[OPENDJ-6977] DS expects root user password instead of admin user password in standalone DS, RS deployments Created: 25/Feb/20  Updated: 26/Oct/20

Status: Dev backlog
Project: OpenDJ
Component/s: backends
Affects Version/s: 6.5.2, 6.0.0, 5.5.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Akhil Kommadath Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: release-notes

Issue Links:
Regression
is caused by OPENDJ-3652 Implement model for installing OpenDJ... Done
Support Ticket IDs:

Description

In standalone DS and RS deployments, DS is not accepting the admin password with dsreplication commands. Instead, it is accepting only the Root User password. Please see details of my testing below:

I set up two DS 6.5.2 servers and 1 standalone RS server:

/OpenDJ/opendj/setup directory-server \
          --instancePath /OpenDJ/opendj \
          --rootUserDn cn=Directory\ Manager \
          --rootUserPassword password \
          --acceptLicense \
          --monitorUserDn uid=Monitor \
          --monitorUserPassword password \
          --hostname DS-55-A.fr.local \
          --adminConnectorPort 4444 \
          --ldapPort 1389 \
          --sampleData 2000 \
          --baseDn dc=example,dc=com

/OpenDJ/opendj/setup directory-server \
          --instancePath /OpenDJ/opendj \
          --rootUserDn cn=Directory\ Manager \
          --rootUserPassword password \
          --acceptLicense \
          --monitorUserDn uid=Monitor \
          --monitorUserPassword password \
          --hostname DS-55-B.fr.local \
          --adminConnectorPort 4444 \
          --ldapPort 1389 \
          --sampleData 2000 \
          --baseDn dc=example,dc=com

/OpenDJ/opendj/setup replication-server \
          --instancePath /OpenDJ/opendj \
          --rootUserDn cn=Directory\ Manager \
          --rootUserPassword password \
          --monitorUserDn uid=Monitor \
          --monitorUserPassword password \
          --acceptLicense \
          --hostname DS600.fr.local \
          --adminConnectorPort 4444 \
          --replicationPort 8989

Root User password was set up as password on all 3 servers.

Configured replication using admin and password as admin123:

dsreplication configure \
          --adminUID admin \
          --adminPassword admin123 \
          --baseDN dc=example,dc=com \
          --host1 DS-55-A.fr.local \
          --port1 4444 \
          --bindDN1 "cn=Directory Manager" \
          --bindPassword1 password \
          --noReplicationServer1 \
          --host2 DS600.fr.local \
          --port2 4444 \
          --bindDN2 "cn=Directory Manager" \
          --bindPassword2 password \
          --replicationPort2 8989 \
          --onlyReplicationServer2 \
          --trustAll \
          --no-prompt

dsreplication configure \
          --adminUID admin \
          --adminPassword admin123 \
          --baseDN dc=example,dc=com \
          --host1 DS-55-B.fr.local \
          --port1 4444 \
          --bindDN1 "cn=Directory Manager" \
          --bindPassword1 password \
          --noReplicationServer1 \
          --host2 DS600.fr.local \
          --port2 4444 \
          --bindDN2 "cn=Directory Manager" \
          --bindPassword2 password \
          --replicationPort2 8989 \
          --onlyReplicationServer2 \
          --trustAll \
          --no-prompt

Following this, if I try dsreplication status using admin and admin123, it complains that the credentials are wrong. It works only when I provide the password as password (which is the root user password).

dsreplication status --adminUID admin --adminPassword admin123 --hostname DS-55-B.fr.local --port 4444 --trustAll

The provided credentials are not valid in server DS-55-B.fr.local:4444.
Details: Invalid Credentials

>>>> Specify OpenDJ LDAP connection parameters

Directory server hostname or IP address [DS-55-B.fr.local]: 

Directory server administration port number [4444]: 

Global Administrator User ID [admin]: 

Password for user 'admin': 

The provided credentials are not valid in server DS-55-B.fr.local:4444.
Details: Invalid Credentials


Directory server hostname or IP address [DS-55-B.fr.local]: 

Directory server administration port number [4444]: 

Global Administrator User ID [admin]: 

Password for user 'admin': 

The equivalent non-interactive command-line is:
dsreplication status \
          --hostname DS-55-B.fr.local \
          --port 4444 \
          --adminUid admin \
          --adminPassword ****** \
          --no-prompt
Suffix DN         : Server                : Entries : Replication enabled : DS ID : RS ID : RS Port (1) : Delay (ms) : Security (2)
------------------:-----------------------:---------:---------------------:-------:-------:-------------:------------:-------------
dc=example,dc=com : DS-55-A.fr.local:4444 : 2002    : true                : 29349 : (3)   :             : 0          : 
dc=example,dc=com : DS-55-B.fr.local:4444 : 2002    : true                : 5389  : (3)   :             : 0          : 
uid=Monitor       : DS-55-A.fr.local:4444 : 1       :                     :       :       :             :            : 
uid=Monitor       : DS-55-B.fr.local:4444 : 1       :                     :       :       :             :            : 
uid=Monitor       : DS600.fr.local:4444  : 1        :                     :       :       :             :            : 
                  : DS600.fr.local:4444  : (4)      : true                :       : 28710 : 8989        : N/A        : false


The stored passwords are seen to be different:

# grep userPassword db/rootUser/rootUser.ldif
userPassword: {PBKDF2}10000:KbBOfV6NsjrQmdiC+j3rT/fY5idZbuHsctTPZA==
# grep userPassword db/adminRoot/admin-backend.ldif
userPassword: {PBKDF2}10000:a5QKukAl8T3BuyPn3IN1pVMZf4TLa1qtk6YbmQ==


In DS+RS servers, there is no problem.
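Because each {PBKDF2} value carries its own random salt, the two grep lines above being different does not by itself show that the root user and the global administrator hold different passwords. The following script, an added example that is not part of the issue or of the OpenDJ code base, parses the stored values and checks whether both verify against one candidate password; it assumes the legacy OpenDJ PBKDF2 layout (iteration count, then base64 of a 20-byte PBKDF2-HMAC-SHA1 digest followed by an 8-byte salt), which is an assumption rather than something the issue states.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Stored values copied from the issue description (root user, then global administrator).
ROOT_USER_STORED = "{PBKDF2}10000:KbBOfV6NsjrQmdiC+j3rT/fY5idZbuHsctTPZA=="
ADMIN_STORED = "{PBKDF2}10000:a5QKukAl8T3BuyPn3IN1pVMZf4TLa1qtk6YbmQ=="

# Assumed layout of the legacy OpenDJ PBKDF2 scheme: iterations ":" base64(digest || salt),
# with a 20-byte PBKDF2-HMAC-SHA1 digest followed by an 8-byte random salt.
DIGEST_LEN = 20
SALT_LEN = 8
PREFIX = "{PBKDF2}"


def parse_pbkdf2(stored: str) -> Tuple[int, bytes, bytes]:
    """Return (iterations, digest, salt) from a stored {PBKDF2} value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not a {PBKDF2} value")
    iterations, b64 = stored[len(PREFIX):].split(":", 1)
    raw = base64.b64decode(b64)
    if len(raw) != DIGEST_LEN + SALT_LEN:
        raise ValueError("unexpected payload length %d" % len(raw))
    return int(iterations), raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def encode_pbkdf2(password: str, iterations: int = 10000, salt: Optional[bytes] = None) -> str:
    """Produce a stored value in the same layout (fresh random salt unless one is given)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, DIGEST_LEN)
    return PREFIX + "%d:%s" % (iterations, base64.b64encode(digest + salt).decode("ascii"))


def password_matches(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, digest, salt = parse_pbkdf2(stored)
    recomputed = hashlib.pbkdf2_hmac("sha1", candidate.encode("utf-8"), salt, iterations, DIGEST_LEN)
    return hmac.compare_digest(digest, recomputed)


def share_password(stored_a: str, stored_b: str, candidate: str) -> bool:
    """True when both stored values (with different salts) verify against the same candidate."""
    return password_matches(stored_a, candidate) and password_matches(stored_b, candidate)


if __name__ == "__main__":
    # Different salts make the two strings differ even when the underlying password is the same.
    for candidate in ("password", "admin123"):
        print(candidate, share_password(ROOT_USER_STORED, ADMIN_STORED, candidate))
```

Run it against the two values from the issue with the root password as the candidate to see whether the global administrator entry really was created with the root user password, as the comments below suggest.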

Comments
Comment by Chris Ridd [ 28/Feb/20 ]

This occurs because when you run setup to create the replication-server, it always creates a global administrator user, and it only has one password provided, so it creates it with the replication-server's root password.

See ReplicationServerSetup.createGlobalAdministrator().

I think this triggers dsreplication configure into using the RS's copy of cn=admin data to initialize the DS you are connecting it to, and as a result the adminUID/adminPassword values provided to dsreplication configure are effectively ignored.

It is not clear why setup needs to create the global administrator in a pure RS.

Comment by Ludovic Poitou [ 28/Feb/20 ]

The global administrator is used for dsreplication status and should be present in each instance that has replication information.

Comment by Chris Ridd [ 28/Feb/20 ]

Patching ReplicationServerSetup to remove the call to createGlobalAdministrator() (the method is now unused and can be deleted) solves the stated problem, but I don't know what implications this might have.

Comment by Chris Ridd [ 28/Feb/20 ]

I agree, but until you've joined the RS to a topology there seems no reason to run dsreplication status.

FWIW this behaviour is documented in the installation guide: Setting up Standalone Servers

When connecting to a remote replication server, this server uses the global administrator account for the topology. The global administrator account must have ID admin, and must use the same password as the root user password for this server.
