Patch Name: PHSS_18139 Patch Description: s700_800 10.20 DomainGuard Access A.01.10 patch 1 Creation Date: 99/07/27 Post Date: 99/07/29 Hardware Platforms - OS Releases: s700: 10.20 s800: 10.20 Products: DomainGuard A.01.10 Filesets: DomainGuard.DG-ADMIN,A.01.10 DomainGuard.DG-CORE,A.01.10 Automatic Reboot?: No Status: General Release Critical: No Path Name: /hp-ux_patches/s700_800/10.X/PHSS_18139 Symptoms: PHSS_18139: 1. Symptoms for CR # JAGab03972 If a user is removed from the LDAP (for example if they leave the organization), if they still exist in the ACL entry they cannot be removed. 2. Symptoms for CR # JAGab03978 Search for Distinguished Names not done correctly: DGconfig changes required. 3. Symptoms for CR # JAGab03984 Search for Distinguished Names not done correctly: changes to aclmgr required. 4. Symptoms for CR # JAGab21121 Crash or hang in Webserver. 5. Symptoms for CR # JAGab03981 DGConfig does not allow 0 public directories in list. Defect Description: PHSS_18139: 1. Defect description for CR # JAGab03972 Need capability to delete from an ACL entry a user that does not exist in the LDAP. 2. Defect description for CR # JAGab03978 Changes to DGconfig to allow separation of the LDAP search parameters for correct Distinguished Name search. 3. Defect description for CR # JAGab03984 Changes to aclmgr to support the separation of the LDAP search parameters so that Distinguished Name search is done correctly. 4. Defect description for CR # JAGab21121 CMA threads problem. 5. Defect description for CR # JAGab03981 NT version does not force users to have a public directory. DGConfig on HP-UX should not force this either. Resolution: 1. Defect description for CR # JAGab03972 Changes were made to the plugin and aclmgr to allow deletion from ACL entry of a user that does not exist in the LDAP. 2. Defect description for CR # JAGab03978 Change in DGconfig. 3. Defect description for CR # JAGab03984 Change in aclmgr. 4. Defect description for CR # JAGab21121 Change type of socket to use Netscape's socket wrappers instead of CMA's. 5. Defect description for CR # JAGab03981 DGConfig modified to allow 0 public directories. SR: 0000000000 Patch Files: /opt/hpdg/bin/DGConfig /opt/hpdg/bin/aclmgr /opt/hpdg/bin/dg_adm /opt/hpdg/dgadmin/ACLEditor.zip /opt/hpdg/dgadmin/aclmgr_en.msg /opt/hpdg/lib/aclmgr.conf /opt/hpdg/lib/dgpi.sl what(1) Output: /opt/hpdg/bin/DGConfig: DomainGuard Version 1.1 PHSS_18139 /opt/hpdg/bin/aclmgr: HP92453-02A.10.00 HP-UX SYMBOLIC DEBUGGER (END.O) $R evision: 74.03 $ DomainGuard Version 1.1 PHSS_18139 db.c 10.75 (Sleepycat) 12/3/98 db_appinit.c 10.66 (Sleepycat) 12/7/98 lock.c 10.60 (Sleepycat) 12/16/98 txn.c 10.65 (Sleepycat) 10/17/98 bt_compare.c 10.14 (Sleepycat) 10/9/98 bt_conv.c 10.7 (Sleepycat) 9/20/98 bt_open.c 10.39 (Sleepycat) 11/21/98 bt_recno.c 10.53 (Sleepycat) 12/11/98 db_am.c 10.13 (Sleepycat) 12/3/98 db_apprec.c 10.33 (Sleepycat) 10/5/98 Copyright (c) 1996, 1997, 1998 db_byteorder.c 10.5 (Sleepycat) 4/10/98 db_dispatch.c 10.20 (Sleepycat) 10/10/98 db_err.c 10.42 (Sleepycat) 11/24/98 db_iface.c 10.39 (Sleepycat) 11/25/98 db_log2.c 10.5 (Sleepycat) 4/26/98 db_pr.c 10.40 (Sleepycat) 11/22/98 db_region.c 10.53 (Sleepycat) 11/10/98 db_salloc.c 10.14 (Sleepycat) 11/16/98 hash.c 10.63 (Sleepycat) 12/11/98 hash_conv.c 10.5 (Sleepycat) 4/10/98 lock_deadlock.c 10.37 (Sleepycat) 10/4/98 lock_util.c 10.10 (Sleepycat) 9/20/98 lock_region.c 10.21 (Sleepycat) 10/19/98 log.c 10.63 (Sleepycat) 10/10/98 log_compare.c 10.3 (Sleepycat) 4/10/98 log_get.c 10.38 (Sleepycat) 10/3/98 log_put.c 10.44 (Sleepycat) 11/3/98 log_register.c 10.22 (Sleepycat) 9/27/98 mp_fopen.c 10.59 (Sleepycat) 12/11/98 mp_open.c 10.27 (Sleepycat) 10/1/98 mp_region.c 10.35 (Sleepycat) 12/11/98 mp_sync.c 10.31 (Sleepycat) 12/11/98 mutex.c 10.52 (Sleepycat) 11/8/98 os_abs.c 10.9 (Sleepycat) 7/21/98 os_alloc.c 10.10 (Sleepycat) 10/12/98 os_fid.c 10.12 (Sleepycat) 7/21/98 os_oflags.c 10.6 (Sleepycat) 4/19/98 os_open.c 10.33 (Sleepycat) 10/12/98 os_rw.c 10.11 (Sleepycat) 10/12/98 os_sleep.c 10.12 (Sleepycat) 10/12/98 os_stat.c 10.18 (Sleepycat) 10/12/98 os_tmpdir.c 10.3 (Sleepycat) 10/13/98 bt_cursor.c 10.81 (Sleepycat) 12/16/98 bt_delete.c 10.43 (Sleepycat) 12/7/98 bt_page.c 10.16 (Sleepycat) 10/25/98 bt_put.c 10.54 (Sleepycat) 12/6/98 bt_rec.c 10.28 (Sleepycat) 9/27/98 bt_rsearch.c 10.21 (Sleepycat) 12/2/98 bt_search.c 10.25 (Sleepycat) 12/16/98 bt_split.c 10.33 (Sleepycat) 10/13/98 bt_stat.c 10.27 (Sleepycat) 11/25/98 db_conv.c 10.13 (Sleepycat) 4/26/98 db_dup.c 10.35 (Sleepycat) 12/2/98 db_join.c 10.10 (Sleepycat) 10/9/98 db_overflow.c 10.21 (Sleepycat) 9/27/98 db_rec.c 10.19 (Sleepycat) 9/27/98 db_ret.c 10.16 (Sleepycat) 10/4/98 db_shash.c 10.9 (Sleepycat) 4/10/98 hash_dup.c 10.27 (Sleepycat) 12/6/98 hash_func.c 10.8 (Sleepycat) 4/10/98 hash_page.c 10.54 (Sleepycat) 12/6/98 hash_rec.c 10.22 (Sleepycat) 10/21/98 hash_stat.c 10.11 (Sleepycat) 9/27/98 lock_conflict.c 10.4 (Sleepycat) 11/20/98 log_findckp.c 10.17 (Sleepycat) 9/17/98 log_rec.c 10.26 (Sleepycat) 10/21/98 mp_bh.c 10.45 (Sleepycat) 11/25/98 mp_fget.c 10.53 (Sleepycat) 11/16/98 mp_fput.c 10.24 (Sleepycat) 9/27/98 mp_pr.c 10.30 (Sleepycat) 10/1/98 os_config.c 10.30 (Sleepycat) 10/12/98 os_dir.c 10.19 (Sleepycat) 10/12/98 os_fsync.c 10.7 (Sleepycat) 10/12/98 os_map.c 10.24 (Sleepycat) 10/12/98 os_rpath.c 10.3 (Sleepycat) 4/10/98 os_seek.c 10.11 (Sleepycat) 10/12/98 os_spin.c 10.10 (Sleepycat) 10/12/98 os_unlink.c 10.7 (Sleepycat) 10/12/98 txn_rec.c 10.14 (Sleepycat) 10/11/98 bt_curadj.c 10.69 (Sleepycat) 12/2/98 mp_fset.c 10.16 (Sleepycat) 9/27/98 /opt/hpdg/bin/dg_adm: None /opt/hpdg/dgadmin/ACLEditor.zip: None /opt/hpdg/dgadmin/aclmgr_en.msg: None /opt/hpdg/lib/aclmgr.conf: None /opt/hpdg/lib/dgpi.sl: DomainGuard Version 1.1 PHSS_18139 cksum(1) Output: 275931760 82198 /opt/hpdg/bin/DGConfig 3927489631 2029920 /opt/hpdg/bin/aclmgr 1931349489 5485 /opt/hpdg/bin/dg_adm 585649899 84992 /opt/hpdg/dgadmin/ACLEditor.zip 4109417278 684 /opt/hpdg/dgadmin/aclmgr_en.msg 805801585 11302 /opt/hpdg/lib/aclmgr.conf 1545057822 1339740 /opt/hpdg/lib/dgpi.sl Patch Conflicts: None Patch Dependencies: s700: 10.20: PHCO_8108 s800: 10.20: PHCO_8108 Hardware Dependencies: None Other Dependencies: None Supersedes: None Equivalent Patches: None Patch Package Size: 3560 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHSS_18139 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHSS_18139.depot By default swinstall will archive the original software in /var/adm/sw/patch/PHSS_18139. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. WARNING: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHSS_18139.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHSS_18139.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: You must be sure to stop your Web Server and the DomainGuard server prior to installing this patch. Detailed steps are as follows: 1. Login as root. 2. Stop the Web Server which is protected by DomainGuard. If you are not sure which Web Server that is, then stop all Web Servers. You can do this from a browser using the Netscape Server Administration page, or you can use the stop command located in your Web Server's root directory. For example, if your Web Server root is located at /usr/netscape/suitespot/https-myserver, you would use the command: /usr/netscape/suitespot/https-myserver/stop 3. Stop the DomainGuard server (aclmgr) using the following command: /opt/hpdg/bin/dg_adm -stop 4. Now install this patch using the standard patch installation instructions. 5. After the patch is successfully installed, you should start the DomainGuard server (aclmgr) using the following command: /opt/hpdg/bin/dg_adm -start 6. Start the Web Server which is protected by DomainGuard. If you stopped all Web Servers above, then start all Web Servers. You can do this from a browser using the Netscape Server Administration web page, or you can use the start command located in your Web Server's root directory. Using the example above, you would use the command: /usr/netscape/suitespot/https-myserver/start Your system should now operate normally with the patch installed. If you ever need to remove this patch, you will need to follow the instructions below. Because this patch makes configuration changes that the unpatched software can not handle, you must unconfigure DomainGuard from your Web Server before removing the patch. If you try to remove the patch without unconfiguring DomainGuard, the swremove command will fail. 1. Login as root. 2. Stop the Web Server which is protected by DomainGuard. You can do this from a browser using the Netscape Server Administration page, or you can use the stop command located in your Web Server's root directory. Using the same example as above, you would use the command: /usr/netscape/suitespot/https-myserver/stop 3. Stop the DomainGuard server (aclmgr) using the following command: /opt/hpdg/bin/dg_adm -stop 4. Unconfigure DomainGuard using a command similar to the following example: /opt/hpdg/bin/DGConfig -u \ /usr/netscape/suitespot/https-myserver/config/obj.conf 5. Now remove the patch using the command: swremove -v PHSS_18139 6. After the patch is successfully removed, you can reconfigure your Web Server to use DomainGuard. Most of your configuration will be remembered so the reconfiguration should not be difficult. The DGConfig command would be similar to this example: /opt/hpdg/bin/DGConfig -c \ /usr/netscape/suitespot/https-myserver/config/obj.conf 7. When DomainGuard is reconfigured, start the DomainGuard server (aclmgr) using the following command: /opt/hpdg/bin/dg_adm -start 8. Start the Web Server which is protected by DomainGuard. You can do this from a browser using the Netscape Server Administration web page, or you can use the start command located in your Web Server's root directory. Using the example above, you would use the command: /usr/netscape/suitespot/https-myserver/start Your system should now operate normally with the patch removed.