/admin/src/scripts/DSCreate.pm.in | 1 +
ldap/servers/plugins/usn/usn.c | 8 --
ldap/servers/slapd/entry.c | 11 +++-
ldap/servers/slapd/libglobs.c | 88 +++++++++++++++++++++-
ldap/servers/slapd/mapping_tree.c | 131 ++++++++++++++++++++++++++++++---
ldap/servers/slapd/plugin.c | 2 +-
ldap/servers/slapd/proto-slap.h | 3 +-
ldap/servers/slapd/rdn.c | 12 +++
ldap/servers/slapd/rootdse.c | 8 ++-
ldap/servers/slapd/slap.h | 2 +
ldap/servers/slapd/slapi-plugin.h | 14 +++-
11 files changed, 253 insertions(+), 27 deletions(-)

$ git push
Counting objects: 46, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (25/25), done.
Writing objects: 100% (26/26), 5.59 KiB, done.
Total 26 (delta 20), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
c43a508..a8bacba master -> master

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-01-18 01:14:19

Steps to verify:

  1. Install DS (preferably with the admin server and Console)
  2. Search nsslapd-defaultnamingcontext in cn=config and defaultnamingcontext in the rootdse.
    $ ldapsearch -LLLx -h localhost -p -D 'cn=directory manager' -w -b "cn=config" -s base nsslapd-defaultnamingcontext
    dn: cn=config
    nsslapd-defaultnamingcontext: <default suffix (e.g., dc=example,dc=com)>
    $ ldapsearch -LLLx -h localhost -p -b "" -s base | egrep namingcontext
    namingContexts: dc=example,dc=com
    defaultnamingcontext: dc=example,dc=com
  3. Add a new suffix "dc=test,dc=com" and verify nsslapd-defaultnamingcontext and defaultnamingcontext are not changed.
  4. Remove the new suffix "dc=test,dc=com" and verify nsslapd-defaultnamingcontext and defaultnamingcontext are not changed.
  5. Remove the original suffix "dc=example,dc=com" and verify nsslapd-defaultnamingcontext and defaultnamingcontext are both removed.
    $ ldapsearch -LLLx -h localhost -p -D 'cn=directory manager' -w -b "cn=config" -s base nsslapd-defaultnamingcontext
    dn: cn=config
    nsslapd-defaultnamingcontext:
    $ ldapsearch -LLLx -h localhost -p -b "" -s base | egrep namingcontext
    $
  6. Add a new suffix "dc=newtest,dc=com" and verify the new suffix is set to nsslapd-defaultnamingcontext and defaultnamingcontext.
    $ ldapsearch -LLLx -h localhost -p -D 'cn=directory manager' -w -b "cn=config" -s base nsslapd-defaultnamingcontext
    dn: cn=config
    nsslapd-defaultnamingcontext: dc=newtest,dc=com
    $ ldapsearch -LLLx -h localhost -p 10389 -b "" -s base | egrep namingcontext
    namingContexts: dc=newtest,dc=com
    defaultnamingcontext: dc=newtest,dc=com
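
The rules from the proposal earlier in this thread, replayed against verification steps 3 to 6 above, as a small C model. This is an added example, not 389-ds code: struct rootcfg and its functions are hypothetical, and DNs are compared as plain case-insensitive strings rather than normalized.

```c
#include <stddef.h>
#include <strings.h>
/* Hypothetical model of the proposed rules; names are illustrative, not 389-ds code. */
struct rootcfg {
    const char *suffix[8];   /* namingContexts */
    int count;
    const char *def;         /* default naming context, NULL = attribute absent */
};
/* Simplification: DNs are compared as case-insensitive strings, not normalized. */
static int find_suffix(const struct rootcfg *c, const char *dn) {
    for (int i = 0; i < c->count; i++)
        if (strcasecmp(c->suffix[i], dn) == 0) return i;
    return -1;
}
/* Only the first namingContext added becomes the default. */
static int add_suffix(struct rootcfg *c, const char *dn) {
    if (c->count == (int)(sizeof c->suffix / sizeof c->suffix[0])) return -1;
    if (find_suffix(c, dn) >= 0) return -1;
    c->suffix[c->count++] = dn;
    if (c->count == 1) c->def = dn;
    return 0;
}
/* Replacing the default fails unless the value is an existing namingContext. */
static int set_default(struct rootcfg *c, const char *dn) {
    int i = find_suffix(c, dn);
    if (i >= 0) c->def = c->suffix[i];
    return i >= 0 ? 0 : -1;
}
/* Deleting the suffix that is the default removes the default too. */
static int remove_suffix(struct rootcfg *c, const char *dn) {
    int i = find_suffix(c, dn);
    if (i < 0) return -1;
    if (c->def && strcasecmp(c->def, dn) == 0) c->def = NULL;
    c->suffix[i] = c->suffix[--c->count];
    return 0;
}
/* Replays verification steps 3 to 6; returns the first failing step, or 0. */
static int replay_steps(void) {
    struct rootcfg c = {0};
    add_suffix(&c, "dc=example,dc=com");
    add_suffix(&c, "dc=test,dc=com");                        /* step 3 */
    if (!c.def || strcasecmp(c.def, "dc=example,dc=com")) return 3;
    remove_suffix(&c, "dc=test,dc=com");                     /* step 4 */
    if (!c.def || strcasecmp(c.def, "dc=example,dc=com")) return 4;
    remove_suffix(&c, "dc=example,dc=com");                  /* step 5 */
    if (c.def) return 5;
    add_suffix(&c, "dc=newtest,dc=com");                     /* step 6 */
    return (c.def && !strcasecmp(c.def, "dc=newtest,dc=com")) ? 0 : 6;
}
int main(void) { return replay_steps(); }
```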

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-02-15 07:21:18

Fix description:
If a config param is set to nsslapd-allowed-to-delete-attrs,
the value is allowed to be deleted. nsslapd-defaultnamingcontext
is set to the value, by default. The config set API is not
designed to allow deleting a param. Instead, it sets NULL to
represent the deletion. But it turned out it was not allowed,
either. This patch allows the config params set in
nsslapd-allowed-to-delete-attrs to pass a NULL value.

@389-ds-bot
Copy link
Author

Comment from rmeggins (@richm) at 2012-02-15 08:00:16

ok - but note that it is ok to pass a NULL to slapi_ch_strdup - it will just return a NULL - so you don't have to check for (value)

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-02-15 08:03:09

Replying to [comment:19 richm]:

> ok - but note that it is ok to pass a NULL to slapi_ch_strdup - it will just return a NULL - so you don't have to check for (value)

Good point! I'm modifying it. Thanks, Rich!

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-02-15 08:17:39

revised git patch file (master)
0001-Trac-Ticket-26-Please-support-setting-defaultNamingC.patch

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-02-15 08:18:38

Reviewed by Rich (Thank you!!)

$ git merge work
Updating c013442..d664d54
Fast-forward
ldap/servers/slapd/configdse.c | 23 +---------------
ldap/servers/slapd/libglobs.c | 56 +++++++++++++++++++++++++++++++-------
ldap/servers/slapd/proto-slap.h | 2 +
3 files changed, 48 insertions(+), 33 deletions(-)

$ git push
Counting objects: 15, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.52 KiB, done.
Total 8 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
c013442..d664d54 master -> master

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-02-15 23:16:16

Cherry-picked and pushed to 389-ds-base-1.2.10

$ git cherry-pick d664d54
[ds1210 f676eb1] Trac Ticket 26 - Please support setting defaultNamingContext in the rootdse.
3 files changed, 48 insertions(+), 33 deletions(-)

$ git push origin ds1210:389-ds-base-1.2.10
Counting objects: 15, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.52 KiB, done.
Total 8 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
7373fbf..f676eb1 ds1210 -> 389-ds-base-1.2.10

@389-ds-bot

Comment from rmeggins (@richm) at 2012-02-23 21:56:59

commit changeset:f676eb16398958f376efaee72596d00fa4fbd8c3/389-ds-base
Author: Noriko Hosoi nhosoi@redhat.com
Date: Tue Feb 14 18:15:51 2012 -0800
1.2.10 branch

@389-ds-bot

Comment from nkinder (@nkinder) at 2012-08-28 04:14:25

Added initial screened field value.

@389-ds-bot

Comment from rmeggins (@richm) at 2017-02-11 23:13:06

Metadata Update from @richm:

  • Issue assigned to nhosoi
  • Issue set to the milestone: 1.2.10.a7
