Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 455331 - setting up replication agreement for cloned CA fails for fedora-ds-base-1.1.1-1.fc8
Summary: setting up replication agreement for cloned CA fails for fedora-ds-base-1.1.1...
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Cloning
Version: 1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 443788
TreeView+ depends on / blocked
Reported: 2008-07-14 20:27 UTC by Ade Lee
Modified: 2015-01-04 23:33 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-07-22 23:29:26 UTC

Attachments (Terms of Use)
patch for replication setup issue (deleted)
2008-07-14 20:46 UTC, Ade Lee
no flags Details | Diff
patch take 2 (deleted)
2008-07-15 20:12 UTC, Ade Lee
no flags Details | Diff
patch take 3 (deleted)
2008-07-21 19:57 UTC, Ade Lee
no flags Details

Description Ade Lee 2008-07-14 20:27:18 UTC
Description of problem:
When the replication agreement is set up for a clone CA, we attempt to create
the directory for the changelog on the master and replica servers as follows:

String filter = "(objectclass=nsslapdConfig)";
String[] attrs = {"nsslapd-instancedir"};
LDAPSearchResults results ="cn=config", LDAPv3.SCOPE_SUB,
               filter, attrs, false);

and set the changelog directory to be the value of the nsslapd-instancedir

In Fedora 1.1, this attribute is no longer populated.  A new attribute must be
used - specifically: 

String filter = "(objectclass=*)";
String[] attrs = {"nsslapd-directory"};
LDAPSearchResults results ="cn=config,cn=ldbm     
database,cn=plugins,cn=config", LDAPv3.SCOPE_SUB, filter, attrs, false);

This attribute should work for Fedora DS 1.0 and RHDS/FDS 7.1 as well.

Version-Release number of selected component (if applicable):
Dogtag 1.0
fedora-ds-base 1.1

How reproducible:
try to clone a CA.

Steps to Reproduce:
Actual results:

Setting up replication agreement fails.

Expected results:

Replication succeeds.

Additional info:

Comment 1 Ade Lee 2008-07-14 20:46:46 UTC
Created attachment 311776 [details]
patch for replication setup issue

Comment 2 Ade Lee 2008-07-14 20:48:22 UTC
cfu please review.

Comment 3 Ade Lee 2008-07-15 20:12:11 UTC
Created attachment 311881 [details]
patch take 2

Comment 4 Ade Lee 2008-07-15 20:14:24 UTC
cfu and mharmsen - please review.

Patch includes changes to make ds_removal script actually try to stop the ds for
Fedora 1.1  As the code was written, this step was effectively bypassed.

Comment 5 Christina Fu 2008-07-16 14:54:19 UTC
attachment (id=311881) +cfu

Please make sure mharmsen reviews the scripts part

Comment 6 Matthew Harmsen 2008-07-18 01:57:50 UTC
The line "+if ( -d "/usr/lib/dirsrv/slapd-${instname}/stop-slapd" ) {" in both
script files should be either:

  "+if ( -d "/usr/lib/dirsrv" ) {", OR

  "+if ( -x "/usr/lib/dirsrv/slapd-${instname}/stop-slapd" ) {"
  since "stop-slapd" is an executable.

That being said, this script, for the most part, was taken verbatim from the
"/usr/lib64/dirsrv/cgi-bin/ds_remove" script in "fedora-ds-admin", and is
included as a subscript to be called by "remove_ds_instance".  This was done 
for convenience in Dogtag (so users don't need to install
"fedora-ds-admin-1.1.5-1.fc8").  It is possible that I have introduced a problem
in my port of this executable, but I hadn't seen any problem prior to this.

So, if this code is incorrect here, it may be a problem in Directory Server as
well.  Can you check with rmeggins, nhosoi, or nkinder?

Comment 7 Matthew Harmsen 2008-07-18 03:25:36 UTC
Actually, if you exercised your code as written in these scripts, you were
actually running the exact same code that was already there, since the test for
a directory called '.../stop-slapd' would always yield 'false', and the "else"
clause is basically the same code that was already there.

Comment 8 Ade Lee 2008-07-21 19:57:05 UTC
Created attachment 312295 [details]
patch take 3

Comment 9 Ade Lee 2008-07-21 19:59:29 UTC
Patch contains spec file changes and just java changes for now.

Separate patch for the perl scripts to be added later.  This does in fact turn
out to be a problem in FDS as well.  Submitting a bug and patch for that too.
(Oh, and agreed on the -x flag).

Comment 10 Matthew Harmsen 2008-07-21 20:39:17 UTC
+ mharmsen attachment (id=312295)

Comment 11 Ade Lee 2008-07-21 21:00:13 UTC

[builder@goofy-vm1 src]$ svn ci --username alee --password pki4all pki -m "Fix
for Bug 455331"
Sending        pki/linux/common/pki-common.spec
Transmitting file data ..
Committed revision 72.

Comment 12 Chandrasekar Kannan 2008-08-27 00:29:37 UTC
Bug already MODIFIED. setting target CS8.0 and marking screened+

Note You need to log in before you can comment on or make changes to this bug.