Re: [Freeipa-devel] [PATCH 0229] dsinstance: Detect dynamic plugin support and restart server

2014-06-26 Thread Petr Viktorin

On 06/18/2014 05:14 PM, Tomas Babej wrote:

Hi,

With 389-ds-base 1.3.3. comes the dynamic plugin support. We need to
restart the server right after modifying the schema, as the plugins
will be enabled at the point they are added (and not at the next
server restart).

Properly handle both situations in the installer.

https://fedorahosted.org/freeipa/ticket/4203


Installation succeeded with normal DS, but with a build with dynamic 
plugins, the DS didn't start and installation failed.



There were some plugin-related failures in the DS error log:

[26/Jun/2014:10:11:41 +0200] ipapwd_start - [file ipa_pwd_extop.c, line 
1243]: No config Entry extop?
[26/Jun/2014:10:11:41 +0200] ipapwd_post_modadd - [file prepost.c, line 
1019]: Internal error, couldn't find pluginextension ?!
[26/Jun/2014:10:11:41 +0200] ipapwd_post_modadd - [file prepost.c, line 
1019]: Internal error, couldn't find pluginextension ?!
[26/Jun/2014:10:13:15 +0200] ipa_winsync_config - [file 
ipa-winsync-config.c, line 115]: Error: IPA WinSync plug-in already 
configured.  Please remove the plugin config entry 
[cn=ipa-winsync,cn=plugins,cn=config]
[26/Jun/2014:10:13:15 +0200] ipa_winsync_plugin_start - [file 
ipa-winsync.c, line 651]: configuration failed (Bad parameter to an ldap 
routine)
[26/Jun/2014:10:13:15 +0200] - Failed to start preoperation plugin 
ipa-winsync
[26/Jun/2014:10:13:15 +0200] - plugin_restart: Plugin 
(cn=ipa-winsync,cn=plugins,cn=config) failed to restart after 
configuration change (Failed to start plugin ipa-winsync.  See errors 
log.).  Reverting to original plugin entry.
[26/Jun/2014:10:13:16 +0200] ipa_winsync_config - [file 
ipa-winsync-config.c, line 115]: Error: IPA WinSync plug-in already 
configured.  Please remove the plugin config entry 
[cn=ipa-winsync,cn=plugins,cn=config]
[26/Jun/2014:10:13:16 +0200] ipa_winsync_plugin_start - [file 
ipa-winsync.c, line 651]: configuration failed (Bad parameter to an ldap 
routine)
[26/Jun/2014:10:13:16 +0200] - Failed to start preoperation plugin 
ipa-winsync
[26/Jun/2014:10:13:16 +0200] dse_post_modify_plugin - The configuration 
change for plugin (cn=ipa-winsync,cn=plugins,cn=config) could not be 
applied dynamically, and will be ignored until the server is restarted.


...

[26/Jun/2014:10:14:30 +0200] memberof-plugin - Memberof task starts 
(arg: (objectclass=*)) ...
[26/Jun/2014:10:14:30 +0200] memberof-plugin - Memberof task starts 
(arg: (objectclass=*)) ...
[26/Jun/2014:10:14:31 +0200] memberof-plugin - Memberof task finished 
(arg: (objectclass=*)) ...
[26/Jun/2014:10:14:32 +0200] memberof-plugin - Memberof task finished 
(arg: (objectclass=*)) ...
[26/Jun/2014:10:14:40 +0200] NSACLPlugin - The ACL target 
cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[26/Jun/2014:10:14:40 +0200] NSACLPlugin - The ACL target 
cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[26/Jun/2014:10:15:19 +0200] - Entry cn=adtrust 
agents,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 
-- attribute memberOf not allowed
[26/Jun/2014:10:15:19 +0200] memberof-plugin - memberof_postop_add: 
failed to add dn(cn=System: Read system trust 
accounts,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com), 
error (-1)



If you want I can give access to the VM.



For the record, here's how to build 389-ds with the plugins enabled.

1.) Build dependencies & source:

yum install 389-ds-base* libicu* icu* bzip* net-snmp net-snmp-devel
pcre* pam* mod-nss gdb gcc* perl-Archive-Tar -y --skip-broken

git clone git://git.fedorahosted.org/git/389/ds.git
cd ds

2.) Apply this diff:

diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 85662a3..f4b32c7 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -58,7 +58,7 @@ nsslapd-maxdescriptors: 1024
 nsslapd-max-filter-nest-level: 40
 nsslapd-ndn-cache-enabled: on
 nsslapd-sasl-mapping-fallback: off
-nsslapd-dynamic-plugins: off
+nsslapd-dynamic-plugins: on
 nsslapd-allow-hashed-passwords: off

 dn: cn=features,cn=config
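Review bot: Flipping nsslapd-dynamic-plugins to "on" in template-dse.ldif.in changes the default for every instance created from this template, not only the one under test. For a reproduction build that is fine, but the change should be labelled test-only so it is not picked up as a packaging change; setting the attribute on cn=config of the single test instance would keep the experiment narrower.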
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index e890aed..e13c468 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1567,7 +1567,7 @@ FrontendConfig_init () {
   init_plugin_logging = cfg-plugin_logging = LDAP_OFF;
   init_listen_backlog_size = cfg-listen_backlog_size = 
DAEMON_LISTEN_SIZE;

   init_ignore_time_skew = cfg-ignore_time_skew = LDAP_OFF;
-  init_dynamic_plugins = cfg-dynamic_plugins = LDAP_OFF;
+  init_dynamic_plugins = cfg-dynamic_plugins = LDAP_ON;
   init_cn_uses_dn_syntax_in_dns = cfg-cn_uses_dn_syntax_in_dns = 
LDAP_OFF;

 #if defined(LINUX)
   init_malloc_mxfast = cfg-malloc_mxfast = DEFAULT_MALLOC_UNSET;
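Review bot: In FrontendConfig_init the compiled-in default for dynamic_plugins becomes LDAP_ON, which duplicates the template change above and is also what an instance falls back to when its configuration does not set the attribute. The two defaults now have to be kept in step by hand; if the template edit alone reproduces the installer failure, drop this hunk, otherwise add a comment next to the assignment saying why both are needed.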

3.) Build
make -j1 -f rpm.mk rpms




--
Petr³


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
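
An added example, not part of the original thread or of FreeIPA: a small Python triage script for a 389-ds error log like the one quoted in the message above. It rejoins the mail-wrapped lines and lists the plugin config entries whose changes failed to apply dynamically; the sample lines are constructed from that excerpt and the function names are hypothetical.

```python
import re

# Constructed sample: records copied from the error log excerpt quoted above,
# still wrapped the way the mail client wrapped them.
SAMPLE_LOG = """\
[26/Jun/2014:10:13:15 +0200] ipa_winsync_config - [file
ipa-winsync-config.c, line 115]: Error: IPA WinSync plug-in already
configured.  Please remove the plugin config entry
[cn=ipa-winsync,cn=plugins,cn=config]
[26/Jun/2014:10:13:15 +0200] - Failed to start preoperation plugin
ipa-winsync
[26/Jun/2014:10:13:15 +0200] - plugin_restart: Plugin
(cn=ipa-winsync,cn=plugins,cn=config) failed to restart after
configuration change (Failed to start plugin ipa-winsync.  See errors
log.).  Reverting to original plugin entry.
[26/Jun/2014:10:13:16 +0200] dse_post_modify_plugin - The configuration
change for plugin (cn=ipa-winsync,cn=plugins,cn=config) could not be
applied dynamically, and will be ignored until the server is restarted.
[26/Jun/2014:10:14:30 +0200] memberof-plugin - Memberof task starts
(arg: (objectclass=*)) ...
"""

# A record starts with a bracketed timestamp; a wrapped "[cn=...]" line does not match.
TIMESTAMP = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$")
PLUGIN_DN = re.compile(r"\((cn=[^()]*,cn=plugins,cn=config)\)")
FAILURE_MARKERS = ("failed to restart", "could not be applied dynamically")


def join_wrapped(text):
    """Rebuild one record per timestamp; continuation lines lack a timestamp."""
    records = []
    for line in text.splitlines():
        m = TIMESTAMP.match(line)
        if m:
            records.append([m.group(1), m.group(2).strip()])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return [tuple(r) for r in records]


def dynamic_plugin_failures(text):
    """Map plugin config DN -> list of (timestamp, message) failure records."""
    failures = {}
    for ts, msg in join_wrapped(text):
        dn = PLUGIN_DN.search(msg)
        if dn and any(marker in msg for marker in FAILURE_MARKERS):
            failures.setdefault(dn.group(1), []).append((ts, msg))
    return failures
```
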


[Freeipa-devel] [PATCH 0229] dsinstance: Detect dynamic plugin support and restart server

2014-06-18 Thread Tomas Babej
Hi,

With 389-ds-base 1.3.3. comes the dynamic plugin support. We need to
restart the server right after modifying the schema, as the plugins
will be enabled at the point they are added (and not at the next
server restart).

Properly handle both situations in the installer.

https://fedorahosted.org/freeipa/ticket/4203

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 


From 8149018cfb81a3e9ec9cb164617f1875656d9354 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 17 Jun 2014 15:18:49 +0200
Subject: [PATCH] dsinstance: Detect dynamic plugin support and restart server
 accordingly

With 389-ds-base 1.3.3. comes the dynamic plugin support. We need to
restart the server right after modifying the schema, as the plugins
will be enabled at the point they are added (and not at the next
server restart).

Properly handle both situations in the installer.

https://fedorahosted.org/freeipa/ticket/4203
---
 ipaserver/install/dsinstance.py | 31 ---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2a9f3b618cc8e165821fefb9cede602cad8d6999..6d208047243019292877624932d5b988be980541 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -262,6 +262,7 @@ class DsInstance(service.Service):
 self.step(creating directory server user, create_ds_user)
 self.step(creating directory server instance, self.__create_instance)
 self.step(adding default schema, self.__add_default_schemas)
+self.step(detecting dynamic plugin support, self.__detect_dynamic_plugin_support)
 self.step(enabling memberof plugin, self.__add_memberof_module)
 self.step(enabling winsync plugin, self.__add_winsync_module)
 self.step(configuring replication version plugin, self.__config_version_module)
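Review bot: The step added after "adding default schema" is labelled "detecting dynamic plugin support", but `__detect_dynamic_plugin_support` also restarts the server as a side effect, so the install log will not show that a restart happened at this point. Give the restart its own `self.step(...)` entry after detection, or say so in the step label.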
@@ -283,7 +284,7 @@ class DsInstance(service.Service):
 self.step(configure new location for managed entries, self.__repoint_managed_entries)
 self.step(configure dirsrv ccache, self.configure_dirsrv_ccache)
 self.step(enable SASL mapping fallback, self.__enable_sasl_mapping_fallback)
-self.step(restarting directory server, self.__restart_instance)
+self.step(restarting directory server, self.__restart_instance_final)
 
 def __common_post_setup(self):
 self.step(initializing group membership, self.init_memberof)
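Review bot: With `__restart_instance_final` in place of `__restart_instance`, a server with dynamic plugins enabled gets no restart at the end of this step list, so every change made after the early restart (for example the SASL mapping fallback step directly above) has to take effect without one, and nothing here checks that. Confirm for each step in between that it applies dynamically, or keep the final restart unconditional. The step label also still reads "restarting directory server" when nothing is restarted.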
@@ -387,6 +388,23 @@ class DsInstance(service.Service):
 
 self.start_creation(runtime=60)
 
+def __detect_dynamic_plugin_support(self):
+if not self.admin_conn:
+self.ldap_connect()
+
+# Check that dynamic plugins are enabled
+result = self.admin_conn.conn.search_s(
+  DN(cn=config),
+  ldap.SCOPE_BASE,
+  attrlist=[nsslapd-dynamic-plugins])[0]
+
+enabled = result.get(nsslapd-dynamic-plugins) == ['on']
+self.dynamic_plugins_enabled = enabled
+
+# If the dynamic plugins are enabled, we need to restart to apply the
+# new schema
+if enabled:
+self.__restart_instance()
 
 def __setup_replica(self):
 replication.enable_replication_version_checking(self.fqdn,
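Review bot: The comparison against `['on']` in `__detect_dynamic_plugin_support` is an exact, case-sensitive match on a one-element list, so any other spelling of the value (`ON`, `On`) is read as disabled and the schema restart is silently skipped. Normalise before comparing (take the first value, lowercase it) and log the detected state. The method also needs a docstring stating that it may restart the server.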
@@ -503,13 +521,20 @@ class DsInstance(service.Service):
 try:
 super(DsInstance, self).restart(instance)
 if not is_ds_running(instance):
-root_logger.critical(Failed to restart the directory server. See the installation log for details.)
+root_logger.critical(Failed to restart the directory server. 
+ See the installation log for details.)
 sys.exit(1)
 except SystemExit, e:
 raise e
 except Exception, e:
 # TODO: roll back here?
-root_logger.critical(Failed to restart the directory server (%s). See the installation log for details. % e)
+root_logger.critical(Failed to restart the directory server (%s). 
+ See the installation log for details. % e)
+
+def __restart_instance_final(self):
+# This restart is necessary only if dynamic plugins are not allowed
+if not self.dynamic_plugins_enabled:
+self.__restart_instance()
 
 def __restart_instance(self):
 self.restart(self.serverid)
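Review bot: `__restart_instance_final` reads `self.dynamic_plugins_enabled`, which is only assigned inside `__detect_dynamic_plugin_support`; any path that reaches the final step without having run detection raises AttributeError, so initialise the attribute to False in `__init__`. Separately, the `except Exception` branch in `restart` logs a critical message and then carries on (the TODO about rolling back is still open), which matters more now that a restart happens mid-install. The re-wrapping of the two log messages is unrelated to this change and would be easier to review as its own commit.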
-- 
1.9.3
