Changes in iManager are not being read by proxy

  • 7002915
  • 06-Apr-2009
  • 07-Jun-2013

Environment

Novell BorderManager 3.9 Support Pack 1
Novell BorderManager 3.9 Support Pack 2

Situation

After submitting changes in iManager 2.7, brdsrvs/proxy reloads but the new changes
are not in place, for example enabling the FTP proxy or adding a new group to an ACL control rule.

console.log shows this error:

3-26-2009 11:15:11 am: BRDSRV-3.70-3
Unable to read configuration from NDS (error - -672).

Normally a stopbrd/startbrd will force BorderManager to read the settings.

Resolution


This has been reported to engineering. As a workaround,
assign the [public] object supervisor rights to the BRDSRVS:configchange attribute.

Additional Information

The actual eDirectory verb being called here is DSAModifyEntry, which implies
the client is trying to make changes to the BM Server object.

This will most likely fail with a -672 and rightly so because .public only has
Browse rights to the tree by default. It could be authorized to read this
attribute, but definitely not to modify it.

I also see DSAModifyEntry being attempted for the same attribute and succeeding
as identity .GONZALO-NW6.nts.GONZALO-NW6-TREE. (server name)

The random nature of the problem might be because the DSAModifyEntry is only
attempted as public under certain conditions.



AREQ: [2009/03/26 11:15:11.312] DEBUG: Calling DSAModifyEntry conn:17 for
client .GONZALO-NW6.nts.GONZALO-NW6-TREE.
ABUF: [2009/03/26 11:15:11.312] DEBUG: Request - (54)
0000 02 00 00 00 00 00 00 00 FF FF FF FF 53 80 00 00 ............S...
0010 01 00 00 00 05 00 00 00 2C 00 00 00 42 00 52 00 ........,...B.R.
0020 44 00 53 00 52 00 56 00 53 00 3A 00 20 00 43 00 D.S.R.V.S.:...C.
0030 6F 00 6E 00 66 00 69 00 67 00 43 00 68 00 61 00 o.n.f.i.g.C.h.a.
0040 6E 00 67 00 65 00 00 00 01 00 00 00 04 00 00 00 n.g.e...........
0050 01 00 00 00 ....

LOCK: [2009/03/26 11:15:11.312] DEBUG: Exclusive Lock Obtained(autolock=true:
LOCK: [2009/03/26 11:15:11.312] DEBUG: 1 [DSAModifyEntry]
COLL: [2009/03/26 11:15:11.313] DEBUG: Overwriting present value.
LOST: [2009/03/26 11:15:11.315] DEBUG: DSAModifyEntry (done) entry
.GONZALO-NW6.nts.GONZALO-NW6-TREE., cts 2003/08/20 13:25:42, 1, 37


AREQ: [2009/03/26 11:15:11.947] DEBUG: Calling DSAModifyEntry conn:17 for
client .[Public].
ABUF: [2009/03/26 11:15:11.947] DEBUG: Request - (54)
0000 02 00 00 00 00 00 00 00 FF FF FF FF 53 80 00 00 ............S...
0010 01 00 00 00 05 00 00 00 2C 00 00 00 42 00 52 00 ........,...B.R.
0020 44 00 53 00 52 00 56 00 53 00 3A 00 20 00 43 00 D.S.R.V.S.:...C.
0030 6F 00 6E 00 66 00 69 00 67 00 43 00 68 00 61 00 o.n.f.i.g.C.h.a.
0040 6E 00 67 00 65 00 00 00 01 00 00 00 04 00 00 00 n.g.e...........
0050 01 00 00 00 ....

ABUF: [2009/03/26 11:15:11.950] DEBUG: Reply - (0)
AREQ: [2009/03/26 11:15:11.950] DEBUG: DSAModifyEntry failed, no access (-672).
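
The trace above can be reduced to one record per DSAModifyEntry call, showing which identity each modify ran as, which attribute it targeted and how it ended. The following Python is an added example, not Novell tooling; the function names are hypothetical, and the request layout (length field at offset 0x18) is an assumption read off this one dump.

```python
import re
import struct

# Request buffer copied from the trace above (identical in both calls).
HEX = """0000 02 00 00 00 00 00 00 00 FF FF FF FF 53 80 00 00 ............S...
0010 01 00 00 00 05 00 00 00 2C 00 00 00 42 00 52 00 ........,...B.R.
0020 44 00 53 00 52 00 56 00 53 00 3A 00 20 00 43 00 D.S.R.V.S.:...C.
0030 6F 00 6E 00 66 00 69 00 67 00 43 00 68 00 61 00 o.n.f.i.g.C.h.a.
0040 6E 00 67 00 65 00 00 00 01 00 00 00 04 00 00 00 n.g.e...........
0050 01 00 00 00 ...."""
# Trace lines from the article, abridged to the ones this parser reads.
TRACE = f"""AREQ: [2009/03/26 11:15:11.312] DEBUG: Calling DSAModifyEntry conn:17 for
client .GONZALO-NW6.nts.GONZALO-NW6-TREE.
ABUF: [2009/03/26 11:15:11.312] DEBUG: Request - (54)
{HEX}
LOST: [2009/03/26 11:15:11.315] DEBUG: DSAModifyEntry (done) entry
AREQ: [2009/03/26 11:15:11.947] DEBUG: Calling DSAModifyEntry conn:17 for
client .[Public].
ABUF: [2009/03/26 11:15:11.947] DEBUG: Request - (54)
{HEX}
AREQ: [2009/03/26 11:15:11.950] DEBUG: DSAModifyEntry failed, no access (-672).
"""
HEXLINE = re.compile(r"^[0-9A-F]{4} ((?:[0-9A-F]{2} ){1,16})")

def attribute_name(buf):
    # Assumed layout (from this dump only): 4-byte little-endian length at
    # 0x18, followed by that many bytes of NUL-terminated UTF-16LE.
    (n,) = struct.unpack_from("<I", buf, 0x18)
    return buf[0x1C:0x1C + n].decode("utf-16-le").rstrip("\0")

def modify_calls(trace):
    """Return (client, attribute, result) per call; result is 'ok' or the error code."""
    calls, cur = [], None
    # The article wraps "... for / client X." over two lines; join them first.
    for line in re.sub(r"for\s*\n\s*client", "for client", trace).splitlines():
        if m := re.search(r"Calling DSAModifyEntry conn:\d+ for client (\S+)", line):
            cur = {"client": m.group(1), "buf": bytearray(), "result": None}
            calls.append(cur)
        elif cur and (m := HEXLINE.match(line)):
            cur["buf"] += bytes.fromhex(m.group(1))  # ASCII column is not captured
        elif cur and "DSAModifyEntry (done)" in line:
            cur["result"] = "ok"
        elif cur and (m := re.search(r"DSAModifyEntry failed.*\((-\d+)\)", line)):
            cur["result"] = int(m.group(1))
    return [(c["client"], attribute_name(bytes(c["buf"])), c["result"]) for c in calls]

if __name__ == "__main__":
    for call in modify_calls(TRACE):
        print(call)
```

On a longer trace where calls from several connections interleave, key the pending call on the conn: number rather than on the most recent call.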