Hello William,

I think my question is for you in the first place. It concerns the default attributes for the cn=config feature.

Version tested: 389-ds-base-1.3.6.1-9.el7.x86_64

During TET troubleshooting I've faced two issues:

1. By default, we have:

[root@qeos-126 dirsrv-tet-install]# ldapsearch -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -b "cn=config" "objectclass=*" | grep nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms:

Empty value. We can modify it and set something. (I'll skip the output, it works as expected.) And after this, the server allows us to do this:

[root@qeos-126 dirsrv-tet-install]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123
dn: cn=config
changetype: modify
delete: nsslapd-allowed-sasl-mechanisms

modifying entry "cn=config"

[root@qeos-126 dirsrv-tet-install]# ldapsearch -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -b "cn=config" "objectclass=*" | grep nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms:

Empty once again. In ldap/servers/slapd/libglobs.c:8185, we have the info that:

/*
 * Check the SASL mechanism values
 *
 * As per RFC 4422:
 * SASL mechanisms are named by character strings, from 1 to 20
 * characters in length, consisting of ASCII [ASCII] uppercase letters,
 * digits, hyphens, and/or underscores.
 */

And:

8204     if(strlen(str) < 1){
8205         /* ignore empty values */
8206         return 0;
8207     }

2. The second one is a known issue, but still I'd like to clarify the expected behaviour:

[root@qeos-126 dirsrv-tet-install]# ldapsearch -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -b "cn=config" "objectclass=*" | grep nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: A

[root@qeos-126 dirsrv-tet-install]# ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w Secret123
dn: cn=config
changetype: modify
add: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: B

[root@qeos-126 dirsrv-tet-install]# ldapsearch -h localhost -p 389 -D "cn=Directory manager" -w Secret123 -b "cn=config" "objectclass=*" | grep nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: B

So it wouldn't be a multivalued attribute? If we do the 'add' operation, it would replace the existing value with a new one.

Please comment on both cases. The first looks more like a bug to me though, and I will file it if you confirm it.

Thanks,
Simon
_______________________________________________ 389-devel mailing list -- 389-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
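
Added example, not part of the original message and not code from 389-ds-base: a stand-alone C check of the RFC 4422 naming rule quoted above, showing how a lenient "ignore empty values" branch and a strict check differ on an empty attribute value. The function names, the allow_empty flag and the comma/space separator between names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SASL_MECH_MAX 20 /* RFC 4422: names are 1 to 20 characters long */

/* Return 1 if the len bytes at s form a valid RFC 4422 mechanism name. */
static int mech_name_valid(const char *s, size_t len)
{
    if (len < 1 || len > SASL_MECH_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') ||
              c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/*
 * Check a whole attribute value. Assumption: names are separated by
 * commas and/or spaces. Returns 0 if acceptable, -1 otherwise.
 * allow_empty=1 mirrors the quoted "ignore empty values" branch;
 * allow_empty=0 rejects a value that names no mechanism at all.
 */
static int mech_list_check(const char *value, int allow_empty)
{
    const char *sep = ", ";
    size_t names = 0;
    const char *p = value + strspn(value, sep);
    while (*p != '\0') {
        size_t len = strcspn(p, sep);
        if (!mech_name_valid(p, len))
            return -1;
        names++;
        p += len + strspn(p + len, sep);
    }
    return (names == 0 && !allow_empty) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real server. */
    const char *samples[] = { "", "GSSAPI", "PLAIN, EXTERNAL", "plain" };
    for (size_t i = 0; i < 4; i++)
        printf("\"%s\": lenient=%d strict=%d\n", samples[i],
               mech_list_check(samples[i], 1), mech_list_check(samples[i], 0));
    return 0;
}
```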