The Identity, Policy and Audit system
CentOS Sources
2015-03-26 0201d8c1f8891ab8748f106290dcc981c3346232
import ipa-4.1.0-18.el7_1.3
15 files added
1 files deleted
1 files renamed
3 files modified
2072 ■■■■■ changed files
SOURCES/0113-Always-return-absolute-idnsname-in-dnszone-commands.patch 103 ●●●●● patch | view | raw | blame | history
SOURCES/0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch 5 ●●●● patch | view | raw | blame | history
SOURCES/0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0116-Restore-default.conf-and-use-it-to-build-API.patch 164 ●●●●● patch | view | raw | blame | history
SOURCES/0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/0118-Add-configure-check-for-cwrap-libraries.patch 53 ●●●●● patch | view | raw | blame | history
SOURCES/0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch 776 ●●●●● patch | view | raw | blame | history
SOURCES/0120-extdom-make-nss-buffer-configurable.patch 254 ●●●●● patch | view | raw | blame | history
SOURCES/0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0122-extdom-fix-memory-leak.patch 25 ●●●●● patch | view | raw | blame | history
SOURCES/0123-certstore-Make-certificate-retrieval-more-robust.patch 128 ●●●●● patch | view | raw | blame | history
SOURCES/0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch 60 ●●●●● patch | view | raw | blame | history
SOURCES/0125-client-Fix-ca_is_enabled-calls.patch 53 ●●●●● patch | view | raw | blame | history
SOURCES/0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch 106 ●●●●● patch | view | raw | blame | history
SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch 6 ●●●● patch | view | raw | blame | history
SOURCES/1010-Disable-DNSSEC-support.patch 6 ●●●● patch | view | raw | blame | history
SOURCES/1013-extdom-fix-wrong-realloc-size.patch 25 ●●●●● patch | view | raw | blame | history
SOURCES/1014-fix-Makefile.am-for-daemons.patch 63 ●●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 38 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 66 ●●●● patch | view | raw | blame | history
SOURCES/0113-Always-return-absolute-idnsname-in-dnszone-commands.patch
New file
@@ -0,0 +1,103 @@
From 9b01d87626de2c5a0cb9b5e0d10959b13f03fbba Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 15 Jan 2015 13:13:55 +0100
Subject: [PATCH] Always return absolute idnsname in dnszone commands
Ticket: https://fedorahosted.org/freeipa/ticket/4722
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipalib/plugins/dns.py | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 34afc189866993481229bb68a5edd77e0a4eaff3..ea4c212b42631e8513a13d2a7f5a859b2176376b 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1848,6 +1848,18 @@ class DNSZoneBase(LDAPObject):
             except errors.NotFound:
                 raise e  # re-raise original exception
+    def _make_zonename_absolute(self, entry_attrs, **options):
+        """
+        Zone names can be relative in IPA < 4.0, make sure we always return
+        absolute zone name from ldap
+        """
+        if options.get('raw'):
+            return
+
+        if "idnsname" in entry_attrs:
+            entry_attrs.single_value['idnsname'] = (
+                entry_attrs.single_value['idnsname'].make_absolute())
+
 class DNSZoneBase_add(LDAPCreate):
@@ -1895,6 +1907,11 @@ class DNSZoneBase_del(LDAPDelete):
 class DNSZoneBase_mod(LDAPUpdate):
     has_output_params = LDAPUpdate.has_output_params + dnszone_output_params
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        assert isinstance(dn, DN)
+        self.obj._make_zonename_absolute(entry_attrs, **options)
+        return dn
+
 class DNSZoneBase_find(LDAPSearch):
     __doc__ = _('Search for DNS zones (SOA records).')
@@ -1929,6 +1946,11 @@ class DNSZoneBase_find(LDAPSearch):
         filter = _create_idn_filter(self, ldap, *args, **options)
         return (filter, base_dn, scope)
+    def post_callback(self, ldap, entries, truncated, *args, **options):
+        for entry_attrs in entries:
+            self.obj._make_zonename_absolute(entry_attrs, **options)
+        return truncated
+
 class DNSZoneBase_show(LDAPRetrieve):
     has_output_params = LDAPRetrieve.has_output_params + dnszone_output_params
@@ -1939,6 +1961,11 @@ class DNSZoneBase_show(LDAPRetrieve):
             self.obj.handle_not_found(*keys)
         return dn
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        assert isinstance(dn, DN)
+        self.obj._make_zonename_absolute(entry_attrs, **options)
+        return dn
+
 class DNSZoneBase_disable(LDAPQuery):
     has_output = output.standard_value
@@ -2539,7 +2566,8 @@ class dnszone_mod(DNSZoneBase_mod):
         return result
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        assert isinstance(dn, DN)
+        dn = super(dnszone_mod, self).post_callback(ldap, dn, entry_attrs,
+                                                    *keys, **options)
         self.obj._rr_zone_postprocess(entry_attrs, **options)
         return dn
@@ -2576,6 +2604,9 @@ class dnszone_find(DNSZoneBase_find):
         return (filter, base_dn, scope)
     def post_callback(self, ldap, entries, truncated, *args, **options):
+        truncated = super(dnszone_find, self).post_callback(ldap, entries,
+                                                            truncated, *args,
+                                                            **options)
         for entry_attrs in entries:
             self.obj._rr_zone_postprocess(entry_attrs, **options)
         return truncated
@@ -2592,7 +2623,8 @@ class dnszone_show(DNSZoneBase_show):
         return result
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        assert isinstance(dn, DN)
+        dn = super(dnszone_show, self).post_callback(ldap, dn, entry_attrs,
+                                                     *keys, **options)
         self.obj._rr_zone_postprocess(entry_attrs, **options)
         return dn
--
2.1.0
SOURCES/0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch
File was renamed from SOURCES/1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch
@@ -1,10 +1,13 @@
From 50b420b5f8ec1c4a6696b387ee5f3378dd0257bc Mon Sep 17 00:00:00 2001
From b46e3a309e8aa9a629037afb6ca7972d98e943e9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 10 Dec 2014 14:59:38 +0200
Subject: [PATCH] ipa-kdb: reject principals from disabled domains as a KDC
 policy
Fixes https://fedorahosted.org/freeipa/ticket/4788
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
SOURCES/0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch
New file
@@ -0,0 +1,47 @@
From ce31d4124e20261cbd561f688110046945b082c1 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Thu, 19 Feb 2015 17:10:37 +0100
Subject: [PATCH] ipalib: Make sure correct attribute name is referenced for
 fax
Fixes the invalid attribute name reference in the
'System: Read User Addressbook Attributes' permission.
https://fedorahosted.org/freeipa/ticket/4883
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ACI.txt                | 2 +-
 ipalib/plugins/user.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index 67d583fabc295deb8aa5aab329bce5100c1b9088..fa1dcc4a8c9fd0c610dadcb2c368f700d26d4011 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -255,7 +255,7 @@ aci: (targetattr = "businesscategory || carlicense || cn || description || displ
 dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || facsimiletelephonenumber || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 56585b9f86593c0c5879139103bc71707b88e15f..abe5ee26b8e48681eeb0cbb3bcff8617e212225c 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -276,7 +276,7 @@ class user(LDAPObject):
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'seealso', 'telephonenumber',
-                'fax', 'l', 'ou', 'st', 'postalcode', 'street',
+                'facsimiletelephonenumber', 'l', 'ou', 'st', 'postalcode', 'street',
                 'destinationindicator', 'internationalisdnnumber',
                 'physicaldeliveryofficename', 'postaladdress', 'postofficebox',
                 'preferreddeliverymethod', 'registeredaddress',
--
2.1.0
SOURCES/0116-Restore-default.conf-and-use-it-to-build-API.patch
New file
@@ -0,0 +1,164 @@
From 0dfae3e9f16d91116a6769e25bbbee0ef1e485d2 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Wed, 4 Mar 2015 10:06:47 -0500
Subject: [PATCH] Restore default.conf and use it to build API.
When restoring ipa after uninstallation we need to extract and load
configuration of the restored environment.
https://fedorahosted.org/freeipa/ticket/4896
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/ipa_restore.py | 64 ++++++++++++++++++++++++++++++----------
 1 file changed, 48 insertions(+), 16 deletions(-)
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index efe3b9b1c0c10775b3a72b9d843924263526209a..a5ecd5f62bc85918fe697d98109bd3a82120f355 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -27,7 +27,7 @@ from ConfigParser import SafeConfigParser
 import ldif
 import itertools
-from ipalib import api, errors
+from ipalib import api, errors, constants
 from ipapython import version, ipautil, certdb, dogtag
 from ipapython.ipautil import run, user_input
 from ipapython import admintool
@@ -203,15 +203,12 @@ class Restore(admintool.AdminTool):
         options = self.options
         super(Restore, self).run()
-        api.bootstrap(in_server=False, context='restore')
-        api.finalize()
-
         self.backup_dir = self.args[0]
         if not os.path.isabs(self.backup_dir):
             self.backup_dir = os.path.join(BACKUP_DIR, self.backup_dir)
         self.log.info("Preparing restore from %s on %s",
-                      self.backup_dir, api.env.host)
+                      self.backup_dir, constants.FQDN)
         self.header = os.path.join(self.backup_dir, 'header')
@@ -225,9 +222,6 @@ class Restore(admintool.AdminTool):
         else:
             restore_type = self.backup_type
-        instances = [realm_to_serverid(api.env.realm), 'PKI-IPA']
-        backends = ['userRoot', 'ipaca']
-
         # These checks would normally be in the validate method but
         # we need to know the type of backup we're dealing with.
         if restore_type == 'FULL':
@@ -241,6 +235,8 @@ class Restore(admintool.AdminTool):
         else:
             installutils.check_server_configuration()
+            self.init_api()
+
             if options.instance:
                 instance_dir = (paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
                                 options.instance)
@@ -248,10 +244,10 @@ class Restore(admintool.AdminTool):
                     raise admintool.ScriptError(
                         "Instance %s does not exist" % options.instance)
-                instances = [options.instance]
+                self.instances = [options.instance]
             if options.backend:
-                for instance in instances:
+                for instance in self.instances:
                     db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
                               (instance, options.backend))
                     if os.path.exists(db_dir):
@@ -260,9 +256,10 @@ class Restore(admintool.AdminTool):
                     raise admintool.ScriptError(
                         "Backend %s does not exist" % options.backend)
-                backends = [options.backend]
+                self.backends = [options.backend]
-            for instance, backend in itertools.product(instances, backends):
+            for instance, backend in itertools.product(self.instances,
+                                                       self.backends):
                 db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
                           (instance, backend))
                 if os.path.exists(db_dir):
@@ -274,10 +271,10 @@ class Restore(admintool.AdminTool):
         self.log.info("Performing %s restore from %s backup" %
                       (restore_type, self.backup_type))
-        if self.backup_host != api.env.host:
+        if self.backup_host != constants.FQDN:
             raise admintool.ScriptError(
                 "Host name %s does not match backup name %s" %
-                (api.env.host, self.backup_host))
+                (constants.FQDN, self.backup_host))
         if self.backup_ipa_version != str(version.VERSION):
             self.log.warning(
@@ -307,9 +304,13 @@ class Restore(admintool.AdminTool):
             self.extract_backup(options.gpg_keyring)
+            if restore_type == 'FULL':
+                self.restore_default_conf()
+                self.init_api(confdir=self.dir + paths.ETC_IPA)
+
             databases = []
-            for instance in instances:
-                for backend in backends:
+            for instance in self.instances:
+                for backend in self.backends:
                     database = (instance, backend)
                     ldiffile = os.path.join(self.dir, '%s-%s.ldif' % database)
                     if os.path.exists(ldiffile):
@@ -607,6 +608,30 @@ class Restore(admintool.AdminTool):
                 self.log.critical("bak2db failed: %s" % stderr)
+    def restore_default_conf(self):
+        '''
+        Restore paths.IPA_DEFAULT_CONF to temporary directory.
+
+        Primary purpose of this method is to get cofiguration for api
+        finalization when restoring ipa after uninstall.
+        '''
+        cwd = os.getcwd()
+        os.chdir(self.dir)
+        args = ['tar',
+                '--xattrs',
+                '--selinux',
+                '-xzf',
+                os.path.join(self.dir, 'files.tar'),
+                paths.IPA_DEFAULT_CONF[1:],
+               ]
+
+        (stdout, stderr, rc) = run(args, raiseonerr=False)
+        if rc != 0:
+            self.log.critical('Restoring %s failed: %s' %
+                              (paths.IPA_DEFAULT_CONF, stderr))
+        os.chdir(cwd)
+
+
     def file_restore(self, nologs=False):
         '''
         Restore all the files in the tarball.
@@ -803,3 +828,10 @@ class Restore(admintool.AdminTool):
         tasks.reload_systemwide_ca_store()
         services.knownservices.certmonger.restart()
+
+    def init_api(self, **overrides):
+        api.bootstrap(in_server=False, context='restore', **overrides)
+        api.finalize()
+
+        self.instances = [realm_to_serverid(api.env.realm), 'PKI-IPA']
+        self.backends = ['userRoot', 'ipaca']
--
2.1.0
SOURCES/0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch
New file
@@ -0,0 +1,62 @@
From 7a98d658d662f0cec33ba6207474d8271029b4bd Mon Sep 17 00:00:00 2001
From: root <root@vm-035.idm.lab.eng.brq.redhat.com>
Date: Wed, 4 Mar 2015 11:11:45 +0100
Subject: [PATCH] Limit deadlocks between DS plugin DNA and slapi-nis
    Deadlock can occur if DNA plugin (shared) config and Schema-compat plugin config
    are updated at the same time.
    Schema-compat should ignore update on DNA config.
    https://fedorahosted.org/freeipa/ticket/4927
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 install/updates/10-schema_compat.update | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index b8c79012d121116f9cf53908fbe4eeeebe9d3d82..4484bdcce15736eeaffcc99edc694094b16fd0ed 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -22,6 +22,7 @@ remove: schema-compat-ignore-subtree: cn=changelog
 remove: schema-compat-ignore-subtree: o=ipaca
 add: schema-compat-restrict-subtree: '$SUFFIX'
 add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
+add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX'
 # Change padding for host and userCategory so the pad returns the same value
 # as the original, '' or -.
@@ -31,6 +32,7 @@ remove: schema-compat-ignore-subtree: cn=changelog
 remove: schema-compat-ignore-subtree: o=ipaca
 add: schema-compat-restrict-subtree: '$SUFFIX'
 add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
+add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX'
 dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
 default:objectClass: top
@@ -49,6 +51,7 @@ remove: schema-compat-ignore-subtree: cn=changelog
 remove: schema-compat-ignore-subtree: o=ipaca
 add: schema-compat-restrict-subtree: '$SUFFIX'
 add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
+add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX'
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
 add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
@@ -58,12 +61,14 @@ remove: schema-compat-ignore-subtree: cn=changelog
 remove: schema-compat-ignore-subtree: o=ipaca
 add: schema-compat-restrict-subtree: '$SUFFIX'
 add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
+add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX'
 dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
 remove: schema-compat-ignore-subtree: cn=changelog
 remove: schema-compat-ignore-subtree: o=ipaca
 add: schema-compat-restrict-subtree: '$SUFFIX'
 add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
+add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX'
 dn: cn=Schema Compatibility,cn=plugins,cn=config
 # We need to run schema-compat pre-bind callback before
--
2.1.0
SOURCES/0118-Add-configure-check-for-cwrap-libraries.patch
New file
@@ -0,0 +1,53 @@
From d6ea80f9c0a5b7d6bd44e32297af3718c1e782ff Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Feb 2015 15:29:00 +0100
Subject: [PATCH] Add configure check for cwrap libraries
Currently only nss-wrapper is checked, checks for other crwap libraries
can be added e.g. as
AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/configure.ac | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/daemons/configure.ac b/daemons/configure.ac
index e81aa60e381e035aff73bf27475fc0f101a5fbf9..932a8f7fd5230c90071cf26cc83f6aee5173457d 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -224,6 +224,30 @@ PKG_CHECK_EXISTS(cmocka,
 )
 AM_CONDITIONAL([HAVE_CMOCKA], [test x$have_cmocka = xyes])
+dnl A macro to check presence of a cwrap (http://cwrap.org) wrapper on the system
+dnl Usage:
+dnl     AM_CHECK_WRAPPER(name, conditional)
+dnl If the cwrap library is found, sets the HAVE_$name conditional
+AC_DEFUN([AM_CHECK_WRAPPER],
+[
+    FOUND_WRAPPER=0
+
+    AC_MSG_CHECKING([for $1])
+    PKG_CHECK_EXISTS([$1],
+                     [
+                        AC_MSG_RESULT([yes])
+                        FOUND_WRAPPER=1
+                     ],
+                     [
+                        AC_MSG_RESULT([no])
+                        AC_MSG_WARN([cwrap library $1 not found, some tests will not run])
+                     ])
+
+    AM_CONDITIONAL($2, [ test x$FOUND_WRAPPER = x1])
+])
+
+AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
+
 dnl -- dirsrv is needed for the extdom unit tests --
 PKG_CHECK_MODULES([DIRSRV], [dirsrv  >= 1.3.0])
 dnl -- sss_idmap is needed by the extdom exop --
--
2.1.0
SOURCES/0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch
New file
@@ -0,0 +1,776 @@
From 14310dab1698da8afbc107c5c76a3c01c9aeb20e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Feb 2015 15:33:39 +0100
Subject: [PATCH] extdom: handle ERANGE return code for getXXYYY_r() calls
The getXXYYY_r() calls require a buffer to store the variable data of
the passwd and group structs. If the provided buffer is too small ERANGE
is returned and the caller can try with a larger buffer again.
Cmocka/cwrap based unit-tests for get*_r_wrapper() are added.
Resolves https://fedorahosted.org/freeipa/ticket/4908
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am |  31 ++-
 .../ipa-extdom-extop/ipa_extdom.h                  |   9 +
 .../ipa-extdom-extop/ipa_extdom_cmocka_tests.c     | 226 +++++++++++++++
 .../ipa-extdom-extop/ipa_extdom_common.c           | 309 +++++++++++++++------
 .../ipa-extdom-extop/test_data/group               |   2 +
 .../ipa-extdom-extop/test_data/passwd              |   2 +
 .../ipa-extdom-extop/test_data/test_setup.sh       |   3 +
 7 files changed, 498 insertions(+), 84 deletions(-)
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
index 0008476796f5b20f62f2c32e7b291b787fa7a6fc..a1679812ef3c5de8c6e18433cbb991a99ad0b6c8 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
@@ -35,9 +35,20 @@ libipa_extdom_extop_la_LIBADD =     \
     $(SSSNSSIDMAP_LIBS)    \
     $(NULL)
+TESTS =
+check_PROGRAMS =
+
 if HAVE_CHECK
-TESTS = extdom_tests
-check_PROGRAMS = extdom_tests
+TESTS += extdom_tests
+check_PROGRAMS += extdom_tests
+endif
+
+if HAVE_CMOCKA
+if HAVE_NSS_WRAPPER
+TESTS_ENVIRONMENT = . ./test_data/test_setup.sh;
+TESTS += extdom_cmocka_tests
+check_PROGRAMS += extdom_cmocka_tests
+endif
 endif
 extdom_tests_SOURCES =     \
@@ -55,6 +66,22 @@ extdom_tests_LDADD =         \
     $(SSSNSSIDMAP_LIBS)    \
     $(NULL)
+extdom_cmocka_tests_SOURCES =         \
+    ipa_extdom_cmocka_tests.c    \
+    ipa_extdom_common.c        \
+    $(NULL)
+extdom_cmocka_tests_CFLAGS = $(CMOCKA_CFLAGS)
+extdom_cmocka_tests_LDFLAGS =     \
+    -rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//') \
+    $(NULL)
+extdom_cmocka_tests_LDADD =     \
+    $(CMOCKA_LIBS)        \
+    $(LDAP_LIBS)        \
+    $(DIRSRV_LIBS)        \
+    $(SSSNSSIDMAP_LIBS)    \
+    $(NULL)
+
+
 appdir = $(IPA_DATA_DIR)
 app_DATA =                \
     ipa-extdom-extop-conf.ldif    \
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 56ca5009b1aa427f6c059b78ac392c768e461e2e..40bf933920fdd2ca19e5ef195aaa8fb820446cc5 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -174,4 +174,13 @@ int check_request(struct extdom_req *req, enum extdom_version version);
 int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
                    struct berval **berval);
 int pack_response(struct extdom_res *res, struct berval **ret_val);
+int get_buffer(size_t *_buf_len, char **_buf);
+int getpwnam_r_wrapper(size_t buf_max, const char *name,
+                       struct passwd *pwd, char **_buf, size_t *_buf_len);
+int getpwuid_r_wrapper(size_t buf_max, uid_t uid,
+                       struct passwd *pwd, char **_buf, size_t *_buf_len);
+int getgrnam_r_wrapper(size_t buf_max, const char *name,
+                       struct group *grp, char **_buf, size_t *_buf_len);
+int getgrgid_r_wrapper(size_t buf_max, gid_t gid,
+                       struct group *grp, char **_buf, size_t *_buf_len);
 #endif /* _IPA_EXTDOM_H_ */
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
new file mode 100644
index 0000000000000000000000000000000000000000..d5bacd7e8c9dc0a71eea70162406c7e5b67384ad
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
@@ -0,0 +1,226 @@
+/*
+    Authors:
+        Sumit Bose <sbose@redhat.com>
+
+    Copyright (C) 2015 Red Hat
+
+    Extdom tests
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include <sys/types.h>
+#include <pwd.h>
+
+
+#include "ipa_extdom.h"
+
+#define MAX_BUF (1024*1024*1024)
+
+void test_getpwnam_r_wrapper(void **state)
+{
+    int ret;
+    struct passwd pwd;
+    char *buf;
+    size_t buf_len;
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwnam_r_wrapper(MAX_BUF, "non_exisiting_user", &pwd, &buf,
+                             &buf_len);
+    assert_int_equal(ret, ENOENT);
+
+    ret = getpwnam_r_wrapper(MAX_BUF, "user", &pwd, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(pwd.pw_name, "user");
+    assert_string_equal(pwd.pw_passwd, "x");
+    assert_int_equal(pwd.pw_uid, 12345);
+    assert_int_equal(pwd.pw_gid, 23456);
+    assert_string_equal(pwd.pw_gecos, "gecos");
+    assert_string_equal(pwd.pw_dir, "/home/user");
+    assert_string_equal(pwd.pw_shell, "/bin/shell");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwnam_r_wrapper(MAX_BUF, "user_big", &pwd, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(pwd.pw_name, "user_big");
+    assert_string_equal(pwd.pw_passwd, "x");
+    assert_int_equal(pwd.pw_uid, 12346);
+    assert_int_equal(pwd.pw_gid, 23457);
+    assert_int_equal(strlen(pwd.pw_gecos), 4000 * strlen("gecos"));
+    assert_string_equal(pwd.pw_dir, "/home/user_big");
+    assert_string_equal(pwd.pw_shell, "/bin/shell");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwnam_r_wrapper(1024, "user_big", &pwd, &buf, &buf_len);
+    assert_int_equal(ret, ERANGE);
+    free(buf);
+}
+
+void test_getpwuid_r_wrapper(void **state)
+{
+    int ret;
+    struct passwd pwd;
+    char *buf;
+    size_t buf_len;
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwuid_r_wrapper(MAX_BUF, 99999, &pwd, &buf, &buf_len);
+    assert_int_equal(ret, ENOENT);
+
+    ret = getpwuid_r_wrapper(MAX_BUF, 12345, &pwd, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(pwd.pw_name, "user");
+    assert_string_equal(pwd.pw_passwd, "x");
+    assert_int_equal(pwd.pw_uid, 12345);
+    assert_int_equal(pwd.pw_gid, 23456);
+    assert_string_equal(pwd.pw_gecos, "gecos");
+    assert_string_equal(pwd.pw_dir, "/home/user");
+    assert_string_equal(pwd.pw_shell, "/bin/shell");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwuid_r_wrapper(MAX_BUF, 12346, &pwd, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(pwd.pw_name, "user_big");
+    assert_string_equal(pwd.pw_passwd, "x");
+    assert_int_equal(pwd.pw_uid, 12346);
+    assert_int_equal(pwd.pw_gid, 23457);
+    assert_int_equal(strlen(pwd.pw_gecos), 4000 * strlen("gecos"));
+    assert_string_equal(pwd.pw_dir, "/home/user_big");
+    assert_string_equal(pwd.pw_shell, "/bin/shell");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwuid_r_wrapper(1024, 12346, &pwd, &buf, &buf_len);
+    assert_int_equal(ret, ERANGE);
+    free(buf);
+}
+
+void test_getgrnam_r_wrapper(void **state)
+{
+    int ret;
+    struct group grp;
+    char *buf;
+    size_t buf_len;
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrnam_r_wrapper(MAX_BUF, "non_exisiting_group", &grp, &buf, &buf_len);
+    assert_int_equal(ret, ENOENT);
+
+    ret = getgrnam_r_wrapper(MAX_BUF, "group", &grp, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(grp.gr_name, "group");
+    assert_string_equal(grp.gr_passwd, "x");
+    assert_int_equal(grp.gr_gid, 11111);
+    assert_string_equal(grp.gr_mem[0], "member0001");
+    assert_string_equal(grp.gr_mem[1], "member0002");
+    assert_null(grp.gr_mem[2]);
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrnam_r_wrapper(MAX_BUF, "group_big", &grp, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(grp.gr_name, "group_big");
+    assert_string_equal(grp.gr_passwd, "x");
+    assert_int_equal(grp.gr_gid, 22222);
+    assert_string_equal(grp.gr_mem[0], "member0001");
+    assert_string_equal(grp.gr_mem[1], "member0002");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrnam_r_wrapper(1024, "group_big", &grp, &buf, &buf_len);
+    assert_int_equal(ret, ERANGE);
+    free(buf);
+}
+
+void test_getgrgid_r_wrapper(void **state)
+{
+    int ret;
+    struct group grp;
+    char *buf;
+    size_t buf_len;
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrgid_r_wrapper(MAX_BUF, 99999, &grp, &buf, &buf_len);
+    assert_int_equal(ret, ENOENT);
+
+    ret = getgrgid_r_wrapper(MAX_BUF, 11111, &grp, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(grp.gr_name, "group");
+    assert_string_equal(grp.gr_passwd, "x");
+    assert_int_equal(grp.gr_gid, 11111);
+    assert_string_equal(grp.gr_mem[0], "member0001");
+    assert_string_equal(grp.gr_mem[1], "member0002");
+    assert_null(grp.gr_mem[2]);
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrgid_r_wrapper(MAX_BUF, 22222, &grp, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(grp.gr_name, "group_big");
+    assert_string_equal(grp.gr_passwd, "x");
+    assert_int_equal(grp.gr_gid, 22222);
+    assert_string_equal(grp.gr_mem[0], "member0001");
+    assert_string_equal(grp.gr_mem[1], "member0002");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrgid_r_wrapper(1024, 22222, &grp, &buf, &buf_len);
+    assert_int_equal(ret, ERANGE);
+    free(buf);
+}
+
+int main(int argc, const char *argv[])
+{
+    const UnitTest tests[] = {
+        unit_test(test_getpwnam_r_wrapper),
+        unit_test(test_getpwuid_r_wrapper),
+        unit_test(test_getgrnam_r_wrapper),
+        unit_test(test_getgrgid_r_wrapper),
+    };
+
+    return run_tests(tests);
+}
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 20fdd62b20f28f5384cf83b8be5819f721c6c3db..cbe336963ffbafadd5a7b8029a65fafe506f75e8 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -49,6 +49,188 @@
 #define MAX(a,b) (((a)>(b))?(a):(b))
 #define SSSD_DOMAIN_SEPARATOR '@'
+#define MAX_BUF (1024*1024*1024)
+
+
+
+int get_buffer(size_t *_buf_len, char **_buf)
+{
+    long pw_max;
+    long gr_max;
+    size_t buf_len;
+    char *buf;
+
+    pw_max = sysconf(_SC_GETPW_R_SIZE_MAX);
+    gr_max = sysconf(_SC_GETGR_R_SIZE_MAX);
+
+    buf_len = MAX(16384, MAX(pw_max, gr_max));
+
+    buf = malloc(sizeof(char) * buf_len);
+    if (buf == NULL) {
+        return LDAP_OPERATIONS_ERROR;
+    }
+
+    *_buf_len = buf_len;
+    *_buf = buf;
+
+    return LDAP_SUCCESS;
+}
+
+static int inc_buffer(size_t buf_max, size_t *_buf_len, char **_buf)
+{
+    size_t tmp_len;
+    char *tmp_buf;
+
+    tmp_buf = *_buf;
+    tmp_len = *_buf_len;
+
+    tmp_len *= 2;
+    if (tmp_len > buf_max) {
+        return ERANGE;
+    }
+
+    tmp_buf = realloc(tmp_buf, tmp_len);
+    if (tmp_buf == NULL) {
+        return ENOMEM;
+    }
+
+    *_buf_len = tmp_len;
+    *_buf = tmp_buf;
+
+    return 0;
+}
+
+int getpwnam_r_wrapper(size_t buf_max, const char *name,
+                       struct passwd *pwd, char **_buf, size_t *_buf_len)
+{
+    char *buf = NULL;
+    size_t buf_len = 0;
+    int ret;
+    struct passwd *result = NULL;
+
+    buf = *_buf;
+    buf_len = *_buf_len;
+
+    while (buf != NULL
+            && (ret = getpwnam_r(name, pwd, buf, buf_len, &result)) == ERANGE) {
+        ret = inc_buffer(buf_max, &buf_len, &buf);
+        if (ret != 0) {
+            if (ret == ERANGE) {
+                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
+            }
+            goto done;
+        }
+    }
+
+    if (ret == 0 && result == NULL) {
+        ret = ENOENT;
+    }
+
+done:
+    *_buf = buf;
+    *_buf_len = buf_len;
+
+    return ret;
+}
+
+int getpwuid_r_wrapper(size_t buf_max, uid_t uid,
+                       struct passwd *pwd, char **_buf, size_t *_buf_len)
+{
+    char *buf = NULL;
+    size_t buf_len = 0;
+    int ret;
+    struct passwd *result = NULL;
+
+    buf = *_buf;
+    buf_len = *_buf_len;
+
+    while (buf != NULL
+            && (ret = getpwuid_r(uid, pwd, buf, buf_len, &result)) == ERANGE) {
+        ret = inc_buffer(buf_max, &buf_len, &buf);
+        if (ret != 0) {
+            if (ret == ERANGE) {
+                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
+            }
+            goto done;
+        }
+    }
+
+    if (ret == 0 && result == NULL) {
+        ret = ENOENT;
+    }
+
+done:
+    *_buf = buf;
+    *_buf_len = buf_len;
+
+    return ret;
+}
+
+int getgrnam_r_wrapper(size_t buf_max, const char *name,
+                       struct group *grp, char **_buf, size_t *_buf_len)
+{
+    char *buf = NULL;
+    size_t buf_len = 0;
+    int ret;
+    struct group *result = NULL;
+
+    buf = *_buf;
+    buf_len = *_buf_len;
+
+    while (buf != NULL
+            && (ret = getgrnam_r(name, grp, buf, buf_len, &result)) == ERANGE) {
+        ret = inc_buffer(buf_max, &buf_len, &buf);
+        if (ret != 0) {
+            if (ret == ERANGE) {
+                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
+            }
+            goto done;
+        }
+    }
+
+    if (ret == 0 && result == NULL) {
+        ret = ENOENT;
+    }
+
+done:
+    *_buf = buf;
+    *_buf_len = buf_len;
+
+    return ret;
+}
+
+int getgrgid_r_wrapper(size_t buf_max, gid_t gid,
+                       struct group *grp, char **_buf, size_t *_buf_len)
+{
+    char *buf = NULL;
+    size_t buf_len = 0;
+    int ret;
+    struct group *result = NULL;
+
+    buf = *_buf;
+    buf_len = *_buf_len;
+
+    while (buf != NULL
+            && (ret = getgrgid_r(gid, grp, buf, buf_len, &result)) == ERANGE) {
+        ret = inc_buffer(buf_max, &buf_len, &buf);
+        if (ret != 0) {
+            if (ret == ERANGE) {
+                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
+            }
+            goto done;
+        }
+    }
+
+    if (ret == 0 && result == NULL) {
+        ret = ENOENT;
+    }
+
+done:
+    *_buf = buf;
+    *_buf_len = buf_len;
+
+    return ret;
+}
 int parse_request_data(struct berval *req_val, struct extdom_req **_req)
 {
@@ -191,33 +373,6 @@ int check_request(struct extdom_req *req, enum extdom_version version)
     return LDAP_SUCCESS;
 }
-static int get_buffer(size_t *_buf_len, char **_buf)
-{
-    long pw_max;
-    long gr_max;
-    size_t buf_len;
-    char *buf;
-
-    pw_max = sysconf(_SC_GETPW_R_SIZE_MAX);
-    gr_max = sysconf(_SC_GETGR_R_SIZE_MAX);
-
-    if (pw_max == -1 && gr_max == -1) {
-        buf_len = 16384;
-    } else {
-        buf_len = MAX(pw_max, gr_max);
-    }
-
-    buf = malloc(sizeof(char) * buf_len);
-    if (buf == NULL) {
-        return LDAP_OPERATIONS_ERROR;
-    }
-
-    *_buf_len = buf_len;
-    *_buf = buf;
-
-    return LDAP_SUCCESS;
-}
-
 static int get_user_grouplist(const char *name, gid_t gid,
                               size_t *_ngroups, gid_t **_groups )
 {
@@ -323,7 +478,6 @@ static int pack_ber_user(enum response_types response_type,
     size_t buf_len;
     char *buf = NULL;
     struct group grp;
-    struct group *grp_result;
     size_t c;
     char *locat;
     char *short_user_name = NULL;
@@ -375,13 +529,13 @@ static int pack_ber_user(enum response_types response_type,
         }
         for (c = 0; c < ngroups; c++) {
-            ret = getgrgid_r(groups[c], &grp, buf, buf_len, &grp_result);
+            ret = getgrgid_r_wrapper(MAX_BUF, groups[c], &grp, &buf, &buf_len);
             if (ret != 0) {
-                ret = LDAP_NO_SUCH_OBJECT;
-                goto done;
-            }
-            if (grp_result == NULL) {
-                ret = LDAP_NO_SUCH_OBJECT;
+                if (ret == ENOMEM || ret == ERANGE) {
+                    ret = LDAP_OPERATIONS_ERROR;
+                } else {
+                    ret = LDAP_NO_SUCH_OBJECT;
+                }
                 goto done;
             }
@@ -542,7 +696,6 @@ static int handle_uid_request(enum request_types request_type, uid_t uid,
 {
     int ret;
     struct passwd pwd;
-    struct passwd *pwd_result = NULL;
     char *sid_str = NULL;
     enum sss_id_type id_type;
     size_t buf_len;
@@ -568,13 +721,13 @@ static int handle_uid_request(enum request_types request_type, uid_t uid,
         ret = pack_ber_sid(sid_str, berval);
     } else {
-        ret = getpwuid_r(uid, &pwd, buf, buf_len, &pwd_result);
+        ret = getpwuid_r_wrapper(MAX_BUF, uid, &pwd, &buf, &buf_len);
         if (ret != 0) {
-            ret = LDAP_NO_SUCH_OBJECT;
-            goto done;
-        }
-        if (pwd_result == NULL) {
-            ret = LDAP_NO_SUCH_OBJECT;
+            if (ret == ENOMEM || ret == ERANGE) {
+                ret = LDAP_OPERATIONS_ERROR;
+            } else {
+                ret = LDAP_NO_SUCH_OBJECT;
+            }
             goto done;
         }
@@ -610,7 +763,6 @@ static int handle_gid_request(enum request_types request_type, gid_t gid,
 {
     int ret;
     struct group grp;
-    struct group *grp_result = NULL;
     char *sid_str = NULL;
     enum sss_id_type id_type;
     size_t buf_len;
@@ -635,13 +787,13 @@ static int handle_gid_request(enum request_types request_type, gid_t gid,
         ret = pack_ber_sid(sid_str, berval);
     } else {
-        ret = getgrgid_r(gid, &grp, buf, buf_len, &grp_result);
+        ret = getgrgid_r_wrapper(MAX_BUF, gid, &grp, &buf, &buf_len);
         if (ret != 0) {
-            ret = LDAP_NO_SUCH_OBJECT;
-            goto done;
-        }
-        if (grp_result == NULL) {
-            ret = LDAP_NO_SUCH_OBJECT;
+            if (ret == ENOMEM || ret == ERANGE) {
+                ret = LDAP_OPERATIONS_ERROR;
+            } else {
+                ret = LDAP_NO_SUCH_OBJECT;
+            }
             goto done;
         }
@@ -676,9 +828,7 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
 {
     int ret;
     struct passwd pwd;
-    struct passwd *pwd_result = NULL;
     struct group grp;
-    struct group *grp_result = NULL;
     char *domain_name = NULL;
     char *fq_name = NULL;
     char *object_name = NULL;
@@ -724,14 +874,13 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
     switch(id_type) {
     case SSS_ID_TYPE_UID:
     case SSS_ID_TYPE_BOTH:
-        ret = getpwnam_r(fq_name, &pwd, buf, buf_len, &pwd_result);
+        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
         if (ret != 0) {
-            ret = LDAP_NO_SUCH_OBJECT;
-            goto done;
-        }
-
-        if (pwd_result == NULL) {
-            ret = LDAP_NO_SUCH_OBJECT;
+            if (ret == ENOMEM || ret == ERANGE) {
+                ret = LDAP_OPERATIONS_ERROR;
+            } else {
+                ret = LDAP_NO_SUCH_OBJECT;
+            }
             goto done;
         }
@@ -755,14 +904,13 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
                             pwd.pw_shell, kv_list, berval);
         break;
     case SSS_ID_TYPE_GID:
-        ret = getgrnam_r(fq_name, &grp, buf, buf_len, &grp_result);
+        ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
         if (ret != 0) {
-            ret = LDAP_NO_SUCH_OBJECT;
-            goto done;
-        }
-
-        if (grp_result == NULL) {
-            ret = LDAP_NO_SUCH_OBJECT;
+            if (ret == ENOMEM || ret == ERANGE) {
+                ret = LDAP_OPERATIONS_ERROR;
+            } else {
+                ret = LDAP_NO_SUCH_OBJECT;
+            }
             goto done;
         }
@@ -806,9 +954,7 @@ static int handle_name_request(enum request_types request_type,
     int ret;
     char *fq_name = NULL;
     struct passwd pwd;
-    struct passwd *pwd_result = NULL;
     struct group grp;
-    struct group *grp_result = NULL;
     char *sid_str = NULL;
     enum sss_id_type id_type;
     size_t buf_len;
@@ -842,15 +988,8 @@ static int handle_name_request(enum request_types request_type,
             goto done;
         }
-        ret = getpwnam_r(fq_name, &pwd, buf, buf_len, &pwd_result);
-        if (ret != 0) {
-            /* according to the man page there are a couple of error codes
-             * which can indicate that the user was not found. To be on the
-             * safe side we fail back to the group lookup on all errors. */
-            pwd_result = NULL;
-        }
-
-        if (pwd_result != NULL) {
+        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
+        if (ret == 0) {
             if (request_type == REQ_FULL_WITH_GROUPS) {
                 ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
                 if (ret != 0 || !(id_type == SSS_ID_TYPE_UID
@@ -868,15 +1007,21 @@ static int handle_name_request(enum request_types request_type,
                                 domain_name, pwd.pw_name, pwd.pw_uid,
                                 pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
                                 pwd.pw_shell, kv_list, berval);
+        } else if (ret == ENOMEM || ret == ERANGE) {
+            ret = LDAP_OPERATIONS_ERROR;
+            goto done;
         } else { /* no user entry found */
-            ret = getgrnam_r(fq_name, &grp, buf, buf_len, &grp_result);
+            /* according to the getpwnam() man page there are a couple of
+             * error codes which can indicate that the user was not found. To
+             * be on the safe side we fail back to the group lookup on all
+             * errors. */
+            ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
             if (ret != 0) {
-                ret = LDAP_NO_SUCH_OBJECT;
-                goto done;
-            }
-
-            if (grp_result == NULL) {
-                ret = LDAP_NO_SUCH_OBJECT;
+                if (ret == ENOMEM || ret == ERANGE) {
+                    ret = LDAP_OPERATIONS_ERROR;
+                } else {
+                    ret = LDAP_NO_SUCH_OBJECT;
+                }
                 goto done;
             }
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
new file mode 100644
index 0000000000000000000000000000000000000000..8d1b012871b21cc9d5ffdba2168f35ef3e8a5f81
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
@@ -0,0 +1,2 @@
+group:x:11111:member0001,member0002
+group_big:x:22222:member0001,member0002,member0003,member0004,member0005,member0006,member0007,member0008,member0009,member0010,member0011,member0012,member0013,member0014,member0015,member0016,member0017,member0018,member0019,member0020,member0021,member0022,member0023,member0024,member0025,member0026,member0027,member0028,member0029,member0030,member0031,member0032,member0033,member0034,member0035,member0036,member0037,member0038,member0039,member0040,member0041,member0042,member0043,member0044,member0045,member0046,member0047,member0048,member0049,member0050,member0051,member0052,member0053,member0054,member0055,member0056,member0057,member0058,member0059,member0060,member0061,member0062,member0063,member0064,member0065,member0066,member0067,member0068,member0069,member0070,member0071,member0072,member0073,member0074,member0075,member0076,member0077,member0078,member0079,member0080,member0081,member0082,member0083,member0084,member0085,member0086,member0087,member0088,member0089,member0090,member0091,member0092,member0093,member0094,member0095,member0096,member0097,member0098,member0099,member0100,member0101,member0102,member0103,member0104,member0105,member0106,member0107,member0108,member0109,member0110,member0111,member0112,member0113,member0114,member0115,member0116,member0117,member0118,member0119,member0120,member0121,member0122,member0123,member0124,member0125,member0126,member0127,member0128,member0129,member0130,member0131,member0132,member0133,member0134,member0135,member0136,member0137,member0138,member0139,member0140,member0141,member0142,member0143,member0144,member0145,member0146,member0147,member0148,member0149,member0150,member0151,member0152,member0153,member0154,member0155,member0156,member0157,member0158,member0159,member0160,member0161,member0162,member0163,member0164,member0165,member0166,member0167,member0168,member0169,member0170,member0171,member0172,member0173,member0174,member0175,member0176,member0177,member0178,member0179,member0180,member0181,member0182,member0183,member0184,member0185,member0186,member0187,member0188,member0189,member0190,member0191,member0192,member0193,member0194,member0195,member0196,member0197,member0198,member0199,member0200,member0201,member0202,member0203,member0204,member0205,member0206,member0207,member0208,member0209,member0210,member0211,member0212,member0213,member0214,member0215,member0216,member0217,member0218,member0219,member0220,member0221,member0222,member0223,member0224,member0225,member0226,member0227,member0228,member0229,member0230,member0231,member0232,member0233,member0234,member0235,member0236,member0237,member0238,member0239,member0240,member0241,member0242,member0243,member0244,member0245,member0246,member0247,member0248,member0249,member0250,member0251,member0252,member0253,member0254,member0255,member0256,member0257,member0258,member0259,member0260,member0261,member0262,member0263,member0264,member0265,member0266,member0267,member0268,member0269,member0270,member0271,member0272,member0273,member0274,member0275,member0276,member0277,member0278,member0279,member0280,member0281,member0282,member0283,member0284,member0285,member0286,member0287,member0288,member0289,member0290,member0291,member0292,member0293,member0294,member0295,member0296,member0297,member0298,member0299,member0300,member0301,member0302,member0303,member0304,member0305,member0306,member0307,member0308,member0309,member0310,member0311,member0312,member0313,member0314,member0315,member0316,member0317,member0318,member0319,member0320,member0321,member0322,member0323,member0324,member0325,member0326,member0327,member0328,member0329,member0330,member0331,member0332,member0333,member0334,member0335,member0336,member0337,member0338,member0339,member0340,member0341,member0342,member0343,member0344,member0345,member0346,member0347,member0348,member0349,member0350,member0351,member0352,member0353,member0354,member0355,member0356,member0357,member0358,member0359,member0360,member0361,member0362,member0363,member0364,member0365,member0366,member0367,member0368,member0369,member0370,member0371,member0372,member0373,member0374,member0375,member0376,member0377,member0378,member0379,member0380,member0381,member0382,member0383,member0384,member0385,member0386,member0387,member0388,member0389,member0390,member0391,member0392,member0393,member0394,member0395,member0396,member0397,member0398,member0399,member0400,member0401,member0402,member0403,member0404,member0405,member0406,member0407,member0408,member0409,member0410,member0411,member0412,member0413,member0414,member0415,member0416,member0417,member0418,member0419,member0420,member0421,member0422,member0423,member0424,member0425,member0426,member0427,member0428,member0429,member0430,member0431,member0432,member0433,member0434,member0435,member0436,member0437,member0438,member0439,member0440,member0441,member0442,member0443,member0444,member0445,member0446,member0447,member0448,member0449,member0450,member0451,member0452,member0453,member0454,member0455,member0456,member0457,member0458,member0459,member0460,member0461,member0462,member0463,member0464,member0465,member0466,member0467,member0468,member0469,member0470,member0471,member0472,member0473,member0474,member0475,member0476,member0477,member0478,member0479,member0480,member0481,member0482,member0483,member0484,member0485,member0486,member0487,member0488,member0489,member0490,member0491,member0492,member0493,member0494,member0495,member0496,member0497,member0498,member0499,member0500,member0501,member0502,member0503,member0504,member0505,member0506,member0507,member0508,member0509,member0510,member0511,member0512,member0513,member0514,member0515,member0516,member0517,member0518,member0519,member0520,member0521,member0522,member0523,member0524,member0525,member0526,member0527,member0528,member0529,member0530,member0531,member0532,member0533,member0534,member0535,member0536,member0537,member0538,member0539,member0540,member0541,member0542,member0543,member0544,member0545,member0546,member0547,member0548,member0549,member0550,member0551,member0552,member0553,member0554,member0555,member0556,member0557,member0558,member0559,member0560,member0561,member0562,member0563,member0564,member0565,member0566,member0567,member0568,member0569,member0570,member0571,member0572,member0573,member0574,member0575,member0576,member0577,member0578,member0579,member0580,member0581,member0582,member0583,member0584,member0585,member0586,member0587,member0588,member0589,member0590,member0591,member0592,member0593,member0594,member0595,member0596,member0597,member0598,member0599,member0600,member0601,member0602,member0603,member0604,member0605,member0606,member0607,member0608,member0609,member0610,member0611,member0612,member0613,member0614,member0615,member0616,member0617,member0618,member0619,member0620,member0621,member0622,member0623,member0624,member0625,member0626,member0627,member0628,member0629,member0630,member0631,member0632,member0633,member0634,member0635,member0636,member0637,member0638,member0639,member0640,member0641,member0642,member0643,member0644,member0645,member0646,member0647,member0648,member0649,member0650,member0651,member0652,member0653,member0654,member0655,member0656,member0657,member0658,member0659,member0660,member0661,member0662,member0663,member0664,member0665,member0666,member0667,member0668,member0669,member0670,member0671,member0672,member0673,member0674,member0675,member0676,member0677,member0678,member0679,member0680,member0681,member0682,member0683,member0684,member0685,member0686,member0687,member0688,member0689,member0690,member0691,member0692,member0693,member0694,member0695,member0696,member0697,member0698,member0699,member0700,member0701,member0702,member0703,member0704,member0705,member0706,member0707,member0708,member0709,member0710,member0711,member0712,member0713,member0714,member0715,member0716,member0717,member0718,member0719,member0720,member0721,member0722,member0723,member0724,member0725,member0726,member0727,member0728,member0729,member0730,member0731,member0732,member0733,member0734,member0735,member0736,member0737,member0738,member0739,member0740,member0741,member0742,member0743,member0744,member0745,member0746,member0747,member0748,member0749,member0750,member0751,member0752,member0753,member0754,member0755,member0756,member0757,member0758,member0759,member0760,member0761,member0762,member0763,member0764,member0765,member0766,member0767,member0768,member0769,member0770,member0771,member0772,member0773,member0774,member0775,member0776,member0777,member0778,member0779,member0780,member0781,member0782,member0783,member0784,member0785,member0786,member0787,member0788,member0789,member0790,member0791,member0792,member0793,member0794,member0795,member0796,member0797,member0798,member0799,member0800,member0801,member0802,member0803,member0804,member0805,member0806,member0807,member0808,member0809,member0810,member0811,member0812,member0813,member0814,member0815,member0816,member0817,member0818,member0819,member0820,member0821,member0822,member0823,member0824,member0825,member0826,member0827,member0828,member0829,member0830,member0831,member0832,member0833,member0834,member0835,member0836,member0837,member0838,member0839,member0840,member0841,member0842,member0843,member0844,member0845,member0846,member0847,member0848,member0849,member0850,member0851,member0852,member0853,member0854,member0855,member0856,member0857,member0858,member0859,member0860,member0861,member0862,member0863,member0864,member0865,member0866,member0867,member0868,member0869,member0870,member0871,member0872,member0873,member0874,member0875,member0876,member0877,member0878,member0879,member0880,member0881,member0882,member0883,member0884,member0885,member0886,member0887,member0888,member0889,member0890,member0891,member0892,member0893,member0894,member0895,member0896,member0897,member0898,member0899,member0900,member0901,member0902,member0903,member0904,member0905,member0906,member0907,member0908,member0909,member0910,member0911,member0912,member0913,member0914,member0915,member0916,member0917,member0918,member0919,member0920,member0921,member0922,member0923,member0924,member0925,member0926,member0927,member0928,member0929,member0930,member0931,member0932,member0933,member0934,member0935,member0936,member0937,member0938,member0939,member0940,member0941,member0942,member0943,member0944,member0945,member0946,member0947,member0948,member0949,member0950,member0951,member0952,member0953,member0954,member0955,member0956,member0957,member0958,member0959,member0960,member0961,member0962,member0963,member0964,member0965,member0966,member0967,member0968,member0969,member0970,member0971,member0972,member0973,member0974,member0975,member0976,member0977,member0978,member0979,member0980,member0981,member0982,member0983,member0984,member0985,member0986,member0987,member0988,member0989,member0990,member0991,member0992,member0993,member0994,member0995,member0996,member0997,member0998,member0999,member1000,member1001,member1002,member1003,member1004,member1005,member1006,member1007,member1008,member1009,member1010,member1011,member1012,member1013,member1014,member1015,member1016,member1017,member1018,member1019,member1020,member1021,member1022,member1023,member1024,member1025,member1026,member1027,member1028,member1029,member1030,member1031,member1032,member1033,member1034,member1035,member1036,member1037,member1038,member1039,member1040,member1041,member1042,member1043,member1044,member1045,member1046,member1047,member1048,member1049,member1050,member1051,member1052,member1053,member1054,member1055,member1056,member1057,member1058,member1059,member1060,member1061,member1062,member1063,member1064,member1065,member1066,member1067,member1068,member1069,member1070,member1071,member1072,member1073,member1074,member1075,member1076,member1077,member1078,member1079,member1080,member1081,member1082,member1083,member1084,member1085,member1086,member1087,member1088,member1089,member1090,member1091,member1092,member1093,member1094,member1095,member1096,member1097,member1098,member1099,member1100,member1101,member1102,member1103,member1104,member1105,member1106,member1107,member1108,member1109,member1110,member1111,member1112,member1113,member1114,member1115,member1116,member1117,member1118,member1119,member1120,member1121,member1122,member1123,member1124,member1125,member1126,member1127,member1128,member1129,member1130,member1131,member1132,member1133,member1134,member1135,member1136,member1137,member1138,member1139,member1140,member1141,member1142,member1143,member1144,member1145,member1146,member1147,member1148,member1149,member1150,member1151,member1152,member1153,member1154,member1155,member1156,member1157,member1158,member1159,member1160,member1161,member1162,member1163,member1164,member1165,member1166,member1167,member1168,member1169,member1170,member1171,member1172,member1173,member1174,member1175,member1176,member1177,member1178,member1179,member1180,member1181,member1182,member1183,member1184,member1185,member1186,member1187,member1188,member1189,member1190,member1191,member1192,member1193,member1194,member1195,member1196,member1197,member1198,member1199,member1200,member1201,member1202,member1203,member1204,member1205,member1206,member1207,member1208,member1209,member1210,member1211,member1212,member1213,member1214,member1215,member1216,member1217,member1218,member1219,member1220,member1221,member1222,member1223,member1224,member1225,member1226,member1227,member1228,member1229,member1230,member1231,member1232,member1233,member1234,member1235,member1236,member1237,member1238,member1239,member1240,member1241,member1242,member1243,member1244,member1245,member1246,member1247,member1248,member1249,member1250,member1251,member1252,member1253,member1254,member1255,member1256,member1257,member1258,member1259,member1260,member1261,member1262,member1263,member1264,member1265,member1266,member1267,member1268,member1269,member1270,member1271,member1272,member1273,member1274,member1275,member1276,member1277,member1278,member1279,member1280,member1281,member1282,member1283,member1284,member1285,member1286,member1287,member1288,member1289,member1290,member1291,member1292,member1293,member1294,member1295,member1296,member1297,member1298,member1299,member1300,member1301,member1302,member1303,member1304,member1305,member1306,member1307,member1308,member1309,member1310,member1311,member1312,member1313,member1314,member1315,member1316,member1317,member1318,member1319,member1320,member1321,member1322,member1323,member1324,member1325,member1326,member1327,member1328,member1329,member1330,member1331,member1332,member1333,member1334,member1335,member1336,member1337,member1338,member1339,member1340,member1341,member1342,member1343,member1344,member1345,member1346,member1347,member1348,member1349,member1350,member1351,member1352,member1353,member1354,member1355,member1356,member1357,member1358,member1359,member1360,member1361,member1362,member1363,member1364,member1365,member1366,member1367,member1368,member1369,member1370,member1371,member1372,member1373,member1374,member1375,member1376,member1377,member1378,member1379,member1380,member1381,member1382,member1383,member1384,member1385,member1386,member1387,member1388,member1389,member1390,member1391,member1392,member1393,member1394,member1395,member1396,member1397,member1398,member1399,member1400,member1401,member1402,member1403,member1404,member1405,member1406,member1407,member1408,member1409,member1410,member1411,member1412,member1413,member1414,member1415,member1416,member1417,member1418,member1419,member1420,member1421,member1422,member1423,member1424,member1425,member1426,member1427,member1428,member1429,member1430,member1431,member1432,member1433,member1434,member1435,member1436,member1437,member1438,member1439,member1440,member1441,member1442,member1443,member1444,member1445,member1446,member1447,member1448,member1449,member1450,member1451,member1452,member1453,member1454,member1455,member1456,member1457,member1458,member1459,member1460,member1461,member1462,member1463,member1464,member1465,member1466,member1467,member1468,member1469,member1470,member1471,member1472,member1473,member1474,member1475,member1476,member1477,member1478,member1479,member1480,member1481,member1482,member1483,member1484,member1485,member1486,member1487,member1488,member1489,member1490,member1491,member1492,member1493,member1494,member1495,member1496,member1497,member1498,member1499,member1500,member1501,member1502,member1503,member1504,member1505,member1506,member1507,member1508,member1509,member1510,member1511,member1512,member1513,member1514,member1515,member1516,member1517,member1518,member1519,member1520,member1521,member1522,member1523,member1524,member1525,member1526,member1527,member1528,member1529,member1530,member1531,member1532,member1533,member1534,member1535,member1536,member1537,member1538,member1539,member1540,member1541,member1542,member1543,member1544,member1545,member1546,member1547,member1548,member1549,member1550,member1551,member1552,member1553,member1554,member1555,member1556,member1557,member1558,member1559,member1560,member1561,member1562,member1563,member1564,member1565,member1566,member1567,member1568,member1569,member1570,member1571,member1572,member1573,member1574,member1575,member1576,member1577,member1578,member1579,member1580,member1581,member1582,member1583,member1584,member1585,member1586,member1587,member1588,member1589,member1590,member1591,member1592,member1593,member1594,member1595,member1596,member1597,member1598,member1599,member1600,member1601,member1602,member1603,member1604,member1605,member1606,member1607,member1608,member1609,member1610,member1611,member1612,member1613,member1614,member1615,member1616,member1617,member1618,member1619,member1620,member1621,member1622,member1623,member1624,member1625,member1626,member1627,member1628,member1629,member1630,member1631,member1632,member1633,member1634,member1635,member1636,member1637,member1638,member1639,member1640,member1641,member1642,member1643,member1644,member1645,member1646,member1647,member1648,member1649,member1650,member1651,member1652,member1653,member1654,member1655,member1656,member1657,member1658,member1659,member1660,member1661,member1662,member1663,member1664,member1665,member1666,member1667,member1668,member1669,member1670,member1671,member1672,member1673,member1674,member1675,member1676,member1677,member1678,member1679,member1680,member1681,member1682,member1683,member1684,member1685,member1686,member1687,member1688,member1689,member1690,member1691,member1692,member1693,member1694,member1695,member1696,member1697,member1698,member1699,member1700,member1701,member1702,member1703,member1704,member1705,member1706,member1707,member1708,member1709,member1710,member1711,member1712,member1713,member1714,member1715,member1716,member1717,member1718,member1719,member1720,member1721,member1722,member1723,member1724,member1725,member1726,member1727,member1728,member1729,member1730,member1731,member1732,member1733,member1734,member1735,member1736,member1737,member1738,member1739,member1740,member1741,member1742,member1743,member1744,member1745,member1746,member1747,member1748,member1749,member1750,member1751,member1752,member1753,member1754,member1755,member1756,member1757,member1758,member1759,member1760,member1761,member1762,member1763,member1764,member1765,member1766,member1767,member1768,member1769,member1770,member1771,member1772,member1773,member1774,member1775,member1776,member1777,member1778,member1779,member1780,member1781,member1782,member1783,member1784,member1785,member1786,member1787,member1788,member1789,member1790,member1791,member1792,member1793,member1794,member1795,member1796,member1797,member1798,member1799,member1800,member1801,member1802,member1803,member1804,member1805,member1806,member1807,member1808,member1809,member1810,member1811,member1812,member1813,member1814,member1815,member1816,member1817,member1818,member1819,member1820,member1821,member1822,member1823,member1824,member1825,member1826,member1827,member1828,member1829,member1830,member1831,member1832,member1833,member1834,member1835,member1836,member1837,member1838,member1839,member1840,member1841,member1842,member1843,member1844,member1845,member1846,member1847,member1848,member1849,member1850,member1851,member1852,member1853,member1854,member1855,member1856,member1857,member1858,member1859,member1860,member1861,member1862,member1863,member1864,member1865,member1866,member1867,member1868,member1869,member1870,member1871,member1872,member1873,member1874,member1875,member1876,member1877,member1878,member1879,member1880,member1881,member1882,member1883,member1884,member1885,member1886,member1887,member1888,member1889,member1890,member1891,member1892,member1893,member1894,member1895,member1896,member1897,member1898,member1899,member1900,member1901,member1902,member1903,member1904,member1905,member1906,member1907,member1908,member1909,member1910,member1911,member1912,member1913,member1914,member1915,member1916,member1917,member1918,member1919,member1920,member1921,member1922,member1923,member1924,member1925,member1926,member1927,member1928,member1929,member1930,member1931,member1932,member1933,member1934,member1935,member1936,member1937,member1938,member1939,member1940,member1941,member1942,member1943,member1944,member1945,member1946,member1947,member1948,member1949,member1950,member1951,member1952,member1953,member1954,member1955,member1956,member1957,member1958,member1959,member1960,member1961,member1962,member1963,member1964,member1965,member1966,member1967,member1968,member1969,member1970,member1971,member1972,member1973,member1974,member1975,member1976,member1977,member1978,member1979,member1980,member1981,member1982,member1983,member1984,member1985,member1986,member1987,member1988,member1989,member1990,member1991,member1992,member1993,member1994,member1995,member1996,member1997,member1998,member1999,member2000,
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
new file mode 100644
index 0000000000000000000000000000000000000000..971e9bdb8a5d43d915ce0adc42ac29f2f95ade52
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
@@ -0,0 +1,2 @@
+user:x:12345:23456:gecos:/home/user:/bin/shell
+user_big:x:12346:23457:gecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecos:/home/user_big:/bin/shell
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh
new file mode 100644
index 0000000000000000000000000000000000000000..ad839f340efe989a91cd6902f59c9a41483f68e0
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh
@@ -0,0 +1,3 @@
+export LD_PRELOAD=$(pkg-config --libs nss_wrapper)
+export NSS_WRAPPER_PASSWD=./test_data/passwd
+export NSS_WRAPPER_GROUP=./test_data/group
--
2.1.0
SOURCES/0120-extdom-make-nss-buffer-configurable.patch
New file
@@ -0,0 +1,254 @@
From 637807410ae730436f9ca647092250ead70faa1c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 2 Mar 2015 10:59:34 +0100
Subject: [PATCH] extdom: make nss buffer configurable
The get*_r_wrapper() calls expect a maximum buffer size to avoid memory
shortage if too many threads try to allocate buffers e.g. for large
groups. With this patch this size can be configured by setting
ipaExtdomMaxNssBufSize in the plugin config object
cn=ipa_extdom_extop,cn=plugins,cn=config.
Related to https://fedorahosted.org/freeipa/ticket/4908
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 .../ipa-extdom-extop/ipa_extdom.h                  |  1 +
 .../ipa-extdom-extop/ipa_extdom_common.c           | 59 ++++++++++++++--------
 .../ipa-extdom-extop/ipa_extdom_extop.c            | 10 ++++
 3 files changed, 48 insertions(+), 22 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 40bf933920fdd2ca19e5ef195aaa8fb820446cc5..d4c851169ddadc869a59c53075f9fc7f33321085 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -150,6 +150,7 @@ struct extdom_res {
 struct ipa_extdom_ctx {
     Slapi_ComponentId *plugin_id;
     char *base_dn;
+    size_t max_nss_buf_size;
 };
 struct domain_info {
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index cbe336963ffbafadd5a7b8029a65fafe506f75e8..47bcb179f04e08c64d92f55809b84f2d59622344 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -49,9 +49,6 @@
 #define MAX(a,b) (((a)>(b))?(a):(b))
 #define SSSD_DOMAIN_SEPARATOR '@'
-#define MAX_BUF (1024*1024*1024)
-
-
 int get_buffer(size_t *_buf_len, char **_buf)
 {
@@ -464,7 +461,8 @@ static int pack_ber_sid(const char *sid, struct berval **berval)
 #define SSSD_SYSDB_SID_STR "objectSIDString"
-static int pack_ber_user(enum response_types response_type,
+static int pack_ber_user(struct ipa_extdom_ctx *ctx,
+                         enum response_types response_type,
                          const char *domain_name, const char *user_name,
                          uid_t uid, gid_t gid,
                          const char *gecos, const char *homedir,
@@ -529,7 +527,8 @@ static int pack_ber_user(enum response_types response_type,
         }
         for (c = 0; c < ngroups; c++) {
-            ret = getgrgid_r_wrapper(MAX_BUF, groups[c], &grp, &buf, &buf_len);
+            ret = getgrgid_r_wrapper(ctx->max_nss_buf_size,
+                                     groups[c], &grp, &buf, &buf_len);
             if (ret != 0) {
                 if (ret == ENOMEM || ret == ERANGE) {
                     ret = LDAP_OPERATIONS_ERROR;
@@ -691,7 +690,8 @@ static int pack_ber_name(const char *domain_name, const char *name,
     return LDAP_SUCCESS;
 }
-static int handle_uid_request(enum request_types request_type, uid_t uid,
+static int handle_uid_request(struct ipa_extdom_ctx *ctx,
+                              enum request_types request_type, uid_t uid,
                               const char *domain_name, struct berval **berval)
 {
     int ret;
@@ -721,7 +721,8 @@ static int handle_uid_request(enum request_types request_type, uid_t uid,
         ret = pack_ber_sid(sid_str, berval);
     } else {
-        ret = getpwuid_r_wrapper(MAX_BUF, uid, &pwd, &buf, &buf_len);
+        ret = getpwuid_r_wrapper(ctx->max_nss_buf_size, uid, &pwd, &buf,
+                                 &buf_len);
         if (ret != 0) {
             if (ret == ENOMEM || ret == ERANGE) {
                 ret = LDAP_OPERATIONS_ERROR;
@@ -744,7 +745,8 @@ static int handle_uid_request(enum request_types request_type, uid_t uid,
             }
         }
-        ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
+        ret = pack_ber_user(ctx,
+                            (request_type == REQ_FULL ? RESP_USER
                                                       : RESP_USER_GROUPLIST),
                             domain_name, pwd.pw_name, pwd.pw_uid,
                             pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
@@ -758,7 +760,8 @@ done:
     return ret;
 }
-static int handle_gid_request(enum request_types request_type, gid_t gid,
+static int handle_gid_request(struct ipa_extdom_ctx *ctx,
+                              enum request_types request_type, gid_t gid,
                               const char *domain_name, struct berval **berval)
 {
     int ret;
@@ -787,7 +790,8 @@ static int handle_gid_request(enum request_types request_type, gid_t gid,
         ret = pack_ber_sid(sid_str, berval);
     } else {
-        ret = getgrgid_r_wrapper(MAX_BUF, gid, &grp, &buf, &buf_len);
+        ret = getgrgid_r_wrapper(ctx->max_nss_buf_size, gid, &grp, &buf,
+                                 &buf_len);
         if (ret != 0) {
             if (ret == ENOMEM || ret == ERANGE) {
                 ret = LDAP_OPERATIONS_ERROR;
@@ -823,7 +827,8 @@ done:
     return ret;
 }
-static int handle_sid_request(enum request_types request_type, const char *sid,
+static int handle_sid_request(struct ipa_extdom_ctx *ctx,
+                              enum request_types request_type, const char *sid,
                               struct berval **berval)
 {
     int ret;
@@ -874,7 +879,8 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
     switch(id_type) {
     case SSS_ID_TYPE_UID:
     case SSS_ID_TYPE_BOTH:
-        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
+        ret = getpwnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &pwd, &buf,
+                                 &buf_len);
         if (ret != 0) {
             if (ret == ENOMEM || ret == ERANGE) {
                 ret = LDAP_OPERATIONS_ERROR;
@@ -897,14 +903,16 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
             }
         }
-        ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
+        ret = pack_ber_user(ctx,
+                            (request_type == REQ_FULL ? RESP_USER
                                                       : RESP_USER_GROUPLIST),
                             domain_name, pwd.pw_name, pwd.pw_uid,
                             pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
                             pwd.pw_shell, kv_list, berval);
         break;
     case SSS_ID_TYPE_GID:
-        ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
+        ret = getgrnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &grp, &buf,
+                                 &buf_len);
         if (ret != 0) {
             if (ret == ENOMEM || ret == ERANGE) {
                 ret = LDAP_OPERATIONS_ERROR;
@@ -947,7 +955,8 @@ done:
     return ret;
 }
-static int handle_name_request(enum request_types request_type,
+static int handle_name_request(struct ipa_extdom_ctx *ctx,
+                               enum request_types request_type,
                                const char *name, const char *domain_name,
                                struct berval **berval)
 {
@@ -988,7 +997,8 @@ static int handle_name_request(enum request_types request_type,
             goto done;
         }
-        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
+        ret = getpwnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &pwd, &buf,
+                                 &buf_len);
         if (ret == 0) {
             if (request_type == REQ_FULL_WITH_GROUPS) {
                 ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
@@ -1002,7 +1012,8 @@ static int handle_name_request(enum request_types request_type,
                     goto done;
                 }
             }
-            ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
+            ret = pack_ber_user(ctx,
+                                (request_type == REQ_FULL ? RESP_USER
                                                           : RESP_USER_GROUPLIST),
                                 domain_name, pwd.pw_name, pwd.pw_uid,
                                 pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
@@ -1015,7 +1026,8 @@ static int handle_name_request(enum request_types request_type,
              * error codes which can indicate that the user was not found. To
              * be on the safe side we fail back to the group lookup on all
              * errors. */
-            ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
+            ret = getgrnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &grp, &buf,
+                                     &buf_len);
             if (ret != 0) {
                 if (ret == ENOMEM || ret == ERANGE) {
                     ret = LDAP_OPERATIONS_ERROR;
@@ -1061,20 +1073,23 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
     switch (req->input_type) {
     case INP_POSIX_UID:
-        ret = handle_uid_request(req->request_type, req->data.posix_uid.uid,
+        ret = handle_uid_request(ctx, req->request_type,
+                                 req->data.posix_uid.uid,
                                  req->data.posix_uid.domain_name, berval);
         break;
     case INP_POSIX_GID:
-        ret = handle_gid_request(req->request_type, req->data.posix_gid.gid,
+        ret = handle_gid_request(ctx, req->request_type,
+                                 req->data.posix_gid.gid,
                                  req->data.posix_uid.domain_name, berval);
         break;
     case INP_SID:
-        ret = handle_sid_request(req->request_type, req->data.sid, berval);
+        ret = handle_sid_request(ctx, req->request_type, req->data.sid, berval);
         break;
     case INP_NAME:
-        ret = handle_name_request(req->request_type, req->data.name.object_name,
+        ret = handle_name_request(ctx, req->request_type,
+                                  req->data.name.object_name,
                                   req->data.name.domain_name, berval);
         break;
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
index aa66c145bc6cf2b77fdfe37be18da67588dc0439..e53f968db040a37fbd6a193f87b3671eeabda89d 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
@@ -40,6 +40,8 @@
 #include "ipa_extdom.h"
 #include "util.h"
+#define DEFAULT_MAX_NSS_BUFFER (128*1024*1024)
+
 Slapi_PluginDesc ipa_extdom_plugin_desc = {
     IPA_EXTDOM_FEATURE_DESC,
     "FreeIPA project",
@@ -185,6 +187,14 @@ static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx)
         goto done;
     }
+    ctx->max_nss_buf_size = slapi_entry_attr_get_uint(e,
+                                                      "ipaExtdomMaxNssBufSize");
+    if (ctx->max_nss_buf_size == 0) {
+        ctx->max_nss_buf_size = DEFAULT_MAX_NSS_BUFFER;
+    }
+    LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
+
+    ret = 0;
 done:
     if (ret) {
--
2.1.0
SOURCES/0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch
New file
@@ -0,0 +1,32 @@
From 0ce5d4e89e1a619bbae28105ece7033f8dbadce4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 4 Mar 2015 13:39:04 +0100
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT to the client
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
index e53f968db040a37fbd6a193f87b3671eeabda89d..1ea0c1320accc66235d6f1a41055de434aeacab7 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
@@ -123,8 +123,12 @@ static int ipa_extdom_extop(Slapi_PBlock *pb)
     ret = handle_request(ctx, req, &ret_val);
     if (ret != LDAP_SUCCESS) {
-        rc = LDAP_OPERATIONS_ERROR;
-        err_msg = "Failed to handle the request.\n";
+        if (ret == LDAP_NO_SUCH_OBJECT) {
+            rc = LDAP_NO_SUCH_OBJECT;
+        } else {
+            rc = LDAP_OPERATIONS_ERROR;
+            err_msg = "Failed to handle the request.\n";
+        }
         goto done;
     }
--
2.1.0
SOURCES/0122-extdom-fix-memory-leak.patch
New file
@@ -0,0 +1,25 @@
From a19a8e4174560ca6c7a23aa821c14713415b4c5d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 4 Mar 2015 17:53:08 +0100
Subject: [PATCH] extdom: fix memory leak
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
index 1ea0c1320accc66235d6f1a41055de434aeacab7..dc7785877fc321ddaa5b6967d1c1b06cb454bbbf 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
@@ -154,6 +154,7 @@ done:
         LOG("%s", err_msg);
     }
     slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL);
+    ber_bvfree(ret_val);
     return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
 }
--
2.1.0
SOURCES/0123-certstore-Make-certificate-retrieval-more-robust.patch
New file
@@ -0,0 +1,128 @@
From 2805b17bb7f204c25ed27bea1ee4fb999ae3d9d7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 17 Mar 2015 09:28:47 +0000
Subject: [PATCH] certstore: Make certificate retrieval more robust
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 ipalib/certstore.py | 74 +++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 52 insertions(+), 22 deletions(-)
diff --git a/ipalib/certstore.py b/ipalib/certstore.py
index 8a9b41015127fcb1b2b5e01da10f0defcee18265..3a5555c95251fdf3384c7dd21cb19d2125a469f5 100644
--- a/ipalib/certstore.py
+++ b/ipalib/certstore.py
@@ -239,6 +239,31 @@ def put_ca_cert(ldap, base_dn, dercert, nickname, trusted=None,
         pass
+def make_compat_ca_certs(certs, realm, ipa_ca_subject):
+    """
+    Make CA certificates and associated key policy from DER certificates.
+    """
+    result = []
+
+    for cert in certs:
+        subject, issuer_serial, public_key_info = _parse_cert(cert)
+        subject = DN(subject)
+
+        if ipa_ca_subject is not None and subject == DN(ipa_ca_subject):
+            nickname = get_ca_nickname(realm)
+            ext_key_usage = {x509.EKU_SERVER_AUTH,
+                             x509.EKU_CLIENT_AUTH,
+                             x509.EKU_EMAIL_PROTECTION,
+                             x509.EKU_CODE_SIGNING}
+        else:
+            nickname = str(subject)
+            ext_key_usage = {x509.EKU_SERVER_AUTH}
+
+        result.append((cert, nickname, True, ext_key_usage))
+
+    return result
+
+
 def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
                  filter_subject=None):
     """
@@ -250,6 +275,7 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
         filter_subject = [str(subj).replace('\\;', '\\3b')
                           for subj in filter_subject]
+    certs = []
     config_dn = DN(('cn', 'ipa'), ('cn', 'etc'), base_dn)
     container_dn = DN(('cn', 'certificates'), config_dn)
     try:
@@ -265,7 +291,6 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
                         'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage',
                         'cACertificate;binary'])
-        certs = []
         for entry in result:
             nickname = entry.single_value['cn']
             trusted = entry.single_value.get('ipaKeyTrust', 'unknown').lower()
@@ -281,34 +306,39 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
                 ext_key_usage.discard(x509.EKU_PLACEHOLDER)
             for cert in entry.get('cACertificate;binary', []):
+                try:
+                    _parse_cert(cert)
+                except ValueError:
+                    certs = []
+                    break
                 certs.append((cert, nickname, trusted, ext_key_usage))
-
-        return certs
     except errors.NotFound:
         try:
             ldap.get_entry(container_dn, [''])
         except errors.NotFound:
-            pass
-        else:
-            return []
-
-        # Fallback to cn=CAcert,cn=ipa,cn=etc,SUFFIX
-        dn = DN(('cn', 'CAcert'), config_dn)
-        entry = ldap.get_entry(dn, ['cACertificate;binary'])
-
-        cert = entry.single_value['cACertificate;binary']
-        subject, issuer_serial, public_key_info = _parse_cert(cert)
-        if filter_subject is not None and subject not in filter_subject:
-            return []
+            # Fallback to cn=CAcert,cn=ipa,cn=etc,SUFFIX
+            dn = DN(('cn', 'CAcert'), config_dn)
+            entry = ldap.get_entry(dn, ['cACertificate;binary'])
+
+            cert = entry.single_value['cACertificate;binary']
+            try:
+                subject, issuer_serial, public_key_info = _parse_cert(cert)
+            except ValueError:
+                pass
+            else:
+                if filter_subject is not None and subject not in filter_subject:
+                    raise errors.NotFound(reason="no matching entry found")
-        nickname = get_ca_nickname(compat_realm)
-        ext_key_usage = {x509.EKU_SERVER_AUTH}
-        if compat_ipa_ca:
-            ext_key_usage |= {x509.EKU_CLIENT_AUTH,
-                              x509.EKU_EMAIL_PROTECTION,
-                              x509.EKU_CODE_SIGNING}
+                if compat_ipa_ca:
+                    ca_subject = subject
+                else:
+                    ca_subject = None
+                certs = make_compat_ca_certs([cert], compat_realm, ca_subject)
-        return [(cert, nickname, True, ext_key_usage)]
+    if certs:
+        return certs
+    else:
+        raise errors.NotFound(reason="no such entry")
 def trust_flags_to_key_policy(trust_flags):
--
2.1.0
SOURCES/0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch
New file
@@ -0,0 +1,60 @@
From 175dbfb667a9989593eaef2f35586d2afbfdc66c Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 17 Mar 2015 09:29:21 +0000
Subject: [PATCH] client-install: Do not crash on invalid CA certificate in
 LDAP
When CA certificates in LDAP are corrupted, use the otherwise acquired CA
certificates from before.
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 ipa-client/ipa-install/ipa-client-install | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 75a1711a7e1fdc9359ad02d55ad94d65af51ea93..c60124472005670834496569f550f0ffd986aa27 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2585,14 +2585,15 @@ def install(options, env, fstore, statestore):
     except ValueError:
         pass
+    ca_certs = x509.load_certificate_list_from_file(CACERT)
+    ca_certs = [cert.der_data for cert in ca_certs]
+
     with certdb.NSSDatabase() as tmp_db:
         # Add CA certs to a temporary NSS database
         try:
             pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
             tmp_db.create_db(pwd_file.name)
-            ca_certs = x509.load_certificate_list_from_file(CACERT)
-            ca_certs = [cert.der_data for cert in ca_certs]
             for i, cert in enumerate(ca_certs):
                 tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
         except CalledProcessError, e:
@@ -2665,8 +2666,16 @@ def install(options, env, fstore, statestore):
         return CLIENT_INSTALL_ERROR
     # Get CA certificates from the certificate store
-    ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
-                                   ca_enabled)
+    try:
+        ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
+                                       ca_enabled)
+    except errors.NoCertificateError:
+        if ca_enabled:
+            ca_subject = DN(('CN', 'Certificate Authority'), subject_base)
+        else:
+            ca_subject = None
+        ca_certs = certstore.make_compat_ca_certs(ca_certs, cli_realm,
+                                                  ca_subject)
     ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u))
                       for (c, n, t, u) in ca_certs]
--
2.1.0
SOURCES/0125-client-Fix-ca_is_enabled-calls.patch
New file
@@ -0,0 +1,53 @@
From 424b8c73fa0c92ea8befe6e918c0bcaee384ed6b Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 17 Mar 2015 09:35:49 +0000
Subject: [PATCH] client: Fix ca_is_enabled calls
The command was added in API version 2.107. Old IPA servers may crash with
NetworkError on ca_is_enabled, handle this case gracefully.
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 ipa-client/ipa-install/ipa-client-install | 4 ++--
 ipa-client/ipaclient/ipa_certupdate.py    | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index c60124472005670834496569f550f0ffd986aa27..b7b3d05b6b6d1c9635084e0c01aa7443bb559db2 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2645,10 +2645,10 @@ def install(options, env, fstore, statestore):
     try:
         result = api.Backend.rpcclient.forward(
             'ca_is_enabled',
-            version=u'2.0',
+            version=u'2.107',
         )
         ca_enabled = result['result']
-    except errors.CommandError:
+    except (errors.CommandError, errors.NetworkError):
         result = api.Backend.rpcclient.forward(
             'env',
             server=True,
diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py
index 031a34c3a54a02d43978eedcb794678a1550702b..5ec5026f5ff7bf93227ce0a551fbf5cf60b9175d 100644
--- a/ipa-client/ipaclient/ipa_certupdate.py
+++ b/ipa-client/ipaclient/ipa_certupdate.py
@@ -63,10 +63,10 @@ class CertUpdate(admintool.AdminTool):
             try:
                 result = api.Backend.rpcclient.forward(
                     'ca_is_enabled',
-                    version=u'2.0',
+                    version=u'2.107',
                 )
                 ca_enabled = result['result']
-            except errors.CommandError:
+            except (errors.CommandError, errors.NetworkError):
                 result = api.Backend.rpcclient.forward(
                     'env',
                     server=True,
--
2.1.0
SOURCES/0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch
New file
@@ -0,0 +1,106 @@
From e6bdbe215ae3fba629eea69e4413c44fea7cd02b Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 17 Mar 2015 08:23:40 +0000
Subject: [PATCH] upload_cacrt: Fix empty cACertificate in cn=CAcert
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 ipaserver/install/plugins/upload_cacrt.py | 54 +++++++++++++++++--------------
 1 file changed, 30 insertions(+), 24 deletions(-)
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 66270ae7613e935fc8df4bc90aa5001296e1c06d..4d5ce52d4073660fc0c1c1ba09e993b250e11fcb 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -20,7 +20,7 @@
 from ipaserver.install.plugins import MIDDLE
 from ipaserver.install.plugins.baseupdate import PostUpdate
 from ipaserver.install import certs
-from ipalib import api, certstore
+from ipalib import api, errors, certstore
 from ipapython import certdb
 from ipapython.dn import DN
@@ -45,7 +45,7 @@ class update_upload_cacrt(PostUpdate):
                 if ca_chain:
                     ca_nickname = ca_chain[-1]
-        updates = {}
+        ldap = self.obj.backend
         for nickname, trust_flags in db.list_certs():
             if 'u' in trust_flags:
@@ -53,40 +53,46 @@ class update_upload_cacrt(PostUpdate):
             if nickname == ca_nickname and ca_enabled:
                 trust_flags = 'CT,C,C'
             cert = db.get_cert_from_db(nickname, pem=False)
+            trust, ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
+
+            dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'),
+                    ('cn','etc'), self.api.env.basedn)
+            entry = ldap.make_entry(dn)
+
             try:
-                dn, entry = self._make_entry(cert, nickname, trust_flags)
+                certstore.init_ca_entry(entry, cert, nickname, trust, eku)
             except Exception, e:
                 self.log.warning("Failed to create entry for %s: %s",
                                  nickname, e)
                 continue
             if nickname == ca_nickname:
                 ca_cert = cert
+                config = entry.setdefault('ipaConfigString', [])
                 if ca_enabled:
-                    entry.append('ipaConfigString:ipaCA')
-                entry.append('ipaConfigString:compatCA')
-            updates[dn] = {'dn': dn, 'default': entry}
+                    config.append('ipaCa')
+                config.append('ipaCa')
+
+            try:
+                ldap.add_entry(entry)
+            except errors.DuplicateEntry:
+                pass
         if ca_cert:
             dn = DN(('cn', 'CACert'), ('cn', 'ipa'), ('cn','etc'),
                     self.api.env.basedn)
-            entry = ['objectclass:nsContainer',
-                     'objectclass:pkiCA',
-                     'cn:CAcert',
-                     'cACertificate;binary:%s' % ca_cert,
-                    ]
-            updates[dn] = {'dn': dn, 'default': entry}
-
-        return (False, True, [updates])
-
-    def _make_entry(self, cert, nickname, trust_flags):
-        dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'),
-                ('cn','etc'), self.api.env.basedn)
-
-        entry = dict()
-        trust, ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
-        certstore.init_ca_entry(entry, cert, nickname, trust, eku)
-        entry = ['%s:%s' % (a, v) for a, vs in entry.iteritems() for v in vs]
+            try:
+                entry = ldap.get_entry(dn)
+            except errors.NotFound:
+                entry = ldap.make_entry(dn)
+                entry['objectclass'] = ['nsContainer', 'pkiCA']
+                entry.single_value['cn'] = 'CAcert'
+                entry.single_value['cACertificate;binary'] = ca_cert
+                ldap.add_entry(entry)
+            else:
+                if '' in entry['cACertificate;binary']:
+                    entry.single_value['cACertificate;binary'] = ca_cert
+                    ldap.update_entry(entry)
-        return dn, entry
+        return (False, False, [])
 api.register(update_upload_cacrt)
--
2.1.0
SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch
@@ -1,4 +1,4 @@
From ec381c10fc6080b1e2594cbee857725c886566d4 Mon Sep 17 00:00:00 2001
From d99f08c6b205edbbf5df68a088296b5fe029b049 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode
@@ -61,10 +61,10 @@
     try:
         check_IPA_configuration()
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 75a1711a7e1fdc9359ad02d55ad94d65af51ea93..53d969ee0b607a4392a008daebaf3befc0785084 100755
index b7b3d05b6b6d1c9635084e0c01aa7443bb559db2..82ac1d4db8bf969ba72113bc2802879fea5dcb01 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2865,6 +2865,10 @@ def main():
@@ -2874,6 +2874,10 @@ def main():
 
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
SOURCES/1010-Disable-DNSSEC-support.patch
@@ -1,4 +1,4 @@
From 80cae5f5ea38528caab01efae9100659e2ebb86e Mon Sep 17 00:00:00 2001
From a19cb9b5477901efc08c00c122f08e3d5ed126ff Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 21 Oct 2014 14:25:50 +0200
Subject: [PATCH] Disable DNSSEC support
@@ -373,10 +373,10 @@
 
     if any(named_conf_changes):
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 34afc189866993481229bb68a5edd77e0a4eaff3..d01dde31ad37f7d7aa4044de77704f4d560f0d30 100644
index ea4c212b42631e8513a13d2a7f5a859b2176376b..60129f8b873fad1d3552ca749068f36db41108e9 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2362,7 +2362,9 @@ class dnszone(DNSZoneBase):
@@ -2389,7 +2389,9 @@ class dnszone(DNSZoneBase):
             if options['idnssecinlinesigning'] is True:
                 messages.add_message(options['version'], result,
                     messages.DNSSECWarning(
SOURCES/1013-extdom-fix-wrong-realloc-size.patch
New file
@@ -0,0 +1,25 @@
From 0e76322666c91affc47387d88260a8774a634eaa Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 25 Feb 2015 10:28:22 +0100
Subject: [PATCH] extdom: fix wrong realloc size
---
 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 47bcb179f04e08c64d92f55809b84f2d59622344..686128e9bb6994cf442c1cc9ff725657584e17be 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -386,7 +386,7 @@ static int get_user_grouplist(const char *name, gid_t gid,
     ret = getgrouplist(name, gid, groups, &ngroups);
     if (ret == -1) {
-        new_groups = realloc(groups, ngroups);
+        new_groups = realloc(groups, ngroups * sizeof(gid_t));
         if (new_groups == NULL) {
             free(groups);
             return LDAP_OPERATIONS_ERROR;
--
2.1.0
SOURCES/1014-fix-Makefile.am-for-daemons.patch
New file
@@ -0,0 +1,63 @@
From d249ac3c15aefd23b6c47f16cc2843bd136f4fd5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 18 Mar 2015 17:09:06 +0000
Subject: [PATCH] fix Makefile.am for daemons
---
 daemons/Makefile.am                                    | 2 +-
 daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am        | 1 -
 daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 1 -
 daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am    | 1 -
 4 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/daemons/Makefile.am b/daemons/Makefile.am
index 956f399b1ed6d399ee52a620dcda5f67d252c848..f919429dcbd29fed3071e8f385d2573354717519 100644
--- a/daemons/Makefile.am
+++ b/daemons/Makefile.am
@@ -1,6 +1,6 @@
 # This file will be processed with automake-1.7 to create Makefile.in
 #
-AUTOMAKE_OPTIONS = 1.7
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
 NULL =
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
index 8e35cdbd4499582dd0e14562f05e4eda5bb3ec5b..fba5b08bfc15450ab4864812049699d2cfcbaf05 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
@@ -6,7 +6,6 @@ AM_CPPFLAGS =                            \
     -I.                            \
     -I$(srcdir)                        \
     -I$(PLUGIN_COMMON_DIR)                    \
-    -I$(COMMON_BER_DIR)                    \
     -DPREFIX=\""$(prefix)"\"                 \
     -DBINDIR=\""$(bindir)"\"                \
     -DLIBDIR=\""$(libdir)"\"                 \
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
index a1679812ef3c5de8c6e18433cbb991a99ad0b6c8..8ee26a7fe8ef988dbbf2ac357e6702b73e887754 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
@@ -7,7 +7,6 @@ AM_CPPFLAGS =                            \
     -I$(srcdir)                        \
     -I$(PLUGIN_COMMON_DIR)                    \
     -I$(KRB5_UTIL_DIR)                    \
-    -I$(COMMON_BER_DIR)                    \
     -DPREFIX=\""$(prefix)"\"                 \
     -DBINDIR=\""$(bindir)"\"                \
     -DLIBDIR=\""$(libdir)"\"                 \
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index 1ab6c6704e401810772a5ababc7cc5eec19d2c83..078ff9c8476b8547db58d2cf5c5d941846a3143c 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -14,7 +14,6 @@ AM_CPPFLAGS =                            \
     -I$(PLUGIN_COMMON_DIR)                    \
     -I$(KRB5_UTIL_DIR)                    \
     -I$(ASN1_UTIL_DIR)                    \
-    -I$(COMMON_BER_DIR)                    \
     -DPREFIX=\""$(prefix)"\"                 \
     -DBINDIR=\""$(bindir)"\"                \
     -DLIBDIR=\""$(libdir)"\"                 \
--
2.1.0
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -32,7 +32,7 @@
Name:           ipa
Version:        4.1.0
Release:        18%{?dist}
Release:        18%{?dist}.3
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -40,10 +40,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -160,6 +160,20 @@
Patch0110:      0110-idviews-Allow-setting-ssh-public-key-on-ipauseroverr.patch
Patch0111:      0111-Fix-ipa-pwd-extop-global-configuration-caching.patch
Patch0112:      0112-group-detach-does-not-add-correct-objectclasses.patch
Patch0113:      0113-Always-return-absolute-idnsname-in-dnszone-commands.patch
Patch0114:      0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch
Patch0115:      0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch
Patch0116:      0116-Restore-default.conf-and-use-it-to-build-API.patch
Patch0117:      0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch
Patch0118:      0118-Add-configure-check-for-cwrap-libraries.patch
Patch0119:      0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch
Patch0120:      0120-extdom-make-nss-buffer-configurable.patch
Patch0121:      0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch
Patch0122:      0122-extdom-fix-memory-leak.patch
Patch0123:      0123-certstore-Make-certificate-retrieval-more-robust.patch
Patch0124:      0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch
Patch0125:      0125-client-Fix-ca_is_enabled-calls.patch
Patch0126:      0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -173,8 +187,8 @@
Patch1010:      1010-Disable-DNSSEC-support.patch
Patch1011:      1011-Disable-TLS-1.2-in-nss.conf-until-mod_nss-supports-i.patch
Patch1012:      1012-Expand-the-token-auth-sync-windows.patch
Patch1013:      1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch
Patch1014:      ipa-centos-branding.patch
Patch1013:      1013-extdom-fix-wrong-realloc-size.patch
Patch1014:      1014-fix-Makefile.am-for-daemons.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -277,6 +291,9 @@
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.54-2
Requires: pki-ca >= 10.1.2-5
%if 0%{?rhel}
Requires: subscription-manager
%endif
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: python-dns >= 1.11.1-2
@@ -289,7 +306,7 @@
Requires: open-sans-fonts
# RHEL spec file only: DELETED: Disable DNSSEC support
# RHEL spec file only: START
# Requires: redhat-access-plugin-ipa
Requires: redhat-access-plugin-ipa
# RHEL spec file only: END
Conflicts: %{alt_name}-server
@@ -463,10 +480,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
%build
@@ -492,6 +509,9 @@
make version-update
cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
%if ! %{ONLY_CLIENT}
# RHEL SPEC file only: START: Force re-generation of the makefiles
find daemons -name Makefile.in |egrep -v '(libotp|lockout|otp-counter|lasttoken)'|xargs rm -f
# RHEL SPEC file only: END: Force re-generation of the makefiles
cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd ..
cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
%endif # ONLY_CLIENT
@@ -1013,11 +1033,25 @@
# RHEL spec file only: DELETED: Do not build tests
%changelog
* Thu Mar 05 2015 CentOS Sources <bugs@centos.org> - 4.1.0-18.el7.centos
- Roll in CentOS Branding
- Remove supscription-manager requires
* Thu Mar 19 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.3
- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate:
  (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)
* Thu Jan 29 2015 Martin Kosek <mkosek@redhat.com> 4.1.0-18
* Wed Mar 18 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.0-18.2
- IPA extdom plugin fails when encountering large groups (#1193759)
- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r()
  (#1202997)
* Thu Mar  5 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.1
- "an internal error has occurred" during ipa host-del --updatedns (#1198431)
- Renamed patch 1013 to 0114, as it was merged upstream
- Fax number not displayed for user-show when kinit'ed as normal user.
  (#1198430)
- Replication agreement with replica not disabled when ipa-restore done without
  IPA installed (#1199060)
- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)
* Thu Jan 29 2015 Martin Kosek <mkosek@redhat.com> - 4.1.0-18
- Fix ipa-pwd-extop global configuration caching (#1187342)
- group-detach does not add correct objectclasses (#1187540)