[Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

Fraser Tweedale ftweedal at redhat.com
Wed Jun 22 09:53:16 UTC 2016


The attached patch fixes https://fedorahosted.org/pki/ticket/2285.
See commit message and bz1323400[1] for full history and details.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1323400

The fix should be merged to master and DOGTAG_10_2_BRANCH, and a new
10.2.x release cut for f23.

I have an f23 COPR build containing the fix for anyone wishing to
test:
https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/packages/

Huge props to Adam Williamson for doing a lot of legwork in tracking
down the cause of this issue.

Thanks,
Fraser
-------------- next part --------------
From 4cbaf297690bf95fffc864cb109bdd6ae49c9dc3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 22 Jun 2016 13:34:01 +1000
Subject: [PATCH] Add profiles container to LDAP if missing

CMS startup was changed a while back to wait for
LDAPProfileSubsystem initialisation, while LDAPProfileSubsystem
initialisation waits for all known profiles to be loaded by the LDAP
persistent search thread.  If the ou=certificateProfiles container
object does not exist, startup hangs.

This can cause a race condition in FreeIPA upgrade.  FreeIPA
switches the Dogtag instance to the LDAPProfileSubsystem and
restarts it.  The restart fails because the container object does
not get added until after the restart.

Update LDAPProfileSubsystem to add the container object itself, if
it is missing, before commencing the persistent search.

Fixes: https://fedorahosted.org/pki/ticket/2285
---
 .../cmscore/profile/LDAPProfileSubsystem.java         | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
index 28b34cda889cc6c2eba4fc3392863df36717fa14..6dea1a0d88beaefeea489ea58ad9ad13d2da8bd7 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
@@ -27,6 +27,7 @@ import java.util.TreeSet;
 import java.util.concurrent.CountDownLatch;
 
 import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
 import netscape.ldap.LDAPConnection;
 import netscape.ldap.LDAPDN;
 import netscape.ldap.LDAPEntry;
@@ -400,6 +401,23 @@ public class LDAPProfileSubsystem
             initialLoadDone.countDown();
     }
 
+    private void ensureProfilesOU(LDAPConnection conn) throws LDAPException {
+        try {
+            conn.search(dn, LDAPConnection.SCOPE_BASE, "(objectclass=*)", null, false);
+        } catch (LDAPException e) {
+            if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) {
+                CMS.debug("Adding LDAP certificate profiles container");
+                LDAPAttribute[] attrs = {
+                    new LDAPAttribute("objectClass", "organizationalUnit"),
+                    new LDAPAttribute("ou", "certificateProfiles")
+                };
+                LDAPAttributeSet attrSet = new LDAPAttributeSet(attrs);
+                LDAPEntry entry = new LDAPEntry(dn, attrSet);
+                conn.add(entry);
+            }
+        }
+    }
+
     public void run() {
         int op = LDAPPersistSearchControl.ADD
             | LDAPPersistSearchControl.MODIFY
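Review bot: the catch in ensureProfilesOU swallows every LDAPException other than NO_SUCH_OBJECT, so a base search that fails for any other reason (insufficient access, dropped connection) falls through silently and run() goes on to start the persistent search as though the container existed; add `else { throw e; }` so the error handling already in run() sees it. Two smaller points in the same method: the `ou` value is hard-coded to "certificateProfiles" while the entry DN is taken from `dn`, so a configured dn with a different RDN would yield an entry whose naming attribute does not match it (deriving the value from the RDN of `dn` with the already-imported LDAPDN avoids that); and since the commit message says FreeIPA also adds this container during upgrade, conn.add can race with it and throw ENTRY_ALREADY_EXISTS, which should be treated as success rather than propagated.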
@@ -416,6 +434,7 @@ public class LDAPProfileSubsystem
             forgetAllProfiles();
             try {
                 conn = dbFactory.getConn();
+                ensureProfilesOU(conn);
                 LDAPSearchConstraints cons = conn.getSearchConstraints();
                 cons.setServerControls(persistCtrl);
                 cons.setBatchSize(1);
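Review bot: calling ensureProfilesOU(conn) on every pass through this reconnect loop is fine because the check is idempotent, but the add now runs under the bind identity handed out by dbFactory.getConn(), which therefore needs add rights on the parent of `dn` and not only search rights; that requirement deserves a comment here or a line in the commit message, since a missing ACI would now surface as an LDAPException from this call on every retry instead of the startup hang the patch is fixing.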
-- 
2.5.5
